This goes back to the due diligence aspect of the validation process. If you’re purchasing two products that both fall under the 21 CFR Part 11 compliance regulation, the due diligence of the vendor is really at the vendor level, so you’re really identifying the processes that the vendor has across their software development lifecycle. Typically, that vendor audit is going to be something that you use across products, so that will be a one-time audit that you need to do initially to ensure the vendor has the correct SOPs in place and their manuals and procedures are up-to-date and all of them are applicable to your intended use of the system. From there, you can refer back to that vendor audit and ensure that’s what you’re using for the next product you purchase from that vendor.
Of course, there’s always a time component to any type of audit. So, it’s always good to review those audits, especially if you’re purchasing a new product, to ensure you’re linking the new validation packet to the previous audit you had conducted in some traceability matrix or traceability form. It’s also good to conduct an annual review to ensure you’re notified of any process changes for items like their backup and disaster recovery plan, so you both stay on the same page.