21 CFR 820.70(i) – Automated Processes & Software Controls Compliance Guide

Summary

• 21 CFR 820.70(i) requires medical device manufacturers to validate all computer software used in production or quality systems according to established protocols before use
• All software changes must be validated before approval and issuance, with comprehensive documentation of validation activities and results
• This requirement historically formed part of the FDA’s Quality System Regulation (QSR) under 21 CFR Part 820 and continues to apply under the current Quality Management System Regulation (QMSR) framework. It applies to any automated system or software used in production or the quality management system that could impact device quality or patient safety.
• Non-compliance risks FDA enforcement actions including warning letters, consent decrees, and product recalls
• Kneat’s digital validation platform provides configurable protocols, automated change control workflows, and complete audit trails to ensure continuous compliance with 21 CFR 820.70(i) requirements

What is 21 CFR 820.70(i) – Automated Processes & Software Controls?

In today’s medical device manufacturing environment, automated systems and software are integral to production and quality operations. From manufacturing execution systems to laboratory information management systems, these digital tools directly impact device quality and patient safety. FDA recognized this reality when establishing 21 CFR 820.70(i), a critical regulation that ensures computer software used in production or quality systems meets the same rigorous standards as other manufacturing processes.

At Kneat, we understand that compliance with 21 CFR 820.70(i) is not simply a regulatory checkbox—it’s a fundamental requirement for maintaining device quality, ensuring data integrity, and protecting patients. Our digital validation platform is purpose-built to help life sciences organizations meet these requirements efficiently while maintaining the flexibility to adapt to evolving regulatory expectations and business needs.

Quick definition

21 CFR 820.70(i) states: “When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.”

This regulation establishes three core mandates: validate software for its intended use, validate all changes before implementation, and maintain comprehensive documentation of all validation activities.

Scope & purpose

The regulation applies to any computer software or automated data processing system used as part of production or the quality system. This broad scope encompasses:

• Manufacturing execution systems (MES)
• Laboratory information management systems (LIMS)
• Enterprise resource planning (ERP) systems
• Quality management systems (QMS)
• Statistical process control software
• Automated inspection and testing equipment
• Environmental monitoring systems
• Calibration management systems

The purpose is straightforward: ensure that automated systems perform as intended and do not introduce errors or deviations that could compromise device quality. Since software failures can have cascading effects on product quality and patient safety, FDA requires the same level of control and validation for automated processes as for manual processes.

Regulatory authority / issuing body

 The U.S. Food and Drug Administration (FDA) issued 21 CFR 820.70(i) under 21 CFR Part 820, the medical device current good manufacturing practice (CGMP) regulation authorized by the Federal Food, Drug, and Cosmetic Act (FD&C Act).

Historically, this requirement appeared within the Quality System Regulation (QSR) framework. Following FDA’s 2024 amendments to Part 820, the regulation is now titled the Quality Management System Regulation (QMSR), which became effective on February 2, 2026 and incorporates ISO 13485:2016 by reference while retaining FDA-specific requirements.

The requirement historically referenced as §820.70(i) falls within the production and process control provisions of Part 820 and addresses validation of automated processes and software used in production or the quality management system. These controls are intended to ensure that automated systems used during manufacturing or quality operations do not compromise device quality, safety, or regulatory compliance.

History & key revisions

The Quality System Regulation, including §820.70(i), became effective on June 1, 1997, replacing the earlier Good Manufacturing Practice (GMP) regulations. The regulation was designed to harmonize with ISO 9001 quality management standards while maintaining specific requirements for medical device manufacturing.

While the core text of §820.70(i) has remained stable, FDA’s interpretation and enforcement have evolved significantly. The agency has issued numerous guidance documents addressing software validation, including the 2002 “General Principles of Software Validation” and more recently, draft guidance on “Computer Software Assurance for Production and Quality System Software” that introduces a more risk-based approach to validation activities.

As regulatory expectations continue to evolve, Kneat remains at the forefront of digital validation technology. Our platform is designed with the flexibility to adapt to changing guidance while maintaining the rigorous controls required by 21 CFR 820.70(i). We continuously update our solution to reflect current best practices and emerging regulatory trends, ensuring our customers maintain compliance as the landscape shifts.

Key Requirements of 21 CFR 820.70(i) – Automated Processes & Software Controls

Software validation core requirements

The foundation of 21 CFR 820.70(i) compliance rests on three interconnected requirements:

• Validate for intended use: Software must be validated to demonstrate it performs as expected for its specific application within production or quality systems
• Follow established protocols: Validation must follow documented, pre-approved protocols that define validation approach, acceptance criteria, and testing procedures
• Document all activities: Complete records of validation activities, results, dates, and approving individuals must be maintained

These requirements apply regardless of whether software is developed in-house, purchased as commercial off-the-shelf (COTS) software, or provided as Software as a Service (SaaS).

Protocol and documentation requirements

FDA requires manufacturers to establish and follow formal validation protocols. According to §820.70(a), these protocols must include:

• Documented instructions and standard operating procedures (SOPs) that define validation methods
• Monitoring and control of process parameters during validation
• Compliance with specified reference standards or codes
• Approval of processes and process equipment before use
• Clear criteria for acceptance expressed in documented standards

Documentation must capture the complete validation lifecycle, including protocol approval, test execution, deviation handling, results analysis, and final approval signatures.

Change control requirements

Section 820.70(b) explicitly addresses changes: “Each manufacturer shall establish and maintain procedures for changes to a specification, method, process, or procedure. Such changes shall be verified or where appropriate validated according to §820.75, before implementation and these activities shall be documented.”

For software systems, this means:

• All software changes require validation before approval and issuance
• Change control procedures must define when revalidation is required
• Changes must be verified or validated before implementation
• Documentation must demonstrate the change does not adversely affect device quality
• Changes must be approved in accordance with §820.40 (Document Controls)

Equipment and calibration integration

When automated systems include inspection, measuring, or test equipment, additional requirements from §820.72 apply:

• Equipment must be suitable for its intended purpose and capable of producing valid results
• Calibration procedures must include specific directions and limits for accuracy and precision
• Calibration standards must be traceable to national or international standards
• Equipment identification, calibration dates, performing individuals, and next calibration dates must be documented
• Records must be displayed on or near equipment or readily available to users

Process validation linkage

Section 820.75 establishes that “where the results of a process cannot be fully verified by subsequent inspection and test, the process shall be validated with a high degree of assurance.” This requirement directly impacts software validation because:

• Automated processes often cannot be fully verified through output inspection alone
• Software validation must demonstrate a “high degree of assurance” that the system performs correctly
• Validated processes must be monitored and controlled to ensure specified requirements continue to be met
• Qualified individuals must perform validated processes
• Monitoring and control methods, data, dates, and performing individuals must be documented

Why Compliance Matters

Regulatory penalties & enforcement

FDA treats 21 CFR 820.70(i) violations seriously. The agency’s enforcement toolkit includes:

• Warning letters: Public notifications of significant violations requiring immediate corrective action
• Consent decrees: Legal agreements requiring comprehensive remediation under FDA oversight
• Product recalls: Mandatory removal of devices from the market when software failures compromise safety or effectiveness
• Import/export restrictions: Prohibition on importing devices or exporting to certain markets
• Criminal prosecution: In cases of willful violations or fraud

Recent FDA warning letters consistently cite inadequate software validation as a recurring deficiency. Common citations include failure to validate software before use, inadequate validation protocols, insufficient documentation, and failure to validate software changes.

Business & patient impact

Beyond regulatory consequences, non-compliance with 21 CFR 820.70(i) creates substantial business and patient risks:

Business impact:

– Manufacturing delays when systems fail or produce unreliable results

– Product recalls and associated costs

– Damage to brand reputation and customer trust

– Loss of market access in regulated jurisdictions

– Increased insurance premiums and legal liability

– Competitive disadvantage against compliant competitors

Patient safety impact:

– Defective devices reaching patients due to undetected software errors

– Incorrect test results leading to misdiagnosis or inappropriate treatment

– Device failures during critical procedures

– Compromised data integrity affecting traceability and recall effectiveness

At Kneat, we recognize that compliance is not merely about avoiding penalties—it’s about ensuring the integrity of processes that directly impact patient safety. Our digital validation platform helps organizations maintain rigorous controls while improving efficiency, reducing validation cycle times by up to 40%, and ensuring audit readiness. By automating validation workflows, enforcing protocol adherence, and maintaining complete audit trails, Kneat enables companies to focus on innovation and quality rather than compliance burden.

Step-by-Step Compliance Roadmap

Gap assessment

Begin by conducting a comprehensive assessment of current software validation practices:

1. Inventory all automated systems: Identify every computer system and automated process used in production or quality operations
2. Review existing validation documentation: Evaluate whether current validation protocols, test scripts, and results meet 21 CFR 820.70(i) requirements
3. Assess change control processes: Determine if software changes are consistently validated before implementation
4. Evaluate documentation completeness: Verify that validation activities, results, dates, and approvers are fully documented
5. Identify gaps and prioritize remediation: Rank systems by risk and compliance gaps to focus resources effectively

Process & technology controls

Establish robust processes and controls to ensure ongoing compliance:

Validation protocols:

– Develop standardized validation protocol templates that define approach, scope, acceptance criteria, and testing procedures

– Ensure protocols address installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ)

– Include risk assessment to determine appropriate validation rigor

– Define clear roles and responsibilities for validation activities

Change control:

– Implement formal change control procedures that require validation before software changes go live

– Define criteria for determining when revalidation is required versus when verification is sufficient

– Establish approval workflows that enforce validation completion before change implementation

– Link change control to document control procedures per §820.40

Technology infrastructure:

– Select validation management systems that enforce protocol adherence and maintain complete audit trails

– Implement electronic signature capabilities that meet 21 CFR Part 11 requirements

– Ensure systems provide version control for protocols, test scripts, and validation reports

– Enable traceability between validation activities and specific software versions

Documentation best practices

Comprehensive documentation is essential for demonstrating compliance:

• Validation protocols: Document validation approach, scope, system description, acceptance criteria, test procedures, and approval signatures
• Test execution records: Capture test results, screenshots, actual versus expected results, deviations, and resolution
• Validation reports: Summarize validation activities, results, deviations, conclusions, and final approval
• Change control records: Document change requests, impact assessments, validation activities, and approvals
• Periodic review records: Maintain evidence of ongoing monitoring and periodic revalidation assessments

Documentation must be readily retrievable, protected from unauthorized changes, and retained according to device history record requirements.

Ongoing monitoring & audit prep

Compliance is not a one-time event but an ongoing commitment:

Continuous monitoring:

– Implement procedures per §820.75(b) for monitoring and controlling validated processes

– Track system performance metrics to detect degradation or unexpected behavior

– Conduct periodic reviews to assess whether revalidation is needed

– Document monitoring activities, including dates and responsible individuals

Audit readiness:

– Maintain a validation master plan that provides an overview of all validated systems

– Organize validation documentation for rapid retrieval during inspections

– Conduct internal audits to identify and remediate gaps before regulatory inspections

– Train personnel on validation requirements and documentation expectations

Kneat’s digital validation platform supports every step of this compliance roadmap. Our configurable protocols ensure consistency and completeness, automated workflows enforce validation before changes go live, and centralized documentation provides instant audit readiness. With Kneat, organizations transform validation from a compliance burden into a strategic advantage, reducing cycle times while maintaining the highest standards of data integrity and regulatory compliance.

Common Pitfalls & How to Avoid Them

Inadequate validation protocols

The mistake: Using generic, superficial validation protocols that fail to adequately test software for its intended use or lack clear acceptance criteria.

Why it happens: Organizations often treat validation as a checkbox exercise rather than a rigorous assessment of software fitness for purpose.

The consequence: FDA warning letters citing failure to validate software according to established protocols, potential product quality issues, and costly revalidation efforts.

Pro tip: Develop risk-based validation protocols that focus testing on critical functions and potential failure modes. Ensure acceptance criteria are specific, measurable, and directly linked to intended use requirements.

How Kneat helps: Kneat provides configurable protocol templates that enforce inclusion of all required elements while allowing customization for specific system risks and intended use. Built-in review workflows ensure protocols are thoroughly vetted before execution.

Poor change control documentation

The mistake: Implementing software changes without validation or failing to document validation activities before changes go live.

Why it happens: Pressure to deploy changes quickly, lack of integration between change control and validation systems, or unclear criteria for when validation is required.

The consequence: Direct violation of 21 CFR 820.70(i)’s requirement that “all software changes shall be validated before approval and issuance.”

Pro tip: Implement automated workflows that prevent change implementation until validation is complete and approved. Define clear criteria for determining validation scope based on change risk.

How Kneat helps: Kneat’s change control workflows enforce validation completion before changes can be approved. The system maintains complete traceability between change requests, validation activities, and implementation, ensuring no change bypasses required validation.

Insufficient validation documentation

The mistake: Incomplete validation records that lack critical information such as test results, deviations, approver signatures, or dates.

Why it happens: Manual documentation processes, lack of standardized templates, or inadequate training on documentation requirements.

The consequence: Inability to demonstrate compliance during audits, FDA observations citing inadequate documentation, and potential need for costly revalidation.

Pro tip: Use standardized templates that prompt for all required information and implement review checkpoints to catch documentation gaps before final approval.

How Kneat helps: Kneat’s digital platform enforces documentation completeness through required fields, automated data capture, and built-in review workflows. The system maintains a complete audit trail of all validation activities, including dates, times, and user actions.

Lack of traceability

The mistake: Inability to link validation activities to specific software versions, changes, or device lots affected by validated systems.

Why it happens: Disconnected systems for validation, change control, and configuration management, or inadequate version control practices.

The consequence: Difficulty assessing impact of software issues, inability to demonstrate validation status during audits, and challenges executing effective recalls if needed.

Pro tip: Implement integrated systems that automatically link validation records to software versions, changes, and affected products. Maintain configuration management records that document system state at time of validation.

How Kneat helps: Kneat provides end-to-end traceability from validation protocols through execution to final approval, with automatic linking to software versions and changes. The platform integrates with configuration management systems to maintain complete validation history.

Inadequate monitoring of validated processes

The mistake: Treating validation as a one-time activity without ongoing monitoring to ensure validated processes continue to meet requirements.

Why it happens: Lack of procedures for periodic review, insufficient resources for ongoing monitoring, or misunderstanding of §820.75(b) requirements.

The consequence: Validated processes drift out of specification without detection, potential product quality issues, and FDA observations citing inadequate process control.

Pro tip: Establish periodic review schedules based on system risk and change frequency. Define specific metrics and acceptance criteria for ongoing monitoring.

How Kneat helps: Kneat’s platform supports ongoing monitoring through scheduled reviews, performance metric tracking, and automated alerts when revalidation may be needed. The system maintains complete records of monitoring activities and results.

Missing calibration records

The mistake: Inadequate documentation of calibration activities for automated inspection, measuring, or test equipment, or failure to maintain calibration schedules.

Why it happens: Manual calibration tracking systems, lack of integration between equipment and calibration management, or inadequate procedures.

The consequence: Violation of §820.72 requirements, potential for invalid test results, and product quality issues.

Pro tip: Implement centralized calibration management that tracks equipment identification, calibration dates, performing individuals, and next calibration dates. Display calibration status on or near equipment.

How Kneat helps: Kneat’s equipment management capabilities track calibration schedules, maintain complete calibration records, and provide alerts when calibration is due. The platform integrates calibration management with validation activities to ensure equipment is properly calibrated during validation.

Failure to revalidate after changes

The mistake: Making changes to specifications, methods, processes, or procedures without assessing need for revalidation or conducting required revalidation activities.

Why it happens: Unclear criteria for when revalidation is required, lack of integration between change control and validation, or inadequate change impact assessment.

The consequence: Direct violation of §820.70(b) requirements, potential for undetected software issues, and product quality risks.

Pro tip: Develop clear criteria for determining when changes require revalidation versus verification. Conduct thorough impact assessments for all changes to validated systems.

How Kneat helps: Kneat’s change control workflows include impact assessment steps that evaluate whether revalidation is required. When revalidation is needed, the system automatically initiates validation activities and prevents change implementation until validation is complete.

FAQs

What is the main goal of 21 CFR 820.70(i) – Automated Processes & Software Controls?

The primary goal is to ensure that computer software and automated systems used in medical device production or quality operations perform as intended and do not introduce errors that could compromise device quality or patient safety. The regulation requires manufacturers to validate software for its intended use, validate all changes before implementation, and maintain comprehensive documentation of validation activities. This ensures automated processes meet the same rigorous standards as manual processes and that software reliability is demonstrated through objective evidence rather than assumed.

Does 21 CFR 820.70(i) – Automated Processes & Software Controls apply to SaaS/Cloud systems?

Yes, 21 CFR 820.70(i) applies to all computer software used as part of production or quality systems, regardless of deployment model. Software as a Service (SaaS) and cloud-based systems must be validated for their intended use just like on-premise software. However, the validation approach may differ based on the level of control the manufacturer has over the system. For SaaS systems, validation typically focuses on verifying that the system performs correctly in the manufacturer’s specific use case, confirming vendor validation activities, assessing data security and integrity controls, and establishing procedures for managing vendor-initiated changes. Manufacturers should obtain validation documentation from SaaS vendors and supplement it with user acceptance testing that demonstrates fitness for the specific intended use.

How often is re-validation required under 21 CFR 820.70(i) – Automated Processes & Software Controls?

The regulation does not specify a fixed revalidation schedule. Instead, revalidation is required when changes occur that could affect system performance or when periodic review indicates revalidation is needed to ensure the system continues to meet requirements. Section 820.70(b) requires that changes to specifications, methods, processes, or procedures be verified or validated before implementation. Organizations should establish risk-based criteria for determining when revalidation is required versus when verification or regression testing is sufficient. Factors to consider include the nature and extent of changes, system criticality, change frequency, and results of ongoing monitoring. Many organizations conduct periodic reviews annually or biennially to assess whether revalidation is needed based on accumulated changes and system performance.

Can electronic signatures satisfy 21 CFR 820.70(i) – Automated Processes & Software Controls?

Yes, electronic signatures can satisfy the approval and documentation requirements of 21 CFR 820.70(i), provided they comply with 21 CFR Part 11 requirements for electronic records and electronic signatures. Part 11 requires that electronic signatures be linked to their respective electronic records, include the printed name, date, and meaning of the signature, and be executed by individuals with appropriate authority. The system must also implement controls to ensure electronic signatures are unique to individuals, cannot be reused by others, and are verified at each use. When properly implemented, electronic signatures provide several advantages over handwritten signatures, including improved traceability, reduced documentation cycle times, and enhanced audit readiness. Kneat’s platform includes compliant electronic signature capabilities that meet both 21 CFR 820.70(i) and Part 11 requirements.

Recent Updates & Future Outlook (2024–2025)

The regulatory landscape for software validation continues to evolve as FDA adapts to technological advances and harmonizes with international standards. Several developments are shaping the future of 21 CFR 820.70(i) compliance:

Computer Software Assurance guidance: In September 2022, FDA issued draft guidance on “Computer Software Assurance for Production and Quality System Software” that introduces a more risk-based, streamlined approach to software validation. The guidance emphasizes assurance activities focused on critical software functions rather than comprehensive documentation of all software features. While still in draft form, this guidance signals FDA’s direction toward more efficient validation approaches that maintain patient safety while reducing compliance burden.

 Quality Management System Regulation (QMSR): The FDA finalized amendments to 21 CFR Part 820 in February 2024 to establish the Quality Management System Regulation (QMSR), which became effective on February 2, 2026. The revised regulation incorporates ISO 13485:2016 by reference, aligning U.S. medical device quality system requirements more closely with international standards while retaining FDA-specific provisions where necessary under the Federal Food, Drug, and Cosmetic Act. Although the regulatory structure has changed, the underlying expectations for validating automated processes and software used in production or quality systems remain consistent with the principles historically described in 21 CFR 820.70(i).

Artificial intelligence and machine learning: As AI/ML technologies become more prevalent in medical device manufacturing and quality systems, FDA is developing frameworks for validating adaptive algorithms and continuously learning systems. The agency’s discussion paper on “Predetermined Change Control Plans for Machine Learning-Enabled Medical Devices” provides insights into how validation requirements may evolve for these technologies.

Digital maturity and Industry 4.0: FDA increasingly recognizes that digital technologies, when properly validated and controlled, can enhance product quality and patient safety. The agency’s participation in the International Medical Device Regulators Forum (IMDRF) and adoption of digital health technologies signal continued evolution toward risk-based, technology-enabled compliance approaches.

Enforcement trends: Recent FDA warning letters and inspection observations continue to emphasize software validation deficiencies, particularly inadequate validation protocols, insufficient change control, and poor documentation. These trends underscore the ongoing importance of robust 21 CFR 820.70(i) compliance programs.

For life sciences organizations, these developments present both challenges and opportunities. Companies that embrace digital validation platforms and risk-based approaches will be better positioned to adapt to evolving requirements while maintaining compliance and operational efficiency. Kneat remains committed to staying ahead of regulatory trends, continuously updating our platform to reflect current best practices and emerging guidance, ensuring our customers maintain compliance as the regulatory landscape evolves.