Search across the website

Find training courses, blog posts, guidelines, knowledge base articles and more.

to navigate esc to close to open

FDA Computer Software Assurance Guidance

Version FDA Computer Software Assurance Guidance

Download version

Type

GMP + GDP

Organisations:

Publication

2026-02-03

Effective Date

-

Filename

guidance-computer-software-assurance-production-quality-system.pdf

Checksum

11e2e21f5eb226b56a578da44e732965a2318e9b983422c6a58e51bc7b2e223a

Change Summary

The document introduces a risk-based "Computer Software Assurance" (CSA) framework that asks manufacturers to identify a software feature's intended use, assess whether a failure would foreseeably compromise patient safety (distinguishing "high process risk" from "not high process risk"), and then apply assurance activities.

Main updates: It provides recommendations for how medical device manufacturers should establish confidence that the computer software they use in production and quality management systems is fit for its intended purpose.

Version Change Structure

1) Rationale for the change

The timing is tied directly to a major regulatory shift. A 2024 FDA final rule amended 21 CFR Part 820 to incorporate ISO 13485:2016 as the governing quality management standard, which took effect February 2, 2026, just one day before this guidance was issued. This guidance was updated to align recommendations with that newly operative regulatory framework.

2) To whom it applies

As medical device manufacturing has grown increasingly reliant on automation, robotics, AI/ML tools, cloud computing, and digital systems, manufacturers needed clearer direction on how to validate this software. The traditional approach — exhaustive, documentation-heavy software validation — was seen as unnecessarily burdensome and ill-suited to modern, rapidly evolving technology. The FDA responded to industry requests for a more agile, practical framework.

4) The current change description

The document introduces a risk-based "Computer Software Assurance" (CSA) framework that asks manufacturers to identify a software feature's intended use, assess whether a failure would foreseeably compromise patient safety (distinguishing "high process risk" from "not high process risk"), and then apply assurance activities — from lightweight exploratory testing to detailed scripted testing — proportionate to that risk. It also addresses electronic records requirements under 21 CFR Part 11 and includes four detailed worked examples covering a nonconformance management system, a learning management system, a business intelligence application, and a SaaS product lifecycle management system.

Newsletter

Get Guideline Updates in Your Mailbox

Subscribe for major GMP/GDP guideline changes, new publications and timeline updates.

We care about your data. Read our privacy policy .