The final guidance supplements
FDA's 2002 General Principles of Software Validation (GPSV)—except for Section 6 of the GPSV, which the final guidance supersedes—and retains the risk‑based, least-burdensome approach to software assurance that FDA introduced in the 2022 draft.
A risk-based approach to software assurance
In general, the final guidance builds consistently on the framework that FDA introduced in the draft. It applies to software used as part of device production and quality systems, but not to “device software functions” such as software as a medical device or software in a medical device. FDA explicitly endorses a risk-based approach to software assurance, focusing on the intended use of each software feature, function, or operation. The level of validation effort should be commensurate with the risk posed to product quality and patient safety. FDA recommends:
- Manufacturers should start with the software’s intended use to determine whether any feature, function, or operation is indeed used as part of production or the quality system.
- The intended use drives validation scope. Manufacturers must validate software used as part of production or the quality system for its intended use. This includes cloud-based solutions (IaaS, PaaS, and SaaS) and other software that is used directly as part of production or the quality system—such as tools to automate production or quality system processes—or to support production or the quality system—such as development tools or general record-keeping software.
- If the software is used as part of production or the quality system, manufacturers should determine appropriate assurance activities based on the reasonably foreseeable risks. If a failure could create a quality problem that foreseeably compromises safety—a “high process risk”—manufacturers should use testing commensurate with the safety risk. If a failure would not create a quality problem that foreseeably compromises safety—a “not high process risk”—manufacturers could use lessor validation testing that is commensurate with the process risk. While the guidance provides practical examples using this binary approach, it also acknowledges that manufacturers may adopt more granular categories (such as moderate, intermediate, or low risk) to tailor assurance activities to their specific operations. This flexibility allows organizations to scale their validation efforts appropriately, focusing resources where the impact on product quality and patient safety is greatest.
- For high process risks, manufacturers might consider more rigorous, traceable testing such as scripted testing. Conversely, for lower process risks, manufacturers might consider unscripted testing methods such as scenario testing, error-guessing, or exploratory testing. The final guidance does not require particular testing methods for particular risks; manufacturers should instead “apply principles of risk-based testing” to validate that the software performs as intended for the risk identified.
- When using third-party software (cloud-based, on-premise, or hybrid), sponsors should assess vendor capabilities through risk-based methods such as reviewing certifications (e.g., ISO, SOC), development and cybersecurity practices (e.g., SBOM, threat modeling), and data integrity controls (e.g., record retention practices, audit trails, encryption, access control). Onsite audits are optional and may be substituted with alternative evidence if not feasible.
- FDA encourages manufacturers to leverage vendor assessments, certifications (such as ISO 13485), and digital records (such as system logs, audit trails) to reduce manual documentation burden, as opposed to paper documentation, screenshots, or duplicating results already digitally retained by the software when establishing the record associated with the assurance activities.
- Manufacturers should document their assurance activities—including things such as intended use, risk determination, what was tested, by whom, and the results. Manufacturers should map software inventory to intended uses and for each, determine if it supports production or the quality system, and specify whether a feature is “high process risk” or “not high process risk.” Such documentation would serve as a natural input to the master validation plan. In keeping with the final guidance’s least-burdensome approach and in a shift from traditional, prescriptive validation practices, the documentation need only include evidence sufficient to show the software’s acceptability for its intended use. The level of documentation should align with the risk level associated with the software (“high process risk” vs. “not high process risk”).
- If electronic records are maintained under Part 820, Part 11 applies. However, FDA exercises enforcement discretion for some Part 11 requirements, except for validation of software used in production or the quality system.
More definitions and examples
The final guidance also responds to industry requests for clarification on the draft, including the types of software potentially covered by the guidance, the required documentation of assurance activities, and the role of software vendors. For example:
- The final guidance includes a new section on terminology, clarifying the concepts of IaaS, PaaS, and SaaS and including examples of how they might operate materially as part of production or quality systems. It also clarifies expressly that manufacturers can apply the framework to artificial intelligence tools, again, if used as part of production or quality systems.
- The final guidance provides more detail on how manufacturers might rely on information about or from software vendors—such as review of a vendor’s practices and controls around software development—in conducting assurance activities.
- The final guidance emphasizes the least-burdensome approach to documenting assurance activities and, as noted, how manufacturers can document those activities digitally.
- The final guidance offers more robust examples and scenarios to help manufacturers distinguish between different testing methods and “high process risk” and “not high process risk” features, including a new example of how the framework might apply to SaaS-based product lifecycle management systems.
Actionable suggestions for companies
- Conduct a comprehensive gap assessment. Begin by thoroughly reviewing your current software validation and assurance practices against the new FDA guidance. Map out all software used in production and quality system activities and assess whether your existing processes reflect a risk-based approach. Identify areas where traditional, prescriptive validation can be replaced or streamlined with risk-based, least-burdensome methods. This assessment should include interviews with key stakeholders, review of validation documentation, and benchmarking against both FDA and ISO 13485 requirements.
- Update SOPs, policies, and training programs. Revise your standard operating procedures (SOPs) to explicitly incorporate risk-based computer software assurance principles. Ensure your documentation reflects the use of digital records, objective evidence scaled to risk, and vendor evaluation practices. Develop targeted training for staff at all levels—quality, IT, regulatory, and operations—so everyone understands the new expectations, the rationale behind risk-based assurance, and how to document activities appropriately.
- Engage cross-functional teams for holistic implementation. Successful adoption of the guidance requires collaboration across departments. Involve IT, quality assurance, regulatory affairs, operations, and even procurement in mapping software uses, risks, and controls. Cross-functional workshops can help identify hidden risks, clarify intended uses, and ensure that assurance activities are comprehensive and aligned with both regulatory and business objectives.
- Prepare for ISO 13485 alignment and future regulatory changes. With the upcoming QMSR transition, harmonize your quality management system to ISO 13485 standards. This means reviewing your documentation, processes, and supplier controls to ensure they meet both FDA and international requirements. Proactively address gaps in areas such as risk management, supplier evaluation, and electronic records to future-proof your compliance and facilitate global market access.
- Document everything—digitally and efficiently. Maintain clear, concise, and well-organized records of risk assessments, assurance activities, vendor evaluations, and decision-making rationales. Leverage digital tools such as system logs, audit trails, and automated test scripts to capture objective evidence. Ensure your documentation is sufficient to demonstrate acceptability for intended use but avoid unnecessary paperwork. Digital records not only support regulatory compliance but also enhance traceability, audit readiness, and continuous improvement.
- Monitor and continuously improve. Establish mechanisms for ongoing monitoring of software performance, risk, and regulatory changes. Use periodic reviews, internal audits, and feedback loops to refine your assurance strategy. Stay engaged with FDA updates, industry best practices, and evolving standards to ensure your approach remains current and effective.
The final guidance is a welcome modernization update, balancing regulatory rigor with operational efficiency using a practical, risk-based framework for software assurance in production and quality systems. By adopting a risk-based, documented approach, manufacturers can ensure compliance, enhance product quality, and prepare for the evolving regulatory landscape.
Ready to take the next
step?
If your organization needs support with gap assessments, SOP updates, cross-functional workshops, or training tailored to the new FDA guidance and ISO 13485 alignment, reach out to us today. Our team of FDA regulatory experts and ISO 13485 qualified auditors can help you operationalize these requirements, streamline your compliance strategy, and position your company for success in a rapidly evolving regulatory landscape.
At the end of the day, our advice is simple: Embrace the flexibility, but don't compromise on documentation or risk management.
Authored by Kelliann
Payne, Jodi Scott, and Ashley Grey