Re-validating revised Medical Device and Aerospace Product COTS software


Quite Involved in Discussions
(Company background: Medical devices and aerospace products)

My company is using a QMS software suite that contains CAPA, Document Control, Nonconforming Material Handling, Training, etc. For the previously installed version, a colleague and I performed a validation on the software. I just recently installed the latest version of the software, which had 3 previous releases that I did not install.

The software company provides a "readme" pdf for each revision which goes through the enhancements and bug fixes. I was going to use this information to re-validate the software to the latest revision. However, upon reviewing the pdf, some of the bug fixes don't make sense to me as a user, most likely because I am not aware of the problem that required these fixes.

I contacted the software company and to make things even more confusing to me they said that some of the fixes would not even apply to my software as they were system dependent (ex. another customer was using a different server setup that caused the problem on their system only).

I am trying to figure out the best way to re-validate the software. I don't want to go through a whole validation again but it almost looks like that is the most efficient way to address the validation process as it is difficult if not impossible to determine what bug fixes actually apply to my system.

Any suggestions or comments on how to go about re-validating COTS software given what I have laid out above?


Super Moderator
At least on the medical device side (can't comment if aero is different), you can limit the scope of the re-validation based on a documented risk assessment. I'll certainly commend you for contacting the vendor and trying to get specific information!

If you can't isolate changes to modules, maybe consider a staged re-validation. Do a "happy path" (very limited) validation just touching each module. If any of the modules are specifically affected or if they are particularly high risk, maybe expand the testing a bit in those areas. Evaluate the results and if all is good, call it re-validated; otherwise, investigate any anomalies and expand the testing accordingly.

As a further risk mitigation, maybe conduct spot reviews after you deploy the new release and see if all is working well. You can define that as a time period or set of activities. Kind of a parallel re-validation. Of course, if you found any anomalies during this period, you'd need to do a deep dive.

Of course, all this is predicated on your procedures allowing it. If your procedures require a full re-validation then that's what you should do.

Document your decisions and provide the rationale, do some level of testing, and document any monitoring you do. I would think that would demonstrate due diligence.


Super Moderator
Oh, be sure to document your analysis of the issues as part of the validation report.