I work in the pharmaceutical industry and as part of my role I audit company validation documents for computerized system. For guidance on this issue I find ‘GAMP guide for validation of automated systems, published by ISPE’ a particularly useful document.
The criticality of software can be categorized into 5 distinct categories as follows (5 being the most critical) in my experience depending on what the databases are used for they would either be a category 3 or 4.:
GAMP Software Category 5- Custom (Bespoke) Software
Example software
Software designed to client needs e.g. PLC
GAMP Software Category 4 Configurable software
Customized application software
GAMP Software Category 3 Commercial off the shelf
Standard application software. ‘Source code not supplied’ / established customer base
GAMP Software Category 2 Firmware
Process instruments (controlling or recording e.g. temperature, pressure or conductivity)
GAMP Software Category 1
Operating systems Windows, DOS, Unix
The criticality drives the scope of validation activity for the software. For category 3 software in the operating environment I would expect to see SOP’s for:
• Versions-should be standard
• Control over access and use
• Control over profiles (e.g. user, admin)
• Compatibility with O/S and applications
In the development environment
• Predefined requirements / design
• Experience of supplier to pharmaceutical industry
• History / pedigree
• Knowledge base
• Support levels
• QA accreditation / Questionnaire
For category 4 software in the operating environment I would expect to see SOP’s for:
As Cat. 3 and
• Configuration management
• Patches and upgrades / impact on other modules
• Control over access and use
In the development environment
• Full lifecycle development and risk assessments
• Experience of supplier to pharmaceutical industry
• QA accreditation / Questionnaire / Audit
• History / pedigree / software std. modules
For the SDLC (software development lifecycle) again depending on the scope of the system the documents I would expect to see would be as per the validation V model.