Updated Computer Software Assurance for Production and QMSR Software Guidance
On February 3, 2026, the Food and Drug Administration (FDA) released their final guidance for Computer Software Assurance (CSA) to align formally with the updated Quality Management System Regulation (QMSR) also known as 21 CFR Part 820. If you missed our previous blog on the introduction of CSA, check it out here [1] ! The FDA is issuing this guidance to provide recommendations on computer software assurance for computers and automated data processing systems used as part of medical device production or the quality management system. This guidance describes a risk-based approach to establish confidence in the automation used for production or quality management systems, identify where additional rigor may be appropriate, and various methods and testing activities that may be applied to establish computer software assurance. FDA’s goal is to help manufacturers produce high quality medical devices while complying with the regulation. This document supersedes the final guidance “Computer Software Assurance for Production and Quality System Software,” issued September 24, 2025 [2] .
While the core risk-based methodology remains consistent, the 2026 version updates the regulatory framework to reflect the FDA’s transition from the Quality System Regulation (QSR) to the QMSR, which incorporates by reference, ISO 13485:2016 Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes.
Here are some key updates and differences:
Regulatory harmonization: The 2026 guidance replaces legacy references to the QSR with the new QMSR. It explicitly ties software assurance activities to the risk management principles found in ISO 13485:2016.
Terminology refinement: The document shifts from “Computer Software Assurance for Production and Quality System Software” to “Production and Quality Management System Software” to match the QMSR’s nomenclature (which includes some terms and definitions from ISO 9000:2015 Quality Management Systems – Requirements).
Testing methodology clarification: Building on the 2025 release, the 2026 update provides even clearer distinctions between “High Process Risk” and “Not High Process Risk” features. It reinforces the use of unscripted/exploratory testing (often referred to as scenario-based testing) for lower risk functions to reduce documentation burdens.
Vendor and digital evidence: The update strengthens the emphasis on leveraging vendor generated objective evidence and digital-first records. It encourages manufacturers to move away from paper-heavy validation files in favor of native digital audit trails and continuous monitoring.
Broadened scope: The 2026 guidance explicitly includes modern delivery models like SaaS, PaaS, and IaaS, as well as AI/ML tools when they are used for production or quality management purposes.
Below, please find a comparison table summarizing the key differences between the September 2025 guidance and the updated February 2026 guidance:
If you would like additional assistance understanding this guidance, please reach out to us here!
References