Validating commercial software for use in a regulated environment?

I find myself in a job I never expected to be in.

We are using Google Docs to do document control and Google Sheets to track things … We are small, so buying expensive packages to do this stuff is not something we will be doing soon… but we need to get certified to be cGMP “like” and will be audited by a 3rd party for compliance…

In this type of situation, even for commercial software, one has to validate their particular use of the software…

I know I have to write SOPs defining how we use the software, how we set up controls, who is the person to do what, and how we manage that…

But after that I believe we need to validate that the software does what we say in our SOPs and demonstrates sufficient control.

I think I understand at a high level what needs to be done (write scripts that demonstrate the requirements of the SOPs that have been performed manually, then see if the expected results are obtained), but the devil is always in the details.

Does anyone have any pointers on doing that, or links to information or examples of how to do that?

Also we need to show that long-term document storage is safe (disaster recovery, data won’t be lost/corrupted, or issues with media or readability long term). So far I just required that all PDFs (how we store the documents) are in PDF/A format.

Given that it is in the cloud under Google’s control, I am not sure how we do that either!

Thanks for any input,

PS: I wanted to write these systems myself using Postgres and Xojo, but they don’t want me to do that.
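An added example, not from the original post or from any of the repliers: one of the "scripts that demonstrate the requirements, then check the expected results" the post asks about, written in Python for the two points that can actually be checked on the files themselves, PDF/A identification and integrity of the stored records. It assumes the archived PDFs are exported from Google Drive to a local folder, that the PDF/A identification sits uncompressed in the file's XMP metadata (PDF/A forbids filtering the metadata stream, so a byte scan finds it), and that a SHA-256 manifest of the records is kept separately from the records themselves. The sample PDF bytes are constructed for the example and are not real records. This checks for the PDF/A identification marker and for unchanged hashes; it is not a full PDF/A conformance validator (veraPDF does that), and the manifest step is the part that gives you evidence that nothing was altered or lost.

```python
"""Added example: a small validation check over a folder of archived PDF/A
records. Not the original poster's code; file names and the manifest
layout are assumptions for illustration."""
import hashlib
import re
import tempfile
from pathlib import Path

# PDF/A identification lives in the XMP metadata as either attributes
# (pdfaid:part="2") or elements (<pdfaid:part>2</pdfaid:part>).
_PART = re.compile(rb'pdfaid:part\s*(?:=\s*["\']|>\s*)([1-4])')
_CONF = re.compile(rb'pdfaid:conformance\s*(?:=\s*["\']|>\s*)([ABU])')

# Constructed stand-in for a scanned record saved as PDF/A-2b. It is not a
# renderable PDF; it only carries the header and XMP markers checked below.
SAMPLE_PDFA = (
    b"%PDF-1.7\n"
    b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>\n"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
    b"<rdf:Description rdf:about='' xmlns:pdfaid='http://www.aiim.org/pdfa/ns/id/'>"
    b"<pdfaid:part>2</pdfaid:part><pdfaid:conformance>B</pdfaid:conformance>"
    b"</rdf:Description></rdf:RDF></x:xmpmeta>\n<?xpacket end='w'?>\n"
    b"%%EOF\n"
)
# Constructed PDF with no PDF/A identification (e.g. printed from a browser).
SAMPLE_PLAIN = b"%PDF-1.7\n%%EOF\n"


def pdfa_identification(data: bytes):
    """Return (part, conformance) such as ('2', 'B'), or None when the bytes
    are not a PDF or do not declare PDF/A identification."""
    if not data.startswith(b"%PDF-"):
        return None
    part, conf = _PART.search(data), _CONF.search(data)
    if part is None or conf is None:
        return None
    return part.group(1).decode(), conf.group(1).decode()


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large scans do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(folder: Path) -> dict:
    """Record the hash of every PDF under folder. Store the manifest outside
    the folder, under separate access control, so whoever can change a record
    cannot also silently fix its recorded hash."""
    return {p.relative_to(folder).as_posix(): sha256_of(p)
            for p in sorted(folder.rglob("*.pdf"))}


def verify_archive(folder: Path, manifest: dict) -> list:
    """Return findings; an empty list means every expected record is present,
    unchanged since the manifest was taken, and declares PDF/A identification."""
    findings, seen = [], set()
    for p in sorted(folder.rglob("*.pdf")):
        rel = p.relative_to(folder).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings.append(f"{rel}: not in manifest (unexpected file)")
        elif sha256_of(p) != manifest[rel]:
            findings.append(f"{rel}: hash mismatch (modified or corrupted)")
        if pdfa_identification(p.read_bytes()) is None:
            findings.append(f"{rel}: no PDF/A identification in XMP")
    for rel in manifest:
        if rel not in seen:
            findings.append(f"{rel}: missing from archive")
    return findings


def demo() -> dict:
    """Run the check over a constructed archive: once clean, once after a
    record is altered and an unregistered non-PDF/A file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SOP-001.pdf").write_bytes(SAMPLE_PDFA)
        manifest = build_manifest(root)
        clean = verify_archive(root, manifest)
        (root / "SOP-001.pdf").write_bytes(SAMPLE_PDFA + b"extra\n")  # tamper
        (root / "FORM-002.pdf").write_bytes(SAMPLE_PLAIN)            # not PDF/A
        tampered = verify_archive(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, "->", findings or "OK")
```

The expected result and the actual findings list is what goes into the validation record for that test case: a clean run returns no findings, and the tampered run reports the hash mismatch, the unexpected file and the missing PDF/A identification.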

Eeek!
It’s been a very, very long time since I had to do anything like that (i.e. 25+ years), so I doubt any of it would be relevant any more.

Software design according to ISO/IEC 9126 with all its particular standards makes for fat technical documentation for the software, plus a validation and verification plan, a development plan and much more. Also described in 62304, it is used for medical devices and medical software… doing that every day, and it IS HARDCORE! And @npalardy: yes, Eeek!

Yeah, we were a highly regulated environment and OMG the work involved then was huge, and I cannot imagine it’s gotten any easier.

What we are talking about here is the software used for maintaining the quality system… basically just record keeping, and there is NO custom software involved…

We just need to validate that Google Docs works as we need it to…

Basically controlling access to documents and records, the audit trail works, and using Google Sheets for logging data (basically using Google Sheets as a database), not doing any fancy math or even conditional formatting, and maintaining data integrity…

We are printing, then filling out forms manually on paper, signing them, then scanning and saving them in PDF/A format in Google Docs…

Before we go for ISO 13485 certification we plan to have documents electronically signed using either DocuSign or Adobe Sign using their 21 CFR Part 11 compliant service, to make life easier (we are not sure documents/records with scanned “wet” signatures would be acceptable and don’t want to have to deal with a mountain of paper in the long run).

We are not producing medical devices, only things that may be used (with significant further processing by the customer) in the production of things like vaccines, diagnostic kits or maybe cosmetics sometimes.

Basically our use of Google Docs is only a small step up from an all-paper quality system.

Is that really likely to be a nightmare to validate?


Aiming for 13485 makes it necessary anyhow that you do your validation within your 13485 documentation. Then software rules for lifecycle management, development and testing have to be on board, as they have a direct influence on your 13485 documentation. So I do not understand how you can think of this outside of the 13485 documentation???
What signatures are accepted depends on many facts. The first question would be: are you a manufacturer of medical software or medical devices? Then it is necessary to have a notified body controlling your 13485 docs and the processes (not valid in the US and Canada, where the government (the FDA for the US) and Underwriters Laboratories fill this gap), a process for scanning and validating scanned documents, and verification of the document against the original document and the original document provider. Also you need a process for document signature handling.

When and if you are under the control of an authority, you may need to do all of what you described inside of the audited processes,

Meaning: if and when you do this now, you will do it inside of the 13485 system again!

I understand that at a high level… I think…

What is not clear to me is how this applies to cloud software, namely Google Docs.

We are not doing any software development (as much as I would like to).

I don’t… but what we are contemplating is a hybrid system with scanned paper records with information (and for now, signatures) written manually.

No. As I said above, we would be making raw materials that go into medical products: as I said, potentially biologically produced materials that our customer would process further to go into things like vaccines and diagnostic kits. We don’t make hardware or software. We just need to get certified by someone like TÜV to be 13485 compliant.

In point of fact we don’t absolutely NEED to be 13485 registered for someone to buy from us for those uses, BUT customers producing such products are much more comfortable dealing with a company that is 13485 certified… in the biologics production industry it is considered to be “GMP like”.

Using DocuSign at their 21 CFR Part 11 level of service gives authentication of signers (for approvals) as well as audit trails that are acceptable to the FDA. I realize we would still need to “validate” our use of it, and it would be subject to auditing as it would be part of our system. Google Docs has an approval function but I don’t believe it meets 21 CFR Part 11 standards.

My question was how one deals with this in our situation… Before this job I worked in the pharmaceutical industry as a chemist for almost 14 years, but that was on the research side… So while I was “exposed” to these kinds of things, I did not have to live under them and certainly am not an expert.

We are a small company doing contract manufacturing (we pivoted from exclusively doing R&D to that!) and are trying to get by as frugally as we can. Hence a hybrid QMS using Google Docs and scanned paper records.

Personally, in our situation I think implementation of a traditional paper system would be simpler in terms of getting registered, but management does not want to have to deal with all the hassles of a lot of paper controlled documents and records everywhere.


Starting with Google Docs you might need to write testing software for validation. If not: lucky you; we had to for ASEA, FDA and TÜV. There was no discussion. Then we had to do lifecycle management. 13485 is another animal if you are not a manufacturer.

As an alternative, write a validation plan for the external software of unknown provenance and validate it.

I wonder if a Google rep (not sure who) might be of use in assisting in coming up with a test plan.
Surely someone else has needed to do something like this and Google has had to assist in coming up with a plan etc.

Seems it can’t hurt to ask Google for some assistance given this need.
The worst they can say is “no” or “we have no idea”.
But maybe they say “Hey, we’ve had to pass this sort of certification before and here’s what you need to do/know!”

Not helping, because the plan has to be related directly to the use.

I’d still ask them and relate it to the use.

Not asking is 100% certain to never get any assistance from them.
Can’t win the lottery if you never buy a ticket.


The entire problem is: according to the 13485 standards you have to fulfil, in that case you MUST write a validation plan which gives you the ability to validate the software against your needs in its individual case. That makes it impossible to use a validation tool from Google or somebody else. It is strictly forbidden to use software of unknown provenance without validation.

For the scanned documents: in this process I would mark the document as scanned, report who scanned it, signing that the scan was made from the available copy of that document, and also report which kind of document it is. Also needed: the place where I can get a new copy from the vendor which produced that document. Last but not least: is this a static document, or is it inside of any updating service? Then you HAVE to mark it as an update-service document and where people can get the needed new copy.

That is the given process in cases like this. We have this process in my company and in every company of my customers, as we are all inside of the 13485 standard. There is no use from Google. Not in 5k years. IT IS NOT ALLOWED to use it without the needed validation according to the validation plan.

If you do not like that: one of the next audits of these processes can result in stopping the certification until it is corrected. Nobody needs that.

I know one has to validate their use of the software, but never having written anything like that, a good example to figure out how best to approach it practically would be a great help.


First of all, Google Docs is a web service, not software. Have you read the EULAs and Terms of Use of Google Docs? You simply cannot expect any long-term assurances. They tell you one story today and another next year. And sometimes they decide to kill a service or function, putting you straight into something different you need to re-validate and re-audit. And of course they might alter or delete your data if they see fit to do so. I remember some models (or porn stars?) who hosted their “business” pics and exposé on Google Drive and got deleted without any notice or chance to restore anything.

If you or your company needs to fulfil the minimum CIA triad requirements, you must either host and maintain everything on your own or find somebody who enables you to do this.

Let me show you how businesses in Germany are regulated. They have the obligation to keep all their electronic records, documents, quotes, invoices (“Handelsbriefe”) and even unspecified relevant business documents for a minimum of 6 up to 10 years (GoBD, in German; use DeepL or Google Translate). Especially small businesses do not know that emails and chat messages are relevant too if offered or used on websites as communication. My first question when I enter such companies is to ask for all outgoing Facebook and WhatsApp messages on May 3rd, 2013. Hence the shocked open eyes. In most cases I get nothing. Then I ask for all emails of the same day. Some become busy asking their admins for long-term backups and experience that their expensive software with its fancy hyper-super-subscription fails at doing this. None of the EULAs guarantees anything. Sometimes the software does not run anymore. One backup software even refused to open 9-year-old backups (Acronis). They changed their format in the meantime and current versions somehow did not support the old format.

My advice for your company: run all your servers and storage on your own. Stick to standards and avoid any proprietary closed-source crap with vendor lock-in traps and expensive but useless subscription models.

No need to buy anything; all you need is free and open source.
Invest in people and not in crap software!

13485 is much harder than any GoBD standards. It is the medical quality management rule and is needed for producing, repairing and selling medical devices.

Of course, this is undisputed. My point is, many businesses and especially so-called start-ups with all their fancy, shitty business models already fail in their basic obligations. Until the tax office takes a deeper look or you are at odds with a shareholder or founder…

True, but in this case ISO IEC 13485 was asked about as a standard, which has nothing to do with bookkeeping but with technical documentation and sales documentation and market research and post-market clinical follow-up and RISK management and controlling the processes of management, development, manufacturing, sales, maintenance and much, much more. Bookkeeping is 2% of a medical device documentation.