Overview of Computerized Systems Compliance

Using the GAMP® 5 Guide

Jim JohnProPharma Group, Inc.(816) 682-2642jim.john@propharmagroup.com

Who Cares About CSV?• Systems throughout the organization involved

in the development, production, storage and distribution of pharmaceutical products or medical devices have to be considered

• Resources involved in any way with IT, computer, or automated systems is affected:– Developers– Maintainers– Users

Purpose of This Presentation

• To discuss and clarify key topics• Get to know the evolution of the GAMP

Methodology to the latest release• Consider where GAMP 5 concepts can

improve your existing methodology

GAMP Objectives

GAMP® guidance aims to achieve computerized systems that are fit for intended use and meet current regulatory requirements, by building upon existing industry good practice in an efficient and effective manner.

4

Guidance• It is not a prescriptive method or a standard,

but..– Pragmatic guidance– Approaches– Tools for the practitioner

• Applied with expertise and good judgement

5

Evolution of GAMP Guidance

54321Calibration Legacy SystemsLaboratory VPCSERES TestingData Archiving Global Information SystemsIT Infrastructure

Drivers

Other Drivers• Avoid duplication• Leverage suppliers• Scale activities• Reflect today

– Configurable packages– Development models

8

Key Objectives

9

patient safety product quality

data integrity

10

GAMPDocumentStructure

Main Body Overview• Key Concepts• Life Cycle• Quality Risk Management• Regulated Company Activities• Supplier Activities• Efficiency Improvements

11

5 Key Concepts

• Life Cycle Approach Within a QMS• Scaleable Life Cycle Activities• Process and Product Understanding• Science-Based Quality Risk Management• Leveraging Supplier Involvement

12

User and Supplier Life Cycles

Product and Process Understanding

• Basis of science- and risk-based decisions• Focus on critical aspects

– Identify– Specify– Verify

• CQAs / CPPs

14

Life Cycle Approach Within a QMS

• Suitable Life Cycle–Intrinsic to QMS

• Continuous improvement

15

Specify

Plan

Verify

Configure& Code

Report

Risk M

anag

emen

t

A Basic Framework For Achieving Compliance and Fitness For Intended Use

Figure xx:Figure 3.3: A General Approach for Achieving Compliance and Fitness for Intended Use

Source Figure 3.3, GAMP 5 A Risk Based Approach to Compliance GxP Computerized Systems © Copyright ISPE 2008. All rights reserved.

GAMP V Model Transition

VerifiesUser Requirement Specification

Functional Specification

DesignSpecification

System Build

InstallationQualification

OperationalQualification

Performance Qualification

Verifies

Verifies

Scaleable Life Cycle Activities

• Risk• Complexity and Novelty• Supplier

17

Science Based Quality Risk Management

Focus on patient safety, product quality, and data integrity…

18

AssessmentControl

CommunicationReview

Based on ICH Q9

Leveraging Supplier Involvement

• Assess: – Suitability– Accuracy– Completeness

• Flexibility:– Format– Structure

• Requirements gathering

• Risk assessments• Functional / other

specifications• Configuration• Testing• Support and

maintenance 19

Life Cycle Phases

Compatibility with Other Standards

ASTM E2500 Standard Guide for Specification, Design, and Verification of Pharmaceutical and Biopharmaceutical Manufacturing Systems and Equipment

21

GAMP 5Ongoing

Operations

GAMP 5Reporting

and

Release

GAMP 5Verification

GAMP 5Specification

Configuration

Coding

GAMP 5

Planning

GAMP5 and ASTM E2500Good Engineering Practice

Risk Management

Design Review

Change Management

Requirements Specificationand Design

Verification AcceptanceandRelease

Operations &Continuous Improvement

ProductKnowledge

ProcessKnowledge

RegulatoryRequirements

Company Quality Regs.

The Specification, Design, and Verification Process – Diagram from ASTM E2500

Governance

• Policies and procedures• Roles and responsibilities• Training• Supplier relationships• System inventory• Planning for compliance & validation• Continuous improvement

23

Stages Within the Project Phase

• Planning• Specification, configuration, and

coding• Verification• Reporting and release

24

Planning

• Activities• Responsibilities• Procedures• Timelines

26

See Appendix M1

Specification, Configuration, & Coding

• Specifications allow– Development– Verification– Maintenance

• Number and level of detail varies

• Defined process

27

Verification

• Testing• Reviews• Identify defects!

28

Supporting Processes

• Risk Management• Change and Configuration Management• Design Review• Traceability• Document Management

29

Design Review

• Planned• Systematic• Identify Defects• Corrective Action• Scaleable

– Rigor/Extent– Documentation

30See also Appendix M5

Traceability

Requirements

Specification

Design

Verification

Configure/Code

GAMP 5 CategoriesCategory GAMP 4 GAMP 5

1 Operating system Infrastructure software

2 Firmware No longer used

3 Standard software packages Non-configured products

4 Configurable software packages Configured products

5 Custom (bespoke) software Custom applications

Cont

inuu

m

GAMP 5Quality Risk Management

33

Critical Processes are Those Which:• Generate, manipulate, or control data supporting

regulatory safety and efficacy submissions• Control critical parameters in preclinical, clinical,

development, and manufacturing• Control or provide information for product release• Control information required in case of product recall• Control adverse event or complaint recording or

reporting• Support pharmacovigilance (investigation of Adverse

risks)

34

Definitions

• Harm Damage to health, including the damage that can occur from loss of product quality or availability.

• Hazard The potential source of harm.• Risk The combination of the

probability of occurrence of harm and the severity of that harm.

• Severity A measure of the possible consequences of a hazard.

35

Step 1 – Initial Risk Assessment

• Based on business processes, user requirements, regulatory requirements and known functional areas

36Don’t repeat unnecessarily!

Inputs Outputs

GxP or non-GxP

Major Risks Considered

Overall Risk

User Requirements

GxP Regulations

Previous Assessments

Step 2 – Identify Functions with GxP Impact

• Functions with impact on patient safety, product quality, and data integrity

37

Specifications

System Architecture

Categorization of Components

Inputs Outputs

List of Functions to be further evaluated

Step 3 – Perform Functional Risk Assessments & Identify Controls

Functions from Step 2

SME Experience

Scenarios

Possible Hazards

38

Breakdown of Risks to Low, Medium and High.

Detailed Assessments and Mitigation for High

Inputs Outputs

Functional Risk Assessment

• Identify– Hazards and risk scenarios– Severity – impact on safety quality or

other harm– Probability– Detectability

39

GAMP Risk Assessment Tool

40

Probability

Seve

rity

Low

Medium

High

Low

Med

ium

Hig

h

Class 3

Class 2

Class 1

A simple two-step process:

Plot Severity vs. Probability to obtain Risk Class

GAMP Risk Assessment Tool

41

Priority 1

Priority 3

Priority 2

3

2

1

Hig

h

Med

ium

Low

Ris

k C

lassDetectability

Plot Risk Class vs. Detectability to obtain Risk Priority

Step 3 (continued) Controlling the Risk

42

Mitigation Strategies

• Change the process• Change the design• Add new features• Apply external

procedures

Scenarios with High Risk from Functional Analysis

Inputs Outputs

Step 4 – Implement & Verify AppropriateControls

• Verification activity should demonstrate that the controls are effective in performing the required risk reduction.

43

Step 5 – Review Risks Monitor Controls

Establish Periodic Review of Control Effectiveness

Apply Risk Process in Change Management Activities

44

Frequency and extent of any periodic review should be based on the level of risk

Risk-Based Decisions What do they impact ?

• Number and depth of design reviews • Need for, and extent of, source code review• Rigor of supplier evaluation• Depth and rigor of functional testing

45

Operation Appendices• O1 – Handover• O2 – Establishing & Managing

Support Services• O3 – Performance Monitoring• O4 – Incident Management• O5 – Corrective and

Preventive Action (CAPA)• Performance Monitoring• O6 – Operational Change &

Configuration Management

• O7 – Repair Activity• O8 – Periodic Review• O9 – Backup and Restore• O10 – Business Continuity

Management• O11 – Security Management• O12 – System Administration• O13 – Archiving and Retrieval

46

Summary

• GAMP 5 provides more flexibility in the number and types of validation lifecycle products used.

• Application of Risk and use of SME Knowledge are keys to success

47