Vol.1 — June 24, 2026
MSC Portal Regulatory Watch All Entries (17)
Standards, Guidance & Notices
FDA
CDRH
21 CFR Part 820
Quality Management System Regulation (QMSR) — 21 CFR Part 820
PUBLISHED NEW Quality Management
The FDA's Quality Management System Regulation establishes comprehensive good manufacturing practice (CGMP) requirements for medical device manufacturing. Through the final rule effective February 2, 2026, the QMSR incorporates by reference ISO 13485:2016, aligning FDA requirements with international quality management standards. The regulation covers design and development controls (equivalent to 21 CFR 820.30), manufacturing operations, documentation, and management oversight across the entire device lifecycle. Key requirements include design input and output specifications, design review and verification, design validation, design transfer, and identification and implementation of design changes. The QMSR serves as a foundational regulatory framework for simultaneous FDA and Japanese approval pathways, establishing baseline quality system compliance expectations for manufacturers seeking marketing authorization in multiple regions. Compliance with these requirements demonstrates commitment to systematic quality assurance throughout device development and commercialization.
Published: 2024-02-02
FDA
CDRH
FDA-OTS-Software-2023
Off-The-Shelf (OTS) Software Use in Medical Devices
FINAL NEW Software Lifecycle
This FDA guidance addresses off-the-shelf (OTS) software including operating systems, database management systems, programming language compilers, libraries, and middleware incorporated into medical devices. The document provides practical recommendations for documenting OTS software in premarket submissions, recognizing the regulatory challenges associated with software of unknown or partially known provenance (SOUP). Manufacturers should evaluate and document vendor information, known defects and vulnerabilities, product lifecycle and support duration, configuration management practices, and compatibility with device safety and effectiveness requirements. The guidance establishes documentation expectations proportionate to OTS software risk contribution to overall device safety. Manufacturers must demonstrate that OTS software selection and management processes follow systematic risk-based approaches. This document serves as the practical foundation for implementing IEC 62304 Section 7.1 (SOUP management) requirements, bridging international standards and FDA regulatory expectations. Manufacturers should maintain current understanding of OTS software vulnerabilities and security patches, coordinating with vendors to receive timely security updates and assessing impact on marketed devices through post-market surveillance protocols.
Published: 2023-09-28
FDA
CDRH
FDA-Cybersecurity-Premarket-2023
Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
SUPERSEDED NEW Cybersecurity
This FDA final guidance (September 2023) establishes current cybersecurity requirements for medical device manufacturers, implementing legal mandates from the Consolidated Appropriations Act 2023 (Section 524B). The guidance specifies mandatory inclusion of software bill of materials (SBOM), vulnerability disclosure policies, and cybersecurity management plans in premarket submissions for devices with network connectivity or remote functionality. Manufacturers must establish processes for identifying, evaluating, and disclosing known and potential cybersecurity vulnerabilities to the FDA and relevant stakeholders. The cybersecurity management plan should address threat modeling, risk assessment, security design controls, and post-market monitoring strategies. The guidance demonstrates alignment with international standards including IEC 81001-5-1 (application of risk management to network security) and AAMI TIR57 (medical device security guidance), facilitating harmonized global regulatory compliance. Manufacturers should integrate cybersecurity considerations throughout the device lifecycle from design through post-market surveillance. The guidance represents current regulatory expectations and serves as the primary reference for FDA premarket submissions incorporating cybersecurity requirements. Compliance demonstrates manufacturer commitment to protecting patient safety and data integrity.
Published: 2023-09-27
FDA
CDRH
FDA-Device-Software-Functions-2023
Content of Premarket Submissions for Device Software Functions
FINAL NEW Software Lifecycle
This FDA final guidance (2023) specifies required documentation content for software in premarket submissions including 510(k), PMA, and De Novo pathways. The guidance provides structured requirements based on software risk level (minor, moderate, major) classification, recognizing that documentation scope should be proportionate to patient risk. For each software risk category, the document delineates specific submission requirements for design specifications, system architecture, verification and validation (V&V) documentation, cybersecurity considerations, and unmet need summaries. Manufacturers must provide detailed design specifications describing intended functionality and performance parameters, system architecture documentation explaining software structure and interfaces, comprehensive V&V documentation demonstrating safety and effectiveness testing, and cybersecurity management plans addressing relevant threats. The guidance replaces the previous "Content of Premarket Submissions for Software" document, incorporating contemporary regulatory expectations including artificial intelligence considerations, interoperability requirements, and cybersecurity standards. Compliance with these content requirements streamlines FDA review and supports timely device approval decisions.
Published: 2023-06-14
FDA
CDRH
FDA-Interoperability-2017
Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices
FINAL NEW Interoperability
This FDA final guidance addresses design and regulatory considerations for medical devices that communicate electronically with other devices, health information systems, or electronic health records (EHR). The document emphasizes that interoperable devices must maintain safety and effectiveness across diverse clinical environments and integration scenarios. Manufacturers should incorporate risk management per ISO 14971 to identify and mitigate hazards associated with data exchange, system interoperability, and information integrity. Key design considerations include error detection and correction mechanisms, data validation and reconciliation procedures, interface standardization (HL7, DICOM, or equivalent standards), and cybersecurity protections ensuring confidential and accurate information exchange. Premarket submissions for interoperable devices must include technical documentation describing data exchange protocols, interface specifications, validation testing demonstrating accurate data transmission and receipt, and labeling clearly defining compatible systems and valid use cases. The guidance establishes that interoperability requirements should be addressed through systematic design controls incorporating software development processes per IEC 62304 where applicable. Manufacturers should validate interoperability across representative healthcare information technology environments. The guidance recognizes that interoperable devices create complex system-level risks requiring comprehensive validation approaches extending beyond individual device testing.
Published: 2017-09-06
FDA
CDRH
FDA-Cybersecurity-OTS-2005
Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software
PUBLISHED NEW Cybersecurity
This FDA guidance document (2005) addresses cybersecurity management for network-connected medical devices incorporating off-the-shelf (OTS) software components. The guidance delineates responsibility allocation between manufacturers and healthcare facility information technology personnel, acknowledging shared accountability for device cybersecurity posture. Key technical topics include operating system patch management, antivirus software deployment, network access controls, and authentication mechanisms. The document establishes that manufacturers bear primary responsibility for device design incorporating security controls, while healthcare facilities assume responsibility for network infrastructure, patch management, and periodic security assessments appropriate to their operational environments. While superseded by more contemporary 2023 guidance addressing current cybersecurity threats and FDA regulatory expectations, this 2005 document provides valuable historical context for understanding the evolution of FDA cybersecurity requirements. Manufacturers and healthcare organizations benefit from understanding these foundational cybersecurity management principles, which remain relevant despite advances in threat landscape and technology. The document emphasizes that cybersecurity is a shared responsibility requiring collaboration between device manufacturers and end-users.
Published: 2005-01-14
FDA
CDRH
FDA-SW-Validation-2002
General Principles of Software Validation — Final Guidance
FINAL NEW Software Lifecycle
This FDA final guidance (Version 2.0) establishes foundational principles for validating medical device software and software used in device design and manufacturing. The document systematically addresses software lifecycle methodologies, verification and validation (V&V) concepts, and documentation expectations. It defines key terminology including validation, verification, and testing, and describes the relationship between software development processes and regulatory submissions. Although IEC 62304 provides a more recent international standard framework, this guidance document remains a critical reference for FDA submissions and regulatory expectations. Manufacturers should apply the lifecycle principles outlined herein to demonstrate software safety and effectiveness. The guidance emphasizes that validation must be commensurate with device risk classification and intended use. It provides practical examples of validation approaches for various software categories and addresses both standalone software (SaMD) and software as a component of hardware devices. The document serves as essential foundational material for understanding FDA's expectations regarding software documentation in premarket applications.
Published: 2002-01-11