Description
FDA is issuing this guidance to provide recommendations on computer software assurance for computers and automated data processing systems used as part of medical device production or the quality management system. This guidance describes a risk-based approach to establish confidence in the automation used for production or quality management systems, identify where additional rigor may be appropriate, and various methods and testing activities that may be applied to establish computer software assurance. FDA’s goal is to help manufacturers produce high quality medical devices while complying with the Quality Management System regulation, 21 CFR Part 820. This document supersedes the final guidance “Computer Software Assurance for Production and Quality System Software,” issued September 24, 2025.
Scope & Applicability
Product Classes
8FDA intends to assess device cybersecurity based on a number of factors; demonstrate or maintain its safety and effectiveness; ensuring cybersecurity has become essential to FDA’s ability to protect the public health; Cyber-resiliency capabilities for medical devices
Software as a Service Product Lifecycle Management example
The SaaS PLM is intended to automate the intake of project requirements.
A medical device manufacturer has decided to implement a SaaS-based Product Life Cycle Management System.
A medical device manufacturer has decided to implement a commercial business intelligence solution.
A manufacturer is implementing a COTS LMS and is applying a risk-based approach for computer software assurance.
MES used to manage workflow and track progress
ERP Management system containing features for material restocking
Stakeholders
4Entities whose validation activities may be leveraged by manufacturers
outsourced operation provider
Entity responsible for submitting NDINs
Entity providing software or services to the manufacturer.
Regulatory Context
Attributes
2Failure to perform as intended may result in a quality problem that compromises safety; Classification for software features requiring more rigorous testing.; Risk classification for software functions; the manufacturer determined that the features, functions, and operations do not pose high process risk.; Risk classification level for software functions
Potential for a device to harm the patient or user; necessitating more-rigorous assurance activities, commensurate with the related medical device risk.
Related CFR Sections (7)
- 21CFR11.30§ 11.30 Controls for open systems.
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt.Read full regulation →
- 21CFR11.10§ 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate theRead full regulation →
- 21CFR11.3§ 11.3 Definitions.
(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.Read full regulation →
- 21CFR11.1§ 11.1 Scope.
(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on Read full regulation →
- 21CFR801.4§ 801.4 Meaning of intended uses.
The words intended uses or words of similar import in §§ 801.5 , 801.119 , 801.122 , and 1100.5 of this chapter refer to the objective intent of the persons legally responsible for the labeling of an article (or their representatives). The intent may be shown by such persons' expressions, the designRead full regulation →
- 21CFR820.1§ 820.1 Scope.
(a) Applicability. Current good manufacturing practice (CGMP) requirements are set forth in this quality management system regulation (QMSR). The requirements in this part govern the methods used in, and the facilities and controls used for, the design, manufacture, packaging, labeling, storage, insRead full regulation →
- 21CFR814.39§ 814.39 PMA supplements.
(a) After FDA's approval of a PMA, an applicant shall submit a PMA supplement for review and approval by FDA before making a change affecting the safety or effectiveness of the device for which the applicant has an approved PMA, unless the change is of a type for which FDA, under paragraph (e) of thRead full regulation →
Related Warning Letters (10)
- 2025-12-09
CGMP/QSR/Medical Devices/Adulterated
Envoy Medical Inc.
- 2025-11-25
CGMP/QSR/Medical Devices/Adulterated
Hong Qiangxing Shenzhen Electronics Limited
- 2025-10-28
CGMP/QSR/Medical Devices/Adulterated
Contec Medical Systems Co., Ltd.
- 2025-10-28
CGMP/QSR/Medical Devices/Adulterated/Misbranded
Royal Philips
- 2025-10-28
CGMP/QSR/Medical Devices/Adulterated/Misbranded
Qianjiang Kingphar Medical Material Co Ltd.
- 2025-10-21
CGMP/QSR/Medical Devices/Adulterated
LEVO AG
- 2025-10-07
CGMP/QSR/Medical Devices/Adulterated
Technological Medical Advancements LLC
- 2025-09-23
Medical Device/Adulterated/Misbranded/Lacks PMA and/or 510(k)
The Richline Group, Inc.
- 2025-09-16
Investigational Device Exemptions (IDE)/Premarket Approval Application (PMA) Adulterated Device
SeniorLife Technologies, Inc.
- 2025-08-26
CGMP/QSR/Medical Devices/Adulterated
Miach Orthopaedics
See Also (8)
- Content of Premarket Submissions for Device Software Functions: Guidance for Industry and Food and Drug Administration Staff (Status: Final)
- CPG Sec. 130.400 Use of Microfiche and/or Microfilm for Method of Records Retention (Status: Final)
- CPG Sec. 130.300 FDA Access to Results of Quality Assurance Program Audits and Inspections (Status: Final)
- CPG Sec. 300.100 Inspection of Manufacturers of Device Components (Status: Final)
- Device Labeling Guidance #G91-1 (Blue Book Memo) (Status: Final)
- CPG Sec. 310.100 Pacemaker Reuse (Status: Final)
- Variance from Manufacturer Report Number Format - No. 5 (Status: Final)
- Immunotoxicity Testing Guidance (Status: Final)