3. INTRODUCTION
GAMP 5 leverages risk management from GAMP 4 and
addresses the entire lifecycle of automated systems
The biggest change being to provide more clearly defined
scalability for effort / deliverables versus the size /
complexity of projects, and to align with the various
regulatory bodies’ emphasis on risk / science-based GxPs.
GAMP 5 aligns with major industry developments including
PQLI1, ICH Q8, Q9, Q10, and ASTM E2500 and points to
the future of computer systems compliance
www.kvstech.com
4. INTRODUCTION…
GAMP 5 is applicable to a wide range of information
systems, lab equipment, integrated manufacturing systems,
and IT infrastructures
After over 4 years of re-work GAMP 5 was released in Feb
2008,and is a major rewrite of GAMP 4 with significant
changes having as primary goals:
Bringing procedures in line with the dynamic Life science
industry
reducing the cost of compliance
www.kvstech.com
5. Coupled to this there is the need to:
Avoid duplication of activities (e.g. by fully integrating engineering and
computer system activities so that they are only performed once)
Leverage supplier activities to the maximum possible extent, while still
ensuring fitness for intended use.
Scale all life cycle activities and associated documentation according to
risk, complexity and novelty.
Recognise that most computerised systems are now based on
configurable packages, many of them networked.
Acknowledge that traditional linear or waterfall development models are
not the most appropriate in all cases.
www.kvstech.com
9. Few of the Important Points:
GAMP 5 is not prescriptive. All lifecycle activities and associated documentation
are to be scaled according to risk, complexity, novelty. (Some examples):
• Risk: manufacturing process control = high risk, database containing
training records = low risk
• Complexity: SAP = high complexity, Excel spreadsheet calculating lab
results = low complexity.
• Novelty: Excel = used by millions worldwide, lab instrument PC
software = used by thousands worldwide, in-house developed
application - used only by the company that developed it.
GAMP 5 - all about risk. Increasing complexity and/or novelty = higher risk =
more effort and deliverables.
Moving away from traditional qualification terminology (e.g. IQ, OQ, PQ).
Terminology confuses people outside of the validation and QA departments.
Terminology is still available, but optional.
www.kvstech.com
10. Few of the Important Points. . .
Most computerized systems now based on configurable packages, many of
them networked.
Validate only if there could be an impact on patient safety, product quality,
data integrity. If none of these, no need to validate, good engineering
practice is sufficient.
Need to be clear on the differences between system owner and process
owner.
QA less involved than in the past. For example QA should review a URS
against the applicable regulations. URS technical review is for technical
subject matter experts. QA does not need to sign a design spec, as they do
not understand it.QA can verify that design specs are being produced for
projects but QA does not need to sign every document in a project.
GAMP 5 approach is consistent with ASTM E2500-07 Standard Guide for
Specification, Design, and Verification of Pharmaceutical and
Biopharmaceutical Manufacturing Systems and Equipment.
www.kvstech.com
11. LIFE CYCLE APPROACH
It entails defining and performing activities in a systematic way from conception,
understanding requirements, through development, release & operational use to
system requirement
Specification, Design and verification Process
www.kvstech.com
13. QUALITY RISK MANAGEMENT
It is a systematic process for the assessment, control,
communication & review of risk.
It is an iterative process used throughout the entire
computerized system life cycle from concept to retirement.
For a given organization, a framework for making risk
management decisions should be defined to ensure
consistency of application across systems and business
functions.
Terminology should be agreed upon, particularly regarding
definitions and metrics for key risk factors.
www.kvstech.com
16. RELATIONSHIP OF RISK,SEVERITY AND CONTROL
Effect on High Risk Priority
•Patient safety Use risk
•Data integrity assessment to
identify specific
controls and
rigor
Medium Risk
Priority
Use generic
checklist controls
Low Risk Priority
Use “Good
practice”
www.kvstech.com
17. SCIENCE BASED QUALITY RISK MANAGEMENT
Determining the risks posed by a computerized system
requires a common and shared understanding of:
Impact of the computerized system on patient safety, product
quality and data integrity
Supported business processes
CQA (Critical Quality Attributes) for systems that monitor or
control CPP (Critical Process parameters)
User requirements
Regulatory requirements
Project approach
System components and architecture
System functions
Supplier capability
www.kvstech.com
18. SCIENCE BASED QUALITY RISK MANAGEMENT…
Managing the risks may be achieved by:
Elimination by Design [EbD]
Reduction to an acceptable level
Verification to demonstrate that risks are managed
to an acceptable level
www.kvstech.com
19. Quality Risk Management Process
The ICH Guideline ICH Q9 describes a systematic approach to
quality risk management intended for general application within
pharmaceutical industry
It defines following two primary principles of quality risk
management
1.The evaluation of risk to quality should be based on scientific
knowledge and ultimately link to the protection of the patient.
2.The level of effort, formality and documentation of the quality
risk management process should be commensurate with the
level of risk.
www.kvstech.com
20. Quality Risk Management Process
• QRM structured according to
ICH Q9 & ISPE Guide
• Starts with system impact
• Including FMEA [Failure
Mode and Effects Analysis]
www.kvstech.com
22. GAMP CATEGORY
1
DIFFERENCE BETWEEN GAMP 4 AND GAMP 5
OPERATING INFRASTRUCTURE
SYSTEMS[GAMP-4] SOFTWARE[GAMP-5]
Only Operating Expanded greatly to
systems included cover established or
commercially available
layered software and
infrastructure software
tools
www.kvstech.com
23. GAMP CATEGORY
2
DIFFERENCE BETWEEN GAMP 4 AND GAMP 5…
FIRMWARE FIRMWARE
[GAMP-4] [GAMP-5]
Configurable and Discontinued-
non-configurable firmware is now
firmware only. treated as software
Custom firmware is in one of
Category 5 categories 3,4 or 5.
www.kvstech.com
24. GAMP CATEGORY
3
DIFFERENCE BETWEEN GAMP 4 AND GAMP 5…
STANDARD NON-CONFIGURED
SOFTWARE PRODUCTS[GAMP-5]
PACKAGES[GAMP-4]
Off-the-shelf products
Commercially available used for business
standard software processes, as well as
packages. those that are
Configuration limited configurable, but for
to establishing the which only the default
run-time environment configuration is used
www.kvstech.com
25. GAMP CATEGORY
4
DIFFERENCE BETWEEN GAMP 4 AND GAMP 5…
CONFIGURABLE CONFIGURED
SOFTWARE PRODUCTS[GAMP-5]
PACKAGES[GAMP-4]
Configured products
Configurable software provide standard
packages provide interfaces and functions
standard interfaces and that enable configuration
functions that enable of the application to
configuration of user- meet user specific
specific business or business processes.
manufacturing processes Configuration using a
vendor-supplied
language should be
handled as custom
components
(Category 5)
www.kvstech.com
26. GAMP CATEGORY
5
DIFFERENCE BETWEEN GAMP 4 AND GAMP 5…
CUSTOM (BESPOKE) CUSTOM
SOFTWARE[GAMP-4] APPLICATIONS
[GAMP-5]
These systems are These systems or
developed to meet the subsystems are
specific needs of the developed to meet the
user company specific needs of the
regulated company.
Inherent risk is high
www.kvstech.com
27. Regulated Company Activities
This involves activities at both the
organizational level and at the level of
individual system, therefore this section is
divided into..
1. Governance for achieving compliance
2. System specific activities
www.kvstech.com
28. 1.Governance for achieving compliance
ACTIVITIES…
Establishing computerized systems compliance
policies and procedures
Identifying clear roles and responsibilities
Training
Managing supplier relationships
Maintaining a system inventory
Planning for validation
Continuous improvement activities
www.kvstech.com
29. 2.System Specific Activities
ACTIVITIES…
Identify compliance standards
Identify system
User requirement specification
Determine strategy for achieving compliance and fitness for
intended use
Planning
System specifications
Development and review of software for custom applications
Test strategy and testing
Reporting and release
Maintaining system compliance during operation
System retirement
www.kvstech.com
30. Supplier Activities
Supplier products, applications and services
Supplier good practices
Quality management system
Requirements
Supplier Quality Planning
Sub-supplier assessments
Specifications
Design reviews
Software production/configuration
Testing
Commercial release
User documentation and training
System support and maintenance during operation
System replacement and retirement
www.kvstech.com
31. EFFICIENCY IMPROVEMENTS
Establishing verifiable and objective user
requirements
Use of risk based decisions
Leveraging supplier input
Leveraging existing documentation
Efficient testing practice
Well managed handover
Efficient change management
Anticipating data archiving and migration needs
www.kvstech.com
34. Critical Process Parameters (CPP’s)
“Process parameters whose variability impact a quality
attribute and therefore need to be controlled to ensure the
process produces the desired quality…….. and have an
effect on the CQA(s) of the drug substance or drug
product.”
A CPP remains critical even if it is controlled.
www.kvstech.com
35. Critical Quality Attributes (CQA’s)
“Physical, chemical, biological or microbiological
properties or characteristics that need to be controlled
(directly or indirectly) to ensure product quality.
(i.e. dissolution, potency, homogeneity, purity)”
www.kvstech.com
36. ASTM E2500
[American Standard for Testing Materials]
Provides a
Risk / Science Based Approach
for
Specification, Design & Verification
of
Manufacturing Systems and Equipment
using
Systematic, Efficient & Effective Methods
www.kvstech.com
37. LIFE CYCLE PHASE: CONCEPT
During concept phase, the regulated company
considers opportunities to automate one or more
business processes based upon business need and
benefits.
At this phase initial requirements will be developed
and potential solutions considered.
From initial understanding of scope, costs and
benefits, a decision is made on whether to proceed
to the project phase.
www.kvstech.com
38. LIFE CYCLE PHASE: PROJECT
The project phase involves…
planning,
supplier assessment & selection ,
various levels of specification,
configuration (or coding for custom applications) and
verification leading to acceptance and release for
operation.
Risk management is applied…
to identify risks and
to remove or reduce them to an acceptable level.
www.kvstech.com
39. LIFE CYCLE PHASE: OPERATION
System operation, typically, is the longest phase and is
managed by..
the use of defined, up to date, operational procedures
applied by..
personnel who have appropriate training, education and
experience.
key aspects :
Maintaining control (including security),
fitness for intended use and
compliance
important activity:
The management of changes of different impact, scope and
complexity.
www.kvstech.com
40. LIFE CYCLE PHASE: RETIREMENT
It involves decisions about…
Data retention,
Migration or destruction and
The management of this processes
www.kvstech.com
41. ICH: International Conference on Harmonisation of technical
Requirements for Registration of Pharmaceuticals
for Human Use
ICH Q-Documents
Q1 Stability
Q2 Analytical Validation
Q3 Impurities
Q4 Pharmacopoeias
Q5 Quality of Biotechnological Products
Q6 Specifications
Q7 Good Manufacturing Practice
Q8 Pharmaceutical Development
Q9 Quality Risk Management
Q10 Pharmaceutical Quality Systems
www.kvstech.com
42. Pharmaceutical Development (Q8)
Past: Data transfer / Variable output
Present: Knowledge transfer / Science
based / Consistent output
Quality Risk Management (Q9)
Past: Used, however poorly defined
Present: Opportunity to use structured
process thinking
Pharmaceutical Quality Systems (Q10)
Past: GMP checklist
Future: Quality Systems across product
life cycle
www.kvstech.com
43. HACCP:
Hazard Analysis and Critical Control
Points
www.kvstech.com
44. PQLI
Physical Quality of Life Index
www.kvstech.com
45. ISPE:
International Society for
Pharmaceutical Engineering
www.kvstech.com
48. PLANNING
Planning should cover all required activities, responsibilities,
procedures and timeline
PLANNING • Activities should be scaled according to:
HIERARCHY
o System impact on patient safety, product
MULTI-SITE quality and data integrity (risk assessment)
o System complexity and novelty (Architecture
and categorization of system components)
SITE
o Outcome of supplier assessment Supplier
capability )
• User requirements are the responsibility
DEPARTMENT
of the user community and should be
OR AREA
maintained and controlled
• Approach should be based on product
and process understanding and relevant
SYSTEM regulatory requirements
www.kvstech.com
49. SPECIFICATION
The role of specification is to enable systems to be
developed, verified and maintained
The number and level of the detail of the
specifications will vary depending upon type of system
and its intended use
Before use ,regulated company should ensure that
they are adequate to support subsequent activities,
including risk assessment, further specification and
development of the system, and verification as
appropriate
Specification may be available from supplier
www.kvstech.com
50. CONFIGURATION AND CODING
The requirements for configuration and coding
activities depend on the type of the system
Any required configuration should be performed in
accordance with a controlled and repeatable
process
The need for code reviews should be addressed as
part of risk management
Configuration management is an intrinsic and vital
aspect of controlled configuration and coding
www.kvstech.com
51. VERIFICATION
Verification confirms that specifications have been met
This may involve multiple stages of reviews and testing
depending on the type of system, the development method
applied, and its use
Testing computerized systems is a fundamental verification
activity
Testing often is performed at several levels depending on the
risk, complexity and novelty
There is a range of different types of testing possible
including normal case (positive), invalid case (negative),
repeatability, performance, volume/load, regression and
structural testing
www.kvstech.com
52. REPORTING
Acceptance and release of the system for use in GxP
regulated activities should require the approval of…
the process owner,
system owner,
quality unit representatives
At the conclusion of the project, a computerized system
validation report should be produced summarizing…
the activities performed,
any deviations from the plan ,
any outstanding and corrective actions,
providing a statement of fitness for intended use of the
system
www.kvstech.com