Overview of Computerized Systems Compliance Using the GAMP® 5 Guide Jim John ProPharma Group, Inc. (816) 682-2642
[email protected] [email protected]
Who Cares About CSV? • Systems throughout the organization involved in the development, production, storage and distribution of pharmaceutical products or medical devices have to be considered IT, • Resources involved in any way with IT, computer, computer, or automated systems is affected: – Developers – Maintainers – Users
Who Cares About CSV? • Systems throughout the organization involved in the development, production, storage and distribution of pharmaceutical products or medical devices have to be considered IT, • Resources involved in any way with IT, computer, computer, or automated systems is affected: – Developers – Maintainers – Users
Purpose of This Presentation • To discuss and clarify key topics • Get to know the evolution of the GAMP Methodology to the latest release • Consider where GAMP 5 concepts can improve your existing methodology
GAMP Objectives GAMP® guidance aims to achieve computerized systems that are fit for intended use and meet current regulatory requirements, by building upon existing industry good practice in an efficient and effective manner manner..
4
Guidance • It is not a prescriptive method or a standard, but.. – Pragmatic guidance – Approaches – Tools for the practitioner
• Applied with expertise and good judgement
5
Evolution of GAMP Guidance
1
2
3
4
Calibration Legacy Systems Laboratory VPCS ERES Testing Data Archiving Global Information Systems IT Infrastructure
5
Drivers
Other Drivers • Avoid duplication • Leverage suppliers • Scale activities • Reflect today – Configurable packages – Development models 8
Key Objectives
patient safety product quality data integrity 9
GAMP Document Structure
10
Main Body Overview •
Key Concepts
•
Life Cycle
•
Quality Risk Management
•
Regulated Company Activities
•
Supplier Activities
•
Efficiency Improvements 11
5 Key Concepts • Life Cycle Approach Within a QMS • Scaleable Life Cycle Activities • Process and Product Understanding • Science-Based Quality Risk Management • Leveraging Supplier Involvement
12
User and Supplier Life Cycles
Product and Process Understanding • Basis of science- and risk-based decisions • Focus on critical aspects – Identify – Specify – Verify
• CQAs / CPPs
14
Life Cycle Approach Within a QMS • Suitable Life Cycle – Intrinsic to QMS • Continuous improvement
15
GAMP V Model Transition
Verifies
User Requirement Specification
Plan
Functional Specification
Specify Design
Specification
Performance Qualification Report
t Verifies n e m e g a n a M k s i R
Verifies
Operational Qualification
Verify Installation Qualification
Configure & Code
System Build
Figure 3.3: A General Approach for Achieving Compliance and Fitness for Intended Use Figure xx:
A Basic Framework For Achieving Compliance and Fitness For Intended Use
Source Figure 3.3, GAMP 5 A Risk Based Approach to Compliance GxP Computerized Systems © Copyright ISPE 2008. All rights reserved.
Scaleable Life Cycle Activities
• Risk • Complexity and Novelty • Supplier
17
Science Based Quality Risk Management Assessment
Control
Communication Focus on patient safety, product quality, and data integrity…
Review Based on ICH Q9 18
Leveraging Supplier Involvement • Requirements gathering • Risk assessments • Functional / other specifications • Configuration • Testing • Support and maintenance
• Assess: – Suitability – Accuracy – Completeness
• Flexibility: – Format – Structure
19
Life Cycle Phases
Compatibility with Other Standards ASTM E2500 Standard Guide for Specification, Design, and Verification of Pharmaceutical and Biopharmaceutical Manufacturing Systems and Equipment
21
GAMP5 and ASTM E2500 Good Engineering Practice Product Knowledge
Requirements
Process Knowledge Regulatory Requirements Company Quality Regs.
Specification and Design
Verification
Acceptance and Release
Operations & Continuous Improvement
GAMP 5
GAMP 5
GAMP 5
GAMP 5 GAMP 5
Planning
Specification
Verification
Reporting
Ongoing
Configuration
and
Operations
Coding
Release
Risk Management Design Review
Change Management
The Specification, Design, and Verification Process – Diagram from ASTM E2500
Governance • • • • • • •
Policies and procedures Roles and responsibilities Training Supplier relationships System inventory Planning for compliance & validation Continuous improvement
23
Stages Within the Project Phase • Planning • Specification, configuration, and coding • Verification • Reporting and release
24
Planning
• Activities • Responsibilities • Procedures • Timelines See Appendix M1
26
Specification, Configuration, & Coding • Specifications allow – Development – Verification – Maintenance
• Number and level of detail varies • Defined process
27
Verification • Testing • Reviews • Identify defects!
28
Supporting Processes • • • • •
Risk Management Change and Configuration Management Design Review Traceability Document Management
29
Design Review • Planned • Systematic • Identify Defects • Corrective Action • Scaleable – Rigor/Extent – Documentation See also Appendix M5
30
Traceability Requirements
Specification Verification Design
Configure/Code
GAMP 5 Categories Category
m u u n i t n o C
GAMP 4
GAMP 5
1
Operating system
Infrastructure software
2
Firmware
No longer used
3
Standard software packages
Non-configured products
4
Configurable software packages
Configured products
5
Custom (bespoke) software
Custom applications
GAMP 5 Quality Risk Management
33
Critical Processes are Those Which: • Generate, manipulate, or control data supporting regulatory safety and efficacy submissions • Control critical parameters in preclinical, clinical, development, and manufacturing • Control or provide information for product release • Control information required in case of product recall • Control adverse event or complaint recording or reporting • Support pharmacovigilance (investigation of Adverse risks)
34
Definitions • Harm
• Hazard • Risk
• Severity
Damage to health, including the damage that can occur from loss of product quality or availability. The potential source of harm. The combination of the probability of occurrence of harm and the severity of that harm . A measure of the possible consequences of a hazard.
35
Step 1 – Initial Risk Assessment • Based on business processes, user requirements, regulatory requirements and known functional areas Inputs
User Requirements GxP Regulations Previous Assessments Don’t repeat unnecessarily!
Outputs
GxP or non-GxP Major Risks Considered Overall Risk 36
Step 2 – Identify Functions with GxP Impact • Functions with impact on patient safety, product quality, and data integrity
Inputs
Specifications System Architecture
Outputs
List of Functions to be further evaluated
Categorization of Components 37
Step 3 – Perform Functional Risk Assessments & Identify Controls
Inputs Functions from Step 2 SME Experience Scenarios Possible Hazards
Outputs
Breakdown of Risks to Low, Medium and High. Detailed Assessments and Mitigation for High 38
Functional Risk Assessment • Identify – Hazards and risk scenarios – Severity – impact on safety quality or other harm
– Probability – Detectability 39
GAMP Risk Assessment Tool A simple two-step process: Plot
Severity vs. Probability to obtain Risk Class Probability m u w i o d L e M
y t i r e v e S
h g i H Class 1
High Class 2
Medium Low
Class 3
40
GAMP Risk Assessment Tool Plot
Risk Class vs. Detectability to obtain Risk Priority
Detectability m h i u g d w i o H e L M
s s 1 a l C 2 k s i R 3
Priority 1 Priority 2 Priority 3
41
Step 3 (continued) Controlling the Risk Inputs
Outputs
Mitigation Strategies Scenarios with High Risk from Functional Analysis
• • • •
Change the process Change the design Add new features Apply external procedures 42
Step 4 – Implement & Verify Appropriate Controls • Verification activity should demonstrate that the controls are effective in performing the required risk reduction.
43
Step 5 – Review Risks Monitor Controls
Establish Periodic Review of Control Effectiveness Apply Risk Process in Change Management Activities
Frequency and extent of any periodic review should be based on the level of risk
44
Risk-Based Decisions What do they impact ? • Number and depth of design reviews • Need for, and extent of, source code review • Rigor of supplier evaluation • Depth and rigor of functional testing
45
Operation Appendices • O1 – Handover
• O7 – Repair Activity
• O2 – Establishing & Managing Support Services
• O8 – Periodic Review
• O3 – Performance Monitoring
• O9 – Backup and Restore
• O4 – Incident Management
• O10 – Business Continuity Management
• O5 – Corrective and Preventive Action (CAPA)
• O11 – Security Management
• Performance Monitoring • O6 – Operational Change & Configuration Management
• O12 – System Administration • O13 – Archiving and Retrieval
46
