FDA: Guidance on Computer Software Assurance (CSA)

On September 24, 2025, the FDA published its long-awaited final guidance “Computer Software Assurance for Production and Quality System Software” for medical devices. The document supersedes Section 6 of the FDA’s earlier document, “General Principles of Software Validation,” introducing a modern, risk-based framework that emphasizes intended use, process risk, and patient safety. 

Purpose of the Guidance 

The CSA guidance aims to reduce unnecessary validation burden, foster adoption of digital technologies (including cloud-based tools), and prepare industry for the alignment of FDA’s Quality System Regulation (21 CFR Part 820) with ISO 13485:2016 in February 2026. 

Key Takeaways for Manufacturers 

• Risk-based approach: Scale assurance activities to software’s intended use and process risk 
• Intended use: Validation of software that is used as part of production or quality system for its intended use – including cloud computing models 
• Flexible testing: Risk based use of scripted and exploratory methods 
• Vendor oversight: Stronger reliance on supplier assessments, audits, and certifications 
• Smarter documentation: FDA recommends incorporating the use of digital records, such as system logs, audit trails, and other data generated and maintained by the software. 
• ISO Transition: Build CSA into QMS now to ensure readiness for 2026 harmonisation

Source:

FDA:FDA Guidance Documents - Computer Software Assurance for Production and Quality System Software