Questions Received From One of My Recent Webinars on Software V&V:

My responses:

 Q1. Do we need to define and perform periodic validation, or is it mainly an analysis to determine whether changes have occurred that require re-validation?  

ANS:  I believe I mentioned that I don't believe in calendar-scheduled revalidation, nor are they required by regulators.  There should be a periodic re-evaluation for any changes that require a re-validation, e.g., physical move, major repairs, etc., documented if the decision is to not revalidate.  You can also set up systems to maintain equipment in a validated state (challenged, recorded in a log, lot records, or...)  All allowed by the FDA

 

Q2. If we are using COTS software with low risk, can we skip the validation process?

ANS:  No.  FDA has stated that software is a risk-based activity, that's patient/user risk per ISO 14971, documented.  Some validation is necessary for all COTS (all software), at least to verify that it meets your / regulatory needs / requirements, that it does what it should do and doesn't do anything it shouldn't - no unintended consequences.  And Part 11 is mandatory if the COTS is used for CGMP compliance records/sigs. Ditto Cybersecurity, if software can be or is connected to the Internet (including by flash drive, CD-0ROM...). Any V&V done by the vendor, if you have access to it, can be used to reduce what you need to supplement it in your test documentation.

 

Q3. When using SaaS for testing activities (e.g., test tools), where we do not have control over vendor-driven version changes, how can we maintain a validated state? This is especially relevant when vendors provide advanced features but are not specifically focused on the medical device industry.

ANS:  Such vendor change control reporting is a problem in all industries, and especially with cloud-based software.  You're going to have to 1) try to select companies willing to commit to such change notifications, 2) put such requirements in contracts, POs, etc., 3) set up systems to catch changes when such are implemented without notification (common with software changes), 4) shift to CGMP/ISO compliant-vendors, or those who want to be to be more competitive.  Failure to do so will jeopardize $1000's in past validations, put you in conflict with the CGMPs, et al.  This is an on-going problem, and not just with our industry. 

 

Q4. How detailed should a test report be? We conduct multiple V&V rounds for both feature and regression testing, resulting in very detailed test steps. If we generate a final report, it can run into hundreds of pages with step-by-step pass/fail analysis. Is it acceptable to provide a summarized report instead of including detailed step-by-step results to keep the document concise?

ANS:  It should be patient/user risk- based for amount of detail / length.  Don't make the mistake of a "one-size fits all" software V&V test report SOP, which I see all too often with companies. I don't see how a summarized report saves anything if it's a summary of more extensive tests. Obviously 100's of pps should not be necessary for a PLC conveyor system validation or similar, but would be for a cancer drug pump. They can be large multi-page reports for complex, high risk (to people) systems/equipment, or a few pages in a Lab Book for low risk, and/or less complex systems.  They should all have enough information to allow replication:  Project/test No., Title, Purpose/Scope, Approvals, pre-determined acceptance criteria, Materials used in test( P/Ns, Descrip.,  Lot No., qty...) , Equipment used (Equip/Asset No., S/N, Descrip., ...), test set up descrip'n, diagrams...), Requirements/needs to be V&V's, test cases addressing each requirement, results (filled in test cases / data), conclusions (results compared to pre-determined acceptance criteria), Post-Approvals, Appendix -- expand / contract based on risk.   

 

Hope that answers the questions.

-- jel@jelincoln.com  04/28/2026

-- Minor clarifications, Q1 & Q2, 04 /29/26 - JEL

 Some "Test Case" Examples:

Each test case should be based on the test subject's requirements / needs (customers, Standards, legal, manufacturing capabilities, et al) that are being tested (verified / validated)

                                                                            OQ:

PQ:

Include on Each PQ Sheet (2nd Test Case for 

software, i.e., UPS, generator tests):

-- Added Test Case Titles, 04/29/26 - jel@jelincoln.com

- jel@jelincoln   04/27/2026

 Recommended In-House Test Format:

Your in-house test documentation should be structured as follows, each test in a formal document / Test Report or Lab Book, preferable per an SOP on testing, as follows:

• Title;
• Test Number, date(s);
• Description, Scope, Purpose...;
• Pre-approvals signatures/dates, including Tester, Verifyer/QC;
• Material (Description, Part Numbers, Quantity, Lot Numbers...);
• Test Equipment (Description, Asset No., Item No., Serial Numbers... (as appropriate));
• Test Set-Up (Drawings, Schematics, Photos, Diagrams, etc.);
• Predetermined acceptance criteria / expectations;
• Test Requirements;
• Test Cases / Protocol (at least one for each requirement, single or in combination);
• Results (filled in test cases, data);
• Conclusions (how test cases fulfilled pre-determined acceptance criteria ("pass/fail"));
• Post approvals, including tester, Verifyer/QC. 
• Appendix, as needed.

 Include enough information to allow the test to be replicated and obtain similar results. 

- jel@jelincoln.com  04/27/2026

 Response to a question received on one of my webinars on V& V:

My response:

“John, I understand the concept of "Freeze changes" for the Validation Planning, but does "Freeze" mean absolutely no changes, or are minor changes which do not impact on safety and effectiveness permissible?  I struggle with this part of validation, because there is never perfect information at the start of a validation.  No argument that the changes must be frozen but let me give some examples:

  

 During a mixing step for a liquid bulk reagent, one step states to mix at room temperature for 15 - 30 minutes.  If it turns out that this time interval is not convenient, and objective data can be used to justify a change, could the mix at room temperature be revised to stir for at least 15 minutes, but no more than 10 hours?

1. A raw material is stored frozen, until time of use, and then it is thawed the night prior to the liquid bulking process.  Again, if objective data can be used to justify the change, and it is known the material thaws to room conditions within 3 hours, can the procedure be revised to thaw the material, and the material may be used within 10 hours.

Revising a protocol will cause a new revision level, which immediately catches attention with QA, who insists the revision level is not permissible as part of the validation.  Again, the changes can be mitigated as not impacting on product design.

 

Thank you for any thoughts and suggestions.”

 

ANS: I won't comment on your specifics as I would have to know more, and that becomes a consulting project.  However, some basics:

•  The definition of "change" should be in your company's SOP. In your example, some questions - "What is room temperature?"  "Thaws within 3 hrs?" Acceptable for use "within 10 hrs"?, etc. Changes of any sort would need to be verified / tested, as the very least in a lab book, for your "objective evidence".  Temp at freezing, and thawed should be defined / repeatable / verified by instrumentation, everything verified. 
• Not sure what you mean by "changes can be mitigated as not impacting on product design" - that's not a complete CGMP definition of change. Many CGMP-defined controlled changes do not impact product design, yet must be controlled, or otherwise can lead to the FDA's claim of "adulterated product", in this case meaning that a review of an SOP, et al, to see what was done to a lot/batch, may not indicate what actually was done at some point in time when that specific revision was in effect.
• Of course a change requires validation to make sure the change does what it should and doesn't do what it shouldn't (no unintended consequences) and a document(s) revision if controlled/CGMP as all changes should be.  E.g., every statement in para 1b above would need to be verified or validated (tested/proved) that the requirement(s) were each met / achieved. Even the statement "It is known" is not true of itself and  also needs what it refers to, to be proved / verified to truly be "known".
• Changes should be accomplished before validation, which includes the subsequent change in the revision level of any impacted documentation by said change, the point I made in the webinar and the whole point of this discussion, as the question being resolved is "what is it you're validating, and why validate something that is being changed, before the change occurs, waste of time and money and resulting in a meaningless validation.".

- JEL@jelincoln.com  03/03/2026

The FDA's New CSA (Computer Software Assurance) requirements

The New CSA requirements per the FDA's new guidance document can be summed up as follows:  Computer software assurance focuses on preventing the introduction of defects into the software development cycle and it encourages the use of a risk-based (patient / user) approach to establish confidence that software is fit for its intended use.

- jel@jelincoln.com  02/12/2026

Ques:  "We had a question from the previous webinar on IQ, OQ, PQ:

 

“Mr. Lincoln, what if a validated commercial software was originally validated using a software system that is no longer supported by the software company and/or the commercial software has been updated.  Does the validation have to be repeated?  For example, Microsoft Version 7 was used as part of the validation process for Lab Solutions, a system software used to support Shimadzu spectrophotometers.  This was completed in 2007.  In 2026 Microsoft no longer supports Version 7 and/or Shimadzu has updated the Lab Solutions software.  What needs to occur to avoid a 483 observation during an audit? ” 

 

ANS: These situations happen frequently. Usually as part of your annual QMS Review. you consider the status of existing V&V's, and that would apply here.  If nothing has changed in terms of the validation's issues being resolved by the validation, that the resolution / answers are still valid, then the version or updates involved in components of the V&V would not be an issue - that's basically the 'bottom line'. 

On the other hand, if the updates / obsolesce, et al, was due to any inherent defect in the supporting test mechanisms, then there is an issue, and a possible re-verification or re-validation may be required, and any additional follow-ups to remediate any product affected may need to be addressed, depending upon Failure Investigation / Root Cause Analysis findings. Ditto if there's any negative trends / irregularities in the data provided by the spectro system, per your NCMR / CAPA system. 

You should call out this analysis and results in your QMS management review documentation, whether done now or as part of any upcoming annual review, and revisit as necessary in the future, if necessary per the above.

- jel@jelincoln.com 02/10/2026

 FDA Town Hall – Quality Management System Regulation: Risk and Design and Development,   01/14/26, Wednesday, 2:00 PM ET,  US FDA, ~1 hour

I just attended an FDA Teams audio presentation on the new QMSR to be implemented on February 02, 2026, by all Medical Device Companies selling product in the US.  

Some key takeaways:

-  Risk management is an important part of the new QMSR / ISO 13485: 3.17, 3.18, 4.1.2(b), 7.1, 7.3, and 7.4;

-  Design and Development ( the old Design Control) is an important component of risk management; or rather Risk Management (and, if necessary, Use / Human Factors Engineering) are an important part of Design Control; 

-  The FDA expects that the design review team(s) have independence for decision making;

-  ISO 14971 or a similar risk management system should form the basis of the QMS / device risk       

   management activities, especially pertaining to QA/QC, Production and Purchasing; 

   Note that harm (to patient / people is the focus of FDA's/ISO 14971's requirements, not financial /  

   scheduling / business risks; 

-  Design control is not retroactive for devices;  only a requirement for devices designed or changed since 

   October 1997 (when 820.30 Design Control was implemented);

-  Changes to a device can be documented in the DHF or under the company's CGMP change control   

   system;

-  The DHF or applicable product documents (and risk management documents) should be reviewed 

   periodically or when a new risk is   

   determined, and updated / addressed accordingly;

-  Ditto the risk management elements of the QMS (and the Device Risk Management file);

-  The FDA does not expect companies to change existing historical documents (e.g., DHFs, archived  

   documents) to reference the new changes, references, terminology.    

One key point that was not addressed was the Final Rule / Preamble emphasis that the QMSR is not intended to, nor does it substantially change the QMS of the old QSR, that ISO 13485 meets the basic requirements of the old 21 CFR 820, except for a change in references (generally from 820 to ISO 13485),  some terminology changes, and a few legal requirements unique to the USA as required in the FD and C Act, under which the FDA acts, addressed in the new 820, Subparts A and B. 

A transcript of the meeting should be available on fda.gov in approximately 2 weeks.  

-  jel@jelincoln.com 01/14/2026

Some grammatical changes to para. 3. - JEL 02/19/26

- added last comment to 2nd bullet point above, " or rather..." ; and diagrams below - JEL, 02/24/26 

US FDA’S QUALITY MANAGEMENT SYSTEM REGULATION (QMSR, 21 CFR PART 820)

NEW COMPLIANCE INSPECTION / AUDIT MODEL (replacing QSIT), dated 02/02/2026

  

   OAFR’s:

  MDRs;

      Reports of Corrections and

            Removals; 

       Medical Device Tracking

            Requirements;

       Unique Device Identification