Consider a system that includes a computer (running Windows OS) on which software is installed to run a (low-risk) medical device. As we all know, Microsoft issues Windows patch updates on a regular basis (daily/weekly), and major revisions or new versions approximately bi-annually. The ideal-world expectation that device software is revalidated following any changes to Windows OS quickly becomes unreasonable in most cases.
I would expect that validation efforts should be commensurate with the risk involved. But in a recent inspection, our claim that even in the worst-case of software failure there is no risk was insufficient justification for lack of documented revalidation of software following Windows updates.
So my questions are:
I would expect that validation efforts should be commensurate with the risk involved. But in a recent inspection, our claim that even in the worst-case of software failure there is no risk was insufficient justification for lack of documented revalidation of software following Windows updates.
So my questions are:
- Are there any FDA documents that explicitly tie scope of validation efforts to risk? I'd like some authoritative ammunition to argue our position.
- How do others handle Windows updates and revalidation of device software? The inspector said we should have a process for revalidating software before users may install Windows updates. How is this possible?