Over the past ten years, the regulatory requirements for CSV have remained nearly unchanged. However, the systems themselves have an increasingly rapid life cycle with updates, patches, and new functionalities. Technology has also advanced significantly with cloud computing and artificial intelligence. An adjustment of the regulatory requirements was inevitable and has now been made.
Almost simultaneously, new, more detailed requirements and options were published for the North American and European markets.
The EU Commission published drafts for the revised Annex 11 of the EU GMP guidelines and the new Annex 22, which were open for comment until the beginning of October. The requirements are expected to be adopted in 2026. Annex 11 and the new Annex 22 are characterized by a significantly higher or high level of detail and considerably expand the previous framework. For the first time, Annex 22 also addresses the consideration of artificial intelligence (AI) in regulated computer systems, therefore new requirements for validation strategies are needed. In addition, greater focus is placed on the lifecycle approach. Computerized systems must be regularly evaluated and reviewed. Techniques for this can include revalidations or audit trail reviews.
In parallel, after many years of discussion, the US FDA published the final “Computer Software Assurance (CSA) Guide” at the end of September 2025. This document promotes a more risk-based approach that adapts the validation effort to the actual risk to product quality and patient safety.
Both documents have in common that greater importance is attached to the consideration of the supplier and the use of supplier information. This will also lead to greater involvement in the processes on the part of software developers and companies specializing in software customization.
However, CSV will continue to play an important role.
The risk-based approach, which Valicare has been successfully applying for many years and is described in the GAMP® 5, will remain the method of choice for assessing computerized systems. The involvement of the supplier and supplier documentation must be added in any case.
If you have any questions on this topic or like to get an overview, we recommend our webinar on "CSV versus CSA".
You are also welcome to contact us directly through info@valicare.com.
Author: Dr. Carsten Börger | Senior GMP Consultant | Team Leader Qualification & Validation