
GAMP 5

A Risk-Based Approach to
Compliant GxP
Computerized Systems
Stephen Shields
8 October 2013
ASQ Orange Section Meeting Part 2

Disclaimer

This presentation is made at the request of ASQ.

The presenter is a full-time employee and stockholder of Allergan, Inc.

The information provided and opinions expressed during this presentation
are those of the presenter and are not the position of and may not be
attributed to Allergan, Inc.

Agenda
Operation Phase

Handover
Service and Performance Monitoring
Incident Management and CAPA
Change Management
Periodic Review
Continuity Management
Security and System Administration
Record Management

Retirement Phase
Withdrawal
Decommissioning
Disposition

Operation Phase
The approach and required activities should be selected and scaled
according to the nature, risk, and complexity of the system in question.
The regulated company should ensure that appropriate operational
processes, procedures, and plans have been implemented, and are
supported by appropriate training.
Compliance and fitness for intended use must be maintained throughout the
system's operational life.
The integrity of the system and its data should be maintained at all times
and verified as part of periodic review.
Opportunities for process and system improvements should be sought
based on periodic review and evaluation, operational and performance data,
and root-cause analysis of failures (Incident Management and CAPA).
Change management should provide a dependable mechanism for prompt
implementation of technically sound improvements following the approach
to specification, design, and verification.

Operation Phase Information Flows

Operation Phase - Processes


Process Group: Process
Handover: Handover Process
Service Management and Performance Monitoring: Establishing and Managing Support Services; Performance Monitoring
Incident Management and CAPA: Incident Management; CAPA
Change Management: Change Management; Configuration Management; Repair Activity
Audits and Review: Periodic Review; Internal Quality Audits
Continuity Management: Backup and Restore; Business Continuity Planning; Disaster Recovery Planning
Security and System Administration: Security Management; Systems Administration
Records Management: Retention; Archive and Retrieval
Training: Training Management

Handover
Handover is the process for transfer of responsibility of a
computerized system from a project team or a service group to a
new service group.
Typical conditions for handover to business:
Fit for Intended Use
Compliant
Trained Users
Operation Security & Roles Established
SOPs Effective (operational & support)
Unique Configuration Elements Established
Issues Closed/Resolved
Rollback Strategy

Handover Process

Service Management & Performance Monitoring


Maintaining a system in a state of compliance is often
dependent upon services provided by organizations
outside the direct control of the system owner.
A Service Level Agreement (SLA) establishes responsibilities between the IT Service
Provider and the Customer.
An Operating Level Agreement (OLA) defines the goods or Services to be provided to the IT
Service Provider by another part of the same Organization and the responsibilities of both
parties.
An Underpinning Contract (UC) defines targets and responsibilities of a Third Party to meet
agreed Service Level Targets in an SLA.

Where appropriate, performance of the system should
be monitored to capture problems in a timely manner. It
also may be possible to anticipate failure through the use
of monitoring tools and techniques.

Support Services Process

Incident Management and CAPA


Incident Management process should address:
Categorize incidents
Triage to the most appropriate resource or complementary process
Document
Review
Prioritization
Progress towards resolution
Escalation
Closure

CAPA process should address:
Investigation, understanding and correcting discrepancies based on root-cause analysis
Preventing recurrence of discrepancies
Preventing occurrences of possible/predicted discrepancies
Effectiveness

Change Management
Critical activity fundamental to maintaining the compliant
status of systems and processes
Software (including middleware), configuration, hardware,
infrastructure, or use of the system
Reviewed to assess impact and risk of implementing the change
Suitably evaluated, authorized, documented, tested, and approved
before implementation, and subsequently closed
Scaled based on the nature, risk, and complexity of the change
Continuous process and system improvements based on periodic
review and evaluation, operational and performance data, and
root-cause analysis of failures.
Emergency changes performed under the change management process or repair
SOPs

Periodic Review
Verify systems remain compliant with regulatory
requirements, fit for intended use, and meet company
policies and procedures.
Interval appropriate to the impact and operation history of the system
Pre-defined process
Documented with corrective actions tracked to satisfactory completion

Continuity Management
Backup and Restoration
software, records, and data are made, maintained, and retained for a
defined period within safe and secure areas
Restore procedures should be established, tested, and the results of
that testing documented

Business Continuity Planning
Plans established and exercised to ensure the timely and effective
resumption of these critical business processes and systems

Disaster Recovery Planning
Details the precautions taken to minimize the effects of a disaster,
allowing the organization to either maintain or quickly resume critical
functions (focus on disaster prevention).

Security and System Administration


Adequately protected against willful or accidental loss,
damage, or unauthorized change
Procedures for managing secure access, including adding and
removing privileges for authorized users, malware management,
password management, and physical security measures
Role-based security
Apply to all users, including administrators, super-users, users, and
support staff (including supplier support staff)
Procedures for administrative support for systems

Record Management
Records must be maintained and accessible throughout
their retention period
Establish policies for retention of regulated records
Retain data on-line or archive
Establish procedures for archival and retrieval

Retirement Phase
Systematic process of permanently removing a system
from use
Withdrawal, system decommissioning, system disposal, and migration
of required data
Withdraw the system from active operations, i.e., users are deactivated,
interfaces disabled. No data should be added to the system from this
point forward. Special access should be retained for data reporting,
results analysis and support.
Decommission the system
Determine disposition of data, documentation, software, and hardware
(permanently destroyed, re-tasked, archived, migrated).

Questions?
Stephen Shields
WWQA Director
Computerized System Compliance and Quality

Allergan, Inc.
Shields_Stephen@Allergan.com
714-246-5320