
FDA Issues Landmark Final Guidance: Computer Software Assurance for Production and Quality Management System Software (FDA-2022-D-0795)

Feb 26, 2026 | Regulatory Info

On February 3, 2026, the U.S. Food and Drug Administration (FDA) officially published the final guidance titled “Computer Software Assurance for Production and Quality Management System Software”, docket number FDA-2022-D-0795.

This guidance establishes a unified, structured, and risk-based assurance framework for software used in medical device production and quality systems. The document has evolved from draft to final form and formally signals a paradigm shift for the medical device industry—from the traditional, documentation-heavy Computer System Validation (CSV) model to a modern, risk-based Computer Software Assurance (CSA) approach.


I. Scope of the Guidance

The guidance applies to computer software used in medical device production and quality management systems (PQMS).

FDA explicitly clarifies that the document does not apply to software that is itself a medical device (SaMD). Instead, it covers software used to support quality system activities such as:

  • Production control
  • Inspection and testing
  • Product release
  • CAPA management
  • Change control

Inspection focus:
Has the company identified all software systems used within its PQMS and formally determined whether they fall under the CSA framework?


II. Regulatory Background

FDA emphasizes that this guidance supplements the Quality System Regulation under 21 CFR Part 820. The CSA approach does not reduce regulatory requirements; rather, it changes how compliance is achieved.

The shift is one of methodology, not of regulatory leniency.

Inspection focus:
Can the company demonstrate that its CSA approach fully satisfies existing regulatory requirements, rather than using the guidance’s non-mandatory nature as justification for reduced controls?


III. Definition of Computer Software Assurance (CSA)

CSA is defined as:

A risk-based approach to establish confidence that software functions as intended and consistently performs according to its intended use.

Importantly, “assurance” does not mean “less validation.” It means validation activities rationalized according to risk.

Inspection focus:
Does the organization understand that CSA is not validation avoidance, but validation optimization based on risk?


IV. Intended Use & Risk Determination

FDA requires firms to:

  1. Clearly define the intended use of the software within production or quality systems.
  2. Assess risk based on the software’s potential impact on product quality and patient safety.

Inspection focus:
Is there documented evidence of intended use definitions and formal risk assessments, rather than informal or experience-based judgments?


V. Selection of Assurance Activities

FDA clarifies that assurance activities may include:

  • Scripted testing
  • Unscripted (exploratory) testing
  • Vendor documentation review
  • Analysis of operational data

The approach is not limited to traditional IQ/OQ/PQ validation formats.

Inspection focus:
Are assurance activities appropriately aligned with the risk level? Is there evidence of over-validation or under-validation?


VI. Documentation & Records

The guidance stresses the need for objective evidence demonstrating that software is fit for its intended use. However, it does not mandate excessive or redundant documentation.

The focus shifts from document quantity to evidence quality.

Inspection focus:
Can the organization readily retrieve risk assessments, testing evidence, and documented conclusions during an inspection?


VII. Lifecycle & Change Management

FDA makes clear that CSA applies throughout the software lifecycle, including:

  • Software updates
  • Configuration changes
  • Vendor upgrades

Change management must incorporate renewed risk evaluation and adjusted assurance activities.

Inspection focus:
Is each change reassessed for risk impact, with assurance activities updated accordingly?


VIII. FDA Inspection Expectations

FDA indicates that inspection emphasis will be placed on:

  • Understanding of system risk
  • Logical decision-making
  • Risk-based control justification

Inspectors are less concerned with fixed templates and more focused on whether the firm can clearly articulate the rationale behind its CSA decisions.

Inspection focus:
Can the company logically and coherently explain its CSA methodology to investigators?


IX. Compliance Interpretation

FDA-2022-D-0795 does not lower the compliance threshold for software systems. Instead, it raises expectations regarding organizational maturity in risk management and quality thinking.

For medical device manufacturers, the core message of CSA is not “do less validation,” but rather:

Do the right validation—based on risk.

Author: Grzan
