Validating commercial software for use in a regulated environment?

I find myself in a job I never expected to be in.

We are using Google Docs to do document control and Google Sheets to track things … We are small so buying expensive packages to do this stuff is not something we will be doing soon… but we need to get certified to be cGMP “like” and will be audited by a 3rd party for compliance…

In this type of situation even for commercial software one has to validate their particular use of the software…

I know I have to write SOPs defining how we use the software and how we set up controls and who as person to do what and how we manage that…

But after that I believe we need to validate that the software does what we say in our SOPs and demonstrates sufficient control.

I think I understand at a high level what needs to be done (write scripts that demonstrate the requirements of the SOPs that have performed manually, then see if the expected results are obtained), but the devil is always in the details.

Does anyone have any pointers on doing that or links to information or examples of how to do that?

Also we need to show long term document storage is safe (disaster recovery, data won’t be lost/corrupted or issues with media or readability long term). So far I just required that all PDFs (how we store the documents) are in PDF/A format.

Given that is in the cloud under Google control, I am not sure how we do that either!

Thanks for any input,

PS I wanted to write these systems myself using Postgres and Xojo, but they don’t want me to do that.

Hello Karen,

The short answer is ‘it depends’. :) A common standard for automotive standards is MISRA. This is dependent on the industry (Aerospace, Automotive, Embedded Systems, Finance, Government, Life Sciences, etc.).

Take the example of a car that gets into an accident. When the accident occurs then all information with hardware, software, mechanical, and personal details will be investigated. I am not sure which industry this is for, and it may be best to ask the company for the regulated environment standard, as there are many standards. Asking the company will provide two aspects: 1) allow you to comply with their suggested regulations in writing, and 2) allow you to bill the company for extra costs due to compliance.

They should be able to provide you with the preferred systems and languages. IEC 61508 is for electronic programming, IEC 62061, and EN 50128 is for Railway applications for signaling, communication, and processing systems. There are too many standards to list, and different clients will likely focus on standards specific to their industry.

Most embedded systems for electronics use C or C++, and the client should suggest the programming language, and specifically the type, like Visual Studio C++ for example.

You're right, as the standards and practices will need to be able to withstand audits and the extra costs associated with auditing and conforming to the specific standard.

I hope this helps answer a few of your questions :)

Edit: Here is a list of more standards:

IEC 61508 - General
ISO 26262 - Automotive
EN 50128 - Railway
IEC 62304 - Medical Devices
IEC 62061 - Manufacturing
IEC 60880 - Nuclear

‘cGMP like by 3rd party’ means that you must achieve compliance with customer requirements, not seeking approval from the competent authority, I assume.
That said, 3rd party provided their set of requirements and you work along these.
In aeronautics we have ‘guidance’ material and ‘acceptable means of compliance’. These describe on a per-requirement basis how compliance can be achieved in practice. What do you have?

so first you need a team.
any change/update has documentation.
before release a quality management and then an acceptance protocol.
be sure the upload/download into Google cloud is not converted.
maybe use a neutral second data storage and verify PDF/A format.

I wanted to write these systems myself using
you know the unforeseeable “features”
make a feature matrix (with pro and cons) and choose the best opportunity with foresight.
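
The round-trip check suggested in the reply above (confirm that upload/download does not convert files, and verify the PDF/A claim on a second copy), as an added example that is not part of any post in this thread. File names and sample bytes are constructed, and the PDF/A test only reads the `pdfaid:part` declaration in the XMP metadata.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# XMP marker a PDF/A file carries, in element or attribute form.
PDFA_PART = re.compile(rb'pdfaid:part\s*(?:>|=\s*["\'])\s*(\d)')

def describe(path):
    """Hash one file and read its declared PDF/A part (None if absent)."""
    data = Path(path).read_bytes()
    m = PDFA_PART.search(data)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "pdfa_part": m.group(1).decode() if m else None}

def build_manifest(folder):
    """Record every PDF in the controlled folder before upload."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): describe(p)
            for p in sorted(root.rglob("*.pdf"))}

def verify_copy(manifest, folder):
    """Compare a downloaded or second-storage copy against the manifest."""
    found = build_manifest(folder)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "unexpected": sorted(set(found) - set(manifest)),
        "changed": sorted(n for n in manifest.keys() & found.keys()
                          if manifest[n]["sha256"] != found[n]["sha256"]),
        "no_pdfa_claim": sorted(n for n, d in found.items()
                                if d["pdfa_part"] is None),
    }

def demo():
    """Constructed sample: one intact file, one converted, one lost."""
    xmp = b"<pdfaid:part>2</pdfaid:part><pdfaid:conformance>B</pdfaid:conformance>"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for name in ("SOP-001.pdf", "SOP-002.pdf", "SOP-003.pdf"):
            Path(a, name).write_bytes(b"%PDF-1.7\n" + xmp + name.encode())
        manifest = build_manifest(a)
        Path(b, "SOP-001.pdf").write_bytes(Path(a, "SOP-001.pdf").read_bytes())
        Path(b, "SOP-002.pdf").write_bytes(b"%PDF-1.4\nconverted copy")  # XMP lost
        return verify_copy(manifest, b)

if __name__ == "__main__":
    print(demo())
```

A declared `pdfaid:part` is only a claim; full PDF/A conformance needs a dedicated validator such as veraPDF.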

Hello, I don't know how big your projects are, but I think it will end up using a standard product. It's not only about the documentation, it's much more: see Aspice. And it's depending on the level you want to or have to reach.

You can make some parts by yourself, to make your life easier.


20 years Automotive and still learning something new everyday

The gold standard for validation in GMP is GAMP, which the last time I looked was in version 5.x. If you need to look at that it is very large and expensive to get hold of. It will also scare the pants off you (figuratively). If you are talking about GCP (which is related to clinical trials) then GAMP is a reasonable starting point, but slightly overkill.

In general principles they will want to see that you have plans in place for the validation of any piece of software that you are using. Even if that plan says that you are not going to validate the likes of Word, Excel etc. They will expect risk assessments to back up the decisions you have made. They will also need to see that you have a good backup and disaster recovery system in place. Including plans to say what you are going to do in the event of a system failure at a key time. Often this involves having a manual procedure to fall back on.

They will also expect to see a system for defect management. Tracking issues and ensuring resolution to restore a validated state. Version tracking on all documents and revision histories.

In terms of GCP and how it related to software it was my life for 33 years working for Oxford University. I’m now retired.