Skip to content
GXPLearn.io

CSV vs CSA: What's the Difference?

CSV and CSA are not opposites. CSV is the GMP discipline of proving fit for intended use; CSA is FDA's risk-based framework for proportioning assurance effort on production and QMS software. Most organisations use both — the question is when each lens applies.

Two lenses on the same obligation

Regulated manufacturers must demonstrate that computerised systems are fit for intended use. CSV provides the lifecycle structure — requirements, design, testing, traceability, change control, and maintained validated state. CSA, as described in FDA's February 2026 guidance (GUI00017045), provides a risk-based method for scoping assurance activities and records on production and QMS software.

GXPLearn's public FAQ summarises the distinction: CSV traditionally maps V-model activities and documented testing; CSA focuses assurance on risk, intended use, and critical thinking rather than uniform documentation depth. Many organisations apply CSV structure for GxP-critical functions and CSA principles to right-size effort.

Module 12 lets learners toggle the same system change between CSV and CSA perspectives — observing how evidence burden, documentation depth, and review defensibility shift while the underlying quality obligation remains.

CSV vs CSA comparison

DimensionCSV (traditional lens)CSA (FDA risk-based lens)
Primary framingLifecycle validation — fitness for intended use under GMPRisk-based assurance — confidence in production/QMS automation
Regulatory anchorGMP / EU GMP Annex 11 / 21 CFR Part 11 (where applicable)FDA GUI00017045 (Feb 2026) for device production/QMS software
Scope driverGxP impact and intended use of the systemProcess risk within production/QMS context
Documentation emphasisTraceable specs, protocols, summaries, change controlObjective evidence proportionate to risk — less uniform depth
Testing defaultOften scripted IQ/OQ/PQ with full traceabilityScripted, unscripted, or hybrid — selected by process risk (FDA Table 1)
Risk toolRisk assessment informs scope (ICH Q9, ISO 14971 context)Process risk distinct from device risk; six-step CSA framework (FDA V.A)
Change handlingChange control with impact assessment and revalidationChange assessment integrated in CSA step 3 — maintain validated state
Vendor / SaaSVendor qualification, gap assessments, traceable evidenceExplicit cloud/SaaS guidance; leverage vendor evidence with critical review
Part 11Controls for electronic records per predicate rulesEnforcement discretion does not apply to production/QMS software validation (FDA V.B)
Typical pitfallCheckbox compliance — volume without critical thinkingUnder-assurance of high process-risk functions
CoexistenceProvides structure and audit language QA expectsRight-sizes effort within CSV/QMS obligations

Testing approach contrast (FDA Table 1)

Under a traditional CSV lens, teams often default to robust scripted protocols for most changes — comprehensive pre-written steps with expected results. This defensibility is valuable for high GxP impact but can be burdensome for low-risk functions.

CSA's Table 1 explicitly contrasts scripted testing (robust or limited) with unscripted methods: scenario testing, error-guessing, and exploratory testing. High process-risk features — such as automated lot release, nonconformance workflows, or training status gates — warrant more rigorous methods. Lower-risk UI or reporting changes may use leaner approaches with documented rationale.

FDA's ERP examples in Section V.A.(2) illustrate the judgement: the same enterprise system may contain both high process-risk modules (batch release, NC handling) and lower-risk reporting — each sized differently.

When each approach applies

Use CSV lifecycle thinking when you need full traceability for GxP-critical systems — batch execution, electronic batch records, release automation, data integrity controls, and interfaces to MES/ERP quality modules.

Apply CSA proportioning when scoping assurance within that lifecycle — deciding whether a change needs full OQ regression, targeted scenario testing, or vendor evidence plus focused verification.

Neither lens authorises skipping evidence for functions that directly affect product quality or quality records. CSA changes how much and what type — not whether assurance occurs.

Explaining the difference to stakeholders

QA reviewers often ask for traceability and documented test evidence. IT and automation teams want efficient change velocity. CSA gives shared language: intended use, process risk, and method selection tied to objective evidence.

GXPLearn Module 12 trains learners to defend assurance decisions in review — comparing evidence packages sized under CSV vs CSA and recording scored decisions in the scenario arena. This mirrors governance conversations as organisations adopt FDA-aligned CSA principles.

GXPLearn CSV/CSA learning path

Modules 09–12 form a coherent validation spine: CSV Validation → V-Model → CSA Assurance → CSV vs CSA comparison. Learners who complete this path can explain differences credibly to QA, IT, and automation stakeholders — a common interview and governance topic.

Explore the guided simulation path at /csv-csa-training, or start Module 09 inside the app. Foundation Modules 01–03 are free after sign-in.

Practise in Module 12 CSV & CSA training path Start learning free

GXPLearn.io provides independent educational content only. FDA guidance cited here is nonbinding recommendations for medical device production and quality management system (QMS) software — not device software functions (SaMD/SiMD). This page does not constitute regulatory advice. Consult your quality organisation and applicable regulations for site-specific decisions. GXPLearn.io is an independent educational platform. Not affiliated with Emerson. Not a real DeltaV emulator. Not validated GMP training software.

Frequently asked questions

What is the difference between CSV and CSA?

CSV is the GMP discipline of proving automated systems are fit for intended use through documented lifecycle validation. CSA is FDA's risk-based framework for proportioning assurance activities on production and QMS software. They address the same underlying obligation with different emphasis on documentation depth and method selection.

Does CSA replace CSV?

No. CSA reframes how assurance is scoped and documented for production/QMS software. CSV lifecycle structure, change control, and validated state maintenance remain GMP expectations. Organisations typically use both.

Which is better — CSV or CSA?

Neither is universally 'better.' CSV provides comprehensive lifecycle structure valued in audits. CSA helps right-size effort to process risk. The best approach applies critical thinking within your QMS — more rigor where GxP impact is high.

Can you use CSV and CSA together?

Yes. A common pattern keeps CSV lifecycle artefacts (URS, traceability, change control) while applying CSA principles to decide testing depth, accept vendor evidence, and use unscripted methods where process risk is lower.

How does FDA Table 1 compare testing methods?

FDA Table 1 contrasts scripted testing (robust or limited) with unscripted methods (scenario testing, error-guessing, exploratory testing). Selection should reflect process risk and intended use — not a single default for all changes.

What is an example of high vs low process risk?

High process risk: automated batch release, nonconformance disposition, training-status enforcement. Lower process risk: read-only dashboards or reports that do not directly drive quality decisions. FDA's ERP examples in Section V.A.(2) illustrate mixed-risk systems.

Does CSV vs CSA apply to pharma as well as medtech?

CSV applies broadly under GMP across life sciences. FDA's February 2026 CSA guidance text focuses on device production/QMS software; parallel FDA guidance exists for pharmaceutical quality systems with similar principles. Always confirm scope for your regulatory context.

What changed in FDA CSA guidance February 2026?

The February 2026 final guidance (GUI00017045) supersedes September 2025, aligns with QMSR/ISO 13485:2016, adds cloud computing definitions, and clarifies Part 11 scoping for production/QMS software validation.

How do auditors view CSA?

Auditors expect objective evidence and sound rationale — not a specific document template. CSA is defensible when process risk assessments, method selection, and records demonstrate fitness for intended use. Under-assurance of high-risk functions remains a finding risk.

Where can I practise CSV vs CSA decisions?

GXPLearn Module 12 provides a split-lens visualiser, evidence-sizing exercises, and a scored scenario arena. Start at /csv-csa-training or open Module 12 in the app after signing in.

Ready to practise regulated workflows?

Choose the path that fits — start with free foundation modules or discuss a team licence for your organisation.

For individuals

Start with the free foundation modules and upgrade when you are ready for simulation labs and professional scenarios.

For businesses

Request a business demo or pilot discussion for team/site licensing, standalone export, and onboarding use cases.