GAMP categories and CSV workshop

Effective way to achieved compliance in GxP computerized system

Arnold Edrick, Fajar Sidik, M.Thoha, Ruri Nitrita, Angga Lazuardy, Narya Wijaya
23-24 September 2019
 Hardware Categories
01
Agenda 02 Software Categories

Benefit
03

23-24 September 2019

• Hardware Categories

Standard
Ready to use hardware/
01 infrastructure

Custom
Specially design hardware
specification (DS) must be available
02

23-24 September 2019

 • History GAMP 4 vs GAMP 5
software categories
GAMP 4 GAMP 5

Categories 1 Operating System Categories 1 Infrastructure &

only Layered software
Categories 2 Firmware USP <1058>
Categories 3 Standard Software Categories 3 Non-configured
Package product
Categories 4 Configurable Categories 4 Configured
software package product
Categories 5 Custom
Categories 5 Custom software application

23-24 September 2019

 •Software Categories GAMP 5
Category 1 – Infrastructure
Software/ Layered software Category 3 – Non-Configured Product

Form an integrated environment for “Out of the box product” / “Off the
running and support application shelf product”
and service.
Used by default configuration or else
called parameterization
GAMP 5
Software
Categories
Category 4 – Configured Product
Category 5 – Custom Application You can simply impress your
audience and add a unique zing
Developed software using scripting and appeal to your Presentations.
language to satisfy specific business Easy to change colors, photos.
needs.
23-24 September 2019
•Software Categories 1

Typical example of Commercially available layered software

• Operating System • Spreadsheet package

• Database Managers • Ladder logic
• Programming Interpreters
Language • Statistical programming
• Middleware • Is the system commercially
available (widely common)?
Typical Example of Infrastructure Software
• Is the software or system
• Network monitoring • Configuration used in IT environment?
software management tools
• Batch job scheduling • Version control tools
• Security software

23-24 September 2019

•Software Categories 3
Typical Example of Non-Configured

• Firmware based • Instruments

application • Some Programmable
Logic Control (PLC) • Is the system / application use without
configuration (use immediately)?

• Is the system configuration scope is

printer availability, report header ?

• Is configuration within the scope of

installed application (parameter
modification) ?

23-24 September 2019

 •Software Categories 4 & 5
Typical Example of Configured product* • Is the business process can be changed ?
• How did you change the process?
• LIMS
This example may • Did you develop this application inhouse?
• SCADA
have some custom • Do you following SDLC on your application
• ERP
modulation. before release it to the costumer ?
• BMS
• Do you create the application for each
• EMS
costumer ?
• HMI

Typical example of custom application

• Internally developed IT application
• Internally developed process control
• Custom ladder logic
• VBA macro or excel with macro
• Custom firmware

23-24 September 2019

 Benefit

• Resource and timeline projection

• Necessary vendor audit plan

• Document necessary for compliance

• Minimize validation effort

23-24 September 2019

CSV Model
verifies
Planning Reporting

User verifies Performance

Requirements Qualification Tests
Specification (PQ)
Functional Risk verifies Operational
Functional Assessment Qualification Tests
Specifications
(OQ)
verifies Installation
Design
Qualification Tests
Specifications
(IQ)

System Build
23-24 September 2019
 • CSV Component

1. System overview
1. Purpose 2. System architecture
2. System overview 1. System overview 1. Deviation
3. Data & access
3. System Requirement 2. Scope 2. Justification of
management
4. Functional 3. Responsibilities deviation
4. Security matrix
Specification 4. Test plan and 3. Result
5. Process description
5. Technical procedure 4. Conclusion
6. Infrastructure &
Specification 5. Recommendation
software
6. Design Specification 7. Reference document
8. Risk analysis

URS Risk Assessment Protocol Report

23-24 September 2019

 • CSV Component URS
Indicate the wished key objectives and benefits of company
Ensure that these benefits are covered by the specific requirements
1. Purpose Summary of system main function
2. System overview
3. System Requirement Describes the specific required quality, operational capacity,
regulation, HSE, computerized
4. Functional Describes of how the system/ equipment will work to fulfill the
Specification requirement
5. Technical
Defined the utility, area, service, certification needed to ensure the
Specification
achievement of system requirements
6. Design Specification
Giving the design of system looks and specification of the infrastructure,
peripheral hardware and software to support the functional specification

URS

23-24 September 2019

Environment Monitoring System 2.1 Operational range of sensor is within 20,0°C to 35°C with calculation
of MKT of adjustable period
Installed in warehouse
The area is ambient and cool 2.2 Sensor will give temperature result in °Celsius accurately and
immediately shown on the client PC.
room
2.3 System will record a real time temperature monitoring and save the
data at client PC internal har disk
Requirements
Point 2 in the 2.4 Limited access to the system using security matrix divided per level
document of access with 2 points verification (ID and password)

2.5 Audit trail will record the specific ID start from login until logout with
provided audit trail reporting function in unchangeable format for every
action been done in the system

2.6 No generic ID was possible to be used in the system, unique ID

should be mandatory for every username creation

2.7 Periodic backup and restore data can be successfully performed by

user and backup system should be available

23-24 September 2019

HPLC 2.1 HPLC with auto sampler with minimum vial capacity are 100 vial
Installed in QC Lab.
2.2 HPLC pump operation range minimum is 600bar or 8000psi

2.3 HPLC pump can be as isocratic elution and gradient elution

2.4 During HPLC running a sample no electrical shortage will affect the
system for until minimum of 24hours
Requirements
Point 2 in the 2.5 Limited access to the system using security matrix divided per level
document of access with 2 points verification (ID and password)

2.6 Audit trail will record the specific ID start from login until logout with
provided audit trail reporting function in unchangeable format for every
action been done in the system

2.7 Periodic backup and restore data can be successfully performed by

user and backup system should be available

23-24 September 2019

 •CSV Component Risk Assessment
Summary of system main function
1. System overview
Provide the access Defined the system conceptual model as
2. System
registered in the system and representative of the actual system installed that
architecture
how the system manage give overall understanding of structures and
3. Data & access
data including saving, behavior
management Give the list of access capabilities to each
backup, archiving, 4. Security matrix
modifying, and transferring function related to the system
5. Process
Provide system infrastructure
Provide system business description
(including peripheral hardware) and
process and/or system 6. Infrastructure &
software
functionality description software
7. Reference Assessing the risk according to process
document description with detailed risk scenario,
List of document related consequences and risk category.
8. Risk analysis
in creating risk The result is a test plan related to the
assessment (manual Risk Assessment functional and/or business process
books, supplier FS/ DS,
URS, etc)
23-24 September 2019
• Risk level assessment method
Risk Level Consequences Example
Critical (C) 1. Has possibility on data lose, stopped Sample can be reinjected and
analysis or manipulation data. previous inject not shown on the
2. There is a violation of GMP regulation result (must be tested)
with an impact on public health. And some negative test may in
coorporated to the OQ/PQ
Major (M) 1. Has no possibility on data lose or Data saved at server can’t be
manipulation data but has impact for accessed using menu. (must be
analysis. tested)
2. There is a direct and undetectable
violation of GMP regulations, without
impact on public health
Minor (m) 1. There is no effect on data and Report can’t be printed (may not be
process of analysis. tested, better if tested)
2. Indirect or detectable violation of
GMP regulations, without impact on
public health.
23-24 September 2019
 2 HPLC Risk Assessment
Process a. Lockout threshold: 3 times
GxP Risk
Description (maximum login retries) Process
ID Risk scenario consequence leve Action
step
s l
Data may be OQ: Perform
loss in the validation of
Data backup and
event of C backup process
restore failure
system and restore
corrupt process
OQ: Test plan
System
2.3.1.5 Backup and to verify the
backup and
/6. restore backup and
Backup and restore restore may
restore access
may be performed by performed in
C are limited to
unauthorized the such
personnel
personnel event that
according to
will impact
default security
existing data
matrix
Risk analysis
ID Process step Risk scenario GxP consequences Risk level Action
OQ: Test plan to verify any
login without ID is not
Login may be performed without ID or
2. Login Security of data in HPLC C possible
a correct password
Any login with incorrect
password also no possible
OQ: Verify there is threshold
Wrong login may be performed
HPLC is vulnerable to lockout system incorporated
2a repeatedly in attempt to breach the C
unauthorized access for maximum number of
HPLC system 23-24 September 2019
login retries
 Serialization server
Process description Serialization Risk Assessment
ERP recipe/ with recipe/ material
material
2.1 products management
management

a.Recipe management

GxP Risk
ID Process step Risk scenario Action
consequences level
1. System OQ: Test plan to
architecture Recipe management verify the data set
(According to system Wrong set of from ERP
Serialization The data set from
Client PC
architecture recipe data will lead to transferred
2.1.a ERP will not be C
for serialization will incorrect serial successfully and
transferred correctly
be interfaced from code generation correctly in the
ERP) Serialization client
PC

ID Process step Risk scenario GxP consequences Risk level Action

OQ: Accessing the recipe
Recipe management may be accessed by Uncontrolled serialization management should be
C
unauthorized person result limited and on authorized
person possible
OQ: Test plan to verify any
2.1.a Recipe management
modification will increase the
Any change to the recipe
Activity in recipe management recipe version
will have impact in final C
untraceable print record audit trail after
serialize product
recipe management been
23-24accessSeptember 2019
 Mixing Tank Risk Assessment
GxP
Risk
ID Process step Risk scenario consequenc Action
level
es
OQ: Test case to
Incorrect temperature Impairment to
verify the actual
setting and actual value product M
value show on
output stability
display is correct
OQ: Test case to
Temperature did not Process verify the setup
M
stop at specific run time interrupted temperature run
Temperature
for period
2.5.2 command
OQ: Test case to
button
capability of
mixing tank to
Mixing tank cannot
Process maintain
maintain temperature M
interrupted temperature
inside
after holding
function is
activated

ID Process step Risk scenario GxP consequences Risk level Action

OQ: Verified with taco
Incorrect speed output to the Product not
M meter and verify the
HMI dissolved
result with HMI display
2.5.1 Stirrer command button
OQ: Tested on machine
Product not
Incorrect run time output M initial PQ with calibrated
dissolved
stopwatch
23-24 September 2019
 • CSV Component Protocol
Explain system overall summary

Explain the protocol usage whether it is a initial

validation of validation because of some 1. System overview
modification or system upgrade, etc 2. Scope
3. Responsibilities
Personnel responsibilities list for who will perform 4. Test plan and
the test, review the test and approved the protocol procedure

Include the test name and reference number, test

purpose, test step/procedure, acceptance criteria
and personnel sign for every test

Protocol

23-24 September 2019

Testing 1 - Unauthorized Login
Unauthorized / unregistered User ID, incorrect User ID, incorrect
HPLC Protocol
password, will prohibit user from entering the system.
Test Objective Risk assessment

To ensure that unauthorized / unregistered user ID or password GxP Risk

Process
cannot be used for login ID Risk scenario consequenc lev Action
step
es el
Test Description OQ: Test plan
1. user ID (empty) and correct password to verify any
login without
2. Verify that it cannot login
Login may be ID is not
Security of
3. Type valid user ID and incorrect password performed without possible
2. Login data in C
4. Verify that it cannot login ID or a correct Any login
HPLC
Acceptance Criteria
password with incorrect
password
System cannot be accessed by unauthorized / unregistered user using
also no
no ID or using incorrect password
possible
Results

23-24 September 2019

Testing 2 - Backup Restore
This function is for the project database and the log database can be HPLC Protocol
backed up. GxP Risk
ID Process step Risk scenario Action
Test Objective consequences level
To ensure the user with proper rights can use this function. OQ: Perform
Data may
Test Description validation of
Backup be loss in
1. Login to LabSolutions as System Administrator 2.3.1. Data backup and backup
2. Click the [Administration] icon and select the [Backup] by clicking
and the event C
5/6. restore failure process and
the icon to start the Backup program. restore of system
restore
3. Select 1 or more data from database corrupt
process
4. Verify that the [Backup] function is working
5. Login to LabSolutions as System administrator
6. Click the [Administration] icon and select the [Restore] by clicking
the icon to start the Restore program
7. Verify that the [Restore] function is opened to start the [Restore].
8. Verify that the restore result

Acceptance Criteria
Successful backup and restore sequence
Results
Point 4 – backup result

Point 8 – Restore result

Conclusion:
23-24 September 2019
• CSV Component Report

Deviation happen for each test

1. Deviation
Justification whether the deviation have impact or 2. Justification of
not to the operating system and regulation deviation
3. Result (with
Test protocol result (success or not) (with evidence)
attached evidence) of test plan 4. Conclusion
5. Recommendation
State whether the system is valid or not

Any observable suggestion to increase the

system compliance

Report

23-24 September 2019

Testing 1 - Unauthorized Login
Unauthorized / unregistered User ID, incorrect User ID, incorrect HPLC Report
password, will prohibit user from entering the system.
Test Objective
To ensure that unauthorized / unregistered user ID or password
cannot be used for login

Test Description
1. user ID (empty) and correct password
2. Verify that it cannot login
3. Type valid user ID and incorrect password
4. Verify that it cannot login
Acceptance Criteria Evidence

System cannot be accessed by unauthorized / unregistered user using

no ID or using incorrect password

Results
Testing 2 - Backup Restore
This function is for the project database and the log database can be backed up. HPLC Report
Test Objective
To ensure the user with proper rights can use this function.
Test Description
1. Login to LabSolutions as System Administrator
2. Click the [Administration] icon and select the [Backup] by clicking the icon to
start the Backup program.
3. Select 1 or more data from database
4. Verify that the [Backup] function is working
5. Login to LabSolutions as System administrator
6. Click the [Administration] icon and select the [Restore] by clicking the icon to
start the Restore program
7. Verify that the [Restore] function is opened to start the [Restore].
8. Verify that the restore result

Acceptance Criteria
Successful backup and restore sequence
Results
Point 4 – backup result
Point 8 – Restore result
Conclusion:
 Template URS
Purpose
(Indicate the wished key objectives and benefits and ensure that these
benefits are covered by the specific requirements included in section 3 and
1.
satisfied using indexes/percentages of improvement.)
Example: 5% of improvement process efficiency.

System overview
2. (Summary of system main function)

3. System Requirement
3.1 Data management (scope backup-restore, data saving, data modification)
3.2 Access level requirement
3.2 ALCOA+ requirement
3.3 Business requirement
3.4 Technical requirement (utility, space, ducting)
3.5 HSE requirement
3.6 Document / Certificate requirement
 Template Risk Assessment

ID
(refer to Requirement/ GxP Risk Action
Risk scenario
requirement) process flow consequences level (IQ/OQ/PQ)

1.
2.
3.1
3.2
…
 Template IQ Protocol

Protocol
Observations /
Pass/Fail/Pass
No. Action Expected Result Deviations / Sign / Date
with notes
Attachments
I. Sub section of IQ Protocol (system installation condition) / hardware specification / software specification / supporting procedure
/vendor document and certification
1. Verify Procedure … in place Procedure … in place Procedure number : XXxXX Pass ßÀ© 24 Sep 2019
2.
3.
…

Observations /
No. Action Expected Result Deviations / Pass/Fail Initials / Date
Attachments
II. Sub section of IQ (system installation condition) / hardware specification / software specification / supporting procedure / vendor
document and certification
Installed according to
4. UPS installed UPS brand, specification expected result Pass ßÀ© 24 Sep 2019
5.
6.
..
 Template OQ Protocol
Test 1 Test 2
General test title General test title
Test Objective Test Objective
what function that this test wanted to introduce/ what function that this test wanted to introduce/
challenged challenged
Test Description Test Description
1. Test step or process to achived objective 1. Test step or process to achived objective
2. 2.
3. 3.
4. 4.
… …
Acceptance Criteria Acceptance Criteria
Result of the test that we are hoping to meet Result of the test that we are hoping to meet
requirements requirements
Results Results

Test pass or not Test pass or not

 Template Report
Report
Deviation
Explain which and what test protocol have deviation
Justification for Deviation

Result
Attachment 1 - Evidence (screenshot)
Attachment 2 - Evidence (screenshot)

Conclusion
The system valid or not
Recommendation
Any observable recommendation
THANK YOU