computer system validation using GAMP 5

8/10/2019 computer system validation using GAMP 5

1/47

Overview ofComputerized Systems Compliance

Using the GAMP 5 Guide

Jim John

ProPharma Group, Inc.

(816) [email protected]


2/47

Who Cares About CSV? Systems throughout the organization involved

in the development, production, storage and

distribution of pharmaceutical products ormedical devices have to be considered

Resources involved in any way with IT,

computer, or automated systems is affected:Developers

Maintainers

Users


3/47

Purpose of This Presentation

To discuss and clarify key topics

Get to know the evolution of the GAMP

Methodology to the latest release

Consider where GAMP 5 concepts canimprove your existing methodology


4/47

GAMP Objectives

GAMP guidance aims to achievecomputerized systems that are fit for

intended use and meet current regulatory

requirements, by building upon existingindustry good practice in an efficient and

effective manner.

4


5/47

Guidance

It is not a prescriptive method or a standard,

but..

Pragmatic guidanceApproaches

Tools for the practitioner

Applied with expertise and good judgement

5


6/47

Evolution of GAMP Guidance

54321Calibration Legacy Systems

Laboratory VPCS

ERES Testing

Data Archiving Global

Information SystemsIT Infrastructure


7/47

Drivers


8/47

Other Drivers

Avoid duplication

Leverage suppliers

Scale activities

Reflect today

Configurable packagesDevelopment models

8


9/47

Key Objectives

9

patient safety

product quality

data integrity


10/47

10

GAMP

Document

Structure


11/47

Main Body Overview

Key Concepts

Life Cycle

Quality Risk Management

Regulated Company Activities

Supplier Activities Efficiency Improvements

11


12/47

5 Key Concepts

Life Cycle Approach Within a QMS

Scaleable Life Cycle Activities

Process and Product Understanding

Science-Based Quality Risk Management

Leveraging Supplier Involvement

12


13/47

User and Supplier Life Cycles


14/47

Product and Process Understanding

Basis of science- and risk-based decisions Focus on critical aspects

Identify

Specify

Verify

CQAs / CPPs

14


15/47

Life Cycle Approach Within a QMS

Suitable Life CycleIntrinsic to QMS

Continuous improvement

15


16/47

Specify

Plan

Verify

Configure

& Code

Report

RiskManagem

ent

A Basic Framework For Achieving Compliance

and Fitness For Intended Use

Figure xx:Figure 3.3: A General Approach for Achieving Compliance and Fitness for Intended Use

Source Figure 3.3, GAMP 5 A Risk Based Approach to Compliance GxP Computerized Systems Copyright ISPE 2008. All rights reserved.

GAMP V Model Transition

VerifiesUser Requirement

Specification

Functional

Specification

Design

Specification

System

Build

Installation

Qualification

Operational

Qualification

Performance

Qualification

Verifies

Verifies


17/47

Scaleable Life Cycle Activities

Risk

Complexity and Novelty

Supplier

17


18/47

Science Based Quality RiskManagement

Focus on patient safety,

product quality,

and data integrity

18

Assessment Control

Communication

Review

Based on

ICH Q9


19/47

Leveraging Supplier Involvement

Assess:Suitability

Accuracy

Completeness

Flexibility:Format

Structure

Requirementsgathering

Risk assessments

Functional / otherspecifications

Configuration

Testing Support and

maintenance 19


20/47

Life Cycle Phases


21/47

Compatibility with Other Standards

ASTM E2500 Standard Guide for

Specification, Design, and Verification of

Pharmaceutical and BiopharmaceuticalManufacturing Systems and Equipment

21


22/47

GAMP 5

Ongoing

Operations

GAMP 5

Reporting

and

Release

GAMP 5

Verification

GAMP 5

Specification

Configuration

Coding

GAMP 5

Planning

GAMP5 and ASTM E2500

Good Engineering Practice

Risk Management

Design Review

Change Management

Requirements Specification

and Design

Verification Acceptance

and

ReleaseOperations &

Continuous

Improvement

Product

Knowledge

Process

Knowledge

Regulatory

Requirements

Company

Quality Regs.

The Specification, Design, and Verification Process Diagram from ASTM E2500


23/47

Governance

Policies and procedures

Roles and responsibilities Training

Supplier relationships

System inventory

Planning for compliance & validation

Continuous improvement

23


24/47

Stages Within the Project Phase

Planning

Specification, configuration, and

coding Verification

Reporting and release

24


25/47


26/47

Planning

Activities

Responsibilities

Procedures

Timelines

26

See Appendix M1


27/47

Specification, Configuration, &

Coding

Specifications allow

Development

Verification

Maintenance Number and level of

detail varies

Defined process

27


28/47

Verification

Testing Reviews

Identify defects!

28


29/47

Supporting Processes

Risk Management

Change and Configuration Management

Design Review

Traceability

Document Management

29


30/47

Design Review

Planned Systematic

Identify Defects

Corrective Action

Scaleable

Rigor/Extent

Documentation

30See also Appendix M5


31/47

Traceability

Requirements

Specification

Design

Verification

Configure/Code


32/47

GAMP 5 CategoriesCategory GAMP 4 GAMP 5

1 Operating system Infrastructure software

2 Firmware No longer used

3 Standard software packages Non-configured products

4

Configurable software

packagesConfigured products

5 Custom (bespoke) software Custom applications

Con

tinuum


33/47

GAMP 5

Quality Risk Management

33


34/47

Critical Processes are Those Which: Generate, manipulate, or control data supporting

regulatory safety and efficacy submissions

Control critical parameters in preclinical, clinical,development, and manufacturing

Control or provide information for product release

Control information required in case of product recall Control adverse event or complaint recording or

reporting

Support pharmacovigilance (investigation of Adverserisks)

34


35/47

Definitions

Harm Damage to health, including the

damage that can occur from lossof product quality or availability.

Hazard The potential source of harm.

Risk The combination of theprobability of occurrence of harmand the severity of that harm.

Severity A measure of the possibleconsequences of a hazard.

35


36/47

Step 1 Initial Risk Assessment

Based on business processes, user requirements, regulatory

requirements and known functional areas

36Dont repeat unnecessarily!

Inputs Outputs

GxP or non-GxP

Major Risks

Considered

Overall Risk

User Requirements

GxP Regulations

Previous Assessments


37/47

Step 2 Identify Functions with GxP Impact

Functions with impact on patient safety, product quality, and

data integrity

37

Specifications

System Architecture

Categorization of

Components

Inputs Outputs

List of Functions to

be further evaluated


38/47

Step 3 Perform Functional Risk Assessments

& Identify Controls

Functions from Step 2SME Experience

Scenarios

Possible Hazards

38

Breakdown of Risks

to Low, Medium andHigh.

Detailed

Assessments andMitigation for High

Inputs Outputs


39/47

Functional Risk Assessment

Identify

Hazards and risk scenarios

Severity impact on safety quality or

other harm

ProbabilityDetectability

39


40/47

GAMP Risk Assessment Tool

40

Probability

S

everity

Low

Medium

High

Low

Medium

High

Class 3

Class 2

Class 1

A simple two-step process:

Plot Severity vs. Probability to obtain Risk Class


41/47

GAMP Risk Assessment Tool

41

Priority 1

Priority 3

Priority 2

3

2

1

High

Medium

Low

R

iskClass

Detectability

Plot Risk Class vs. Detectability to obtain Risk Priority


42/47

Step 3 (continued) Controlling the Risk

42

Mitigation Strategies

Change the process Change the design

Add new features

Apply external

procedures

Scenarios with

High Risk from

Functional

Analysis

Inputs Outputs


43/47

Step 4 Implement & Verify Appropriate

Controls

Verification activity

should demonstrate

that the controls are

effective in performing

the required riskreduction.

43


44/47

Step 5 Review Risks Monitor Controls

Establish Periodic Reviewof Control Effectiveness

Apply Risk Process in

Change ManagementActivities

44

Frequency andextent of any

periodic reviewshould be based onthe level of risk


45/47

Risk-Based Decisions

What do they impact ?

Number and depth of design reviews

Need for, and extent of, source code review

Rigor of supplier evaluation

Depth and rigor of functional testing

45


46/47

Operation Appendices O1 Handover

O2 Establishing & Managing

Support Services

O3 Performance Monitoring

O4 Incident Management

O5 Corrective andPreventive Action (CAPA)

Performance Monitoring

O6 Operational Change &Configuration Management

O7 Repair Activity

O8 Periodic Review O9 Backup and Restore

O10 Business Continuity

Management

O11 Security Management

O12 System Administration

O13 Archiving and Retrieval

46


47/47

Summary

GAMP 5 provides more flexibility in the

number and types of validation lifecycle

products used. Application of Risk and use of SME

Knowledge are keys to success

47

Documents

computer system validation using GAMP 5