COMPUTERISED SYSTEM

1.0 GxP Impact Assessment

The following checklist shall be used to determine if system is subject to GxP regulation.
Sr.No. Questionnaires Answers
Does the system control, record, change, monitor, track, store, transmit or
1 Yes / No
make decisions about data related to products, process or components?
Is this system used to automate manufacturing / packaging / laboratory
2 Yes / No
/QMS process?
3 Does this system used to provide training to employee? Yes / No
Is this system used to monitor, control or supervise environment? (E.g.
4 Yes / No
Temperature, humidity etc.)
Is this system used for physical access to manufacturing, laboratory or
5 Yes / No
documentation archives?
Is the system used to maintain purchasing, inventory or distribution data for
6 Yes / No
the company’s products?

If any of the above questions is answered ‘YES’ then the system is classified as “GxP relevant”.

2.0 ERES Assessment (Electronic Record Electronic Signature)

This section is applicable if the system is determined as GxP relevant as per the GxP Impact Assessment.
The following checklist shall be used to determine the ERES capabilities.
Sr.No. Questionnaires Answers
Does the system create/modify/maintain/archive/retrieve or transmit GxP
E-1 Yes / No
relevant electronic records?
If the system processes the electronic records as mentioned above, are these
E-2 Yes / No
records used in their electronic form to support GxP decision?
Does the system involves electronic signature (as a part of a workflow and/or
E-3 mandated by the predicate rules) that are intended to be the equivalent of Yes / No
handwritten/initials?

 If all the above questions are answered with ‘NO’, the system is classified as ‘Non ERES relevant’.
 If only E-2 is answered with ‘YES’, the system is classified as ‘Non ERES relevant’.
 If E-1 and E-2 is answered with ‘YES’, the system is classified as ‘Electronic record (ER) relevant’.
 If all the above questions answer with ‘YES’, the system is classified as ‘Electronic record and
Electronic Signature (ERES) relevant’.

3.0 System GAMP Category Classification

The system is categorized based on the computerize system classification defined in GAMP5 guideline.

GAMP Category Question

It is an infrastructure software i.e. Layered software (i.e., upon which
applications are built) or software used to manage the operating environment?
1
If no then go to next question.
(Infrastructure
Typical Examples: Operating systems, Database engines, Middleware,
Software
Programming languages, statistical packages, network monitoring tools, Version
control tools.
1
 GAMP Category Question
Is it a non-configured product?
3 (Non-
If no then go to next question.
Configured
Typical Examples: Run-time parameters may be entered and stored, but the
Products)
software can not be configured to suit the business process.
It is a commercially available package that involves configuring predefined
software modules?
4 (Configured
If no then go to next question.
Products
Typical Examples: LMS, Data acquisition systems, ADR reporting, CDMS, EDMS
Spreadsheets.
Is it a custom applications i.e. software custom designed and coded to suit the
business process without any prior history of usage?
5 (Custom
Typical Examples : Internally and Externally developed IT applications, Custom
applications)
firmware, Spreadsheet with macros, Customized modules/Functions in
configurable software.

4.0 Criticality Assessment

This section covers the detailed methodology for determining criticality assessment predefined set of
questionnaire listed below. The questionnaire is prepared keeping product quality as prime focus.

Sr. No. System evaluation based on product quality Risk Category

Failure of the system has insignificant impact on product quality and/or
1 the impact is under control / acceptable. Unlikely to result in a regulatory Low
citation and is non-reportable.
The system is not directly in contact with product and generates data that
may or may not be used for product acceptance or rejection. Further the
2 Medium
failure of the system can provokes minor regulatory observation for
improvement.
The system is directly in contact with product and generates data that
may or may not be used for product acceptance or rejection. The failure
3 High
of such system could provoke warning letter (483) or observations,
seizer/recall of goods or more serious regulatory penalty.

4.0 System Level Risk Assessment

Based on the system criticality identified and associated GAMP5 category identified, the system level
risk shall be determined as per the below criticality matrix.
System Criticality
GAMP5 Category
Low Medium High
Infrastructure Software
(Category 1) A A A
Non-Configurable
Products (Category 3) A A B
Configured Products
(Category 4) B B C
Custom Applications
(Category 5) B C C
System level risk : A - Low, B - Medium, C - High

2
5.0 Validation Deliverables
Validation deliverables considering the Criticality Assessment and software GAMP5 category shall be
as below:

Infrastructure software (GAMP5 Category 1)

Level of
Criticality FS/ ERES
URS SVA VP FRA IQ OQ PQ RTM VSR
DS/CS RTM #
Low √
Medium √
High √

Non-Configured Products (GAMP5 Category 3)

Level of
Criticality FS/ ERES
URS SVA VP FRA IQ OQ PQ RTM VSR
DS/CS RTM #
Low (√)* (√)* (√)* (√)* √
Medium (√)* (√)* (√)* (√)* √ √ √
High (√)* √ (√)* (√)* (√)* (√)* √ √ √ √

Configured Products (GAMP5 Category 4)

Level of
Criticality FS/ ERES
URS SVA VP FRA IQ OQ PQ RTM VSR
DS/CS RTM #
Low √* (√)* (√)* √ √
Medium √* √ (√)* √ √ (√)* (√)* √ √ √ √
High √ √ (√)* √ √ (√)* (√)* √ √ √ √

Customized Software (GAMP5 Category 5)

Level of
Criticality FS/ ERES
URS SVA VP FRA IQ OQ PQ RTM VSR
DS/CS RTM #
Low √* √ (√)* (√)* √ (√)* √
Medium √ √ (√)* √ √ (√)* (√)* √ √ √ √
High √ √ (√)* √ √ (√)* (√)* √ √ √ √

Where,
# - Applicable if System is ERES relevant.
√ - Required deliverable
√* - URS for dedicated infrastructure might be included in overall system URS.
(√) - Deliverables are required, but might be delivered by the vendor/supplier.
(√)* - Deliverables are required, but can be clubbed with equipment documents