A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs.
Computer system validation (sometimes called computer validation or CSV) is the process of documenting that a computer system meets a set of defined system requirements.
Risk assessment for computer system validation
2. VALIDATION MASTER PLAN
The guidance for validation of all computer systems will be documented in a Validation Master Plan (VMP).
The Validation Master Plan will include:
Identifying components requiring validation
Prioritizing and justifying the validations to be performed
All activities and assigned responsibilities
Establishing site specific procedures to support validation
3. WHAT IS A COMPUTER SYSTEM ?
‘Computer system’ can be defined as any of the following:
Desktop systems; client or server systems; automated process control and laboratory systems; host-based software; data acquisition and analysis systems; and all associated software.
The associated software comprises application software or firmware, system
software, and computer system supporting documentation.
Computer systems shall be validated. The computer validation must ensure
accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records.
5. COMPUTER SYSTEM VALIDATION – REQUIREMENTS
21 CFR Part 11 - §11.10(a): Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Annex 11 Principle: This Annex applies to all forms of computerized systems used as part of GMP regulated activities. The application should be validated.
Schedule M, Part-1: 29.4 Equipment - (c) Qualification & calibration, including the recording systems and arrangements for computerized system validation.
6. COMPUTER SYSTEM VALIDATION ….. A JOURNEY
Critical thinking, planning and assessment are required for this journey:
What is the business process / workflow?
What is the intended use of this system?
For what purpose shall it be used?
What decisions shall be taken on the data?
What are the anticipated RISKS in the entire life cycle of the validated system?
Risk based approach for Computer System validation
7. COMPUTER SYSTEM VALIDATION ….. BUSINESS PROCESS
RISKS must be assessed throughout the entire Life Cycle of the Computer system
and compared to the respective Business requirements for the entire Data life cycle
[Diagram: BUSINESS PROCESS, with the labels User Requirements; Regulatory Requirements; Impact on Patient Safety, Product Quality & Data Integrity; Technical Controls; Behavioral Controls; Procedural Controls]
8. WHAT IS A COMPUTER SYSTEM VALIDATION ?
The purpose of the validation process is to provide a high degree of assurance that a specific process (or in this case computer system) will consistently produce a product (control information or data) that meets predetermined specifications and quality attributes.
11. CSV / QUALITY UNIT – ROLES & RESPONSIBILITIES
The QUALITY UNIT has a key role in successfully planning and managing the compliance and fitness for intended use of computerized systems. The role and activities need to be independent in nature and are mainly concerned with:
Approval or audit of key documentation e.g. Policies, Procedures, Acceptance criteria,
Plans, Reports etc.
Focus on Critical Quality aspects
Involvement of SMEs (Subject matter experts)
Approval of changes that potentially affect patient safety, product quality, or data integrity
Audit processes and supporting documentary evidence to verify that compliance activities
are effective
12. SOP AND RESPONSIBILITIES
Each Corporate unit is responsible for establishing a policy on COMPUTER SYSTEMS VALIDATION requirements
Site or departments are responsible for:
Computer system validation Standard Operating Procedures (SOPs)
System inventory and assessment
System specific validation protocols
System specific validation documentation
SOPs must:
• Comply with the Computer Systems Validation Policy and VMP as applicable
• Be approved by the appropriate management for that site or department
14. WHY VALIDATION IS REQUIRED ?
Reduces Risk and legal liability
Ensures GMP compliance requirements
Ensures adherence to the current requirements of Software validation and compliances
Validation is applied to many aspects of the healthcare and other regulated industries
and businesses. Examples include:
o Services
o Equipment
o Computer Systems
o Processes
To produce documented evidence, that provides a high degree of assurance that all
parts of the system will consistently work correctly when in use
Computer systems validation includes validation of both new and existing
computer systems
15. WHY DO WE VALIDATE COMPUTER SYSTEMS ?
Computer systems are validated for two important reasons:
To ensure that GMP practices are followed and to adhere to Regulatory requirements.
To demonstrate conformance with the system requirements specification
To provide assurance of the trustworthiness of the data and information.
Demonstrate the suitability of computer hardware and software to perform the assigned task
Regulatory compliance helps in:
Minimizing regulatory actions
Maintaining a positive relationship with regulatory agencies
Expediting submissions to and approval by the FDA
Avoiding product recalls and negative publicity
Key Objectives -
Patient safety
Product quality
Data integrity
16. WHICH SYSTEMS SHOULD BE VALIDATED ?
Computer Systems throughout the organization involved in
the –
Development
Production
Storage
Distribution
of Pharmaceutical products or Medical devices need to be
considered for Computer System Validation
17. VALIDATION PROCESS STEPS
Establish Teams - These are the teams that will be responsible for the validation process
Determine Validation Activities - Validation activities are the exact details or activities that will be required for each of
the steps in the validation process
o The output from this activity will be the Validation Plan
Write the Validation Protocol - Describes the procedure and the steps within the procedure that will be followed in
order to validate the system
o The Validation Protocol must also provide a high level description of the overall philosophy, intention and approach
Perform Qualification Activities - Design, IQ, OQ, PQ
Review Controls and Procedures
o SOPs (Standard Operating Procedures)
o Training procedures and Training records
Certify the System - This step is where you certify that the validation deliverables have met the acceptance criteria
that were described in the Validation Protocol
o When you certify the system you should prepare a Validation Report
o The validation report should outline the details of the validation process
18. VALIDATION DOCUMENTATION
Documentation that verifies each validation activity
must be generated and stored with the validation
protocol in the appropriate archive.
Validation documentation may include:
Test data
Summary reports
Procedures
Certification forms produced during the validation
process
[Diagram labels: Validation Master Plan; Change Control; Validation & Summary Report; Validation Protocol; Review, Approval & CCR Closure]
20. CSV – COMPLIANCE PATHWAY
[Diagram labels: Vendor Management; Risk Assessment; QA Systems; Validation & Calibration; Equipment / Analytical Control]
21. CSV – RISK BASED APPROACH
The risk based approach for Computer System validation has been
promoted by all major Regulators –
US FDA has been promoting the Risk based approach since 2002
GAMP 5 laid out a practical approach to using Risk for Computerized system
validation
EU & PIC/S GMP Annex 11 recommends that risk management be applied throughout the lifecycle of the computerized system
22. QUALITY RISK MANAGEMENT - CSV
Quality Risk Management is a systematic process for the ASSESSMENT,
CONTROL, COMMUNICATION & REVIEW OF RISKS.
Application of Quality Risk Management enables effort to be focused on
critical aspects of a Computerized system, in a controlled and justified
manner.
Quality Risk Management should be based on clear process
understanding and potential impact on patient safety, product quality,
and Data integrity.
Qualitative or quantitative techniques may be used to identify and
manage risks. Controls are developed to reduce risks to an acceptable
level.
Implemented controls are monitored during operation to ensure ongoing
effectiveness.
23. UNDERSTANDING DATA LIFE CYCLE & RISKS
Data life cycle stages: CREATION; PROCESSING; REVIEW, REPORTING & USE; ARCHIVAL & RETRIEVAL; DESTRUCTION
RISK: Multiple readings / best chosen
RISK: Processing into compliance
RISK: Unprocessed & unreported data
RISK: Process control lacking oversight
RISK: Data not preserved & secured
24. UNDERSTANDING DATA LIFE CYCLE RISKS & MITIGATION
Risk based approach to GxP Computerized systems
INITIATION: Need identification; Proposal approval; Risk assessment
VALIDATION: RISK based validation; Evaluation of impact on
o Patient safety
o Product quality
o Data integrity
OPERATION: Routine use; Data review; Security controls; Backup / Restore; Change control; Periodic review / Audit
RETIREMENT: System discontinuation; Change control; Data migration; Disposal
RISK to Data integrity, Product Quality & Patient safety Varies throughout the
System Life cycle
25. CSV : CONVENTIONAL & CRITICAL EVALUATION
CONVENTIONAL EVALUATION CRITICAL EVALUATION
Can a user delete without user privileges?
=> Verify privileges
Can a user log in with a role that is not assigned?
=> Verify login roles
If data is deleted, is there a record of it?
=> Verify audit trail
Can a user be assigned deletion rights?
=> Verify user access grant / change procedure & authorizations
Can the audit trail be modified / deleted / turned off?
=> Verify that the system audit trail is always ON and cannot be turned OFF
Can the audit trail be filtered to find deletions?
=> Verify audit trail filtering
System requirement: Users in the QC Laboratory shall not be able to delete the acquired analytical data.
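The checks on this slide, run against a constructed permission export and audit trail, as an added example that is not part of the original slides. All role names, users, record IDs and field names are hypothetical; the access grant / change procedure check is a document review and is not modelled.

```python
# Constructed sample exports; every name and value here is hypothetical.
ROLE_PERMS = {"qc_analyst": {"acquire", "process", "delete"},
              "qc_reviewer": {"review"},
              "sys_admin": {"delete", "manage_users"}}
QC_ROLES = {"qc_analyst", "qc_reviewer"}
USER_ROLES = {"asha": "qc_analyst", "ravi": "qc_reviewer", "meena": "sys_admin"}
AUDIT_CONFIG = {"enabled": True, "can_be_disabled_by": ["sys_admin"]}
AUDIT_TRAIL = [  # one dict per audit-trail entry
    {"user": "asha", "role": "qc_analyst", "action": "acquire", "record": "INJ-001"},
    {"user": "asha", "role": "qc_analyst", "action": "delete", "record": "INJ-001"},
    {"user": "ravi", "role": "sys_admin", "action": "login", "record": None},
]
MISSING_RECORDS = {"INJ-001", "INJ-002"}  # acquired, no longer in the data store


def deletions(trail):
    """Filter the audit trail down to deletion entries."""
    return [e for e in trail if e["action"] == "delete"]


def evaluate():
    """Return a list of (check, detail) findings; an empty list means pass."""
    findings = []
    # Verify privileges: no QC laboratory role may hold the delete right.
    for role in sorted(QC_ROLES):
        if "delete" in ROLE_PERMS.get(role, set()):
            findings.append(("privileges", role))
    # Verify login roles: the session role must be the assigned role.
    for e in AUDIT_TRAIL:
        if USER_ROLES.get(e["user"]) != e["role"]:
            findings.append(("login_role", e["user"]))
    # Verify audit trail: every missing record needs a deletion entry.
    logged = {e["record"] for e in deletions(AUDIT_TRAIL)}
    for rec in sorted(MISSING_RECORDS - logged):
        findings.append(("unlogged_deletion", rec))
    # Verify filtering: a deletion made under a QC role breaches the requirement.
    for e in deletions(AUDIT_TRAIL):
        if e["role"] in QC_ROLES:
            findings.append(("qc_deletion", e["record"]))
    # Verify the audit trail is ON and that no role can turn it OFF.
    if not AUDIT_CONFIG["enabled"] or AUDIT_CONFIG["can_be_disabled_by"]:
        findings.append(("audit_trail_switchable",
                         ",".join(AUDIT_CONFIG["can_be_disabled_by"])))
    return findings


if __name__ == "__main__":
    for check, detail in evaluate():
        print(f"FAIL {check}: {detail}")
```

Each finding maps to one "=> Verify" line above, so a validation protocol can record the result per check rather than a single pass/fail for the requirement.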
27. RISK ASSESSMENT – STEP 2 / IDENTIFY FUNCTIONS WITH
GXP IMPACT
[Process diagram: Initial Risk Assessment / System impact; Identify impacted Functions; Perform Functional Risk Assessment / Identify Controls; Implement Controls / Verify; Review Risk mitigation / Continuous Monitoring]
INPUT: Specification; System architecture; Component categorization
OUTPUT: List of functions for further evaluation
28. RISK ASSESSMENT – STEP 3 / PERFORM FUNCTIONAL RISK
ASSESSMENT & IDENTIFY CONTROLS
[Process diagram: Initial Risk Assessment / System impact; Identify impacted Functions; Perform Functional Risk Assessment / Identify Controls; Implement Controls / Verify; Review Risk mitigation / Continuous Monitoring]
INPUT: Functions from Step 2; SME evaluation; Case scenarios; Hazards
OUTPUT: Risk categorization (Low, Medium & High); Assessment & mitigation for high risks
29. CSV - SECURITY
Access to electronic records should be restricted and monitored by the system's software through its logon requirements, security procedures, and audit trail records.
The electronic records must not be altered, browsed, queried, or reported by external software applications.
In addition to the logical security built into the system, physical security must be provided to ensure that unauthorized personnel are prevented from accessing computer systems and electronic records.
Organizations shall store regulated electronic data in its electronic form, rather than keeping paper-based printouts of the data on file.
If information is not recorded on durable media, it cannot be retrieved for future use.
Security related requirements are:
Protection of records, Access controls, Authentication, Audit trail controls, Computer systems time controls, Authority checks, Technical controls to open systems, Signature/record linking, Uniqueness of electronic signatures, Electronic signature security etc.
30. EVALUATION OF LEGACY SYSTEMS – PART 11 COMPLIANCE
The objective of the evaluation is to identify the system’s functional and/or procedural gaps;
Results of the evaluation will determine whether the operational, maintenance, or security procedures shall provide a controlled
environment, that ensures the integrity of the electronic records and/or signatures as stated in the Part 11 requirements.
An evaluation plan is needed in order to define the nature, extent, schedule, and responsibilities
Each system performing a regulated operation must be identified and the operation it performs must be well understood in order to
prioritize the work
Evaluation shall indicate the priority rating that is applicable for each system in the Criticality and Complexity Assessment.
Other factors for prioritization process are –
Based on the Assessment further Remedial and
Corrective actions need to be executed through–
Interpretation
Training
Remediation execution
New applications assessments
Application upgrade assessments
Supplier qualification program
31. GAMP
GAMP® refers to Good Automated Manufacturing Practice.
A system for producing quality equipment using the concept of prospective validation following a life cycle
model. Specifically designed to aid suppliers and users in the pharmaceutical industry.
• GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems provides pragmatic and practical industry
guidance that aims to achieve compliant computerized systems that are fit for intended use in an efficient and effective
manner, while also enabling innovation and technological advances.
• The guide provides a framework for the risk-based approach to computer system validation where a system is evaluated
and assigned to a predefined category based on its intended use and complexity.
• Categorizing the system helps guide the writing of system documentation (including specifications and test scripts and
everything in between).
• GAMP 5 was developed by the ISPE GAMP Community of Practice (CoP), a worldwide group of practitioners and SMEs ,
with significant input and review from international regulators.
32. GAMP 5 / ISPE – KEY CONCEPTS
Key concepts:
Product & process understanding
Life cycle approach within a Quality Management System
Scalable life cycle activities
Science based Quality Risk Management
Leveraging supplier involvement
33. GAMP 5 - COMPUTER SYSTEM CONFIGURATION
CATEGORY (DETAILS): TYPE
Category 1 (Infrastructure Software): Windows XP
Category 3 (Non-configured Products; Standard Applications):
  3A: Vernier calipers (View the reading)
  3B: Analytical Balance (View the reading & Print / If software is not configured)
  3C: Raw Water generation system (View the reading, select the recipe & Print / No data storage is available)
  3D: Autoclave, Lyophilizer, BMS etc. (View the reading, select the recipe & Print / Data storage is available)
  3E: FTIR, UV Spectrometer, HPLC etc. (View the reading, select the recipe & Print / Data storage & processing is available)
Category 4 (Configured Software): LIMS, SCADA, SAP etc. (View the reading, select the recipe & Print / Data storage, processing & configuration is available)
Category 5 (Customized Applications): Electronic Batch Record
34. GAMP 5 - COMPUTER SYSTEM CONFIGURATION
SYSTEM REQUIREMENTS
CATEGORY | QUALIFICATION REQUIREMENTS | PASSWORD CONTROL | DATA BACKUP | AUDIT TRAIL REVIEW | SOFTWARE BACKUP
CATEGORY 1 | YES | Not Applicable | Not Applicable | Not Applicable | Not Applicable
CATEGORY 2 | Category is not applicable in GAMP 5
CATEGORY 3A | YES | Not Applicable | Not Applicable | Not Applicable | Not Applicable
CATEGORY 3B | YES | Required | Not Applicable | Not Applicable | Not Applicable
CATEGORY 3C | YES | Required | Preferred | Preferred | Preferred
CATEGORY 3D | YES | Required | Required | Required | Preferred
CATEGORY 3E | YES | Required | Required | Required | Preferred
CATEGORY 4 | YES | Required | Required | Required | Preferred
CATEGORY 5 | YES | Required | Required | Required | Preferred
38. KEY TO SUCCESSFUL CSV
Consider the VALIDATION activity for both System & Data life cycle period
Form the right CSV Team: CSV Practitioners, SME, IT & Quality
Validate the Computer system for the intended Business requirement
Apply QRM to identify potential Risks and evaluate critically what / how & verify