Software validation - Off The Shelf Software - Web hosted

#1
My company has several OTS Software we use in our QMS processes. We perform software validation on the majority of the Software systems based on risk and requirements. When validation is performed we document the software version number. When software versions are updated, we re-evaluate to determine if validation is required.

However, most of these OTS software are web-based, meaning they don't have a standard version release periodically with a change notification from the vendor. These web-based software providers update the software monthly with release notes only, no version number, or change notification.

How do others manage software validation for software providers that update software monthly without notifications?
 

yodon

Leader
Super Moderator
#2
First off, what is the risk of those applications failing due to the "uncontrolled" upgrades? If not 'low' then maybe the application is not appropriate.

If the risk is tolerable, I would suggest you monitor (weekly?) for release notices and, when found, do the evaluation to determine if you're still in a validated state or if actions are required to bring you back into a validated state.

Of course, document everything.
 

MC Eistee

Starting to get Involved
#3
What I experienced is that it is sometimes hard to go through all the change notes and figure out whether it does have an impact or not.

If you are lucky the monthly changes are already clustered into different categories, e.g. bug fixes, security updates, functional updates. Bug fixes and security updates are usually not meant to change existing functions so the critical part is to look into the functional updates. Still, the functional updates can also be too many to actually look through or too hard to understand.
Then it comes back to basic validation. During validation you should have identified the requirements that are higher than just low risk. So you would need to look into them right after the updates.
 

Enternationalist

Involved In Discussions
#4
We used some services like this, and came across similar difficulties. Changes were pushed to us with no ability to hold off or negotiate.

First part of the answer (for us) was to ensure contracts and agreements with those providers were adequate (i.e., see if you can get particular terms and conditions that protect you from the effects of changes, as well as sufficient advance warning of the releases). Depending on their policies, you might be able to make some risk-based ruling (e.g. minor software releases might only need low effort, while major version changes might require some re-testing).

A second part of the answer was to ask the provider to provide us copies of their internal validation documents when they make a new release - you still have to conduct activities to maintain the validated state, but you can lower the risk and effort required by accepting existing documentation where reasonable.

The third part was heavily risk-based activities - take a frank risk assessment of the application of the software, and determine what (if any) features could be modified with negligible risk, and allow those changes to not disrupt the validated state unless some particular problems are identified. We would further define which of the software's interfaces were critical. When changes came out, we would implement additional risk controls on those interfaces to keep outputs valid while our detailed validation documentation caught up, without having to stop using the software. (e.g., if the software automatically adds some marking to one of your documents, you might temporarily have quality staff manually verify that output on documentation until the re-validation is complete).

I hope that your usage is sufficiently low-risk; even with the above methods of keeping the work reasonable, it takes a surprising amount of resources to genuinely maintain validated states on continuously updated software. If the application is very low risk, you would want to justify a low level of effort unless some problem were observed - if the application is quite high risk, you may want to consider a more stable service.
 

Enternationalist

Involved In Discussions
#6
Isn't the whole point in validating something making sure that stuff is actually what it's meant to?
Of course - I think MC wasn't implying that you wouldn't look at those updates, but that you would apply greater scrutiny and priority to more major functional changes (just as you would with any change impact assessment), since the risk of those affecting your application of the software is basically greater. Or at least that's what I imagine they meant!
 