Professional Documents
Culture Documents
GAMP 5 Overview
Paul Fenton
January 2013
/ Overview
– Introduction to GAMP5
– Differences between GAMP4 and GAMP5
– How to use GAMP5 effectively
– What the regulations say
– High level overview of the key concepts of GAMP5
• Quality Management
• V Model
• Lifecycle Phases
• System Categories
• Documentation
• Required Procedures
• Supplier Management
/ Introduction to GAMP5
• GAMP 5 - A Risk-Based Approach to Compliant GxP
Computerized Systems
– Is a framework for developing, qualifying,
validating and maintaining systems used in GxP
– Is produced by ISPE
– Is widely used within the pharmaceutical
industry
– Is understood by inspectors
– Is not a regulatory requirement but rather a
pragmatic guidance
/ Introduction to GAMP5
• GAMP provides practical guidance that:
– facilitates the interpretation of regulatory
requirements
– establishes a common language and
terminology
– promotes a system life cycle approach based on
good practice
– clarifies roles and responsibility
– Focuses on patient safety, product quality and
data integrity
/ Introduction to GAMP5
• Aims to be compatible with other methods, models
and schemes including:
– Quality systems (IEEE, ISO 9000 Series)
– Organization Capability and Maturity (CMMI)
– Software processing models (ISO 12207)
– Software development models (RAD, Agile, RUP,
XP)
– IT Service Models (ITIL)
• Is composed of a main body and multiple appendix
with practical resources
/ Introduction to GAMP5
/ GAMP Drivers
Focus on Patient
Safety,
Life Cycle Product Quality, Effective
Approach and Data Integrity Governance to
within QMS Achieve and
Maintain GxP
Compliance
Scalable
Approach to GxP
Compliance GAMP 5 Continuous
Improvement
Effective within QMS
Supplier Improving GxP
Quality by
Relationships Compliance
Design (QbD) Critical Quality
Efficiency
Configurable Use of Existing Attributes (CQA)
Systems Documentation Science Based
and Development and Knowledge Quality Mgt
Models of Risks
Principle Requirements
• We need to have formal system documentation
which is maintained under change control
• We need to validate systems to ensure that they
are fit for thier intended use
• We need to apply a risk based approach based on
patient safety, product quality and data integrity
• We need to have adequate change and
configuration management procedures
Maintain and
Develop
Supplier (of Products and
Deliver Products Support
computerized and Services Products and
Services
Services
systems and
services)
/ Quality Management
• A well designed system lifecycle should:
– be an intrinsic part of the company’s quality system
– Allows for continuous system and process
improvements based on:
• Periodic review
• Operational and performance data
• Root cause analysis of failures
– Ensure assurance of quality and fitness for intended use
– Ensure regulatory compliance
– Facilitates a QbD approach
/ Lifecycle Approach
Good Engineering Practice
Product
Knowledge
Process
Operation and
Knowledge Specification Acceptance
Requirements Verification Continuous
and Design and Release Improvement
Regulatory
Requirements
Company
Quality Reqs
Risk Management
Design Review
Change Management
/ V Model
15
/
/ System Description
• High level document which describes the hardware
and software components of the system
• EU GMP Annex 11, Clause 4, requires that there is
an up to date description of every GxP regulated
computerized system
• It should also describe:
– Principles
– Objectives
– Scope of the system
– Security features
– Main functions
/ System Description
/ Functional Specifications
• Document which describes ‘How’ the system should meet
the user requirements
• Establish a formal standard for functional specifications
• Define a high level overview of the different
components/functions and thier relationships
• Identify the different functions and describe:
– The process
– The inputs
– The process
– Critical calculations or algorithms
– The outputs
– Error handling
/ Functional Specifications
• Use screen mockups to help define user interface
specifications
• Establish performance and scaleability requirements
• Identify each function with a unique identifier
• Use process diagrams wherever possible
• Establish clear links to user requirements thorough the use
of the traceability matrix
• Use consistent naming conventions
• Formal testing is done on FS, so ensure that it is measurable
and link to tests in the traceability matrix
• Ensure the programmer understands the FS
• Identify when design review needs to occur
/ Functional Specifications
/ Configuration Specification
/ Design Specifications
• Technical document which describes how the system is to
be developped
• Should allow the reconstruction of the system
• Should describe all classes and reference functions in the FS
• Establish a class design model
• Class descriptions should include:
– All inputs, outputs and parameters
– System flow diagrams
– Technical description of algorithms
– Error handling and checking
– Data mapping
– Display screens and Reports (format, when generated,
which data)
/ Design Specifications
• Database design should include:
– Physical and logical database diagram with all
relevant keys, indexes and releationships
– Data dictionary with table name, field name,
data type, size and required Y/N
– Description of all stored procedures, views and
triggers
• Identify when Design reivew is required
• If using an iterative or agile approach, identify
whether several DS will be developed or a
cumulative document will be produced
/ Coding
• All code should be versioned using a source code
management system i.e. SourceSafe, SVN etc.
• Code should be properly documented through the use of
cartouches and in-code comments
• Formal coding conventions should be used to define how
code is structured and code elements are identified
• Formal, documented and independant code review should
be undertaken for each version/iteration of code
• Source file names should be referenced in the DS
• Released code should fall under change control
/ Test Plan
/ Test strategy
Test Protocol /
Test Results
Specification
/ Installation Testing
/ Configuration Testing
/ Functional Testing
• Also known as Operational Qualification (OQ)
• Usually governed by its own protocol
• Positive and negative functional tests on each system
module
• Documented using test scripts with predefined test cases
and data
• Expected results and actual results should be defined
• Scope of testing is defined following the risk assessment
• Can also be executed as part of system testing before
release to client
• Usually executed in clients environment
/ Requirements Testing
• Also known as Perfromance Qualification (PQ) or User
Acceptance Testing (UAT)
• Aims to verify that the system meets the user requirements
and that the system is fit for its intended use
• Usually positive testing of end to end business process in
the system
• Expected and actual results should be defined / captured
• Scope of testing is defined following the risk assessment
• Usually executed in clients environment and could be
executed by the client
/ System Categories
/ Traceability - Characteristics
/ Traceability - Example
URS FS DS UT/IT IV FV OV
UR4.10 FS5.6. DS3.4 UT10.1 n/a FV3 Steps 1-10 OV5 Steps 5-7
IT5, IT6 OV6 All Steps
UR4.11 FS5.6. DS3.4. UT10.2 IV1 FV3 Steps 11-15 OV5 Steps 8-15
FS5.7. IT6 FV4 Steps 1-5
UR4.12 FS5.8. DS3.5. UT10.3 IV1 FV4 Steps 6-18 OV7 All Steps
IT6
UR5.1. FS5.1. DS5.1. UT5.1 IV1 FV5.1. All Steps OV5 All Steps
IT5
/ Traceability - Benefits
/ Required Procedures
/ Supplier Management
/ Determining risk
• Determining the risks posed by a computerized system
requires a common and shared understanding of:
– impact of the computerized system on patient safety,
product quality, and data integrity
– supported business processes
– user requirements
– regulatory requirements
– project approach (contracts, methods, timelines)
– system components and architecture
– system functions
• Risks need to be determined by the SMEs that have the
knowledge to undertand the above
/ Risk Management
70
m m
u h w u
i h
w i g g
o d i o d i
L e H L e H
M M
74
/ Conclusion