This document provides an overview of the GAMP 5 guide for computerized systems compliance. GAMP 5 aims to build upon existing good practices to help ensure computerized systems are fit for intended use and meet regulatory requirements. It provides a pragmatic, risk-based approach and guidance on key lifecycle activities like planning, specification, verification and change management. Quality risk management is emphasized, including identifying risks, assessing their severity and probability, and controlling high risks. The guidance is flexible and can be applied based on a system's complexity, risks and other factors.

1. Overview of
Computerized Systems Compliance
Using the GAMP® 5 Guide
Jim John
ProPharma Group, Inc.
(816) 682-2642
jim.john@propharmagroup.com

2. Who Cares About CSV?
• Systems throughout the organization involved
in the development, production, storage and
distribution of pharmaceutical products or
medical devices have to be considered
• Resources involved in any way with IT,
computer, or automated systems is affected:
– Developers
– Maintainers
– Users

3. Purpose of This Presentation
• To discuss and clarify key topics
• Get to know the evolution of the GAMP
Methodology to the latest release
• Consider where GAMP 5 concepts can
improve your existing methodology

4. GAMP Objectives
GAMP® guidance aims to achieve
computerized systems that are fit for
intended use and meet current regulatory
requirements, by building upon existing
industry good practice in an efficient and
effective manner.
4

5. Guidance
• It is not a prescriptive method or a standard,
but..
– Pragmatic guidance
– Approaches
– Tools for the practitioner
• Applied with expertise and good judgement
5

6. Evolution of GAMP Guidance
54321
Calibration Legacy Systems
Laboratory VPCS
ERES Testing
Data Archiving Global
Information Systems
IT Infrastructure

7. Drivers

8. Other Drivers
• Avoid duplication
• Leverage suppliers
• Scale activities
• Reflect today
– Configurable packages
– Development models
8

9. Key Objectives
9
patient safety
product quality
data integrity

10. 10
GAMP
Document
Structure

11. Main Body Overview
• Key Concepts
• Life Cycle
• Quality Risk Management
• Regulated Company Activities
• Supplier Activities
• Efficiency Improvements
11

12. 5 Key Concepts
• Life Cycle Approach Within a QMS
• Scaleable Life Cycle Activities
• Process and Product Understanding
• Science-Based Quality Risk Management
• Leveraging Supplier Involvement
12

13. User and Supplier Life Cycles

14. Product and Process Understanding
• Basis of science- and risk-based decisions
• Focus on critical aspects
– Identify
– Specify
– Verify
• CQAs / CPPs
14

15. Life Cycle Approach Within a QMS
• Suitable Life Cycle
–Intrinsic to QMS
• Continuous improvement
15

16. Specify
Plan
Verify
Configure
& Code
Report
RiskManagement
A Basic Framework For Achieving Compliance
and Fitness For Intended Use
Figure xx:
Figure 3.3: A General Approach for Achieving Compliance and Fitness for Intended Use
Source Figure 3.3, GAMP 5 A Risk Based Approach to Compliance GxP Computerized Systems © Copyright ISPE 2008. All rights reserved.
GAMP V Model Transition
VerifiesUser Requirement
Specification
Functional
Specification
Design
Specification
System
Build
Installation
Qualification
Operational
Qualification
Performance
Qualification
Verifies
Verifies

17. Scaleable Life Cycle Activities
• Risk
• Complexity and Novelty
• Supplier
17

18. Science Based Quality Risk
Management
Focus on patient safety,
product quality,
and data integrity…
18
Assessment
Control
Communication
Review
Based on
ICH Q9

19. Leveraging Supplier Involvement
• Assess:
– Suitability
– Accuracy
– Completeness
• Flexibility:
– Format
– Structure
• Requirements
gathering
• Risk assessments
• Functional / other
specifications
• Configuration
• Testing
• Support and
maintenance 19

20. Life Cycle Phases

21. Compatibility with Other Standards
ASTM E2500 Standard Guide for
Specification, Design, and Verification of
Pharmaceutical and Biopharmaceutical
Manufacturing Systems and Equipment
21

22. GAMP 5
Ongoing
Operations
GAMP 5
Reporting
and
Release
GAMP 5
Verification
GAMP 5
Specification
Configuration
Coding
GAMP 5
Planning
GAMP5 and ASTM E2500
Good Engineering Practice
Risk Management
Design Review
Change Management
Requirements Specification
and Design
Verification Acceptance
and
Release
Operations &
Continuous
Improvement
Product
Knowledge
Process
Knowledge
Regulatory
Requirements
Company
Quality Regs.
The Specification, Design, and Verification Process – Diagram from ASTM E2500

23. Governance
• Policies and procedures
• Roles and responsibilities
• Training
• Supplier relationships
• System inventory
• Planning for compliance & validation
• Continuous improvement
23

24. Stages Within the Project Phase
• Planning
• Specification, configuration, and
coding
• Verification
• Reporting and release
24

26. Planning
• Activities
• Responsibilities
• Procedures
• Timelines
26
See Appendix M1

27. Specification, Configuration, &
Coding
• Specifications allow
– Development
– Verification
– Maintenance
• Number and level of
detail varies
• Defined process
27

28. Verification
• Testing
• Reviews
• Identify defects!
28

29. Supporting Processes
• Risk Management
• Change and Configuration Management
• Design Review
• Traceability
• Document Management
29

30. Design Review
• Planned
• Systematic
• Identify Defects
• Corrective Action
• Scaleable
– Rigor/Extent
– Documentation
30See also Appendix M5

31. Traceability
Requirements
Specification
Design
Verification
Configure/Code

32. GAMP 5 Categories
Category GAMP 4 GAMP 5
1 Operating system Infrastructure software
2 Firmware No longer used
3 Standard software packages Non-configured products
4
Configurable software
packages
Configured products
5 Custom (bespoke) software Custom applications
Continuum

33. GAMP 5
Quality Risk Management
33

34. Critical Processes are Those Which:
• Generate, manipulate, or control data supporting
regulatory safety and efficacy submissions
• Control critical parameters in preclinical, clinical,
development, and manufacturing
• Control or provide information for product release
• Control information required in case of product recall
• Control adverse event or complaint recording or
reporting
• Support pharmacovigilance (investigation of Adverse
risks)
34

35. Definitions
• Harm Damage to health, including the
damage that can occur from loss
of product quality or availability.
• Hazard The potential source of harm.
• Risk The combination of the
probability of occurrence of harm
and the severity of that harm.
• Severity A measure of the possible
consequences of a hazard.
35

36. Step 1 – Initial Risk Assessment
• Based on business processes, user requirements, regulatory
requirements and known functional areas
36Don’t repeat unnecessarily!
Inputs Outputs
GxP or non-GxP
Major Risks
Considered
Overall Risk
User Requirements
GxP Regulations
Previous Assessments

37. Step 2 – Identify Functions with GxP Impact
• Functions with impact on patient safety, product quality, and
data integrity
37
Specifications
System Architecture
Categorization of
Components
Inputs Outputs
List of Functions to
be further evaluated

38. Step 3 – Perform Functional Risk Assessments
& Identify Controls
Functions from Step 2
SME Experience
Scenarios
Possible Hazards
38
Breakdown of Risks
to Low, Medium and
High.
Detailed
Assessments and
Mitigation for High
Inputs Outputs

39. Functional Risk Assessment
• Identify
– Hazards and risk scenarios
– Severity – impact on safety quality or
other harm
– Probability
– Detectability
39

40. GAMP Risk Assessment Tool
40
Probability
Severity
Low
Medium
High
Low
Medium
High
Class 3
Class 2
Class 1
A simple two-step process:
Plot Severity vs. Probability to obtain Risk Class

41. GAMP Risk Assessment Tool
41
Priority 1
Priority 3
Priority 2
3
2
1
High
Medium
Low
RiskClass Detectability
Plot Risk Class vs. Detectability to obtain Risk Priority

42. Step 3 (continued) Controlling the Risk
42
Mitigation Strategies
• Change the process
• Change the design
• Add new features
• Apply external
procedures
Scenarios with
High Risk from
Functional
Analysis
Inputs Outputs

43. Step 4 – Implement & Verify Appropriate
Controls
• Verification activity
should demonstrate
that the controls are
effective in performing
the required risk
reduction.
43

44. Step 5 – Review Risks Monitor Controls
Establish Periodic Review
of Control Effectiveness
Apply Risk Process in
Change Management
Activities
44
Frequency and
extent of any
periodic review
should be based on
the level of risk

45. Risk-Based Decisions
What do they impact ?
• Number and depth of design reviews
• Need for, and extent of, source code review
• Rigor of supplier evaluation
• Depth and rigor of functional testing
45

46. Operation Appendices
• O1 – Handover
• O2 – Establishing & Managing
Support Services
• O3 – Performance Monitoring
• O4 – Incident Management
• O5 – Corrective and
Preventive Action (CAPA)
• Performance Monitoring
• O6 – Operational Change &
Configuration Management
• O7 – Repair Activity
• O8 – Periodic Review
• O9 – Backup and Restore
• O10 – Business Continuity
Management
• O11 – Security Management
• O12 – System Administration
• O13 – Archiving and Retrieval
46

47. Summary
• GAMP 5 provides more flexibility in the
number and types of validation lifecycle
products used.
• Application of Risk and use of SME
Knowledge are keys to success
47