Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Hello,

Does anyone have a suggestion for how to handle validation for off-the-shelf software versions?

We were several versions behind (12) on a software and now wish to implement the current version.  The list of changes from the software developer are >100 pages, so almost impractical to review change-by-change.

I helped a client recently resolve a nonconformity that was issued when the client had lost pace with OTS software version updates that were being automatically pushed from the software vendor.  I hate to break some bad news, but regulatory bodies like the U.S. FDA, European Notified Bodies, Health Canada, etc., think that medical product quality management systems (including requirements for product, quality system, and process software validation) are essential for ensuring public health.  So those obligations need to be taken very seriously.

Accordingly, all changes (either individually or collectively) made for validated software need to be assessed for impact, followed by appropriate revalidation considerations made commensurate with risk and complexity.  Bodies like the FDA or a Notified Body won't be receptive (putting it lightly) to a mindset asserting that there are too many changes to warrant proper validation considerations.  It may be possible in some circumstances to create some margin for ourselves regarding lower-risk applications, but that can be dicey.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, Canada, U.S.)
Principal Consultant
Ridgway, CO
United States
© Copyright 2021 by ComplianceAcuity, Inc. All rights reserved.
------------------------------

Original Message:
Sent: 19-Aug-2021 14:00
From: Anonymous Member
Subject: off-the-shelf software validation for version updates

This message was posted by a user wishing to remain anonymous

Hello,

Does anyone have a suggestion for how to handle validation for off-the-shelf software versions?

We were several versions behind (12) on a software and now wish to implement the current version.  The list of changes from the software developer are >100 pages, so almost impractical to review change-by-change.

Hi Anon,
there is lots of guidance and standards out there for CSV.    You can check out the FDA GPSV guidance, 21 CFR part 11 (if applicable), AAMI TIR36, and AAMI/ISO TIR 80002-2.   I'm med device focused, so those are the ones i go to. 
if you are in the Pharma world check also check out GAMP5.  GAMP5 is useful in the medical device world too with respect to their classification of the different software types such as OTS SW.  But besides that i consider it limited for medical devices.

in the scenario, you describe above.  Sounds like you are best to just execute  a new validation for the new version of the software.  

hope this helps
Seb

------------------------------
Sebastian Clerkin
Consultant
Cork
Ireland
------------------------------

Original Message:
Sent: 19-Aug-2021 14:00
From: Anonymous Member
Subject: off-the-shelf software validation for version updates

This message was posted by a user wishing to remain anonymous

Hello,

Does anyone have a suggestion for how to handle validation for off-the-shelf software versions?

We were several versions behind (12) on a software and now wish to implement the current version.  The list of changes from the software developer are >100 pages, so almost impractical to review change-by-change.

This question is covered in an FDA guidance document. There are several software guidances that are helpful and that you should have in your library. Can't remember the exact title on this one and presently on vacation without access to my files (purposely).  But I have referred to these guidances often and find them useful, even though they are now a bit dated. And the author, John Murray has retired from FDA, but he always provided good, useful information. 

it may have been "General Principles of Software Validation" or something like that. 

------------------------------
Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
Principal Consultant
Overland Park KS
United States
elb@edwinbillsconsultant.comPrincipal Consultant
------------------------------

Original Message:
Sent: 19-Aug-2021 14:00
From: Anonymous Member
Subject: off-the-shelf software validation for version updates

This message was posted by a user wishing to remain anonymous

Hello,

Does anyone have a suggestion for how to handle validation for off-the-shelf software versions?

We were several versions behind (12) on a software and now wish to implement the current version.  The list of changes from the software developer are >100 pages, so almost impractical to review change-by-change.

Hello,

Already some good advice concerning information about OTS software and CSV software.  To answer your original questions about the 100+ pages of changes, indeed the expectation from a regulatory perspective is keeping up to date.  The best approach for all of those changes are to create a risk-based approach to the changes where each change could be "ranked" depending on the impact, severity, or relationship to data integrity.  Generally there are many changes which are minor or low impact so these can be graded easily.  The time you would want to spend is on those changes which have a larger impact and should have documentation or justification on how they impact your QMS/product.  This could easily be done in say an Excel spreadsheet or similar.

------------------------------
Richard Vincins RAC
Vice President Global Regulatory Affairs
------------------------------

Original Message:
Sent: 20-Aug-2021 06:50
From: Edwin Bills
Subject: off-the-shelf software validation for version updates

This question is covered in an FDA guidance document. There are several software guidances that are helpful and that you should have in your library. Can't remember the exact title on this one and presently on vacation without access to my files (purposely).  But I have referred to these guidances often and find them useful, even though they are now a bit dated. And the author, John Murray has retired from FDA, but he always provided good, useful information. 

it may have been "General Principles of Software Validation" or something like that. 

------------------------------
Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
Principal Consultant
Overland Park KS
United States
elb@edwinbillsconsultant.comPrincipal Consultant

Original Message:
Sent: 19-Aug-2021 14:00
From: Anonymous Member
Subject: off-the-shelf software validation for version updates

This message was posted by a user wishing to remain anonymous

Hello,

Does anyone have a suggestion for how to handle validation for off-the-shelf software versions?

We were several versions behind (12) on a software and now wish to implement the current version.  The list of changes from the software developer are >100 pages, so almost impractical to review change-by-change.

This message was posted by a user wishing to remain anonymous

I was just watching this video by Christian Kaestner on Off-the-Shelf software. Doesn't answer your question directly, but is quite well done and on this topic of OTS and SOUP: https://youtu.be/KLd4MFBYZn0
Original Message:
Sent: 19-Aug-2021 14:00
From: Anonymous Member
Subject: off-the-shelf software validation for version updates

This message was posted by a user wishing to remain anonymous

Hello,

Does anyone have a suggestion for how to handle validation for off-the-shelf software versions?

We were several versions behind (12) on a software and now wish to implement the current version.  The list of changes from the software developer are >100 pages, so almost impractical to review change-by-change.