Watch out for the GAMP5 spin on validation versus verification.
From my post on the Yahoo Tech Group site:
Our customers tell us that vendor software is not 21 CFR 11 compliant - it is “enabled”. Compliance involves steps that only the end user can complete. We start with a completed 21 CFR 11 assessment plus GAMP.
You should consider offering IQ and OQ (but not PQ) protocols - also GAMP5 equivalents. But you offer the protocol - it is not executed yet.
Beyond FAT, SAT, GAMP etc. we have never seen a benefit in an in-house validation. It only seems to be expenditure with no return. All our customers have different approaches to validation. We’re only just seeing them start to ask us for our protocols (using the GAMP5 “leverage supplier documentation” approach). Much of our FAT and SAT is now being used by customers as an appendix to IQ/OQ - so why validate it ourselves too?
When we get audited the topic of change control is big so…
For “Category 5”, change control applies after FAT for code and applies at any time for signed-off documents. When writing custom code, the whole thing is in flux until you lock it down for the FAT so change control is a little bit difficult to quantify. I’ve argued this with customers a few times who expect CC pre-FAT but when I show them how you actually prepare custom code they back down.
I’ve actually never sold the same custom code twice in 21 years of automation engineering. No two clients have ever had the same requirements. The only exception being shared libraries and core data processing functions.11
On the other hand for code you use again and again or a software package that hardly varies from one client to another, you need good change control. “Category 3” for example.