summary of ispe gamp

7/23/2019 Summary of ISPE GAMP

1/18

GAMP 5

-

Computerized SystemsStephen Shields8 October 2013

range ect on eet ng art


2/18

Disclaimer

This presentation is made at the request of ASQ.

The presenter is a full-time employee and stockholder of Allergan, Inc.

are those of the presenter and are not the position of and may not be

attributed to Allergan, Inc.


3/18

Agenda

Operation Phase Hanover

Incident Management and CAPA

Change Management

Periodic Review

Continuity Management

Security and System Administration

Record Management

Retirement Phase Withdrawal

Decommissioning

Disposition


4/18

Operation Phase

The approach and required activities should be selected and scaled

according to the nature, risk, and complexity of the system in question.

The regulated company should ensure that appropriate operational

processes, proce ures, an p ans ave een mp emente , an are

supported by appropriate training.

Compliance and fitness for intended use must be maintained throughout the.

The integrity of the system and its data should be maintained at all times

and verified as part of periodic review.

O ortunities for rocess and s stem im rovements should be sou ht

based on periodic review and evaluation, operational and performance data,

and root-cause analysis of failures (Incident Management and CAPA).

Change management should provide a dependable mechanism for prompt

implementation of technically sound improvements following the approach

to specification, design, and verification.


5/18

Operation Phase Information Flows


6/18

Operation Phase - Processes

Process Group Process

Handover Handover Process

Service Management and Performance Establishing and Managing Support Services

Monitoring Performance Monitoring

Incident Management and CAPA Incident Management

CAPA

Change Management Change Management

Repair Activity

Audits and Review Periodic Review

Internal Quality Audits

Continuit Mana ement Backu and Restore

Business Continuity PlanningDisaster Recovery Planning

Security and System Administration Security Management

Systems Administration

Records Management Retention

Archive and Retrieval

Training Training Management


7/18

Handover

Handover is the process for transfer of responsibility of a

computerized system from a project team or a service group to a

new service group.

Typical conditions for handover to business

Fit for Intended Use

Compliant

Trained Users

Operation Security & Roles Established

SOPs Effective (operational & support)

Unique Configuration Elements Established

Issues Closed/Resolved

Rollback Strategy


8/18

Handover Process


9/18

Service Management & Performance Monitoring

Maintaining a system in a state of compliance is often

outside the direct control of the system owner.

A Service Level Agreement (SLA) establishes responsibilities between the IT ServiceProvider and the Customer.

A Operating Level Agreement (OLA) defines the goods or Services to be provided to the IT

Service Provider by another part of the same Organization and the responsibilities of both

parties

An Underpinning Contract (UC) defines targets and responsibilities of a Third Party to meet

agree erv ce eve argets n an .

Where appropriate, performance of the system should

be monitored to capture problems in a timely manner. It

also may be possible to anticipate failure through the use

of monitoring tools and techniques.


10/18

Support Services Process


11/18

Incident Management and CAPA

Incident Managementprocess should address:

CAPA process shouldaddress:

Triage to the most appropriate

resource or complimentary

process

,

and correcting discrepancies

based on root-cause analysis

Preventing recurrence of

Document

Review

Prioritization

discrepancies

Preventing occurrences of a

possible/predicted

Progress towards resolution

Escalation

Closure

screpanc es Effectiveness


12/18

Change Management

Critical activity fundamental to maintaining the compliantstatus of systems and processes

, , ,

infrastructure, or use of the system

Reviewed to assess impact and risk of implementing the change

before implementation, and subsequently closed

Scaled based on the nature, risk, and complexity of the change

Continuous process and system improvements based on periodic

review and evaluation, operational and performance data, and root-cause analysis of failures.

Emergency changes performed change management process or repair

s


13/18

Periodic Review

Verify system remain compliant with regulatoryrequirements, fit for intended use, and meet company

. Interval appropriate to the impact and operation history of the system

Pre-defined process


14/18

Continuity Management

Backup and Restoration software, records, and data are made, maintained, and retained for adefined period within safe and secure areas

Restore procedures should be established, tested, and the results of

that testing documented

Business Continuit Plannin Plans established and exercised to ensure the timely and effective

resumption of these critical business processes and systems

Details the precautions taken to minimize the effects of a disaster,

allowing the organization to either maintain or quickly resume critical

functions focus on disaster revention .


15/18

Security and System Administration

Adequately protected against willful or accidental loss,damage, or unauthorized change

,

removing privileges for authorized users, malware management,

password management, and physical security measures

Role-based security

Apply to all users, including administrators, super-users, users, and

support staff (including supplier support staff)

Procedures for administrative support for systems


16/18

Record Management

Records must be maintained and accessible throughouttheir retention period

Establish policies for retention of regulated records

Retain data on-line or archive

Establish procedures for archival and retrieval


17/18

Retirement Phase

Systematic process of permanently removing a systemfrom use

, , ,

of required data

Withdraw the system from active operations, i.e., users are deactivated,

interfaces disabled. No data should be added to the system from this

point forward. Special access should be retained for data reporting,

results analysis and support.

Decommission the system

Determine disposition of data, documentation, software, and hardware(permanently destroyed, re-tasked, archived, migrated).


18/18

Questions?

Stephen Shields rec or

Computerized System Compliance and Quality

ergan, [email protected]

714-246-5320

summary of ispe gamp

Documents