Another item the FDA has started discussing more in the last few years, in conjunction with the ISPE GAMP v5 Guidance, is the concept of risk and risk-based validation. One thing to consider with operating system and antivirus updates is the relative risk of having, for example, a security problem or a virus vulnerability in a system. Sometimes the risk introduced by the update is greater than the original risk to the system itself, and sometimes the reverse is true. Some companies have the luxury of staff dedicated to network and server infrastructure qualification. They can insulate operating systems from the software validation itself, with that staff responsible for making sure the systems are kept current with security and antivirus updates. As a general practice, companies should run a small set of standard regression tests, either triggered by operating system or antivirus updates or simply on a periodic basis, to make sure that the changes have no adverse impact on the system.