Response to a question received on one of my webinars on V& V:

My response:

“John, I understand the concept of "Freeze changes" for the Validation Planning, but does "Freeze" mean absolutely no changes, or are minor changes which do not impact on safety and effectiveness permissible?  I struggle with this part of validation, because there is never perfect information at the start of a validation.  No argument that the changes must be frozen but let me give some examples:

  

 During a mixing step for a liquid bulk reagent, one step states to mix at room temperature for 15 - 30 minutes.  If it turns out that this time interval is not convenient, and objective data can be used to justify a change, could the mix at room temperature be revised to stir for at least 15 minutes, but no more than 10 hours?

1. A raw material is stored frozen, until time of use, and then it is thawed the night prior to the liquid bulking process.  Again, if objective data can be used to justify the change, and it is known the material thaws to room conditions within 3 hours, can the procedure be revised to thaw the material, and the material may be used within 10 hours.

Revising a protocol will cause a new revision level, which immediately catches attention with QA, who insists the revision level is not permissible as part of the validation.  Again, the changes can be mitigated as not impacting on product design.

 

Thank you for any thoughts and suggestions.”

 

ANS: I won't comment on your specifics as I would have to know more, and that becomes a consulting project.  However, some basics:

•  The definition of "change" should be in your company's SOP. In your example, some questions - "What is room temperature?"  "Thaws within 3 hrs?" Acceptable for use "within 10 hrs"?, etc. Changes of any sort would need to be verified / tested, as the very least in a lab book, for your "objective evidence".  Temp at freezing, and thawed should be defined / repeatable / verified by instrumentation, everything verified. 
• Not sure what you mean by "changes can be mitigated as not impacting on product design" - that's not a complete CGMP definition of change. Many CGMP-defined controlled changes do not impact product design, yet must be controlled, or otherwise can lead to the FDA's claim of "adulterated product", in this case meaning that a review of an SOP, et al, to see what was done to a lot/batch, may not indicate what actually was done at some point in time when that specific revision was in effect.
• Of course a change requires validation to make sure the change does what it should and doesn't do what it shouldn't (no unintended consequences) and a document(s) revision if controlled/CGMP as all changes should be.  E.g., every statement in para 1b above would need to be verified or validated (tested/proved) that the requirement(s) were each met / achieved. Even the statement "It is known" is not true of itself and  also needs what it refers to, to be proved / verified to truly be "known".
• Changes should be accomplished before validation, which includes the subsequent change in the revision level of any impacted documentation by said change, the point I made in the webinar and the whole point of this discussion, as the question being resolved is "what is it you're validating, and why validate something that is being changed, before the change occurs, waste of time and money and resulting in a meaningless validation.".

- JEL@jelincoln.com  03/03/2026

The FDA's New CSA (Computer Software Assurance) requirements

The New CSA requirements per the FDA's new guidance document can be summed up as follows:  Computer software assurance focuses on preventing the introduction of defects into the software development cycle and it encourages the use of a risk-based (patient / user) approach to establish confidence that software is fit for its intended use.

- jel@jelincoln.com  02/12/2026

Ques:  "We had a question from the previous webinar on IQ, OQ, PQ:

 

“Mr. Lincoln, what if a validated commercial software was originally validated using a software system that is no longer supported by the software company and/or the commercial software has been updated.  Does the validation have to be repeated?  For example, Microsoft Version 7 was used as part of the validation process for Lab Solutions, a system software used to support Shimadzu spectrophotometers.  This was completed in 2007.  In 2026 Microsoft no longer supports Version 7 and/or Shimadzu has updated the Lab Solutions software.  What needs to occur to avoid a 483 observation during an audit? ” 

 

ANS: These situations happen frequently. Usually as part of your annual QMS Review. you consider the status of existing V&V's, and that would apply here.  If nothing has changed in terms of the validation's issues being resolved by the validation, that the resolution / answers are still valid, then the version or updates involved in components of the V&V would not be an issue - that's basically the 'bottom line'. 

On the other hand, if the updates / obsolesce, et al, was due to any inherent defect in the supporting test mechanisms, then there is an issue, and a possible re-verification or re-validation may be required, and any additional follow-ups to remediate any product affected may need to be addressed, depending upon Failure Investigation / Root Cause Analysis findings. Ditto if there's any negative trends / irregularities in the data provided by the spectro system, per your NCMR / CAPA system. 

You should call out this analysis and results in your QMS management review documentation, whether done now or as part of any upcoming annual review, and revisit as necessary in the future, if necessary per the above.

- jel@jelincoln.com 02/10/2026

 FDA Town Hall – Quality Management System Regulation: Risk and Design and Development,   01/14/26, Wednesday, 2:00 PM ET,  US FDA, ~1 hour

I just attended an FDA Teams audio presentation on the new QMSR to be implemented on February 02, 2026, by all Medical Device Companies selling product in the US.  

Some key takeaways:

-  Risk management is an important part of the new QMSR / ISO 13485: 3.17, 3.18, 4.1.2(b), 7.1, 7.3, and 7.4;

-  Design and Development ( the old Design Control) is an important component of risk management; or rather Risk Management (and, if necessary, Use / Human Factors Engineering) are an important part of Design Control; 

-  The FDA expects that the design review team(s) have independence for decision making;

-  ISO 14971 or a similar risk management system should form the basis of the QMS / device risk       

   management activities, especially pertaining to QA/QC, Production and Purchasing; 

   Note that harm (to patient / people is the focus of FDA's/ISO 14971's requirements, not financial /  

   scheduling / business risks; 

-  Design control is not retroactive for devices;  only a requirement for devices designed or changed since 

   October 1997 (when 820.30 Design Control was implemented);

-  Changes to a device can be documented in the DHF or under the company's CGMP change control   

   system;

-  The DHF or applicable product documents (and risk management documents) should be reviewed 

   periodically or when a new risk is   

   determined, and updated / addressed accordingly;

-  Ditto the risk management elements of the QMS (and the Device Risk Management file);

-  The FDA does not expect companies to change existing historical documents (e.g., DHFs, archived  

   documents) to reference the new changes, references, terminology.    

One key point that was not addressed was the Final Rule / Preamble emphasis that the QMSR is not intended to, nor does it substantially change the QMS of the old QSR, that ISO 13485 meets the basic requirements of the old 21 CFR 820, except for a change in references (generally from 820 to ISO 13485),  some terminology changes, and a few legal requirements unique to the USA as required in the FD and C Act, under which the FDA acts, addressed in the new 820, Subparts A and B. 

A transcript of the meeting should be available on fda.gov in approximately 2 weeks.  

-  jel@jelincoln.com 01/14/2026

Some grammatical changes to para. 3. - JEL 02/19/26

- added last comment to 2nd bullet point above, " or rather..." ; and diagrams below - JEL, 02/24/26 

US FDA’S QUALITY MANAGEMENT SYSTEM REGULATION (QMSR, 21 CFR PART 820)

NEW COMPLIANCE INSPECTION / AUDIT MODEL (replacing QSIT), dated 02/02/2026

  

   OAFR’s:

  MDRs;

      Reports of Corrections and

            Removals; 

       Medical Device Tracking

            Requirements;

       Unique Device Identification