We have a SCADA/PLC system and it is a Bespoke System, for CSV is it necesary the full documentation of SDS/SMDS? I mean, things like pseudocodes, data types, error handling, data checking, etc.

The system was made by a provider and we don’t recieve a complete SDS/SMDS documentation.

I will apreciate if you can help me.


Did you do a risk assessment of the system? Did you document what life cycle documents that you do have or will have? For a bespoke system I would make sure that my supplier assessment was completed in great detail. Especially about the supplier Quality Program and programming standards.


Well, I have to say that we are a maxican company, and we have a new specifications from our regulatory agency “Secretaria de Salud” for cumputer systems, now we have to do a CSV and we are new on this task.

We didn’t do any risk assessment for this implementation, and we didn’t do any supplier assessment, for Life Cycle we have:

  • URS.
  • Functional Specifications.
  • Software code.
  • Languages and versions.
  • Documentation for software design, but not complete to comply with SDS/SMDS.
  • Documentation for hardware design.
  • IQ/OQ documentation.

But the new specifications from our regulatory agency are very similar to the FDA’S, thats why we are trying to comply with GAMPS, also because in the future we want to export to USA.

There are some documentation that we no longer have like supplier assessment, but do you recomend to do a risk assessment and make a new validation for all the system? or what is your recomendation?


According to GAMP, the complete lifecycle documentation is recommended for the Bespoke systems, however the risk based approach will be useful determine the level of documentation.

The validation of SCADA/ PLC based systems will require a design documentation. but what you have to document under the design documentation will depend upon the GxP risk, the system complexity and the suppliers maturity and support on these systems.

If you can provide more detail (Business use, critaical parameters, GxP records, interfaces, etc…) ablout your system i could help you in identifying the validation deliverables and their contents to be compliant.

Vanmeeganathan B
Manager, Lifesciences
+91 9704500710


Well for starters you must have picked that vendor for some reason, so do the supplier assessment NOW. And do a risk assessment now. This will help you to find areas that may need more thorough testing. I am not sure by the posts but is the system in production and validated?

If the system has been validated previously you might want to do a GAP Analysis and risk assessment and then revalidate based on that.

Thanks to every body, fo r your comments:

We have done the IQ and OQ validation for the system in general, I mean, we just check that all the intsrumentation and hardware was installed and is working according with the hardware disign specification, and we check that the software is working according with the functional specifications and URS.

Actually the system is in production because our regulatory agency, in the past year, didn’t have any regulation for software, but in this year they started with CSV.

And we will take your recomendations of doing a risk assessment and the supplier assessment as soon as posible.

If you guys have mor comments to do, I will apreciate.