Scribd
Upload
25 views32 pages

24.10 1615 Computer System Validation - David Lai (LabWare) - V2

Uploaded by

Chí Nguyễn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
25 views32 pages

24.10 1615 Computer System Validation - David Lai (LabWare) - V2

Uploaded by

Chí Nguyễn
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 32

Computerized Systems Validation

David Lai, Taiwan Territory Manager, LabWare

ạ ố ồ
Reference

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Contemporary Analytical Laboratory

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


The Road to Lab of the Future

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


What is a Computerized System?
According to PIC/S Guidance PI 011-3,
a computerized system is a
combination of computer elements
(hardware, firmware, software) along
with the applicable operating
procedures and people that control
the computer system. This computer
system can be linked to other
equipment or instruments. The
computerized system may further
interact with other computerized
systems, thus forming a networked
operating environment.

PIC/S Guidance PI 011-3. Good practices for computerized systems in


regulated GxP environments. 25 September 2007.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


How to Assure We Get Accurate Information

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


What is Validation?

FDA definition of Validation:

"Establishing documented evidence which provides a high


degree of assurance that a specific process will
consistently produce a product meeting its pre-determined
specifications and quality attributes"

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Why can’t we get accurate information

• Incorrect or inappropriate
Operating Procedures

• Human Error

• Data loss

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Life Cycle Approach

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Life Cycle Approach

Supplier
Involvement

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Concept Phase

• Activities in this phase will depend on company


approaches to initiating and justifying project
commencement.
• Generally, these activities are outside the scope of
GAMP.
• However, gaining management commitment to provide
appropriate resources is an important pre-project activity.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Project Phase

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Project Stages

1 4

2 3

Risk Management / Design Review / Change management

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Planning

Validation Requirements
Plan Specification

Risk
Assessment

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


System Complexity
Software and hardware components of a system may be analyzed and categorized
in terms of increasing complexity

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Categories 1. Infrastructure Software

Category Description Typical Examples Typical Approaches and Considerations

1.Infrastructure • Layered software (i.e., upon • Operating Systems • Record version number, verify correct installation by
Software and Tools which applications are built) • Database Engines following approved installation procedures
• Software used to manage the • Middleware • Assess and record the tool’s adequacy for use
operating environment and • Programming • See the ISPE GAMP Good Practice Guide: IT
infrastructure languages Infrastructure Control and Compliance (Second
• Network and Edition)
performance • See also ISPE GAMP GOOD Practice Guide:
monitoring tools Enabling Innovation – Critical Thinking, Agile, IT
• Scheduling tools Service Management Chapter 4
• Software, systems,
and tools supporting IT
processes
• Requirements
management, test
management, test
automation tools, etc.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Categories 3. Non-Configured
Category Description Typical Examples Typical Approaches and Considerations

3. Standard Run-time parameters may • Firmware-based applications • Requirements definition for key functionality and intended use
System be entered and stored, but • COTS software • Life cycle approach scaled based on system complexity
Component the software cannot be • Some Instruments (See the ISPE • Risk-based approach to supplier assessment (scaled on
configured to suit the GAMP Good Practice Guide: A component categories, GxP impact, and intent to
business process Risk-Based Approach to GxP leverage supplier activities; focus is on the supplier
Compliant Laboratory development life cycle as applied to the component or
Computerized Systems for system under consideration, and the robustness of the
further guidance) supplier’s product and change management processes
ongoing)
• Demonstrate supplier has adequate QMS
• Record version number, verify correct installation
• Risk-based tests against requirements as dictated by use
(for simple systems regular calibration may substitute for
testing)
• Procedures in place for maintaining data
• Procedures in place for maintaining compliance and fitness
for intended use

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Categories 4. Configured
Category Description Typical Examples Typical Approaches and Considerations
4. Configured • Software, often very complex, • LIMS Per Category 3 components plus:
Components that can be configured by the • Data acquisition systems • Business process map and data flow diagram
user to meet the specific • SCADA • Risk-based testing to demonstrate the applied
needs of the user’s business • ERP configuration delivers an application meeting the
process. (e.g., via workflows, • Clinical trial monitoring business needs and workflows
process flows)
• DCS
• Software code is not altered.
• ADR reporting
• CDS
• EDMS
• Building Management
Systems
• CRM
• Spreadsheets
• Simple HMI
Note: Specific examples of the
systems containing these
components may also contain
substantial custom elements

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Categories 5. Custom
Category Description Typical Examples Typical Approaches and Considerations

5. Custom Applications Software custom designed and Varies, but includes: Same as for configurable, plus:
and Components coded to suit the business • Bespoke interfaces between • Supplier-assessment focus on the supplier’s QMS for
process systems new component development
• Internally and externally • Design and source-code review
developed IT applications • Coding standard
• Internally and externally • Full life cycle information (design specifications, unit,
developed process control module, integration and functional testing, etc., where
applications relevant)
• Custom ladder logic
• Custom firmware
• Spreadsheets (macro)
Note: Even a fully customized
development will leverage
standard software modules and
libraries.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Multi-Category System

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Supplier Assessment
Main options for performing a supplier assessment
• Basic assessment based on available information (For components that are
considered as commodities, e.g., common desktop applications, a
documented decision not to perform any assessment may be appropriate)
• Postal audit using a questionnaire (can also be performed via email)
• On-site audit (or virtual online audit if appropriate) by relevant specialist,
auditor, or audit team

A basic assessment is sufficient for lower impact systems, while higher impact systems may require
formal audits. Postal audits may be appropriate for suppliers of standard and configurable products
and services.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Requirements Specification (RS)

Requirements should be Prioritized with emphasis


• Specific • Mandatory (High)
• Measurable • Beneficial (medium)
• Achievable • Nice to have (low)
• Realistic
• Testable (Verifiable)

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Validation Plan

A computerized system validation plan should define


• What activities are required
• How they will be performed and who is responsible
• What the output will be
• What the requirements are for acceptance
• How compliance will be maintained for the lifetime of the
system

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Relationship between Traditional Qualification Terminology and GAMP 5 Activities

Traditional Term Description GAMP 5 Verification Activity

Design Qualification Documented verification that the proposed design of Design review
(DQ) facilities, systems, and equipment is suitable for the
intended purpose.

Installation Documented verification that a system is installed Checking, testing, or other verification to demonstrate
Qualification (IQ) according to written and approved specifications. correct:
•installation of software and hardware
•configuration of software and hardware

Operational Documented verification that a system operates Testing or other verification of the system against
Qualification (OQ) according to written and approved specifications specifications to demonstrate correct operation of
throughout specified operating ranges. functionality that supports the specific business
process throughout all specified operating ranges.

Performance Documented verification that a system is capable of Testing or other verification of the system to
Qualification (PQ) performing the activities of the processes it is required to demonstrate fitness for intended use and to allow
perform, according to written and approved acceptance of the system against specified
specifications, within the scope of the business process requirements.
and operating environment

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Test Environments
Category 3 : There will only be one environment

Category 4 and 5 : There will be three environments:

• Development environment - where prototyping or programming takes place


• Testing environment - where formal testing is performed
• Operational environment - where the system is in its target environment

Formal tests should be performed either in the operational environment (where test records should be clearly
distinguishable from production records or where test records can be archived prior to operational use) or in
a separate test environment. Test documents should specify which environment to use. When using test
environments, the test strategy chosen should justify the equivalency of test results, i.e., justify that similar
results would have been achieved in the operational environment.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Approach for a Standard Product (Category 3)

one environment

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Approach for a Configured Product (Category 4)

operational environment

testing environment

development environment

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Approach for a Custom Application (Category 5)

operational environment

testing environment

development environment

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


CSV terminology aligned to the V-model

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Security Management

Information security may be characterized as the preservation of:

• Availability: ensuring that authorized users have access to information and


associated assets when required

• Integrity: safeguarding the accuracy and completeness of information and


processing methods

• Confidentiality: ensuring that information is accessible only to those persons


authorized to have access

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Backup, Restore, and Archiving
The backup, restore, and archiving capability of data on any computer platform is essential to
preserve the integrity of the information in case of system failures.
• Define the RTO (Recovery Time Objective) : the maximum system break/time to
recover the system
• Define the RPO (Recovery Point Objective ): the maximum loss of data – 0 minutes, 4
hours, 1 day, 1 week
• Design an architecture and backup that will meet these RPO/RTO requirements,
• Archiving to ensures the long-term availability of data by provision of safe storage,
indexing, and refresh activities.
• The restore process should be initially and periodically verified.

Connecting Pharmaceutical Knowledge ISPE.org/singapore-affiliate


Thanks for Listening

David Lai, Taiwan Territory Manager, LabWare


Email: [email protected]
Phone: +886 931 719 899

Connecting Pharmaceutical Knowledge ISPE.org

You might also like