CSA vs CSV for AI systems

CSV (Computer System Validation) tests a system against full documented requirements regardless of risk. CSA (Computer Software Assurance) is the FDA risk-based approach that puts assurance effort where patient safety and data integrity are most exposed. For an AI system, CSA means heavy testing on the outputs that carry real risk and lighter assurance on the rest.

The shift comes from the FDA 2022 draft guidance on Computer Software Assurance for production and quality systems. Classic CSV often produced binders of test scripts for low-risk functions, which discouraged teams from adopting software at all. CSA asks a different first question. What is the risk to the patient and the record if this function fails? The answer sets the depth of testing.

For an AI agent the unit of risk is the output, not the model. A draft that a human reviews before it touches anything regulated sits low on the scale. A figure that flows straight into a 21 CFR Part 11 record sits high and needs scripted testing with a named sign-off. That is the same logic behind audit-ready AI agents, and it sits inside the control framework in GAMP 5 for AI agents. See also our regulatory affairs work.

What changes between CSV and CSA

• The starting question. CSV starts from requirements to document. CSA starts from the risk a function poses to patient safety and data integrity.
• Where effort goes. CSA concentrates scripted testing on high-risk AI outputs and allows lighter, unscripted assurance on low-risk ones.
• What stays the same. Part 11, the predicate rules, and the need for a human accountable for each regulated output do not relax.

Common questions