FDA Finalizes CSA Guidance: What’s Changed & Why It Matters

🚨 Big News in Software Assurance for Medical Devices

On September 24, 2025, the FDA released the final Computer Software Assurance (CSA) for Production and Quality System Software guidance.

VIEW THE GUIDANCE: https://www.fda.gov/media/188844/download

This release reshapes expectations around how software is handled in medical device manufacturing and quality systems.

“This guidance provides recommendations regarding computer software assurance for computers or automated data processing systems used as part of production or the quality system for medical devices.”
— FDA Final CSA Guidance

This marks the culmination of years of industry input, risk-based thinking, and evolving software engineering practices.


🧠 New in the Final Guidance: Broader, Clearer, More Practical

In reviewing the final guidance (and comparing with the September 2022 draft), several major shifts stand out. @KenStineman ran a quick AI‑assisted analysis, which surfaced these highlights:

1. Cloud Computing Embraced, Not Avoided

  • The guidance now includes formal definitions for Cloud, IaaS, PaaS, SaaS
  • Examples walk through CSA applied to a Learning Management System (LMS) and a SaaS-based Product Lifecycle Management (PLM) system
  • It clarifies when cloud storage is “directly used” vs “supporting” infrastructure

2. Electronic Records & 21 CFR Part 11 Clarified

  • New Section V.B offers better guidance on when Part 11 applies
  • Encourages native digital records over screenshots or paper
  • Reinforces that Part 11 enforcement discretion doesn’t apply to software under 820.70(i)

3. Regulatory Change Handling Enhanced

  • Section V.A.3 defines when software changes require 30-day notices vs annual reports
  • Uses real-world examples, such as manufacturing execution systems (MES)

4. Vendor Oversight Expectations Raised

  • Recommends evaluating vendor AICPA SOC reports and SBOMs, performing threat modeling, and reviewing data integrity controls
  • Recognizes remote assessments are appropriate when audits aren’t possible

5. Modern Testing & Monitoring Techniques

  • Changes the language from “ad hoc testing” to “scenario-based testing”
  • References cybersecurity testing guidance (security by design, static, and dynamic testing)
  • Emphasizes continuous performance monitoring over static test snapshots

📘 Practical Changes & Improved Guidance

  • The key to the guidance is applying critical thinking and taking a risk-based approach: define the tool’s intended use, evaluate whether its outputs influence quality, and scale software assurance accordingly.
  • Appendix A now features more detailed, stepwise examples
  • Table 1 lays out documentation expectations for each testing approach
  • Emphasizes risk justification in the conclusions drawn when resolving issues
  • Stronger push for log data, audit trails, and traceability in validation documentation

🧭 Why This Matters (and Who Should Care)

We’ve been talking about the principles of a “risk-based approach,” “critical thinking,” and “agile” software development techniques for building validated software for many years — but the regulatory RA/QA community leaned toward traditional IQ/OQ/PQ and may have had trouble embracing more modern software engineering assurance techniques.

This guidance is more than compliance — it’s a strategic pivot. It signals that the FDA expects software assurance in medical device manufacturing and related system platforms to evolve, adapt, and align with modern practices.

Who needs to read the guidance?

  • Laboratories that sell Companion Diagnostics or wish to get FDA clearance for their test
  • Medical device manufacturers with software in production or quality systems
  • Suppliers / software vendors in the medical device ecosystem
  • QA / regulatory / software assurance teams
  • Software Engineering Teams who need a compliant Software Development Lifecycle (SDLC)
  • Consultants guiding device firms through software compliance

What comes next?

  • Work toward collaboration between Software Engineering and RA/QA teams
  • Reworking cloud-based architectures and validating cloud-integrated tools
  • Test strategy in the new era — scenario-based testing
  • Revisiting vendor assurance, vendor agreements, and practical audits
  • Reshaping documentation strategies toward digital, traceable artifacts
  • Preparing for the Part 820 / ISO 13485 alignment taking effect in Feb 2026

💬 Join the Conversation

Have you had a chance to dig into the final guidance yet? What surprised you? What will you need to re-think in your quality / software assurance strategy?

Drop a comment or reach out — we’d love to hear how this affects your roadmaps.
