Thursday, February 12, 2026

The FDA's New CSA (Computer Software Assurance) requirements


The new CSA requirements per the FDA's new guidance document can be summed up as follows: Computer software assurance focuses on preventing the introduction of defects into the software development cycle, and it encourages the use of a risk-based (patient / user) approach to establish confidence that software is fit for its intended use.

- jel@jelincoln.com  02/12/2026





Tuesday, February 10, 2026

Ques: We had a question from the previous webinar on IQ, OQ, PQ:

“Mr. Lincoln, what if a validated commercial software was originally validated using a software system that is no longer supported by the software company and/or the commercial software has been updated. Does the validation have to be repeated? For example, Microsoft Version 7 was used as part of the validation process for Lab Solutions, a system software used to support Shimadzu spectrophotometers. This was completed in 2007. In 2026 Microsoft no longer supports Version 7 and/or Shimadzu has updated the Lab Solutions software. What needs to occur to avoid a 483 observation during an audit?”
 
ANS: These situations happen frequently. Usually, as part of your annual QMS Review, you consider the status of existing V&Vs, and that would apply here. If nothing has changed in terms of the issues being resolved by the validation, and the resolution / answers are still valid, then the version or updates involved in components of the V&V would not be an issue - that's basically the 'bottom line'.

On the other hand, if the updates / obsolescence, et al., were due to any inherent defect in the supporting test mechanisms, then there is an issue: re-verification or re-validation may be required, and any additional follow-up to remediate any affected product may need to be addressed, depending upon Failure Investigation / Root Cause Analysis findings. Ditto if there are any negative trends / irregularities in the data provided by the spectro system, per your NCMR / CAPA system.

You should call out this analysis and its results in your QMS management review documentation, whether done now or as part of any upcoming annual review, and revisit it in the future as necessary per the above.

- jel@jelincoln.com 02/10/2026

Wednesday, January 14, 2026

FDA Town Hall – Quality Management System Regulation: Risk and Design and Development, 01/14/26, Wednesday, 2:00 PM ET, US FDA, ~1 hour

I just attended an FDA Teams audio presentation on the new QMSR to be implemented on February 02, 2026, by all Medical Device Companies selling product in the US.  

Some key takeaways:
-  Risk management is an important part of the new QMSR / ISO 13485: 3.17, 3.18, 4.1.2(b), 7.1, 7.3, and 7.4;
-  Design and Development (the old Design Control) is an important component of risk management; or rather Risk Management (and, if necessary, Use / Human Factors Engineering) are an important part of Design Control;
-  The FDA expects that the design review team(s) have independence for decision making;
-  ISO 14971 or a similar risk management system should form the basis of the QMS / device risk management activities, especially pertaining to QA/QC, Production and Purchasing. Note that harm (to patient / people) is the focus of FDA's / ISO 14971's requirements, not financial / scheduling / business risks;
-  Design control is not retroactive for devices; it is only a requirement for devices designed or changed since October 1997 (when 820.30 Design Control was implemented);
-  Changes to a device can be documented in the DHF or under the company's CGMP change control system;
-  The DHF or applicable product documents (and risk management documents) should be reviewed periodically or when a new risk is determined, and updated / addressed accordingly;
-  Ditto the risk management elements of the QMS (and the Device Risk Management file);
-  The FDA does not expect companies to change existing historical documents (e.g., DHFs, archived documents) to reference the new changes, references, terminology.

One key point that was not addressed was the Final Rule / Preamble emphasis that the QMSR is not intended to, nor does it, substantially change the QMS of the old QSR, and that ISO 13485 meets the basic requirements of the old 21 CFR 820, except for a change in references (generally from 820 to ISO 13485), some terminology changes, and a few legal requirements unique to the USA as required in the FD and C Act, under which the FDA acts, addressed in the new 820, Subparts A and B.

A transcript of the meeting should be available on fda.gov in approximately 2 weeks.  

-  jel@jelincoln.com 01/14/2026

Some grammatical changes to para. 3. - JEL 02/19/26

- added last comment to 2nd bullet point above, " or rather..." ; and diagrams below - JEL, 02/24/26 


US FDA’S QUALITY MANAGEMENT SYSTEM REGULATION (QMSR, 21 CFR PART 820)

NEW COMPLIANCE INSPECTION / AUDIT MODEL (replacing QSIT), dated 02/02/2026

OAFR’s:

-  MDRs;
-  Reports of Corrections and Removals;
-  Medical Device Tracking Requirements;
-  Unique Device Identification