Is Software Validation Needed When Upgrading an Operating System?

Our company is a pharmaceutical production plant.
We are planning to upgrade the operating systems on most P.C.s from Windows XP to Windows 7.
The systems were qualified by a validation process based on the OS being Win XP.

What actions should be taken in order to keep the systems qualified after upgrading to Win7 OS?

For OTS systems- Is a supplier declaration that the system is compatible to Windows 7 enough to keep the system in a validated state?

Hi gabi:

You have to perform a risk assessment in which you have to demonstrate, that all the requirements for each OTS system are met despite the OS, if so then, you’re done, but if don’t, you have to identify the critical points for each OTS system and perform a verification in order to ensure the compliance with predicate rules, and requirements.

Hope this help.


[quote=gabrielgarate]Hi gabi:

you have to demonstrate, that all the requirements for each OTS system are met despite the OS

Well, how do you get that demonstrated? Theoretically, on paper? Not sure that will be well perceived by an auditor…
I would recommend to Gabi to perform some testing. Based on the initial risk assessment, you should select tests pertaining to the most critical functions from the original OQ test plan.That selected set of tests will be considered as “regression tests” and should be executed after OS migration in order to demonstrate the OS change has no adverse impact / regressive effect on your system. Also some sort of IQ should be carried out upfront to document the change of OS and check basic IT fincutinalities are still OK. Hope this will help, best regards.

Wait a second here. Before you go and blast the idea of performing a paper based risk assessment in lieu of creating some testing just to say you ran some tests, take a read of any of the new guidance coming from the agencies. There is a growing trend with the agencies to rely on the use of Risk Based Approach wherein if you can appropriately assess and understand the risks involved and your plans to mitigate them, you can indeed make this a paper exercise. It is all in how you document it and you understanding of the requirements. Please start reading the current guidance documents and not just stay with what has been done since the introduction of the green screen. That is why there is a little “c” in cGMP.

1 Like

Personally, I’m not sure that doing a risk assessment and calling it good really meets the concept of “risk based validation”. What you should do is assess the risks to your systems that result from the upgrade and do appropriate testing, if any, based on identified risks.
However, it is extremely difficult to identify risks associated with an operating system upgrade unless you have a Microsoft guru on staff. For that reason, I recommend some regression testing based on your highest risk requirements (usually business- or GxP-critical).

1 Like