FDA’s Software Assurance Guidance Emphasizes Risk Management
The FDA’s guidance for computer software assurance (CSA) is not a groundbreaking policy document, but it does indicate how much effort a manufacturing site must put into verifying the software that governs a variety of functions at the facility.
The FDA’s Center for Devices and Radiological Health (CDRH) reposted the guidance in February 2026, five months after releasing the most recent substantive update to it. The February 2026 version incorporates text that brings the document into alignment with the Quality Management System Regulation (QMSR), which took effect Feb. 2.
The scope of the CSA guidance is limited to computers and other automated data processing systems that are used as part of a production system for medical devices. Any such systems used to govern the quality system at the manufacturing site are also within scope. The guidance broadly defines CSA as a risk-based approach to ensuring that the software in question is fit for its intended use. Because the framework is risk-based, the operator of the facility must undertake a validation effort that is proportional to the risk posed by the facility’s use of the software, rather than a uniform effort for every system.
As might be expected, software that is used directly as part of the production or quality system is subject to more rigorous validation requirements than software that merely supports production or the quality management system (QMS). Examples of software used directly in production or QMS management include software that automates production processes or processes device manufacturing data, software that processes quality system data, and software that maintains quality records for the manufacturing process.
In contrast, software in a support role includes software that automates general record-keeping activities; software used for the quality system that is not itself part of the quality record may also fall under the “support” category. Software that provides a general data infrastructure function, such as networking or user authentication, is not subject to validation under Part 820 (the QMSR) at all.
Facilities that use cloud computing infrastructure to meet their data needs may not need to validate that use under Part 820. Cloud computing deployed as infrastructure as a service (IaaS) is not subject to Part 820 validation if the service is used solely as a repository for backups of production and process data. If the IaaS is used as the primary storage medium for quality records, however, it may be subject to Part 820 validation.
The guidance also highlights the scenario in which a computer system provides a software function that is applied to several different parts of the facility’s operations, including when the software is commercial, off-the-shelf (COTS) software. Depending on the software function, the manufacturer may have to validate the use of the software under Part 820. However, none of the requirements characterized in this guidance affects the facility’s responsibilities under Part 11, which governs electronic records and electronic signatures.
The FDA stated that the risk analysis required of manufacturers for their computing systems is distinct from risk analysis as described in ISO 14971, the internationally recognized risk management standard for medical devices. The difference is that facility computer risks are evaluated on whether failures are “reasonably foreseeable,” which contrasts significantly with the probabilistic approach to risk described in the ISO standard.
Copyright © 2026 - Medmarc
