Overview of

Computerized Systems Compliance

Using the GAMP 5 Guide
Jim John
ProPharma Group, Inc.
(816) 682-2642
jim.john@propharmagroup.com

Who Cares About CSV?

Systems throughout the organization involved
in the development, production, storage and
distribution of pharmaceutical products or
medical devices have to be considered
Resources involved in any way with IT,
computer, or automated systems is affected:
Developers
Maintainers
Users

Purpose of This Presentation

To discuss and clarify key topics
Get to know the evolution of the GAMP
Methodology to the latest release
Consider where GAMP 5 concepts can
improve your existing methodology

GAMP Objectives
GAMP guidance aims to achieve
computerized systems that are fit for
intended use and meet current regulatory
requirements, by building upon existing
industry good practice in an efficient and
effective manner.

Guidance
It is not a prescriptive method or a standard,
but..
Pragmatic guidance
Approaches
Tools for the practitioner

Applied with expertise and good judgement

Evolution of GAMP Guidance

Calibration
Legacy Systems
Laboratory
VPCS
ERES
Testing
Data Archiving Global
Information Systems
IT Infrastructure

Drivers

Other Drivers

Avoid duplication
Leverage suppliers
Scale activities
Reflect today
Configurable packages
Development models
8

Key Objectives

patient safety
product quality
data integrity
9

GAMP
Document
Structure

10

Main Body Overview

Key Concepts
Life Cycle
Quality Risk Management
Regulated Company Activities
Supplier Activities
Efficiency Improvements
11

5 Key Concepts

Life Cycle Approach Within a QMS

Scaleable Life Cycle Activities
Process and Product Understanding
Science-Based Quality Risk Management
Leveraging Supplier Involvement

12

User and Supplier Life Cycles

Product and Process Understanding

Basis of science- and risk-based decisions
Focus on critical aspects
Identify
Specify
Verify

CQAs / CPPs

14

Life Cycle Approach Within a QMS

Suitable Life Cycle
Intrinsic to QMS
Continuous improvement

15

GAMP V Model Transition

Verifies

User Requirement
Specification

Performance
Qualification
Report

Functional
Specification

Specify
Design

Specification

RiskManagement

Plan

Verifies

Verifies

Operational
Qualification

Verify
Installation
Qualification

Configure
& Code

System
Build

Figure
3.3: A General Approach for Achieving Compliance and Fitness for Intended Use
Figure xx: A Basic Framework For Achieving Compliance
and Fitness For Intended Use
Source Figure 3.3, GAMP 5 A Risk Based Approach to Compliance GxP Computerized Systems Copyright ISPE 2008. All rights reserved.

Scaleable Life Cycle Activities

Risk
Complexity and Novelty
Supplier

17

Science Based Quality Risk

Management
Assessment

Control

Communication
Focus on patient safety,
product quality,
and data integrity

Review
Based on
ICH Q9
18

Leveraging Supplier Involvement

Requirements
gathering
Risk assessments
Functional / other
specifications
Configuration
Testing
Support and
maintenance

Assess:
Suitability
Accuracy
Completeness

Flexibility:
Format
Structure
19

Life Cycle Phases

Compatibility with Other Standards

ASTM E2500 Standard Guide for
Specification, Design, and Verification of
Pharmaceutical and Biopharmaceutical
Manufacturing Systems and Equipment

21

GAMP5 and ASTM E2500

Good Engineering Practice
Product
Knowledge

Requirements

Process
Knowledge
Regulatory
Requirements
Company
Quality Regs.

Specification
and Design

Verification

Acceptance
and
Release

Operations &
Continuous
Improvement

GAMP 5

GAMP 5

GAMP 5

GAMP 5 GAMP 5

Planning

Specification

Verification

Reporting

Ongoing

Configuration

and

Operations

Coding

Release

Risk Management
Design Review

Change Management

The Specification, Design, and Verification Process Diagram from ASTM E2500

Governance

Policies and procedures

Roles and responsibilities
Training
Supplier relationships
System inventory
Planning for compliance & validation
Continuous improvement

23

Stages Within the Project Phase

Planning
Specification, configuration, and
coding
Verification
Reporting and release

24

Planning

Activities
Responsibilities
Procedures
Timelines
See Appendix M1

26

Specification, Configuration, &

Coding
Specifications allow
Development
Verification
Maintenance

Number and level of

detail varies
Defined process

27

Verification
Testing
Reviews
Identify defects!

28

Supporting Processes

Risk Management
Change and Configuration Management
Design Review
Traceability
Document Management

29

Design Review

Planned
Systematic
Identify Defects
Corrective Action
Scaleable
Rigor/Extent
Documentation

See also Appendix M5

30

Traceability
Requirements
Specification
Verification
Design
Configure/Code

GAMP 5 Categories

Continuum

Category

GAMP 4

GAMP 5

Operating system

Infrastructure software

Firmware

No longer used

Standard software packages

Non-configured products

Configurable software
packages

Configured products

Custom (bespoke) software

Custom applications

GAMP 5
Quality Risk Management

33

Critical Processes are Those Which:

Generate, manipulate, or control data supporting
regulatory safety and efficacy submissions
Control critical parameters in preclinical, clinical,
development, and manufacturing
Control or provide information for product release
Control information required in case of product recall
Control adverse event or complaint recording or
reporting
Support pharmacovigilance (investigation of Adverse
risks)

34

Definitions
Harm

Hazard
Risk

Severity

Damage to health, including the

damage that can occur from loss
of product quality or availability.
The potential source of harm.
The combination of the
probability of occurrence of harm
and the severity of that harm.
A measure of the possible
consequences of a hazard.

35

Step 1 Initial Risk Assessment

Based on business processes, user requirements, regulatory
requirements and known functional areas
Inputs

Outputs

User Requirements

GxP or non-GxP

GxP Regulations

Major Risks
Considered

Previous Assessments
Dont repeat unnecessarily!

Overall Risk
36

Step 2 Identify Functions with GxP Impact

Functions with impact on patient safety, product quality, and
data integrity

Inputs
Specifications
System Architecture

Outputs
List of Functions to
be further evaluated

Categorization of
Components
37

Step 3 Perform Functional Risk Assessments

& Identify Controls

Inputs
Functions from Step 2
SME Experience
Scenarios
Possible Hazards

Outputs
Breakdown of Risks
to Low, Medium and
High.
Detailed
Assessments and
Mitigation for High
38

Functional Risk Assessment

Identify
Hazards and risk scenarios
Severity impact on safety quality or
other harm
Probability
Detectability
39

GAMP Risk Assessment Tool

A simple two-step process:
Plot Severity vs. Probability to obtain Risk Class

High

Medium

Low

Probability

Severity

Class 1

High
Class 2

Medium
Low

Class 3

40

GAMP Risk Assessment Tool

Plot Risk Class vs. Detectability to obtain Risk Priority

Risk Class

Low

Medium

High

Detectability

Priority 1

1
Priority 2

2
3

Priority 3

41

Step 3 (continued) Controlling the Risk

Inputs

Outputs
Mitigation Strategies

Scenarios with
High Risk from
Functional
Analysis

Change the process

Change the design
Add new features
Apply external
procedures
42

Step 4 Implement & Verify Appropriate

Controls
Verification activity
should demonstrate
that the controls are
effective in performing
the required risk
reduction.

43

Step 5 Review Risks Monitor Controls

Establish Periodic Review

of Control Effectiveness
Apply Risk Process in
Change Management
Activities

Frequency and
extent of any
periodic review
should be based on
the level of risk

44

Risk-Based Decisions
What do they impact ?

Number and depth of design reviews

Need for, and extent of, source code review
Rigor of supplier evaluation
Depth and rigor of functional testing

45

Operation Appendices
O1 Handover
O2 Establishing & Managing
Support Services
O3 Performance Monitoring
O4 Incident Management
O5 Corrective and
Preventive Action (CAPA)
Performance Monitoring
O6 Operational Change &
Configuration Management

O7 Repair Activity
O8 Periodic Review
O9 Backup and Restore
O10 Business Continuity
Management
O11 Security Management
O12 System Administration
O13 Archiving and Retrieval

46

Summary
GAMP 5 provides more flexibility in the
number and types of validation lifecycle
products used.
Application of Risk and use of SME
Knowledge are keys to success

47