On 24 September 2025, the FDA published its final guidance on Computer Software Assurance (CSA) for software used in medical device manufacturing and quality systems, thereby updating the earlier framework developed in 2002. The document introduces a risk-based approach and emphasises alignment with ISO 13485.

From traditional validation to CSA – a paradigm shift

The previous Computer System Validation (CSV) model focused heavily on documenting test activities. In practice, this often led to excessive bureaucracy and less attention to actual risks.

CSA shifts the focus to intended use – meaning the purpose for which a system is used. If software directly impacts patient safety or product quality, the validation requirements are considerably higher than for auxiliary tools without clinical risk implications.

Key elements of the new approach

The FDA guidance specifies that manufacturers must adjust the scope of assurance activities according to the type and level of software-related risk. This requires implementing processes that include:

  • classification of software based on its significance for quality and patient safety,
  • appropriate testing methods – from exploratory testing to detailed validation protocols,
  • transparent yet proportionate documentation of decisions and outcomes,
  • lifecycle change management, including reassessment of risks at each update,
  • integration of cybersecurity controls as an essential part of quality assurance.

Links to MDR and IVDR

Although the FDA guidance is not legally tied to EU law, its principles resonate with MDR and IVDR:

  • Annex I (GSPR) requires minimisation of risks, including those related to software. CSA provides a practical framework for meeting this requirement.
  • Annex II demands comprehensive technical documentation; the FDA stresses proportionality – consistent with the MDR’s call for clarity and transparency.
  • Articles 83+ MDR address Post-Market Surveillance (PMS). CSA supports this by promoting active monitoring of system performance post-deployment.

Impact on manufacturers and Notified Bodies

Implementation of CSA has practical consequences:

  • greater flexibility in tailoring validation to real risks,
  • better resource utilisation by reducing unnecessary documentation,
  • facilitation of global regulatory convergence (FDA and MDR/IVDR),
  • increased expectations from Notified Bodies, who may require evidence of CSA implementation in conformity assessments.

New challenges: cybersecurity and change management

The FDA highlights the importance of ensuring software resilience against cyber threats – consistent with Annex I, section 17 MDR.
Equally, every system update must undergo risk assessment. Significant changes, such as modifications to algorithms controlling production processes, may require full revalidation – fully aligned with Article 120(3) MDR.

Conclusion

The new FDA guidance is a practical roadmap for manufacturers to implement CSA while remaining compliant with regulatory expectations. In summary:

  • validation should be proportionate to risk,
  • intended use determines the assurance scope,
  • cybersecurity and change management are integral,
  • CSA promotes global harmonisation with MDR/IVDR.

For MedTech companies, this means updating QMS procedures, training teams, and investing in risk analysis and lifecycle monitoring tools.