Computer Software Assurance for Production and Quality System Software
Today we’re reviewing the Food and Drug Administration (FDA) guidance document issued on 09/24/2025, “Computer Software Assurance for Production and Quality System Software”. This guidance provides clarity on how establishments should approach the validation and assurance of software used in medical device production and quality systems (excludes design verification or validation requirements for device software functions) [1] . As the reliance on digital tools and automation in manufacturing grows, production and quality system software are integral to manufacturing, controlling processes from raw materials to final product distribution. The FDA aims in this guidance to streamline the approach and emphasize a risk-based process, so that resources can be focused where they have the greatest impact, ensuring patient and product safety, quality, and regulatory compliance.
For decades, the FDA has required manufacturers to validate software, and traditionally this has been accomplished by software testing and verification activities at each stage of the lifecycle. As processes continue growing, software validation is seen as burdensome as it’s documentation- heavy and requires adequate resources and planning, which stifles innovation and can impact efficiency. Adoption of automation has allowed manufacturers to reduce sources of error, optimize resources, and reduce patient risk. This guidance supplements FDA’s guidance, “General Principles of Software Validation [2] ” (note: Section 6 of that guidance will be replaced with this one), which FDA explains that “software testing alone is often insufficient to establish confidence that the software is fit for its intended use, and therefore recommends ‘software quality assurance’ focus on preventing the introduction of defects into the software development process [1] ”.
Another area the FDA considers in this guidance is regarding the application of 21 CFR Part 11, Electronic Records; Electronic Signatures. For computer software used as part of production or the quality system where electronic records and signatures are required, this would apply. Manufacturers may use a “least-burdensome, risk-based approach” to provide assurance that the software that maintains the electronic records subject to Part 11 performs as intended [3].
Here are some key points:
Risk-based approach – manufacturers should evaluate the potential impact of software on product quality and patient safety where assurance activities should be proportionate with the level of risk, that way resources are focused where failures could have significant consequences.
Critical thinking in software assurance – consider moving away from a ‘checklist’ validation and toward thoughtful documented decision-making to determine the appropriate approach for software validation.
Documentation and evidence – it’s important to maintain clear, concise, and relevant documentation to demonstrate software assurance activities. Evidence should support that the software performs as it is intended.
Leveraging automation, data analytics, machine learning and cloud computing tools – this guidance supports the use of automated testing (ad hoc testing for low-risk software such as BOTS or automatic workflows), continuous integration, and other modern software practices to improve efficiency and reliability.
Supplier and Third-Party software – manufacturers must assess and document the risks associated with software from external providers to ensure that appropriate controls and assurances are in place.
Ongoing monitoring and maintenance – software assurance is not a one time activity, but includes continuous ongoing monitoring, maintenance, and re-evaluation as systems evolve and new risks emerge.
How does a manufacturer achieve compliance? The following steps should be considered:
Conduct a thorough risk assessment for all production and quality system software.
Apply critical thinking to determine the necessary assurance activities for each software application.
Maintain comprehensive documentation that aligns with the FDA’s guidance requirements.
Implement robust controls for supplier and Third-Party software.
Establish procedures for ongoing monitoring, periodic review, and timely updates to assurance activities.
Train staff on the principles of risk-based software assurance and the specifics of the FDA guidance.
This guidance confirms the FDA’s shift toward a more risk-focused software validation approach in manufacturing. By understanding the key risks and implementing compliant strategies, establishments can not only meet regulatory requirements, but also enhance product quality, patient safety, and operational excellence.
Keep checking back as we continue following and updating you on FDA guidance documents that impact our industry!
Have any questions? Contact us here!
References:
[3] https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11