New FDA Draft Guidance

New FDA Draft Guidance

FDA Issues Draft Guidance on Computer Software Assurance for Production and Quality System Software

The U.S. Food and Drug Administration (FDA) issued the new draft guidance: Computer Software Assurance for Production and Quality System Software. Download here: 2022-Guidance-Computer-Software-Assurance

This new FDA draft guidance provides recommendations on risk-based assurance activities for computers and automated data processing systems that are used as part of medical device production or the quality system.

FDA is issuing this draft guidance to provide recommendations on “Computer Software Assurance,” aka, “validate computer software” for computers and automated data processing systems that are regulated under 21 CFR 820.70(i).

The specific regulation reads as follows: 21 CFR 820.70(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.

When final, this new FDA draft guidance will supplement FDA’s guidance, “General Principles of Software Validation” except this guidance will supersede Section 6 (“Validation of Automated Process Equipment and Quality System Software”) of the Software Validation guidance.

This guidance clarifies for the industry that the requirement “validate computer software” in 21 CFR 820.70 is not intended to be the same level of effort as required by the Design Controls requirement 21 CFR 820.30 when the agency says “Design validation shall include software validation and risk analysis, where appropriate.

In the move from “validate computer software” to “Computer Software Assurance” it is interesting to compare the fundamental thoughts:

  1. In the 2002 Guidance, General Principles of Software Validation; Final Guidance for Industry and FDA Staff (2002-01-General Principles of Software Validation-Final Guidance), we see the question, “HOW MUCH VALIDATION EVIDENCE IS NEEDED?”

    The level of validation effort should be commensurate with the risk posed by the automated operation. In addition to risk other factors, such as the complexity of the process software and the degree to which the device manufacturer is dependent upon that automated process to produce a safe and effective device, determine the nature and extent of testing needed as part of the validation effort.

  2. In the 2022 new FDA draft guidance we see the main thought, “COMPUTER SOFTWARE ASSURANCE”

    Computer software assurance is a risk-based approach for establishing and maintaining confidence that software is fit for its intended use. This approach considers the risk of compromised safety and/or quality of the device (should the software fail to perform as intended) to determine the level of assurance effort and activities appropriate to establish confidence in the software. Because the computer software assurance effort is risk-based, it follows a least-burdensome approach, where the burden of validation is no more than necessary to address the risk. Such an approach supports the efficient use of resources, in turn promoting product quality.

I see the release of this new FDA draft guidance as great news for device manufacturers.  This guidance reflects over six years in the making … I know, because I did a lot of work on this draft in 2017 and 2018 before my retirement from the agency.  I am pleased that it still contains many of my initial contributions and thoughts, namely:

  • Device software validation is not the same as the software validation of automated production and quality systems
  • It encourages an increased use of automation in the medical device sector. If you are not automating, you are not state of the art.
  • It encourages the use of more modern software tools and methods. Results should outweigh “all compliance all the time” paradigm
  • It encourages the use of OTS and well proven solutions in the medical device sector. You do not need to recreate the wheel
  • It reinforces the idea that “critical thinking” is better than “check list” compliance-based thinking. More Case for Quality is better.
About the author

John is a 25 year FDA veteran. John served as a regulatory and compliance expert for FDA regulated computers and software. Practice (focus) areas include FDA software related guidances, software device classification determination, pre-market software review, post market software inspectional 483’s, additional information software requests, Digital Health Pre-certification, AAMI Software related TIRs and related medical device software standards.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  June 5-7, 2024
Boston, MA

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

Register Now



Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: Tuesday, January 23 through Friday, January 26 from at 11 am – 3 pm EST

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.