From CSV to CSA: the validation playbook the FDA just rewrote
For thirty years, compliance validation in regulated industries meant one thing: computer system validation (CSV) — a document-heavy, one-size-fits-all ritual of scripted tests and wet-ink protocols, performed the same way whether a system printed labels or dosed patients. In 2025 and 2026 that model is being dismantled and rebuilt, all at once, on both sides of the Atlantic. If you own quality, regulatory, or validation for a zero-tolerance enterprise, the playbook you wrote your SOPs against is now out of date.
This is the operating model that replaces it — and why the teams moving fastest treat validation not as a cost to survive, but as quality data they own.
What “compliance validation” actually means in 2026
Compliance validation is the documented, risk-based evidence that a computerized system does what it must — for product quality, patient safety, and data integrity. Simple enough. The confusion is that three different disciplines all answer to the phrase and rarely talk to each other:
- Regulated system validation — CSV / Computer Software Assurance, governed by FDA 21 CFR Part 11, EU Annex 11, and GAMP 5.
- Security-certification compliance — SOC 2, ISO 27001, the world of GRC automation.
- Manufacturing quality-system validation — process and quality-management validation on the plant floor.
Most vendors own exactly one lane and pretend the others don’t exist, which is why buyers get whipsawed. The thesis of this post is simpler than any of them: rigor should follow risk, and the evidence you generate should compound — not evaporate into a filing cabinet.
The end of one-size-fits-all CSV
On September 24, 2025, the FDA issued its final guidance on Computer Software Assurance (CSA) for production and quality-system software — widely described as one of the most significant shifts in GxP software validation in three decades. It formally supersedes Section 6 of the old validation guidance and reframes the entire exercise around a least-burdensome, risk-based philosophy (FDA guidance landing page).
In practice, CSA inverts where effort goes:
- Scripted testing where a failure would directly affect product quality or patient safety.
- Unscripted, exploratory, and automated testing where risk is lower.
- Leveraged supplier evidence instead of re-testing what a vendor already proved.
The catch for most teams: SOPs written for prescriptive CSV are now simultaneously over-burdensome (they demand scripted proof everywhere) and out of step (they don’t recognize automated or unscripted assurance). CSA isn’t “less testing” — it’s testing proportional to risk. Good explainers on the CSV-to-CSA transition now exist, but authoritative, operational guidance remains genuinely scarce.
The convergence nobody is connecting
CSA is not happening in isolation. Three more regulatory currents are converging on the same idea — risk-based critical thinking plus continuous assurance — and if you map all four into one model instead of four compliance silos, the work stops duplicating itself:
- GAMP 5, 2nd Edition (ISPE, published July 2022) is the backbone: it formalizes critical thinking, explicitly endorses Agile and iterative delivery, maximizes supplier leverage, and adds new appendices for AI/ML, cloud, and open-source — deliberately aligned with the FDA’s CSA direction.
- The EU rewrite. In July 2025 the European Commission opened consultation on a sweeping revision of GMP Annex 11 (Computerised Systems), a brand-new Annex 22 on Artificial Intelligence, and a revised Chapter 4. The guideline roughly quadruples in length and — for the first time — makes cybersecurity a core GMP requirement and codifies ALCOA+ data-integrity principles.
- The EU AI Act. Its high-risk obligations — a documented quality management system, conformity assessment, and human oversight — arrive on a 2026 compliance timeline, pulling AI governance into the same validation operating model.
Read together with CSA, they say one thing: validation is becoming continuous, risk-based, and AI-aware. Teams that keep four separate binders will pay for the same control four times.
From periodic revalidation to continuous assurance
The deeper problem is cadence. Point-in-time validation assumes systems change rarely. Modern estates — SaaS platforms on monthly release trains, CI/CD pipelines, configurable cloud QMS — change constantly, and every configuration change threatens the validated state. Periodic revalidation can’t keep up.
Continuous assurance moves the evidence into the pipeline itself: automated regression, automated audit-trail review, and evidence captured as a byproduct of each change, so a system stays in a perpetually validated state. The point isn’t only to automate the testing — it’s to automate the evidence, which is where most of the documentation drag actually lives.
This is exactly the seam TestLauncher is built for: a deterministic, auditable core (Launch App) that holds the validated state, and autonomous testing (bugAgent) that exercises the system continuously and captures each signal as owned, traceable data.
The ROI — and the honest limits of the data
Organizations that adopt a CSA / risk-based model report 30–50% reductions in validation time. We cite that figure with a deliberate caveat: it is industry- and vendor-reported, not peer-reviewed — empirical CSA-ROI data is still emerging. The honest business case doesn’t need an inflated number anyway. It’s a comparison of two costs:
- Over-validation — slow releases, armies of screenshots, effort spent proving low-risk things work.
- Under-validation — data-integrity findings, warning letters, remediation, and the reputational tax of a public quality failure.
The way to escape guessing is to own your validation data and build a defensible internal benchmark — your real cycle times, your real defect-escape rates — instead of borrowing someone else’s slide.
Validating AI/ML under GxP: the least-settled frontier
The hardest question in the room is how to validate a system that doesn’t behave deterministically. GAMP 5’s AI/ML appendix, the draft Annex 22, and the EU AI Act’s high-risk QMS all point at the same frontier, and guidance is thinnest exactly where anxiety is highest.
The workable approach borrows from good validation practice rather than inventing a new religion: frame the intended use, govern the data, require human oversight, and treat continuous monitoring as the validation strategy for a model whose behavior can drift. AI in the quality loop needs an accountability layer — a record of what it did and why — before it can be defended to an auditor. That is the problem ARC, TestLauncher’s agentic regulatory-compliance product, is designed for: a repeatable method for validating AI-enabled regulated systems, aligned with GAMP 5 and CSV expectations rather than claiming a certificate no software can hold.
Validation as an owned quality asset
Validation evidence is quality data you own. It either compounds into reusable intelligence — a searchable record of how your systems behave, what your auditors ask, what your engineers decided — or it decays into liability and re-work, relearned from near-zero at every audit.
A durable, searchable quality record survives personnel turnover and makes the next audit start from near-complete. Wire that evidence into a living 100-year digital thread (qualThread) and proof-of-compliance stops being a filing cabinet and becomes an asset. This is the whitespace: no incumbent unifies validation, quality, and knowledge into one owned-data layer. It’s the same reason poor quality compounds into a $2.41-trillion liability across every zero-tolerance industry — from medical and life sciences to aerospace and defense to smart manufacturing.
A practical crosswalk: validate once, satisfy many
You do not need one test campaign per framework. Build a single control map across 21 CFR Part 11 ↔ EU Annex 11 ↔ ISO 13485 ↔ EU AI Act QMS and the overlaps are large — records, electronic signatures, audit trails, data integrity, change control. Structure your evidence so one campaign supports multiple frameworks and jurisdictions, and turn recurring auditor themes into a prioritized, risk-based test-and-evidence strategy.
A short migration checklist for teams moving from CSV to CSA:
- Reclassify systems by risk — direct product/safety impact vs. indirect.
- Rewrite SOPs to permit unscripted, exploratory, and automated assurance.
- Leverage supplier evidence instead of re-testing commodity software.
- Automate the evidence, not just the tests.
- Own the record so the next audit — and the next framework — starts ahead.
Frequently asked questions
What is the difference between CSV and CSA, and which does the FDA now expect? CSV is the older, document-heavy, one-size-fits-all model. Computer Software Assurance (CSA) is the FDA’s finalized, risk-based successor (September 2025): scripted testing where risk is high, unscripted or automated assurance where it isn’t. CSA is now the FDA’s recommended approach for production and quality-system software.
Does CSA mean less testing? No. It means risk-proportionate testing — more rigor where a failure would harm product quality or patient safety, less ceremony where it wouldn’t.
How does GAMP 5 2nd Edition relate to FDA CSA? GAMP 5 (2nd Ed., 2022) provides the critical-thinking and supplier-leverage framework that CSA operationalizes; the two are deliberately aligned.
What changes with the EU Annex 11 revision and new Annex 22? The 2025 EU draft expands Annex 11 substantially, adds a dedicated AI annex (Annex 22), makes cybersecurity a core GMP requirement, and codifies ALCOA+ data-integrity principles.
How do you validate an AI/ML system in a GxP environment? Frame the intended use, govern the training and input data, require human oversight, and treat continuous monitoring as the ongoing validation strategy for models that can drift.
Modern validation is continuous, risk-based, and owned. TestLauncher builds the agentic quality infrastructure that makes it so — unifying validation, QA, knowledge, security, and performance into one intelligence layer you own. See how the platform fits together, review our approach to security and compliance, or talk to us about modernizing validation.