COTS Software Upgrades

I have a fully validated configurable COTS software system, but I’m struggling with how to organize the change control documents so that all of the employees of our numerous facilities can find things easier.

When the vendor releases a major upgrade (version 5.x to version 6.x for example), we perform a risk assessment, regression testing, IQ, etc. before using it in the Production environment. Should this paperwork be kept with the other less significant change control documents (configuration changes requested by the system owner, bug fixes, etc.)?

Currently, I keep the two types of documents (upgrades vs changes) in separate binders but that makes it tough to get a good chronological picture of all the changes made to the system. In other words, should major vendor upgrades be considered just another change to the system and lumped (in chronological order) with the other changes?

The downside to lumping them together is that auditors want to see when certain versions were installed. (That’s when they think the system should be “re-validated” - a term I don’t use). This makes it harder to find the upgrade documents.

I am familiar with the terms updates (minor changes, maintenance releases) and upgrades (major releases). I have encountered several (more than 10) updates but only TWO upgrades per year for the COTS software that I have dealt with.

Since upgrades do incorporate updates, your IQ at upgrade should have sufficient evidence of all the changes that have happended. You, in fact can then comforatably put away (file aside) the IQ’s done at updates. And not worry about them at the audit!

BTW, I would like to hear on your recipe of FULLY validating COTS software!

Hmm… thought I posted yesterday but I do recall a server hiccup. I’ll try again.

My first question would be why all employees at various facilities would need access to your change control documents?

That aside, you should organize things to help YOU. If you can do things that facilitate auditing (e.g., post it notes on key pages or an index) then all the better. I would indeed think keeping the data in chronological order provides the best opportunity for you to manage the data but if you can do so with 2 sets of books (boy, that sounds bad, doesn’t it?), then that’s fine.