YOUR LIFE SCIENCE CONSULTING SOLUTIONS PARTNER

Contact Us

CSA vs. CSV: Evidence Types That Stand Up in Audits

How to justify scripted vs. unscripted testing using risk rationale 

CSV (Computer System Validation) traditionally relied on heavy, fully scripted testing, generating large volumes of documentation. FDA’s Computer Software Assurance (CSA) final guidance shifts focus on risk‑based assurance with the right level of testing, not the most. The goal is confidence, not paperwork. 

The FDA states clearly that assurance activities should be commensurate with risk and that unscripted approaches are acceptable and encouraged when appropriate.  
This modernization reduces burdens while still providing defensible audit evidence. [intuitionlabs.ai] 

Below is a clear breakdown of which evidence types auditors trust, and how to justify the choice using risk rationale. 

1. Scripted vs. Unscripted Testing: What FDA Says

FDA’s final CSA guidance confirms: 

  • Scripted testing is appropriate for high‑risk, high‑impact functions. 
  • Unscripted testing methods (exploratory, ad‑hoc/error guessing, scenario-based) are acceptable for lower‑risk functions and often uncover defects more effectively.

Importantly, the FDA emphasizes that assurance evidence should be “least burdensome” while demonstrating control of production and quality system software. 

2. When Scripted Testing Is Expected 

High Process Risk

Use scripted testing when the failure of a software feature could create a quality problem that compromises safety, as defined by FDA.

Examples that typically require scripted tests: 

  1. MES step enforcement (critical to batch control) 
  2. Automated quality decision logic (e.g., release/hold functions) 
  3. Electronic signature functions required by regulation 
  4. Critical data transformation or calculations 
  5. SCADA/MES interfaces supporting batch record integrity 

Why auditors trust scripted evidence:

  • Shows traceability from requirement → test step → expected result → actual result
  • Demonstrates repeatable controlled testing
  • Provides defensible evidence for high‑risk functionality 

Refer to this useful example when writing the justification:

“This function was classified as a high process risk because failure could foreseeably impact product quality or patient safety; therefore, scripted testing was selected to provide rigorous, traceable assurance.”
(Consistent with FDA’s definition of high process risk.) [intuitionlabs.ai]

3. When Unscripted Testing Is Appropriate

Not High Process Risk

FDA explicitly endorses exploratory, scenario-based, and error-guessing testing for lower‑risk functions.

Use unscripted assurance when:

  1. The feature does not directly control product quality or safety
  2. Failure has no foreseeable impact on patient risk
  3. The workflow outcome can be evaluated without step‑by‑step scripts
  4. The feature supports, not drives, production or quality processes

Examples of functions suitable for unscripted evidence:

  • Dashboard displays
  • User preference settings
  • Non‑critical notifications
  • Administrative, low‑impact configuration functions
  • Logging or reporting functions that do not trigger quality decisions

Why auditors trust unscripted evidence:

  • Still shows intentional, documented testing, but without unnecessary overhead
  • Demonstrates focus on risk, not documentation volume
  • Aligns directly with FDA’s “least burdensome” CSA model

How to justify it:

“This function was classified as not high process risk because failure would not foreseeably compromise product quality or patient safety. Unscripted testing was selected per FDA CSA guidance to provide appropriate, efficient assurance.”

4. Evidence Types That Stand Up in Audits

Under CSA, auditors expect to see clarity, not volume.

Here is what makes evidence defensible:

1. Risk‑based justification

A short rationale linking intended use → risk level → assurance activity.
Required explicitly in the CSA final guidance.

2. Documentation of the test activity

Even unscripted tests must produce:

  • What was tested
  • How it was tested
  • What the outcome was

FDA emphasizes appropriate, not excessive, documentation.

3. Clear linkage to intended use

Auditors want to see that testing supports the software’s role in production or QMS operations.

4. Evidence that testing covered foreseeable risks

This aligns with FDA’s requirement to address “reasonably foreseeable failure modes.”

5. A SimpleCompliant Framework for Choosing Evidence

Use this three-step decision model:

1. Define Intended Use

  • What does this feature/function do in production or QMS?
  • Does it influence product quality or safety? 
    (FDA calls intended use the starting point.) 

2. Classify Process Risk 

  • High process risk → rigorous (scripted)
  • Not high process risk → flexible (unscripted)
    (Risk must be linked to patient/product impact.)

3. Select Assurance Activity Based on Risk

  • Choose the least burdensome activity that provides confidence.
  • Document the rationale and outcome.
    (This matches FDA’s CSA guidance.)

Summary

CSV = document‑driven
CSA = risk‑driven + evidence‑appropriate + auditor‑friendly

Auditors will trust your evidence when you show:

  1. Intended use
  2. Risk classification
  3. Appropriate assurance method
  4. Clear, concise test evidence

With CSA, organizations no longer need to produce endless documents Only meaningful, risk‑based records that demonstrate confidence in software used for production and quality are necessary.

About PSC Biotech®

Founded in 1996, PSC Biotech® has spent more than two decades providing life sciences with essential services to ensure that healthcare products are developed, manufactured, and distributed to the highest standards in compliance with all applicable regulatory requirements.

Our goal is to skyrocket our clients’ success. To achieve this, our method is straightforward; we put the client’s needs first. We attain top-tier expertise for each project stage, from generating comprehensive project plans to reaching extensive production operations into attentive asset management, authenticity, and non-expendable ventures. Since our inception, PSC Biotech® has served as a strategic partner to emerging and established life science companies, all to help bring their life-saving products to market.

PSC Biotech® operates in 52 countries globally and has served thousands of clients. Employing a global team of skilled professionals and experts that span strategically located offices in North America, Europe, Asia, and the Middle East, we are proud of the roles we have fulfilled to help our clients achieve success.

Explore PSC Biotech’s full range of services at biotech.com, and follow us on LinkedIn to stay up to date!
https://www.linkedin.com/company/psc-biotech-corp/