Standards, Guidance & Notices
FDA
CDRH
FDA-2022-D-0795
Computer Software Assurance for Production and Quality Management System Software
FDA final guidance (Feb 2026) on risk-based assurance for software used in medical device production and quality management systems. Supersedes the September 24, 2025 version, with the title updated from "Quality System Software" to "Quality Management System Software" to align with the QMSR (21 CFR Part 820 / ISO 13485:2016 harmonization effective February 2, 2026). Replaces Section 6 of the 2002 GPSV. Does NOT apply to SaMD/SiMD.
Published: 2026-02-03
FDA
CDRH
FDA-AI-DSF-Draft-2025
Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations
This FDA draft guidance (2025) provides lifecycle management and premarket submission recommendations for software incorporating artificial intelligence and machine learning (AI/ML) technologies. The document addresses critical AI-specific considerations including training data management, algorithm performance monitoring, software modification processes, and predetermined change control planning. Manufacturers should establish robust procedures for documenting training and validation datasets, monitoring real-world performance against predetermined performance specifications, and implementing planned modifications without requiring submission of new premarket applications when modifications fall within pre-approved change control plans. The guidance specifically addresses adaptive algorithms that modify behavior based on accumulated clinical experience, establishing frameworks for distinguishing routine algorithm refinement from material modifications requiring FDA notification. Post-market performance evaluation plans should establish metrics for ongoing algorithm performance assessment across diverse patient populations and clinical settings. The document remains under comment collection, with FDA inviting stakeholder input on implementation feasibility and technical approaches. Manufacturers of AI/ML-enabled medical devices should actively monitor guidance finalization and incorporate recommendations into development strategies to facilitate efficient regulatory approval pathways.
Published: 2025-01-07
EU
MDCG
MDCG 2025-6 / AIB 2025-1
MDCG 2025-6 / AIB 2025-1 - Guidance on the Interplay Between EU MDR/IVDR and the EU Artificial Intelligence Act (AIA)
MDCG 2025-6 / AIB 2025-1 provides essential guidance on the concurrent application of EU Medical Device Regulation (MDR), In Vitro Diagnostic Regulation (IVDR), and the EU Artificial Intelligence Act (AIA, Regulation 2024/1689) to AI-based medical devices (MDAI). The document clarifies the regulatory pathway for manufacturers placing AI-enabled Software as a Medical Device (SaMD) on the EU market. The guidance specifies conformity assessment procedure selection, integration of quality management system requirements, and the treatment of overlapping clinical evaluation and AIA-mandated documentation obligations. Manufacturers should use this document to identify applicable requirements under both MDR/IVDR and AIA frameworks, streamline compliance activities, and establish unified governance structures. The document represents the coordinated position of the Medical Device Coordination Group and the AI Board, establishing a harmonized implementation framework for AI-based medical devices within the European regulatory environment.
Published: 2025-01-01
FDA
CDRH
FDA-PCCP-AI-DSF-2024
Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions
This FDA final guidance (December 2024) establishes the regulatory framework for Predetermined Change Control Plans (PCCPs) enabling efficient modification management for AI-enabled medical device software. The PCCP mechanism, authorized under FDORA Section 515C, permits manufacturers to implement specified software modifications without submitting supplemental premarket applications, provided modifications remain within the FDA-approved change control plan. Manufacturers must establish comprehensive PCCPs describing anticipated modification categories, methodologies for implementing changes while maintaining safety and effectiveness, and impact assessment procedures demonstrating that modifications do not adversely affect device performance or patient safety. Each PCCP submission must include three essential elements: clear descriptions of modifications covered by the plan, detailed methodologies and procedures for implementing modifications, and systematic impact assessment approaches demonstrating continued compliance with original approval specifications. The guidance specifies that PCCPs must align with 21 CFR Part 820 (Quality Management System Regulation) change management requirements, ensuring integration within broader quality system frameworks. This mechanism substantially reduces regulatory burden while maintaining robust oversight of AI algorithm modifications. Manufacturers should carefully define PCCP scope to encompass anticipated algorithm refinements while excluding modifications requiring comprehensive re-validation.
Published: 2024-12-04
MHLW
Notice
MHLW-PFSB-MDED-0328-No.1
Guidance on Vulnerability Management to Ensure Cybersecurity of Medical Devices
Notice on post-market vulnerability management framework. Requires manufacturers/distributors to integrate vulnerability monitoring, evaluation, response, and disclosure processes (including SBOM utilization) into quality management systems. Mandates establishment of PSIRT structure, clear vulnerability notification policies to customers, and practical end-of-life support management procedures.
Published: 2024-03-28
FDA
CDRH
21 CFR Part 820
Quality Management System Regulation (QMSR) — 21 CFR Part 820
The FDA's Quality Management System Regulation establishes comprehensive good manufacturing practice (CGMP) requirements for medical device manufacturing. Through the final rule effective February 2, 2026, the QMSR incorporates by reference ISO 13485:2016, aligning FDA requirements with international quality management standards. The regulation covers design and development controls (equivalent to 21 CFR 820.30), manufacturing operations, documentation, and management oversight across the entire device lifecycle. Key requirements include design input and output specifications, design review and verification, design validation, design transfer, and identification and implementation of design changes. The QMSR serves as a foundational regulatory framework for simultaneous FDA and Japanese approval pathways, establishing baseline quality system compliance expectations for manufacturers seeking marketing authorization in multiple regions. Compliance with these requirements demonstrates commitment to systematic quality assurance throughout device development and commercialization.
Published: 2024-02-02
MHLW
Notice
Admin-Notice-2024-01-31
Q&A on Cybersecurity of Medical Devices (2024 Version)
Expanded Q&A set on application and conformance assessment of Essential Principles Article 12(3). Provides guidance on system architecture diagram formats, post-transition application handling, third-party testing utilization, SBOM documentation scope, and legacy product compliance strategies based on practical implementation experience.
Published: 2024-01-31
MHLW
Notice
MHLW-PSEHB-PSD-0115-No.2
Fundamental Approach to Adverse Event Reporting Related to Medical Device Cybersecurity
Notice clarifying handling of cybersecurity events in adverse event/serious adverse event reporting systems. Addresses reporting applicability for patient harm from cyber attacks or vulnerability exploitation, decision-making flowcharts, and manufacturer response procedures. Serves as foundational regulatory documentation for post-market cybersecurity management.
Published: 2024-01-15
FDA
CDRH
FDA-OTS-Software-2023
Off-The-Shelf (OTS) Software Use in Medical Devices
This FDA guidance addresses off-the-shelf (OTS) software including operating systems, database management systems, programming language compilers, libraries, and middleware incorporated into medical devices. The document provides practical recommendations for documenting OTS software in premarket submissions, recognizing the regulatory challenges associated with software of unknown or partially known provenance (SOUP). Manufacturers should evaluate and document vendor information, known defects and vulnerabilities, product lifecycle and support duration, configuration management practices, and compatibility with device safety and effectiveness requirements. The guidance establishes documentation expectations proportionate to OTS software risk contribution to overall device safety. Manufacturers must demonstrate that OTS software selection and management processes follow systematic risk-based approaches. This document serves as the practical foundation for implementing IEC 62304 Section 7.1 (SOUP management) requirements, bridging international standards and FDA regulatory expectations. Manufacturers should maintain current understanding of OTS software vulnerabilities and security patches, coordinating with vendors to receive timely security updates and assessing impact on marketed devices through post-market surveillance protocols.
Published: 2023-09-28
FDA
CDRH
FDA-Cybersecurity-Premarket-2023
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
This FDA final guidance (September 2023) establishes current cybersecurity requirements for medical device manufacturers, implementing legal mandates from the Consolidated Appropriations Act 2023 (Section 524B). The guidance specifies mandatory inclusion of software bill of materials (SBOM), vulnerability disclosure policies, and cybersecurity management plans in premarket submissions for devices with network connectivity or remote functionality. Manufacturers must establish processes for identifying, evaluating, and disclosing known and potential cybersecurity vulnerabilities to the FDA and relevant stakeholders. The cybersecurity management plan should address threat modeling, risk assessment, security design controls, and post-market monitoring strategies. The guidance demonstrates alignment with international standards including IEC 81001-5-1 (application of risk management to network security) and AAMI TIR57 (medical device security guidance), facilitating harmonized global regulatory compliance. Manufacturers should integrate cybersecurity considerations throughout the device lifecycle from design through post-market surveillance. The guidance represents current regulatory expectations and serves as the primary reference for FDA premarket submissions incorporating cybersecurity requirements. Compliance demonstrates manufacturer commitment to protecting patient safety and data integrity.
Published: 2023-09-27
