Eighty percent documentation and twenty percent actual testing is what validation looks like in many medtech companies. Validation processes in medical technology were designed for a world that no longer exists. Back then, IT systems were stable, release cycles were long, and responsibilities were clearly defined.
Today, however, cloud architectures, software as a service (SaaS) platforms with monthly updates, and interconnected system landscapes dominate. This presents a structural challenge to classic computer system validation (CSV). The result? Validation isn’t becoming less secure, but it is becoming less efficient, and regulatory requirements are increasing. The MDR transition, cybersecurity requirements, and the EU AI Act demand more integrated thinking than many existing validation processes provide.
A closer look at the actual effort involved is sobering. Around 80 percent of validation time is spent on documentation. Only about 20 percent is spent on testing and understanding the system. Paradoxically, approximately 80 percent of identified deviations stem not from real system errors but from test script errors or formal inconsistencies.
This structural problem becomes particularly apparent when every update requires a complete stop. For example, if a SaaS QMS provider announces a release in three weeks, the validation team needs six weeks for traditional revalidation. All options are unsatisfactory: Block the update and forego safety-related improvements. Roll it out and explain it at the next audit. Or, they must fundamentally question the validation approach. Additionally, tool proliferation increases the validation effort and widens potential traceability gaps with every additional system. Vendor tests are often duplicated instead of being used in a targeted, risk-based manner. “Compliance eats delivery” is no longer an exaggeration in many organizations, but a lived reality.
The core problem does not lie in stricter regulatory requirements. The reality of the systems themselves has changed more than the regulations. The FDA has recognized this. The updated CSA guidance (Computer Software Assurance, February 2026) and the GAMP 5 second edition (2022) mark a turning point together. Both frameworks shift the focus from “Have we documented enough?” to “ “Do we have the right, robust evidence for the risk?”
This is not a reduction in compliance. It is a different foundation for compliance.
In modern systems, evidence is generated digitally in the form of test results, system logs, audit trails, and monitoring data. The crucial question is whether this evidence is collected in a targeted manner and converted into structured, traceable audit trails, or if it remains unused in the system while team members paste screenshots into Word documents.
Those who approach this paradigm shift in a structured manner can transform validation into a continuous operating model that keeps pace with CI/CD pipelines, SaaS releases, and audit requirements.
Yes, because the regulations do not prescribe a specific approach. The regulatory expectation regarding the quality of the evidence is changing, not the volume of documentation.
Computer Software Assurance (CSA) is a risk-based approach that focuses on whether robust evidence is available for each risk. It is based on the current version of the FDA CSA guidance.
No, because CSA is not a new standard, but rather a shift in mindset within existing structures. A quality management system that aligns with ISO 13485 remains the foundation.
Experience shows that a pilot approach on a defined system yields initial, measurable results within 90 days. These results include clearer risk profiles and faster change lead times.
Everyone responsible for regulated IT systems in medical technology. This includes Quality Assurance, Regulatory Affairs, IT/Engineering, and Management, as each role bears a different part of the risk.
Firstname:
Lastname:
E-Mail Address:
Phone:
Subject:
Your message:
Yes, I consent to my personal data being collected and stored electronically. My data will only be used for the purpose of responding to my inquiry. I have taken note of the privacy policy.
You are currently viewing a placeholder content from OpenStreetMap. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
You need to load content from hCaptcha to submit the form. Please note that doing so will share data with third-party providers.
You are currently viewing a placeholder content from HubSpot. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
You are currently viewing a placeholder content from Hubspot Meetings. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
You are currently viewing a placeholder content from Google Maps. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.