SOPs for new Web Application

Hello All,

I am currently working on a validation of a new web application for a software company so I have generated the following documentation to cover all aspects of the validation:

  • Intended Use and Base Risk Assessment
  • Validation and Quality Plan
  • URS
  • FS
  • DS
  • RTM
  • IQ
  • OQ
  • PQ
  • Validation Summary Report
I have now been asked to generate a list of SOPs/Work Instructions that they will need should they be audited. I am looking for input to help me compile this list.

Here is what I have so far:

  • Change Control (As the system will reside with the software company it is under their remit to control any changes that occur to the system, hence an agreement needs to be generated so that the company that is using the application needs to sign off on any change control before it happens.)
  • Risk Assessment for any change control
  • Server Qualification
  • Access Control (usernames, passwords, etc.)
  • Application security (i.e. related to a web application, for example if more than one instance resides on the same server, that there will be no chance that different databases will get mixed up)
  • Data Backup

Any input would be gratefully appreciated in relation to completing this list.




I think we need a bit more information. Is this a medical device company? Do they already have a Quality System in place and just need to supplement for the peculiarities of a web app or do they need a full-blown quality system developed?

The list you provided looks, to me, more like WIs for this specific application.

Hi Yodon,

I should have been more specific: basically it's the software company that needs a Quality System in place, as they will be in total control of the system, from hosting the application right down to controlling user access. They will also be in charge of change control, with a sign-off from the Pharma company that is using the app.

It's an unusual case I guess, so I think my question is: does the Software Company need a full-blown Quality System similar to what the Pharma company would require if they were in control?

If so what exactly is required?

I know it's a broad question but any response would be great.



If for use in the US, then yes, a medical device company - whether building multi-modal imaging machines or web-based software - is expected to have a Quality System in place compliant with 21 CFR Part 820. I don’t think I’ve seen anything indicating otherwise for EU - other than the Quality System be compliant with 13485.

Your approach described above would be compliant, I believe (presuming that’s what the company prescribes in its quality system to meet the necessary regulatory requirements). I don’t know that a PQ offers much benefit for a software-only product. You’ll need to keep in mind the distinction between, and expectations for, verification and validation.

While the list you present can support evidence for complying to a quality system, it’s by far complete, as I’m sure you’re aware. Both the US QSR (820) and 13485 require much more in the way of management controls and device ‘pedigree’ tracing (e.g., DHF). Such a discussion, though, does not lend itself to message board posts. I’ll be glad to discuss offline with you.

Hi Graham

Your original question seems to have wandered off somewhat.
The document list should include a DQ which slots in just above the IQ.
The majority of the SOPs are required by the process or processes, so if you trawl through their production processes you will find many of the SOP requirements.
If the software vendor is producing a program for a pharma company (the user), there is no requirement for the vendor to conform to any GMP requirements.

However, if the software user is going to categorise the software as ‘critical’ (GAMP5), then the user purchasing the software has to be absolutely certain that the vendor is going to supply software that is validatable to full life cycle standards.
) refers.

To achieve this, the vendor must be operating in accordance with a quality assurance program that ensures all stages of their product production (from creation to dispatch) are planned, approved and documented in accordance with recognized national or international standards. The user must verify this by auditing them.

Now comes the tricky bit. You say the vendor is going to operate the product. Now the whole thing changes and gets complicated.

All persons who have an input into a GMP-controlled process (no matter how small an input) must be trained in GMP; (211.25 - Personnel qualifications.) and (211.34 - Consultants.) refer. So the vendor company (now acting as the software operators) would be required to nominate who is going to operate/manage/maintain the system, and then send the nominees off for cGMP training.

The pharma company would be required to audit (again) the vendor and verify that the installation and operation of the software was compliant with cGMP (i.e. the user would be required to fully validate it). They would also have to review all the SOPs used to operate and maintain it.

The two companies would need to put in place a clearly defined contract of service, defining who was responsible for what (i.e. in the event of a disaster, whose head would be on the chopping block and for what).

I have run into this with several clients and know, in most cases, the first thing the regulators asked for was the ‘contract of service’.


Thanks Alex, very detailed response.

I might contact you off-line to discuss further if that's OK.