
FDA Computer Software Assurance 2025 Guidance

Written by Jaclyn Maney | Sep 25, 2025 3:03:38 PM

Just In: FDA Finalizes Computer Software Assurance Guidance for Production and Quality System Software


On September 24, 2025, the FDA released its long-awaited final guidance on Computer Software Assurance (CSA) for Production and Quality System Software. This guidance introduces a modern, risk-based, and least-burdensome approach to validating software used in manufacturing and quality systems. It’s a major shift for medical device companies, especially those relying on SaaS, cloud tools, or automated processes to support their quality management systems (QMS).


Why the FDA Computer Software Assurance Guidance Matters

The guidance reframes how manufacturers should approach validation for software used in production or in the quality system: focus on intended use + risk (what FDA calls “computer software assurance”) rather than one-size-fits-all scripted testing.

FDA explicitly endorses a least-burdensome, risk-based program that can include scripted testing, unscripted/exploratory testing, continuous monitoring, and leveraging supplier/developer evidence where appropriate.

The guidance clarifies when 21 CFR Part 11 applies and warns that the Part 11 guidance’s enforcement discretion about validation does not relieve manufacturers of the validation requirement in 21 CFR 820.70(i) for software used as part of production or the QMS.


Section-by-Section Breakdown of the Final Guidance

Scope & Applicability 

The guidance provides recommendations for computers and automated data processing systems used as part of device production or the quality system (not device software that is itself the medical device). It applies to both on-premises and cloud (IaaS/PaaS/SaaS) deployment models when those services are used for production or quality-system activities. The guidance explicitly applies the risk-based principles from FDA's Software Validation guidance to production/QMS software.


The Computer Software Assurance (CSA) Risk Framework

The Backbone - Six Steps 

1. Identifying the Intended Use: Determine whether the software (or features within it) is used directly in production/the QMS, to support production/the QMS, or is out of scope (e.g., general business apps). The intended use drives regulatory obligation (21 CFR 820.70(i)).

2. Determining the Risk-Based Approach: Classify individual features/functions/operations as high process risk (a failure could foreseeably compromise safety) or not high process risk (impact limited to process/QMS). Use that classification to scale assurance rigor.

3. Production or Quality System Software Changes: Apply the same risk principles to changes. For devices with approved PMAs/HDEs, FDA explains how to decide 30-day supplements vs. annual report treatment based on whether the change may affect safety/effectiveness.

4. Determining Appropriate Assurance Activities: Select assurance activities commensurate with the risk (scripted testing, unscripted/exploratory testing, vendor evidence, automated tests, continuous monitoring, etc.).

5. Additional Considerations: Leverage existing process controls, vendor assessment, cybersecurity controls, and other organizational QMS activities to reduce the incremental assurance burden.

6. Establish the Appropriate Record: Document sufficient objective evidence (intended use, risk analysis result, description of assurance activities, issues found, conclusion and resolution, who performed testing, dates, and sign-offs where appropriate). FDA encourages use of digital evidence (logs, audit trails) where suitable.

You can find the framework and the six steps enumerated in Section V.A of the guidance.

Testing Approaches

Scripted Testing → Test cases recorded and repeatable; appropriate when repeatability, traceability, or auditability are required.

Unscripted Testing → Scenario testing, exploratory testing, and error-guessing — FDA recognizes these methods and explicitly allows them as part of a risk-based assurance strategy (including for some high-risk features where exploratory testing may be more effective).


Records & Digital Evidence

FDA recommends capturing just enough objective evidence to show a feature/function was assessed and performs as intended; the guidance lists the items that should normally be included (intended use, risk analysis results, test descriptions and results, issues and resolution, test performer/date, and review/approval where appropriate). Importantly, FDA encourages using system-generated digital records (audit trails, logs) instead of duplicative paper artifacts when those digital artifacts are reliable and appropriate for the intended use.
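As an added illustration (not code from the guidance or from Rook), the following Python builds the "appropriate record" described in the six-step framework above and in this section: it classifies a feature by process risk, picks an assurance activity, checks that every item the guidance says a record should normally contain is present, and binds the record to a system-generated audit-trail export by SHA-256 so that a later edit to the export is detectable. The risk-to-activity mapping is a simplified assumption for the example, not a reproduction of FDA's Table 1, and the audit-trail lines are constructed.

```python
"""Constructed example: assemble a CSA assurance record for one feature and
tie it to digital evidence (an audit-trail export) in a tamper-evident way."""
import hashlib

# Items the guidance says a record should normally include (assumed field names).
REQUIRED_FIELDS = (
    "feature", "intended_use", "process_risk", "assurance_activity",
    "test_description", "result", "issues", "performed_by", "performed_on",
    "evidence_sha256",
)

# Simplified mapping from process risk to an assurance activity.
# Assumption for this example only; FDA's Table 1 is more nuanced.
ASSURANCE_BY_RISK = {
    "high": "scripted testing",
    "not high": "unscripted (exploratory) testing",
}


def sha256_of(data: bytes) -> str:
    """Hex digest used to bind the record to one exact evidence export."""
    return hashlib.sha256(data).hexdigest()


def build_record(feature, intended_use, high_process_risk, test_description,
                 audit_trail_export: bytes, result, issues, performed_by, performed_on):
    """Create the record and refuse to emit it if any required item is absent."""
    risk = "high" if high_process_risk else "not high"
    record = {
        "feature": feature,
        "intended_use": intended_use,
        "process_risk": risk,
        "assurance_activity": ASSURANCE_BY_RISK[risk],
        "test_description": test_description,
        "result": result,
        "issues": issues,                      # an empty list is a valid value
        "performed_by": performed_by,
        "performed_on": performed_on,          # ISO 8601 date string
        "evidence_sha256": sha256_of(audit_trail_export),
    }
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        raise ValueError(f"record incomplete: missing {missing}")
    return record


def evidence_matches(record, audit_trail_export: bytes) -> bool:
    """True only if the export on hand is byte-for-byte the one the record cites."""
    return record["evidence_sha256"] == sha256_of(audit_trail_export)


# Constructed audit-trail export from a hypothetical LMS (not real data).
AUDIT_EXPORT = b"\n".join([
    b"2025-09-25T14:02:11Z user=j.maney action=assign_training course=SOP-014 rev=3",
    b"2025-09-25T14:05:47Z user=j.maney action=complete_training course=SOP-014 rev=3",
    b"2025-09-25T14:05:48Z system action=update_training_matrix user=j.maney status=current",
])


def demo():
    """Build a record, verify the evidence, then show a tampered export failing."""
    record = build_record(
        feature="LMS training-completion tracking",
        intended_use="supports the QMS (training records per the quality system)",
        high_process_risk=False,
        test_description="exploratory: assign, complete, confirm matrix updates",
        audit_trail_export=AUDIT_EXPORT,
        result="pass",
        issues=[],
        performed_by="j.maney",
        performed_on="2025-09-25",
    )
    intact = evidence_matches(record, AUDIT_EXPORT)
    tampered = evidence_matches(record, AUDIT_EXPORT.replace(b"status=current", b"status=overdue"))
    return record, intact, tampered


def incomplete_record_rejected() -> bool:
    """A record with no performer must be refused rather than silently saved."""
    try:
        build_record("x", "supports the QMS", True, "scripted", AUDIT_EXPORT,
                     "pass", [], performed_by="", performed_on="2025-09-25")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rec, ok, bad = demo()
    print(rec["assurance_activity"], ok, bad, incomplete_record_rejected())
```

The digest ties the record to one exact export; it does not by itself prove the source system's audit trail is trustworthy, which is why the guidance conditions reliance on digital records on their integrity and availability. Storing the export and the record under the same access controls, and signing the record where the QMS requires review and approval, are the natural next steps.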


Vendors & SaaS: Vendor Evidence Counts

FDA acknowledges limited vendor access for some suppliers and recommends a risk-based vendor assessment: SOC reports, ISO certifications, development lifecycle artifacts, cybersecurity documentation (SBOM, threat models), change notifications, and service agreements with clear responsibilities. For SaaS, FDA recommends service agreements covering security, data integrity, change management, and that automatic updates be assessed via risk-based assurance when they affect intended use.


Part 11: When It Applies (And a Key Caveat)

  • Part 11 generally applies to electronic records required by predicate rules (e.g., documents required by Part 820). If a record is required under Part 820 and maintained electronically, Part 11 will generally apply.


  • The FDA’s Electronic Records (Part 11) guidance includes enforcement discretion for some validation elements, but that enforcement discretion does not apply to the validation requirement under 21 CFR 820.70(i) for software used as part of production or the QMS. In short: you cannot rely on Part 11 enforcement discretion to avoid validating production/QMS software — use the CSA risk approach instead.


Action Plan: How to Implement FDA's CSA Guidance 


What's New or Different in This Guidance?

FDA is formally recognizing unscripted testing and exploratory approaches as legitimate assurance methods (not merely ad-hoc alternatives). That opens the door to more efficient testing strategies that can be more realistic and higher value for many QMS features.

Vendor/developer evidence is usable: the guidance encourages manufacturers to leverage vendor development, validation, SOC reports and other supplier evidence to reduce duplicate work — a practical win for companies using mature SaaS/COTS tools.

Digital records are preferred when trustworthy: FDA explicitly recommends using system logs/audit trails as evidence rather than screenshots or manual duplication, provided the records meet needs for integrity and availability. That helps modernize evidence collection and reduces paperwork.

Concrete examples (Appendix A) make it easier to translate the high-level framework into specific assurance plans for LMS, nonconformance systems, BI/reporting, and SaaS PLM. Use these as templates.


How Rook Quality Systems Can Help

At Rook we translate regulatory guidance into practical plans you can implement immediately. Our services related to this guidance include:

  • Build CSA roadmap and risk-classify software features.
  • Develop efficient scripted and unscripted test strategies mapped to FDA examples and Table 1.
  • Conduct vendor assessments and SaaS contract reviews.
  • Create SOPs and evidence templates that meet FDA’s “appropriate record” requirements.
  • Pilot CSA on systems like LMS or PLM to validate processes before full rollout.

The FDA’s final Computer Software Assurance guidance is a game-changer for medical device manufacturers. By embracing a risk-based, least-burdensome strategy, companies can reduce unnecessary validation work, leverage vendor evidence, and modernize their QMS assurance activities. The key is thoughtful implementation: classify intended use, document risk rationale, and capture trustworthy evidence.