BLOG HOME

  • QMS Validation 101: SDLC vs. STLC Methodologies and Relationships

July 9, 2025

Documentation has long been at the heart of quality management system (QMS) validation, particularly in regulated industries such as pharmaceuticals and medical devices. In environments where even minor changes to the QMS can trigger lengthy approval cycles and a stack of deliverables, the idea of doing less can feel risky.

That mindset, however, is beginning to shift.

The FDA’s 2022 draft guidance on computer software assurance (CSA) reflects a growing recognition that traditional computer system validation (CSV) often burdens teams with documentation that adds little value. CSA promotes a smarter, risk-based approach to QMS validation, one that emphasizes critical thinking, real-world system performance, and focused testing where it matters most.

With that in mind, let’s take a closer look at how CSA transforms the QMS validation process and the measurable time and cost savings it delivers on the ground.

Learn more about risk-based validation using CSA guidance from FDA in our free white paper.

What CSA Changes in Practice

Consider a simple update to your QMS, like adding a new field to a form. Under traditional CSV, even a minor change like this would typically trigger a long list of deliverables:

  • Updated functional requirement specifications
  • A formal risk assessment
  • Revised risk documentation
  • A new validation plan
  • Pre-approved test scripts
  • Executed validation
  • A final validation summary report

Each of these documents might require review and approval from three to five stakeholders, stretching what should be a small update into a process that takes weeks. All for a change that poses little to no actual risk to product quality or patient safety.

Under the FDA’s CSA guidance, companies still follow change control protocols, but the steps are streamlined for low-risk changes. Instead of producing multiple documents, teams can consolidate validation into a single document outlining:

  • The assessed risk level
  • The chosen testing approach
  • Traceability back to requirements
  • The test results

For changes that present no risk, such as updating instructional text or modifying a label format, documentation may simply state the rationale for not testing, provided the risk assessment supports it.

CSA: What Gets Tested (and What Doesn’t)

There’s a common misconception that CSA means skipping validation steps. But CSA doesn’t remove testing. Instead, it allows you to think first before deciding how to validate a change, asking:

  • What’s the function?
  • What could go wrong?
  • What’s the impact if it fails?

From there, testing is focused and sized appropriately based on the risk of the change:

  • Low-risk changes, such as adding a new option to a dropdown menu, can typically be handled through exploratory or ad hoc testing. This means documenting the change, explaining why it’s low-risk, and validating the result.
  • Medium-risk changes, like a new field that triggers a calculation, may require a targeted specification mapped to the user and functional requirements. Here the focus is on risk assessment, documenting the test method and outcome, and tying it all back to the requirement.
  • High-risk changes may still warrant traditional test scripting and full documentation.

Ultimately, you’re still testing. You’re just not over-documenting changes that don’t impact quality or safety.

CSA’s Real-World Impact

With CSA, what once required weeks of effort can now be completed in a matter of days. Teams save time, reduce bottlenecks, and can make meaningful improvements to their QMS, all without compromising compliance.

Take a recent example: a series of minor configuration changes that would have required 75+ hours under CSV was completed in just 20 hours using CSA—a 73% reduction in effort, not including the time saved by eliminating multiple approval cycles.

Our Validation Services team has seen similar results across industries. Instead of a manufacturer having to update five separate documents, our team provides an audit-ready validation summary report that details the risk assessment, test justification, and outcome.

CSA Adoption Is Growing

While CSA is still gaining traction, the adoption curve is accelerating.

At AssurX, we’re seeing strong interest in CSA from smaller companies, especially regulated companies without dedicated validation staff. Many of these organizations were either over-documenting to play it safe or skipping validation altogether, assuming they wouldn’t be audited. CSA gives them a smart way to validate and stay in compliance with limited internal resources.

Even in medical device and pharmaceutical companies where CSV is deeply embedded in SOPs, CSA is gaining a foothold. We’ve implemented CSA-based validation for a number of customers in these industries, and several have reported going through audits with zero findings.

Larger companies tend to move slower, not because CSA doesn’t make sense, but because implementing it means rewriting SOPs and retraining teams. While it’s a heavy lift, the benefits are clear—all it takes is someone realizing that CSV is not an efficient use of resources.

Conclusion

QMS software evolves constantly, and it’s important to recognize that your software vendor has already validated its core functionality. Your job is to validate your use of it, and CSA is the most efficient, compliant way to do that.

With the right partner, teams can reduce validation costs significantly while improving audit readiness and compliance. In the end, CSA isn’t about doing less—it’s about doing what matters most.

Learn more about AssurX Risk-Based Validation Solutions with CSA & GAMP 5 Alignment

About the Author

Victoria Alestra has over 15 years of experience in software validation across various industries including life-sciences, manufacturing, energy/utilities, financial security and healthcare. She possesses a deep understanding of quality assurance methodologies and has a proven track record in delivering high-quality software validation. Victoria specializes in working closely with our customers to ensure compliance with their specific requirements and expectations, in addition to leading an independent validation team, where her strong analytical skills and attention to detail plays a crucial role in ensuring error-free releases of software. With her comprehensive understanding of software quality and commitment to delivering exceptional service, Victoria continues to drive innovation and excellence for our customers and within AssurX.