
Risk Assessment For Computer System Validation

Computer system validation (sometimes called computer validation or CSV) is the process of documenting that a computer system meets a set of defined system requirements. A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs.

Uploaded by Ganesh V Gaonkar
© All Rights Reserved

RISK BASED APPROACH

VALIDATION MASTER PLAN

• The guidance for validation of all computer systems will be documented in a Validation Master Plan (VMP).
• The Validation Master Plan will include:
o Identifying components requiring validation
o Prioritizing and justifying the validations to be performed
o All activities and assigned responsibilities
o Establishing site-specific procedures to support validation


WHAT IS A COMPUTER SYSTEM ?

‘Computer system’ can be defined as any of the following:
• Desktop systems; client or server systems; automated process control and laboratory systems; host-based software; data acquisition and analysis systems; and all associated software.
• The associated software comprises application software or firmware, system software, and computer system supporting documentation.
• Computer systems shall be validated. The computer validation must ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

COMPUTERIZED SYSTEM

A ‘computerized system’ consists of:
• Hardware
• Software
• Network components
• Controlled functions
• Related documentation

COMPUTER SYSTEM VALIDATION – REQUIREMENTS

21 CFR Part 11, §11.10(a): Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Annex 11, Principle: This annex applies to all forms of computerized systems used as part of GMP regulated activities. The application should be validated.

Schedule M, Part 1, 29.4 Equipment (c): Qualification & calibration, including the recording systems and arrangements for computerized system validation.


COMPUTER SYSTEM VALIDATION ….. A JOURNEY

Critical thinking, planning and assessment are required for this journey …..
• What is the business process / workflow?
• What is the intended use of this system?
• For what purpose shall it be used?
• What decisions shall be taken on the data?
• What are the anticipated RISKS in the entire life cycle of the validated system?

Risk based approach for Computer System validation


COMPUTER SYSTEM VALIDATION ….. BUSINESS PROCESS

RISKS must be assessed throughout the entire Life Cycle of the Computer system
and compared to the respective Business requirements for the entire Data life cycle

[Diagram: BUSINESS PROCESS. Labels on one side: USER REQUIREMENTS; REGULATORY REQUIREMENTS; IMPACT ON PATIENT SAFETY, PRODUCT QUALITY & DATA INTEGRITY. Labels on the other side: TECHNICAL CONTROLS; BEHAVIORAL CONTROLS; PROCEDURAL CONTROLS.]

WHAT IS A COMPUTER SYSTEM VALIDATION ?

The purpose of the validation process is to provide a high degree of assurance that a specific process (or in this case computer system) will:
• Consistently produce a product (control information or data) that meets predetermined specifications and quality attributes.

SOP & QUALIFICATION – RELATIONSHIP
CSV / QUALITY UNIT – ROLES & RESPONSIBILITIES

The QUALITY UNIT has a key role in successfully planning & managing the compliance and fitness for intended use of computerized systems. The role and activities need to be independent in nature and are mainly concerned with:
• Approval or audit of key documentation, e.g. policies, procedures, acceptance criteria, plans, reports etc.
• Focus on critical quality aspects
• Involvement of SMEs (subject matter experts)
• Approval of changes that potentially affect patient safety, product quality, or data integrity
• Audit of processes and supporting documentary evidence to verify that compliance activities are effective

SOP AND RESPONSIBILITIES

Each corporate unit is responsible for establishing a policy on COMPUTER SYSTEMS VALIDATION requirements.

Sites or departments are responsible for:
• Computer system validation Standard Operating Procedures (SOPs)
• System inventory and assessment
• System-specific validation protocols
• System-specific validation documentation

SOPs must:
• Comply with the Computer Systems Validation Policy and VMP as applicable
• Be approved by the appropriate management for that site or department

WHY VALIDATION IS REQUIRED ?

• Reduces risk and legal liability
• Ensures GMP compliance requirements are met
• Ensures adherence to the current requirements of software validation and compliance
• Validation is applied to many aspects of the healthcare and other regulated industries and businesses. Examples include:
o Services
o Equipment
o Computer systems
o Processes
• To produce documented evidence that provides a high degree of assurance that all parts of the system will consistently work correctly when in use

Computer systems validation includes validation of both new and existing computer systems.

WHY DO WE VALIDATE COMPUTER SYSTEMS ?

Computer systems are validated for two important reasons:
• To ensure that GMP practices are followed and to adhere to regulatory requirements
• To demonstrate conformance with the system requirements specification
• To provide assurance of the trustworthiness of the data and information
• To demonstrate the suitability of computer hardware and software to perform the assigned task

Regulatory compliance shall help in:
• Minimizing regulatory actions
• Maintaining a positive relationship with regulatory agencies
• Expediting submissions to and approval by the FDA
• Avoiding product recalls and negative publicity

Key objectives:
• Patient safety
• Product quality
• Data integrity

WHICH SYSTEMS SHOULD BE VALIDATED ?

Computer systems throughout the organization involved in the:
• Development
• Production
• Storage
• Distribution
of pharmaceutical products or medical devices need to be considered for Computer System Validation.

VALIDATION PROCESS STEPS

• Establish teams - These are the teams that will be responsible for the validation process
• Determine validation activities - Validation activities are the exact details or activities that will be required for each of the steps in the validation process
o The output from this activity will be the Validation Plan
• Write the Validation Protocol - Describes the procedure and the steps within the procedure that will be followed in order to validate the system
o The Validation Protocol must also provide a high-level description of the overall philosophy, intention and approach
• Perform qualification activities - Design, IQ, OQ, PQ
• Review controls and procedures
o SOPs (Standard Operating Procedures)
o Training procedures and training records
• Certify the system - This step is where you certify that the validation deliverables have met the acceptance criteria that were described in the Validation Protocol
o When you certify the system you should prepare a Validation Report
o The Validation Report should outline the details of the validation process

VALIDATION DOCUMENTATION

• Documentation that verifies each validation activity must be generated and stored with the validation protocol in the appropriate archive.
• Validation documentation may include:
o Test data
o Summary reports
o Procedures
o Certification forms produced during the validation process

[Diagram labels: VALIDATION MASTER PLAN; CHANGE CONTROL; VALIDATION PROTOCOL; VALIDATION & SUMMARY REPORT; REVIEW, APPROVAL & CCR CLOSURE]

CSV – TESTING DOCUMENTATION
CSV – COMPLIANCE PATHWAY

[Diagram labels: QA SYSTEMS; EQUIPMENT / ANALYTICAL CONTROL; VALIDATION & CALIBRATION; RISK ASSESSMENT; VENDOR MANAGEMENT]

CSV – RISK BASED APPROACH

The risk based approach for computer system validation has been promoted by all major regulators:
• US FDA has been promoting the risk based approach since 2002
• GAMP 5 laid out a practical approach to using risk for computerized system validation
• EU & PIC/S GMP Annex 11 recommends that risk management be applied throughout the lifecycle of the computerized system

QUALITY RISK MANAGEMENT - CSV

• Quality Risk Management is a systematic process for the ASSESSMENT, CONTROL, COMMUNICATION & REVIEW OF RISKS.
• Application of Quality Risk Management enables effort to be focused on critical aspects of a computerized system, in a controlled and justified manner.
• Quality Risk Management should be based on clear process understanding and potential impact on patient safety, product quality, and data integrity.
• Qualitative or quantitative techniques may be used to identify and manage risks. Controls are developed to reduce risks to an acceptable level.
• Implemented controls are monitored during operation to ensure ongoing effectiveness.

UNDERSTANDING DATA LIFE CYCLE & RISKS

[Figure: data life cycle. Stage labels: CREATION; PROCESSING; REVIEW, REPORTING; RETRIEVAL & USE; ARCHIVAL; DESTRUCTION.]

Risks labelled on the figure:
• RISK: Multiple readings / best chosen
• RISK: Processing into compliance
• RISK: Unprocessed & unreported data
• RISK: Process control & lacking oversight
• RISK: Data not preserved & secured

UNDERSTANDING DATA LIFE CYCLE RISKS & MITIGATION

Risk based approach to GxP Computerized systems

INITIATION
• Need identification
• Proposal on approval
• Risk assessment

VALIDATION
• RISK based validation
• Evaluation of impact
o Patient safety
o Product quality
o Data integrity

OPERATION
• Routine use
• Data review
• Security controls
• Backup / restore
• Change control
• Periodic review / audit

RETIREMENT
• System discontinuation
• Change control
• Data migration
• Disposal

RISK to data integrity, product quality & patient safety → varies throughout the system life cycle

CSV : CONVENTIONAL & CRITICAL EVALUATION

System requirement: Users in the QC Laboratory shall not be able to delete the acquired analytical data.

CONVENTIONAL EVALUATION
• Can a user delete without user privileges?
=> Verify privileges
• If data is deleted, is there a record of it?
=> Verify audit trail

CRITICAL EVALUATION
• Can a user log in with a role that is not assigned?
=> Verify login roles
• Can a user be assigned deletion rights?
=> Verify user access grant / change procedure & authorizations
• Can the audit trail be modified / deleted / turned off?
=> Verify that the system audit trail is always ON and cannot be turned OFF
• Can the audit trail be filtered to find deletions?
=> Verify audit trail filtering
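
The conventional and critical checks listed above, run over a constructed audit trail. This is an added example, not part of the original slides; the role names, record fields and action codes are assumptions.

```python
# Constructed sample data: role names, field names and action codes are
# assumptions for this example, not any product's audit-trail schema.
ROLE_PERMS = {"analyst": {"acquire", "view"}, "reviewer": {"view", "approve"},
              "sysadmin": {"view", "manage_users", "delete"}}
ASSIGNED = {"asha": "analyst", "ravi": "reviewer", "meena": "sysadmin"}
QC_ROLES = {"analyst", "reviewer"}  # roles used in the QC laboratory
TRAIL = [
    {"seq": 1, "user": "asha", "role": "analyst", "action": "LOGIN"},
    {"seq": 2, "user": "asha", "role": "analyst", "action": "ACQUIRE", "target": "RUN-001"},
    {"seq": 3, "user": "ravi", "role": "sysadmin", "action": "LOGIN"},
    {"seq": 4, "user": "ravi", "role": "sysadmin", "action": "GRANT",
     "target": "asha", "perm": "delete", "approved_by": None},
    {"seq": 5, "user": "meena", "role": "sysadmin", "action": "AUDIT_OFF"},
    {"seq": 8, "user": "asha", "role": "analyst", "action": "DELETE", "target": "RUN-001"},
]


def roles_able_to_delete(role_perms, qc_roles):
    """Conventional check: which QC roles carry the delete privilege?"""
    return sorted(r for r in qc_roles if "delete" in role_perms.get(r, set()))


def logins_with_unassigned_role(trail, assigned):
    """Critical check: sessions opened under a role the user was never given."""
    return [e["seq"] for e in trail
            if e["action"] == "LOGIN" and assigned.get(e["user"]) != e["role"]]


def unapproved_delete_grants(trail):
    """Critical check: deletion rights granted with no recorded approver."""
    return [e["seq"] for e in trail if e["action"] == "GRANT"
            and e.get("perm") == "delete" and not e.get("approved_by")]


def audit_trail_breaks(trail):
    """Critical check: trail switched off, or sequence gaps (missing entries)."""
    seqs = [e["seq"] for e in trail]
    return {"turned_off": [e["seq"] for e in trail if e["action"] == "AUDIT_OFF"],
            "gaps": [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]}


def deletions(trail):
    """Critical check: filter the trail down to deletion events."""
    return [(e["seq"], e["user"], e["target"]) for e in trail
            if e["action"] == "DELETE"]


if __name__ == "__main__":
    print(roles_able_to_delete(ROLE_PERMS, QC_ROLES),
          logins_with_unassigned_role(TRAIL, ASSIGNED),
          unapproved_delete_grants(TRAIL), audit_trail_breaks(TRAIL),
          deletions(TRAIL), sep="\n")
```

On this sample the privilege table alone passes the conventional check, while the trail shows the unassigned-role login, the unapproved grant and the audit gap that preceded the deletion.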
RISK ASSESSMENT – STEP 1 / INITIAL

Process flow:
• Initial Risk Assessment → System impact
• Identify impacted functions
• Perform Functional Risk Assessment → Identify controls
• Implement controls → Verify
• Review risk mitigation → Continuous monitoring

INPUT:
• USER REQUIREMENTS
• GxP REGULATIONS
• INITIAL ASSESSMENT

OUTPUT:
• GxP / Non GxP
• MAJOR RISKS CONSIDERED
• OVERALL RISK ASSESSMENT

RISK ASSESSMENT – STEP 2 / IDENTIFY FUNCTIONS WITH GXP IMPACT

Process flow:
• Initial Risk Assessment → System impact
• Identify impacted functions
• Perform Functional Risk Assessment → Identify controls
• Implement controls → Verify
• Review risk mitigation → Continuous monitoring

INPUT:
• SPECIFICATION
• SYSTEM ARCHITECTURE
• COMPONENT CATEGORIZATION

OUTPUT:
• LIST OF FUNCTION FOR FURTHER EVALUATION

RISK ASSESSMENT – STEP 3 / PERFORM FUNCTIONAL RISK ASSESSMENT & IDENTIFY CONTROLS

Process flow:
• Initial Risk Assessment → System impact
• Identify impacted functions
• Perform Functional Risk Assessment → Identify controls
• Implement controls → Verify
• Review risk mitigation → Continuous monitoring

INPUT:
• FUNCTIONS FROM STEP 2
• SME EVALUATION
• CASE SCENARIOS
• HAZARDS

OUTPUT:
• RISK CATEGORIZATION (Low, Medium & High)
• ASSESSMENT & MITIGATION FOR HIGH RISKS

CSV - SECURITY

• Access to electronic records should be restricted and monitored by the system’s software through its logon requirements, security procedures, and audit trail records.
• The electronic records must not be altered, browsed, queried, or reported by external software applications.
• In addition to the logical security built into the system, physical security must be provided to ensure that access to computer systems and to electronic records is prevented for unauthorized personnel.
• Organizations shall store regulated electronic data in its electronic form, rather than keeping paper-based printouts of the data on file.
• If information is not recorded on durable media, it cannot be retrieved for future use.
• Security-related requirements are: protection of records, access controls, authentication, audit trail controls, computer systems time controls, authority checks, technical controls to open systems, signature/record linking, uniqueness of electronic signatures, electronic signature security, etc.

EVALUATION OF LEGACY SYSTEMS – PART 11 COMPLIANCE

• The objective of the evaluation is to identify the system’s functional and/or procedural gaps.
• Results of the evaluation will determine whether the operational, maintenance, or security procedures shall provide a controlled environment that ensures the integrity of the electronic records and/or signatures as stated in the Part 11 requirements.
• An evaluation plan is needed in order to define the nature, extent, schedule, and responsibilities.
• Each system performing a regulated operation must be identified and the operation it performs must be well understood in order to prioritize the work.
• Evaluation shall indicate the priority rating that is applicable for each system in the Criticality and Complexity Assessment.
• Other factors for prioritization process are –

Based on the assessment, further remedial and corrective actions need to be executed through:
• Interpretation
• Training
• Remediation execution
• New applications assessments
• Application upgrade assessments
• Supplier qualification program

GAMP

GAMP® refers to Good Automated Manufacturing Practice.

A system for producing quality equipment using the concept of prospective validation following a life cycle model. Specifically designed to aid suppliers and users in the pharmaceutical industry.

• GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems provides pragmatic and practical industry guidance that aims to achieve compliant computerized systems that are fit for intended use in an efficient and effective manner, while also enabling innovation and technological advances.
• The guide provides a framework for the risk-based approach to computer system validation where a system is evaluated and assigned to a predefined category based on its intended use and complexity.
• Categorizing the system helps guide the writing of system documentation (including specifications and test scripts and everything in between).
• GAMP 5 was developed by the ISPE GAMP Community of Practice (CoP), a worldwide group of practitioners and SMEs, with significant input and review from international regulators.


GAMP 5 / ISPE – KEY CONCEPTS

Key concepts:
• Product & process understanding
• Life cycle approach within a Quality Management System
• Scalable life cycle activities
• Science based Quality Risk Management
• Leveraging supplier involvement

 Leveraging Supplier Involvement
GAMP 5 - COMPUTER SYSTEM CONFIGURATION

CATEGORY | DETAILS | TYPE
1 | Infrastructure Software | Windows XP
3 | Standard Applications |
3A | | Vernier calipers (View the reading)
3B | | Analytical Balance (View the reading & Print / If Software is not configured)
3C | Non-configured Products | Raw Water generation system (View the reading, select the recipe & Print / No data storage is available)
3D | | Autoclave, Lyophilizer, BMS etc. (View the reading, select the recipe & Print / Data storage is available)
3E | | FTIR, UV Spectrometer, HPLC etc. (View the reading, select the recipe & Print / Data storage & processing is available)
4 | Configured Software | LIMS, SCADA, SAP etc. (View the reading, select the recipe & Print / Data storage, processing & configuration is available)
5 | Customized Applications | Electronic Batch Record

GAMP 5 - COMPUTER SYSTEM CONFIGURATION
SYSTEM REQUIREMENTS

CATEGORY DETAILS | QUALIFICATION REQUIREMENTS | PASSWORD CONTROL | DATA BACKUP | AUDIT TRAIL REVIEW | SOFTWARE BACKUP
CATEGORY 1 | YES | Not Applicable | Not Applicable | Not Applicable | Not Applicable
CATEGORY 2 | Category is not applicable in GAMP 5
CATEGORY 3A | YES | Not Applicable | Not Applicable | Not Applicable | Not Applicable
CATEGORY 3B | YES | Required | Not Applicable | Not Applicable | Not Applicable
CATEGORY 3C | YES | Required | Preferred | Preferred | Preferred
CATEGORY 3D | YES | Required | Required | Required | Preferred
CATEGORY 3E | YES | Required | Required | Required | Preferred
CATEGORY 4 | YES | Required | Required | Required | Preferred
CATEGORY 5 | YES | Required | Required | Required | Preferred


CURRENT SCENARIO → CSV TO CSA
A RISK based approach ……

KEY TO SUCCESSFUL CSV

• Consider the VALIDATION activity for both system & data life cycle period
• Form the right CSV team: CSV practitioners, SME, IT & Quality
• Validate the computer system for the intended business requirement
• Apply QRM to identify potential risks and evaluate critically what / how & verify