FDA Issues Updated Guidance on Computer Software Assurance for Production and QMS Software
The U.S. Food and Drug Administration (FDA) has issued an updated final guidance titled “Computer Software Assurance for Production and Quality Management System Software”, dated 3 February 2026. This document supersedes the September 2025 version and reflects recent regulatory changes, including alignment with the updated 21 CFR Part 820 Quality Management System Regulation (QMSR), which now incorporates ISO 13485:2016 by reference.
The guidance provides FDA’s current thinking on how manufacturers should establish and maintain confidence that software used in production or quality management systems (QMS) is fit for its intended use, using a risk-based computer software assurance (CSA) approach.
Scope of the Guidance
The guidance applies to computerized systems and software used as part of:
Medical device production processes, and
The quality management system, including systems that create, modify, maintain, or support quality records.
This includes, where applicable, cloud-based solutions such as SaaS, PaaS, and IaaS, when used in production or QMS activities. The guidance does not apply to medical device software functions that meet the definition of a medical device under the FD&C Act, which remain covered by FDA’s software validation guidance.
Key Regulatory Context for Manufacturers
The FDA reiterates that manufacturers are required to validate software used in production or QMS activities under ISO 13485:2016, as incorporated into 21 CFR Part 820, which entered into force on 2 February 2026.
This guidance:
Replaces Section 6 (Validation of Automated Process Equipment and Quality System Software) of FDA’s General Principles of Software Validation guidance
Promotes a least-burdensome, risk-based approach to software assurance
Emphasizes maintaining software in a validated state throughout its lifecycle
Risk-Based Computer Software Assurance (CSA)
At the core of the guidance is a risk-based framework that requires manufacturers to:
Identify the intended use of each software feature, function, or operation
Determine whether the software is used directly in production/QMS or supports it
Assess process risk, focusing on whether software failure could lead to a quality problem that foreseeably compromises patient safety
Select assurance activities commensurate with the identified risk level
Document objective evidence demonstrating the software performs as intended
FDA distinguishes between:
High process risk software, where failure may compromise safety, and
Not high process risk software, where failure does not foreseeably affect patient safety.
This distinction directly influences the depth and rigor of assurance activities expected.
Impact on Validation and Testing Activities
The guidance clarifies that traditional scripted testing is not always required. Depending on risk, manufacturers may apply:
Scripted testing (robust or limited)
Unscripted testing, including exploratory testing, scenario testing, and error guessing
A combination of methods, selected based on risk rather than system type
FDA explicitly supports leveraging:
Supplier validation activities
Vendor audits and certifications
Continuous monitoring and automated testing
Digital records, audit trails, and system logs instead of paper-based evidence
Software Changes and Regulatory Reporting
For manufacturers with PMA or HDE-approved devices, the guidance explains how changes to production or QMS software should be assessed:
Changes that do not foreseeably affect safety or effectiveness may be reported in annual reports
Changes that may affect safety or effectiveness may require a 30-day notice
This assessment must be based on the risk impact of the software change, not solely on whether software was modified.
Electronic Records and Part 11 Considerations
The guidance also addresses common manufacturer questions regarding 21 CFR Part 11. FDA clarifies that:
Part 11 applies when electronic records are required under predicate rules (including Part 820)
Not all system-generated logs are automatically subject to Part 11
Enforcement discretion for Part 11 validation does not remove the obligation to validate production or QMS software under ISO 13485
What This Means for Manufacturers
For medical device manufacturers, this updated guidance reinforces that:
Software assurance must be risk-based, documented, and justified
Not all systems require the same level of validation effort
Vendor assessments and existing controls can significantly reduce validation burden
Cloud-based and automated systems are acceptable when appropriately controlled
Objective evidence should be fit for purpose, not excessive
The guidance supports more agile, scalable, and efficient validation strategies, while maintaining FDA’s expectations for product quality, data integrity, and patient safety.