Pharma vendor selection requires a structured evaluation framework covering seven weighted categories: regulatory compliance (25%), functionality (20%), data integrity and security (20%), implementation and validation (15%), support and stability (10%), total cost of ownership (5%), and scalability (5%). FDA holds the regulated company — not the vendor — responsible for computerized system compliance under 21 CFR Part 11.
Selecting the wrong software vendor in pharma does not just waste budget. It introduces compliance risk, delays submissions, and creates audit exposure that can persist for years. This applies equally to regulatory submissions software, RIMS platforms, and eCTD publishing tools. The regulated environment demands a structured, defensible evaluation process — one that goes well beyond feature checklists and pricing comparisons.
This guide provides a complete vendor evaluation framework built on regulatory expectations from FDA 21 CFR Part 11, EU Annex 11, GAMP 5, and PIC/S guidance for computerized systems. Every criterion maps to a real requirement that auditors, inspectors, or your quality team will eventually scrutinize.
Key Takeaways
- FDA holds the regulated company, not the vendor, responsible for computerized system compliance under 21 CFR Part 11.10.
- The seven-category weighted scorecard prioritizes regulatory compliance (25%) and data integrity (20%) above all other evaluation criteria.
- Validation burden varies materially depending on the vendor's documentation quality and implementation model.
- License price is only one component of total cost of ownership; implementation, validation, and operational overhead often matter just as much.
- Use the scorecard as a working document. Score vendors. Compare results. Make a decision you can defend during your next inspection.
Why Pharma Vendor Selection Requires a Different Framework
Generic software evaluation frameworks fail in regulated life sciences for three reasons:
- Regulatory accountability does not transfer. FDA holds the regulated company responsible for the performance of any computerized system used in GxP processes, regardless of who built it. Per 21 CFR Part 11.10, "persons who use closed systems to create, modify, maintain, or transmit electronic records" must implement controls — not the vendor. If the vendor's system fails an audit, your company receives the 483.
- Validation burden scales with vendor quality. GAMP 5 Second Edition establishes that vendor-supplied documentation (IQ/OQ protocols, test records, traceability matrices) can reduce your validation workload — but only if the vendor's quality management system meets GxP standards. A vendor with poor documentation forces you to build validation packages from scratch, often costing more than the software itself. This is analogous to the supplier qualification process in manufacturing — the rigor you apply upfront determines downstream risk.
- Switching costs are asymmetric. Pharmaceutical data migration involves validated records, audit trails, electronic signatures, and regulatory submission histories. Moving off a poorly chosen vendor mid-lifecycle can require extensive remediation and revalidation work.
The framework below addresses all three problems.
The Seven-Category Evaluation Framework
This framework organizes vendor evaluation into seven weighted categories. Each category contains specific criteria scored on a 1-5 scale. Weights reflect the reality that in pharma, compliance and data integrity outweigh convenience features.
Recommended Category Weights
| Category | Weight | Rationale |
|---|---|---|
| 1. Regulatory Compliance | 25% | Non-negotiable baseline; drives audit outcomes |
| 2. Functionality and Fit | 20% | Must solve the actual business problem |
| 3. Data Integrity and Security | 20% | FDA and EMA enforcement priority since 2018 |
| 4. Implementation and Validation | 15% | Determines time-to-value and validation burden |
| 5. Support and Vendor Stability | 10% | Long-term reliability of the partnership |
| 6. Total Cost of Ownership | 5% | Important but secondary to compliance fitness |
| 7. Scalability and Roadmap | 5% | Future-proofing against growth and regulatory change |
Adjust weights based on your organization's risk profile. A pre-revenue biotech with one submission in the pipeline will weight functionality and implementation speed higher. A mid-size pharma managing 20 concurrent submissions will weight scalability and compliance more heavily.
Category 1: Regulatory Compliance (25%)
This is the gating category. A vendor that scores below 3 in any compliance criterion should be eliminated regardless of other strengths.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| 21 CFR Part 11 compliance | No Part 11 controls | Basic controls (audit trails, e-signatures) with documentation | Full Part 11 compliance with validation documentation package, IQ/OQ protocols, and regulatory traceability | ___ |
| EU Annex 11 compliance | Not addressed | Partially addressed; some gaps | Fully addressed with documented evidence for each clause | ___ |
| GAMP 5 classification and documentation | No GAMP awareness | System classified; basic supplier documentation | Full GAMP 5 aligned lifecycle documentation, risk assessments, and traceability matrices available | ___ |
| Audit trail capability | No audit trail | Basic audit trail (who, what, when) | Immutable, time-stamped audit trail capturing who, what, when, why, with before/after values; non-deletable | ___ |
| Electronic signature controls | No e-signature support | Basic e-signature with authentication | 21 CFR Part 11 compliant e-signatures with meaning, biometric/non-biometric linking, and authority checks | ___ |
| Data integrity (ALCOA+ adherence) | No data integrity controls | Partial ALCOA coverage | Full ALCOA+ compliance: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available | ___ |
| Regulatory agency experience | No regulated industry clients | Some pharma/biotech clients | Demonstrated track record with FDA, EMA, or Health Canada regulated companies; can provide references | ___ |
Category 1 Total: ___ / 35
Red Flags to Watch For
- Vendor cannot produce a Part 11 compliance matrix on request
- Audit trail can be modified or deleted by administrators
- No documented SDLC (Software Development Life Cycle) process
- E-signatures implemented as simple login credentials without secondary authentication
- Vendor has never undergone a customer-initiated supplier audit
Platforms built for regulated environments handle these requirements natively. Assyro, for example, was designed with 21 CFR Part 11 compliance from its architecture layer — audit trails, electronic signature controls, and ALCOA+ data integrity are structural, not bolted on after the fact.
Category 2: Functionality and Fit (20%)
Compliance is the floor. The system must also solve your specific operational problem effectively.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| Core use-case coverage | Does not address primary need | Covers primary use case with workarounds | Fully addresses primary and secondary use cases out of the box | ___ |
| Workflow alignment | Forces complete process redesign | Requires moderate adaptation | Maps directly to existing regulatory workflows | ___ |
| Automation capabilities | Fully manual processes | Some automation (templates, batch operations) | Intelligent automation: AI-driven validation, error detection, auto-generated documentation | ___ |
| Multi-authority support | Single region only | 2-3 regions with manual configuration | FDA, EMA, Health Canada, PMDA, and other authorities with region-specific rule sets | ___ |
| Reporting and analytics | No built-in reporting | Standard reports with limited customization | Configurable dashboards, audit-ready report generation, and exportable analytics | ___ |
| Integration capability | No APIs or integration options | REST API with basic documentation | Well-documented API, webhooks, pre-built connectors for common pharma systems (DMS, LIMS, eCTD publishers) | ___ |
Category 2 Total: ___ / 30
Key Questions to Ask During Demos
- "Show me the exact workflow for [your most common task]. Do not skip steps."
- "What happens when a user makes an error mid-workflow? How does the system handle correction and audit trail?"
- "How does the system handle [your most complex edge case]?"
- "What percentage of your current customers use the system for [your specific use case]?"
The automation criterion deserves particular scrutiny. Many vendors offer rule-based checks that validate surface-level formatting. Fewer offer deep validation logic. Decision-tree validation — where the system walks through regulatory logic step by step, producing explainable, auditable reasoning for each finding — is the current standard for AI-driven regulatory tools. This approach ensures every flag has a traceable rationale, which matters when an inspector asks "why did you accept this result?"
Category 3: Data Integrity and Security (20%)
Data integrity remains a major enforcement focus area for both FDA and EMA. Your vendor's architecture either supports integrity or undermines it.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| Access controls | Shared accounts permitted | Individual accounts with role-based access | Granular role-based access with least-privilege enforcement, MFA, and automatic session timeout | ___ |
| Data backup and recovery | No documented backup process | Regular backups with basic recovery plan | Automated backups, documented RPO/RTO, tested disaster recovery with validated restore procedures | ___ |
| Encryption | No encryption | Encryption at rest OR in transit | Encryption at rest AND in transit (TLS 1.2+), key management documented | ___ |
| Hosting and infrastructure | On-premise only, no SOC report | Cloud-hosted with SOC 2 Type I | SOC 2 Type II certified, with GxP-qualified hosting (AWS GovCloud, Azure GxP, or equivalent) | ___ |
| Penetration testing | No security testing | Annual penetration testing | Regular third-party penetration testing with published remediation timelines; vulnerability disclosure program | ___ |
| Data residency and sovereignty | No control over data location | Data residency options available | Full data residency control with documented compliance to regional requirements (GDPR, PIPEDA, etc.) | ___ |
Category 3 Total: ___ / 30
Due Diligence Checklist
Request the following from every vendor under serious consideration:
- [ ] SOC 2 Type II report (current year)
- [ ] Penetration test summary (last 12 months)
- [ ] Data flow diagram showing where regulated data is stored, processed, and transmitted
- [ ] Encryption standards documentation
- [ ] Incident response and breach notification policy
- [ ] Business continuity and disaster recovery plan
- [ ] Data processing agreement (DPA) for GDPR jurisdictions
Category 4: Implementation and Validation (15%)
Implementation speed and validation burden are where hidden costs accumulate. A system that takes longer to deploy and requires heavy external consulting can quickly become much more expensive than the initial license suggests.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| Time to deployment | Long, unclear deployment | Moderate deployment effort | Short, well-defined deployment with phased rollout option | ___ |
| Validation documentation package | No validation documentation | Basic IQ/OQ documentation | Complete validation package: IQ/OQ/PQ protocols, traceability matrix, risk assessment, test scripts, and summary reports | ___ |
| Configuration vs. customization | Requires heavy custom development | Configurable with some custom work | Fully configurable without code changes; configuration validated through standard protocols | ___ |
| Data migration support | No migration assistance | Basic import/export tools | Validated data migration methodology with reconciliation checks and audit trail preservation | ___ |
| Training and enablement | No training provided | Standard training materials | Role-based training program, self-service knowledge base, and ongoing enablement resources | ___ |
| Customer success / onboarding | No dedicated support during implementation | Project manager assigned | Dedicated success manager with domain expertise (regulatory or pharma background) through go-live and beyond | ___ |
Category 4 Total: ___ / 30
The Validation Burden Test
Ask each vendor: "What validation work will our team need to perform, and what do you provide?"
The answer reveals the true implementation cost. Vendors fall into three tiers:
Tier 1 (Best): Vendor provides a complete validation package aligned to GAMP 5, including IQ/OQ materials, traceability matrices, risk assessments, and PQ templates. Your team reviews and supplements with site-specific testing.
Tier 2 (Acceptable): Vendor provides partial documentation. Your team or a consulting firm must build additional protocols, execute testing, and compile the validation package.
Tier 3 (Costly): Vendor provides no meaningful validation documentation. Your team must build everything from scratch: requirements, risk assessments, test protocols, execution, and summary reports.
The difference between Tier 1 and Tier 3 can materially change the economics of the project. Factor this into TCO calculations.
Vendors that provide stronger validation documentation and clearer onboarding can materially reduce the customer's validation burden. Verify those claims directly during diligence.
Category 5: Support and Vendor Stability (10%)
A vendor relationship in pharma is a long-term commitment. Switching costs are high, data migration is complex, and revalidation is expensive. You need confidence the vendor will exist and perform in five years.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| Support responsiveness | Email only, multi-day response | Business-hours support with <24h response | Priority support queue with SLA-backed response times; multiple channels (chat, phone, email) | ___ |
| Domain expertise of support team | General IT support, no pharma knowledge | Some team members with regulated industry experience | Support team includes regulatory or pharma domain experts who understand your use case | ___ |
| Product update frequency | Irregular or no updates | Quarterly releases | Regular release cycle with advance notification, release notes, regression testing, and validated upgrade path | ___ |
| Financial stability | No financial information available | Basic financial disclosures | Transparent financials, funded runway, or profitability; references from long-term customers | ___ |
| Customer community and references | No references available | Can provide 1-2 references | Active user community, multiple references in your segment, published case studies | ___ |
Category 5 Total: ___ / 25
Stability Due Diligence
For early-stage or smaller vendors, ask directly:
- What is your current funding status and runway?
- How many paying customers do you have in pharma/biotech?
- What is your customer retention rate?
- What happens to my data if the company is acquired or shuts down? (Data escrow provisions?)
- Can you provide a reference from a customer who has been through an FDA or EMA inspection using your system?
For enterprise vendors, the risks are different: slow innovation, bloated implementations, and being a small fish in a large pond. Ask about roadmap influence, implementation partner quality, and whether you will be dealing with the product team or a reseller channel.
Category 6: Total Cost of Ownership (5%)
License price is only part of the true five-year cost of a pharma software platform. The rest often hides in implementation, validation, training, integrations, and ongoing operational overhead.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| Pricing transparency | Pricing not disclosed until late in sales cycle | Clear pricing with some variable components | Fully transparent pricing; no hidden fees for users, API calls, storage, or support tiers | ___ |
| Implementation cost | Requires heavy consulting/services investment | Moderate professional services needed | Minimal or no professional services required; self-service implementation with vendor guidance | ___ |
| Validation cost | Validation entirely customer's responsibility | Partial validation support; moderate external cost | Vendor-provided validation package minimizes customer validation cost | ___ |
| Ongoing operational cost | Requires dedicated FTE(s) to administer | Part-time administration needed | Minimal administration; self-service configuration and updates | ___ |
| Upgrade path cost | Major upgrades require revalidation and consulting | Upgrades validated by vendor with minimal customer effort | Validated upgrade path included; backward-compatible releases with pre-tested migration | ___ |
Category 6 Total: ___ / 25
Five-Year TCO Calculation Template
| Cost Component | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| Software license/subscription | | | | | | |
| Implementation / professional services | | | | | | |
| Validation (internal labor + external consulting) | | | | | | |
| Training (initial + ongoing) | | | | | | |
| Integration development | | | | | | |
| Data migration | | | | | | |
| Internal administration (FTE allocation) | | | | | | |
| Upgrades / revalidation | | | | | | |
| Support tier (if premium is required) | | | | | | |
| Total | | | | | | |
The no-consultant-army model is a meaningful differentiator. Vendors that require heavy professional services to deploy and validate are effectively double-charging: once for the license, again for the army of consultants needed to make it work. Look for vendors that provide validation documentation, onboarding support, and training as part of the subscription — not as high-margin add-on services.
Category 7: Scalability and Roadmap (5%)
Your evaluation should account for where your organization will be in three years, not just where it is today.
Scoring Criteria
| Criterion | 1 (Unacceptable) | 3 (Acceptable) | 5 (Excellent) | Score |
|---|---|---|---|---|
| User and volume scalability | Hard limits on users or data volume | Scalable with additional cost per tier | Elastic scaling with predictable per-user or per-submission pricing | ___ |
| Multi-site / multi-region support | Single-site only | Multi-site with additional configuration | Native multi-site, multi-region support with localized regulatory requirements | ___ |
| Product roadmap transparency | No roadmap visibility | Annual roadmap shared under NDA | Public or customer-shared roadmap with clear prioritization criteria; customer input mechanisms | ___ |
| Regulatory change responsiveness | Customer must track and implement regulatory changes | Vendor tracks changes with periodic updates | Vendor proactively monitors regulatory changes across authorities and pushes updates to rule sets automatically | ___ |
| API and ecosystem maturity | No integration path | Basic API available | Mature API ecosystem with documentation, SDKs, partner integrations, and webhook support | ___ |
Category 7 Total: ___ / 25
The regulatory change responsiveness criterion is often overlooked but critically important. FDA, EMA, Health Canada, and PMDA continuously update guidance, technical specifications, and validation rules. A vendor that proactively tracks these changes and updates the system's rule sets, rather than leaving it entirely to your regulatory team, can materially reduce operational burden. Verify the vendor's update process and validation impact directly during diligence.
Consolidated Scoring Summary
Use this summary table to compare vendors side by side.
| Category | Weight | Vendor A | Vendor B | Vendor C |
|---|---|---|---|---|
| 1. Regulatory Compliance (out of 35) | 25% | ___ | ___ | ___ |
| 2. Functionality and Fit (out of 30) | 20% | ___ | ___ | ___ |
| 3. Data Integrity and Security (out of 30) | 20% | ___ | ___ | ___ |
| 4. Implementation and Validation (out of 30) | 15% | ___ | ___ | ___ |
| 5. Support and Vendor Stability (out of 25) | 10% | ___ | ___ | ___ |
| 6. Total Cost of Ownership (out of 25) | 5% | ___ | ___ | ___ |
| 7. Scalability and Roadmap (out of 25) | 5% | ___ | ___ | ___ |
| Weighted Total | 100% | ___ | ___ | ___ |
Calculating Weighted Scores
For each category:
- Sum the raw criterion scores
- Divide by the maximum possible score for that category to get a percentage
- Multiply by the category weight
- Sum all weighted scores for the final vendor score
Example: Vendor A scores 28/35 in Regulatory Compliance. 28/35 = 80%, and 80% x 25% weight = 20.0 weighted points.
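The calculation above, combined with the Category 1 gate this guide applies (no compliance criterion below 3, and at least 21/35), as an added Python example that is not part of the original guide. Vendor names and every score are constructed sample data, and the function names are illustrative.

```python
# Added example: scorecard arithmetic and compliance gate from this guide.
# Vendor names and all scores below are constructed sample data.

# category -> (weight in percent, number of criteria). Criteria are scored 1-5,
# so category maxima are 35, 30, 30, 30, 25, 25, 25 as in the summary table.
CATEGORIES = {
    "regulatory_compliance": (25, 7),
    "functionality_fit": (20, 6),
    "data_integrity_security": (20, 6),
    "implementation_validation": (15, 6),
    "support_stability": (10, 5),
    "total_cost_of_ownership": (5, 5),
    "scalability_roadmap": (5, 5),
}
COMPLIANCE = "regulatory_compliance"
COMPLIANCE_CRITERIA = [
    "21 CFR Part 11", "EU Annex 11", "GAMP 5", "Audit trail",
    "Electronic signatures", "ALCOA+", "Regulatory agency experience",
]
MIN_CRITERION = 3  # any compliance criterion below 3 eliminates the vendor
MIN_TOTAL = 21     # 21/35 (60%); seven scores of 3 or more always reach this


def validate(card):
    """Reject incomplete or out-of-range scorecards before any arithmetic."""
    for name, (_, count) in CATEGORIES.items():
        scores = card.get(name, [])
        if len(scores) != count:
            raise ValueError(f"{name}: expected {count} scores, got {len(scores)}")
        if any(type(s) is not int or not 1 <= s <= 5 for s in scores):
            raise ValueError(f"{name}: every score must be an integer from 1 to 5")


def gate_failures(card):
    """Reasons a vendor fails the Category 1 gate; an empty list means a pass."""
    scores = card[COMPLIANCE]
    reasons = []
    low = [c for c, s in zip(COMPLIANCE_CRITERIA, scores) if s < MIN_CRITERION]
    if low:
        reasons.append("criterion below 3: " + ", ".join(low))
    if sum(scores) < MIN_TOTAL:
        reasons.append(f"Category 1 total {sum(scores)}/35 is below 21/35")
    return reasons


def weighted_score(card):
    """Return (total out of 100, weighted points per category)."""
    points = {name: sum(card[name]) * weight / (5 * count)
              for name, (weight, count) in CATEGORIES.items()}
    return round(sum(points.values()), 2), {k: round(v, 2) for k, v in points.items()}


def evaluate(vendors):
    """Gate on compliance first, then rank the survivors by weighted total."""
    ranked, eliminated = [], {}
    for vendor, card in vendors.items():
        validate(card)
        reasons = gate_failures(card)
        if reasons:
            eliminated[vendor] = reasons
        else:
            ranked.append((vendor, weighted_score(card)[0]))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return {"ranked": ranked, "eliminated": eliminated}


def card(*rows):
    """Build a scorecard from seven score lists given in CATEGORIES order."""
    return dict(zip(CATEGORIES, rows))


# Constructed scores for categories 2-7 (all criteria scored 4).
FOURS = ([4] * 6, [4] * 6, [4] * 6, [4] * 5, [4] * 5, [4] * 5)
VENDORS = {
    "Vendor A": card([4] * 7, [4, 3, 4, 3, 4, 3], [5, 4, 4, 4, 3, 4],
                     [3, 4, 3, 3, 4, 4], [4, 3, 4, 3, 4], [3, 3, 4, 3, 2],
                     [4, 4, 3, 4, 5]),
    "Vendor B": card([5, 5, 5, 2, 5, 5, 5], *FOURS),  # 32/35, audit trail = 2
    "Vendor C": card([3, 3, 2, 2, 3, 3, 3], *FOURS),  # 19/35
    "Vendor D": card([5, 5, 4, 5, 4, 5, 4], *FOURS),
}

if __name__ == "__main__":
    result = evaluate(VENDORS)
    for vendor, total in result["ranked"]:
        print(f"{vendor}: {total} / 100")
    for vendor, reasons in result["eliminated"].items():
        print(f"{vendor}: eliminated ({'; '.join(reasons)})")
```

In the sample data, Vendor B totals 32/35 in Category 1 and would clear the 21/35 threshold, but it is eliminated because its audit trail criterion scored 2. Checking individual criteria is therefore the stricter of the two gate rules.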
The Decision Process: From Scorecard to Signature
Scoring is necessary but not sufficient. Follow this five-step process to move from evaluation to decision.
Step 1: Define Requirements Before Seeing Demos
Write your User Requirement Specification (URS) before engaging vendors. Include:
- Business processes the system must support
- Regulatory requirements it must meet (Part 11, Annex 11, predicate rules)
- Integration requirements with existing systems
- Data migration requirements from current tools
- User roles and access control requirements
This prevents vendors from reframing your needs around their strengths.
Step 2: Gate on Compliance
Score all vendors on Category 1 first. Eliminate any vendor scoring below 21/35 (60%). Do not proceed to functionality evaluation for vendors that fail the compliance gate. This saves significant evaluation time and prevents the common trap of falling for a slick UI that cannot survive an audit.
Step 3: Conduct Structured Demos
Give each vendor the same scenario to demo. Use your real workflows, not theirs. Provide sample data in advance and ask them to configure a working demonstration. Score functionality based on what you see, not what they claim.
Step 4: Validate Claims with References
Contact at least two customer references per finalist vendor. Ask:
- What was the actual implementation timeline vs. what was promised?
- What was the true validation effort?
- Have you been through an FDA or EMA inspection with this system? What happened?
- What would you change about your vendor selection process knowing what you know now?
- What is the vendor's responsiveness when something breaks?
Step 5: Negotiate with Leverage
With scored evaluations in hand, you negotiate from data. Share (selectively) how vendors compare. Negotiate on implementation support, validation documentation inclusion, training, and SLA terms — not just license price. In pharma, the terms around validation support, data portability, and escrow provisions matter more than a 10% discount.
Vendor Assessment Questionnaire: 25 Questions to Send Before the Demo
Send this questionnaire to every vendor under consideration. Their response quality — and speed — is itself an evaluation data point.
Compliance and Regulatory
- Provide your 21 CFR Part 11 compliance matrix mapping each sub-section to your system's controls.
- Provide your EU Annex 11 compliance matrix.
- What is your system's GAMP 5 software category classification? Provide supporting documentation.
- Describe your Software Development Life Cycle (SDLC) and how it aligns with GxP requirements.
- Provide your most recent SOC 2 Type II report or equivalent third-party audit.
Data Integrity and Security
- Describe your audit trail implementation, including what events are captured and whether the trail is immutable.
- How are electronic signatures implemented? Do they meet Part 11 requirements for signature manifestation and linking?
- Describe your encryption standards for data at rest and in transit.
- Provide your data flow diagram showing where regulated data resides.
- What is your incident response procedure for data breaches?
Validation and Implementation
- What validation documentation do you provide to customers? List all documents included.
- What is your typical implementation timeline for an organization of our size?
- What professional services or consulting is required for implementation? At what cost?
- Describe your data migration methodology and how data integrity is maintained during migration.
- What does your onboarding and training program include?
Functionality
- Describe how your system handles [your primary use case] step by step.
- What regulatory authorities and submission types does your system support?
- Describe your API capabilities and available integrations.
- How does your system handle regulatory changes (new guidance, updated rules, changed specifications)?
- Provide documentation or a demo of your reporting and analytics capabilities.
Vendor Stability and Support
- How many pharma/biotech customers are currently using your system in production?
- What is your customer retention rate over the last three years?
- Describe your support model, including SLAs, escalation paths, and hours of availability.
- What is your product release cadence? How are upgrades validated and deployed?
- Describe your data portability provisions. What happens to customer data if the relationship ends?
Common Mistakes in Pharma Vendor Selection
1. Evaluating the demo instead of the documentation. A polished demo means the vendor has good sales engineers. It tells you nothing about audit readiness. Request the validation package, compliance matrices, and SOC reports before the second meeting.
2. Underweighting implementation and validation costs. The license is the visible cost. Validation consulting, data migration, integration development, and internal labor during implementation are the less visible costs.
3. Letting IT lead the evaluation alone. IT evaluates infrastructure and security. Quality evaluates compliance and validation. Regulatory evaluates functionality and workflow fit. All three perspectives are required. Form a cross-functional evaluation team with representatives from regulatory affairs, quality assurance, IT, and at minimum one end user.
4. Skipping the reference calls. Vendor-supplied references are pre-screened, but they still reveal useful information when asked the right questions. The question "have you been through an inspection with this system?" separates theoretical compliance from demonstrated compliance.
5. Choosing the incumbent by default. Established vendors may have strong regulatory track records, but their implementation models may not fit every organization. Evaluate incumbents against the same scorecard as newer entrants.
Adapting the Framework by Organization Type
Small Biotech (10-100 employees)
Increase weight on: Implementation speed (Category 4), TCO (Category 6), vendor-provided validation documentation.
Decrease weight on: Multi-site scalability, enterprise integration ecosystem.
Key consideration: You likely do not have a dedicated validation team. The vendor's ability to provide a turnkey validation package is often worth more than a marginal feature advantage.
Mid-Size Pharma
Increase weight on: Multi-authority support, integration capability, regulatory change tracking.
Decrease weight on: Pricing transparency (you have procurement leverage).
Key consideration: You have multiple submissions in flight across regions. The system must handle FDA, EMA, and potentially Health Canada or PMDA requirements without switching tools. Evaluate how the vendor handles simultaneous multi-region workflows and whether region-specific rule sets are included or licensed separately.
CROs and Regulatory Consultancies
Increase weight on: Multi-tenant or multi-client support, white-label reporting, user scalability.
Decrease weight on: Internal IT integration (your stack is simpler).
Key consideration: Your revenue scales with capacity. The right vendor multiplies consultant throughput without proportional headcount. Evaluate whether the system allows you to manage multiple client engagements simultaneously and whether report outputs can be branded for client delivery.
Enterprise Pharma (1,000+ employees)
Increase weight on: Enterprise security, multi-site deployment, integration ecosystem, vendor financial stability.
Decrease weight on: Implementation speed (you have dedicated project teams).
Key consideration: Your risk is selecting a system that becomes shelfware. Prioritize workflow alignment and change management support. Request a proof-of-concept deployment in a representative business unit before committing enterprise-wide.
Conclusion
Pharmaceutical vendor selection is a compliance decision disguised as a procurement decision. The framework above forces rigor into the process by anchoring every evaluation criterion to a regulatory requirement, an operational reality, or a financial consequence.
Start with the compliance gate. Eliminate vendors that cannot demonstrate Part 11 and Annex 11 readiness with documentation, not promises. Score the survivors across all seven categories using the weighted scorecard. Validate claims through structured reference calls. Calculate five-year TCO including the hidden costs of validation, implementation, and ongoing administration.
The vendors that score highest will usually share common traits: compliance built into their architecture rather than layered on top, validation documentation provided rather than outsourced to your team, and implementation models that respect the reality that your regulatory team still has day-to-day work to do.
Assemble your cross-functional evaluation team. Start scoring.
Apply the framework to every serious candidate the same way and require documentary evidence for every material claim.
This guide reflects regulatory requirements current as of January 2026, including FDA 21 CFR Part 11, EU Annex 11, GAMP 5 Second Edition (ISPE, 2022), and PIC/S PI 011-3 guidance on computerized systems. Verify all regulatory citations against current primary sources before use in qualification decisions.

