Learnaboutgmp Community

Evaluating Software for GMP Criticality?

I work in the pharmaceutical industry and as part of my role I audit company validation documents for computerized system. For guidance on this issue I find ‘GAMP guide for validation of automated systems, published by ISPE’ a particularly useful document.

The criticality of software can be categorized into 5 distinct categories as follows (5 being the most critical) in my experience depending on what the databases are used for they would either be a category 3 or 4.:

GAMP Software Category 5- Custom (Bespoke) Software
Example software
Software designed to client needs e.g. PLC

GAMP Software Category 4 Configurable software
Customized application software

GAMP Software Category 3 Commercial off the shelf
Standard application software. ‘Source code not supplied’ / established customer base

GAMP Software Category 2 Firmware
Process instruments (controlling or recording e.g. temperature, pressure or conductivity)

GAMP Software Category 1
Operating systems Windows, DOS, Unix

The criticality drives the scope of validation activity for the software. For category 3 software in the operating environment I would expect to see SOP’s for:
• Versions-should be standard
• Control over access and use
• Control over profiles (e.g. user, admin)
• Compatibility with O/S and applications

In the development environment
• Predefined requirements / design
• Experience of supplier to pharmaceutical industry
• History / pedigree
• Knowledge base
• Support levels
• QA accreditation / Questionnaire

For category 4 software in the operating environment I would expect to see SOP’s for:
As Cat. 3 and
• Configuration management
• Patches and upgrades / impact on other modules
• Control over access and use

In the development environment
• Full lifecycle development and risk assessments
• Experience of supplier to pharmaceutical industry
• QA accreditation / Questionnaire / Audit
• History / pedigree / software std. modules

For the SDLC (software development lifecycle) again depending on the scope of the system the documents I would expect to see would be as per the validation V model.