2002 gamp4 - ikev

GAMP4 IKEV - Istanbul, 02-03 May 2002, by Danny Eykholt

Post on 09-Jun-2022

Page 1: 2002 GAMP4 - IKEV

GAMP4

IKEV - Istanbul

02-03 May 2002

by Danny Eykholt

Page 2: 2002 GAMP4 - IKEV

Understanding the importance of Automated System Validation

Page 3: 2002 GAMP4 - IKEV

Increased Focus of Regulators

483s on FDA website

• www.ISPE.org
• www.GAMP.org
• www.FDA.gov
• dg3.eudra.org

Page 4: 2002 GAMP4 - IKEV

483s on Specifications

• Specification documents for computer process control did not detail system / software development
• System specification documents were prepared and signed-off after vendor acceptance testing
• Specification documents lack details to support future changes to code
• No formal requirements for software design
• System developer audit was cursory and failed to demonstrate contractor qualifications
• Computer used in the shipping / receiving area to log / track raw materials had inadequate security (this is a direct reflection of poor specification of the needs)

Page 5: 2002 GAMP4 - IKEV

483s on Testing

• Functional requirements not tracked through software development life cycle
• Failed to identify and analyze system / software safety critical functions
• Qualification criteria were not tracked through systems development
• Data transferred from working hard copy to computer database without data verification
• Formal error / incident logs were not kept during installation and qualification of software
• No procedures to audit computer generated data, results and/or error corrections

Page 6: 2002 GAMP4 - IKEV

483 on Comp. Systems in Labs

“During the validation of the laboratory computer system at installation only calculations producing results within expected ranges were verified versus manual calculations. No testing was done of other conditions such as results at and outside of the expected range limits, inappropriate data entry, and error condition recovery. There were no written specifications for allowable variations in calculation check comparisons, and comparison records were not signed / dated to indicate review and approval.”

Page 7: 2002 GAMP4 - IKEV

483s on Change Control

• Undocumented software changes
• Master hardcopy for all source code not maintained
• New revision number not issued after software modifications arising from IQ / OQ results
• No records of changes to original source code made prior to installation; no audit trail provided
• Release and implementation dates of source code not recorded
• Hazard analysis for safety critical functions / components not required after software changes

Page 8: 2002 GAMP4 - IKEV

483s on Change Control (contd.)

• Version numbers not assigned to all programs
• Not all documented software changes had clear specific rationale for the change
• Software changes resulting from IQ / OQ were not documented
• User profile codes allowing access to screen editing capability were not fully validated
• No procedure for evaluating / updating overall system configuration after code modifications

Page 9: 2002 GAMP4 - IKEV

GAMP 4 objectives

• Assist Users and Suppliers
• To easily determine the extent and scope of validation
• Framework for convergence with existing standards (e.g. TickIT, ISO 9000)
• Introduce sample procedures to ease the introduction of the defined principles

Page 10: 2002 GAMP4 - IKEV

History

• 1994, 96, 98, 2001 – GAMP v1, 2, 3, 4
• 1996 links to APV and GMA/NAMUR
• JETT (Process Ctrl USA, Can) join GAMP
• 2001 – GAMP becomes part of ISPE

Page 11: 2002 GAMP4 - IKEV

GAMP4 Contents

[Figures: Table of Contents i; Table of Contents ii; Table of Appendices; Attachments]

Page 12: 2002 GAMP4 - IKEV

Amsterdam keywords 3,4 Dec 01

• Increased focus on CSV
• Calibration
• Auditing, SLA
• Ongoing support
• Change Control
• Risk Assessment
• System Security
• Business Continuity Planning

Page 13: 2002 GAMP4 - IKEV

Definition: Life-cycle Validation

• Establishing documented evidence
• which provides a high degree of assurance
• that a specific process will consistently produce
• a product meeting its pre-determined specifications and quality attributes.

[Figure callouts: demonstrated conformance to user, design and functional specifications; ongoing quality audits, structural, functional and integration testing; Test Plans and Protocols]

Page 14: 2002 GAMP4 - IKEV

Phases of Qualification

• URS - Process Oriented Description
• FS - Tasks
• DS - Technical Detailed Documents
• Build
• IQ - install., configuration, completeness, calibration
• OQ - functionality, dry run in normal range
• PQ - product, repeatability

[Figure label: DQ]

Page 15: 2002 GAMP4 - IKEV

Validation Plan & PQP

• Validation Plan
  • regulations.
  • Validation evidence
• Project and Quality Plan
  • deliverables
  • Progress reporting
  • Approved by suppliers

→ Compliance

→ Quality

Page 16: 2002 GAMP4 - IKEV

GAMP Category: 1 2 3 4 5

Description of software category:
  1  Operating Systems
  2  Firmware
  3  Standard Software packages
  4  Configurable software packages
  5  Custom or bespoke systems

Change Control: ✓ ✓ ✓ ✓ ✓
SOPs: ✓ ✓ ✓ ✓
Training: ✓ ✓ ✓ ✓
Supplier Audit: (✓) (✓) (✓) ✓
User Requirements testing in OQ: ✓ ✓ ✓
Full Life Cycle Approach: ✓ ✓
Address Layers of Software: ✓ ✓
Mitigation Strategies for weakness in supplier’s development process: ✓ ✓

Firmware = incorporated in instruments and controllers
(✓) = Optional

Page 17: 2002 GAMP4 - IKEV

Example traceability matrix (vertical type)

User Requirements: U-FAM-1, U-FAM-2, U-LEEF-1, U-LEEF-2, U-LEEF-3, U-STIJL-1, ...

Functional Specifications:
  ...
  F-VORM-1    X        OK
  F-VORM-2    ?
  F-BINNEN-1  X X X    OK
  F-BINNEN-2  X X X    OK
  F-BINNEN-3  X        OK
  F-ELEC-1    X        OK
  F-ELEC-2    X        OK
  ...

OK OK OK OK OK OK

Page 18: 2002 GAMP4 - IKEV

Life Cycle Model following GAMP4

Detailed step by step guide

Page 19: 2002 GAMP4 - IKEV

The V-model

[Figure: V-model diagram. Labels: Project; Supplier; Regulations; Criticality Analysis; Project Concept; Project & Quality Plans; Process & User Requirements; Functional Specifications; Technical Design; Development; Program Build; Supplier Tests; Installation Qualification; Operational Qualification; Performance Qualification; System Use; Maintain; Change Control; Retire]

Page 20: 2002 GAMP4 - IKEV

The V-model

[Figure: V-model diagram. Labels: Regulations; Criticality Analysis; Project Concept; Project & Quality Plans; Process & User Requirements; Functional Specifications; Technical Design; Development; Program Build; Supplier Tests; Installation Qualification; Operational Qualification; Performance Qualification; System Use; Maintain; Change Control; Retire]

Page 21: 2002 GAMP4 - IKEV

Validation Policy

• Standardised Approach
• GXP Compliance
• System Life Cycle
• Management responsibility
• Quality Assurance
• External Supplier Relationship

Page 22: 2002 GAMP4 - IKEV

Validation Policy

• Internal Partners
• Validation Master Plan
• Validation Documentation
• Signatures and Electronic Records
• Training
• Maintaining the Validated Status

Page 23: 2002 GAMP4 - IKEV

Validation Master Plan

• Purpose
• Scope
• Objective
• References to policies and plans
• References to other documents
• Description of levels of planning
• General Description of Production Plant
• Description and locations of the areas being covered at this level
• Organisation of Validation Activities

Page 24: 2002 GAMP4 - IKEV

Validation Master Plan

• Validation Team
• The Validation Execution Group
• Validation Strategy
• Production Plant Validation Policy
• Life Cycle Model Applied
• Validation Reporting
• GxP Criticality Assessment Process
• Requirements to determine Level of GxP
• Procedure for performing the assessment
• Status of the process
• Phases of Qualification

Page 25: 2002 GAMP4 - IKEV

Validation Master Plan

• Automated System Validation Procedures
• EU GMP Vol4, Annex 11 requirements
• Testing of an Automated System
• Calibration
• Deviations (handling) and Action Plan
• Change Control
• Documentation Management
• SOPs and Training
• Timeline and Resources
• Environmental Monitoring
• Process Validation

Page 26: 2002 GAMP4 - IKEV

Validation Master Plan

• Additional Programs
• Facility cleaning and sanitation
• Process Equipment Changeover cleaning
• Preventive Maintenance
• Equipment/System history files (log book)
• Status Tagging and checklists
• Room history files (Room log books)
• Periodical Recalibration program
• Periodical Revalidation program
• Lexicon

Page 27: 2002 GAMP4 - IKEV

Validation Procedure

• Overview of Validation
• The Validation Process
• Validation Elements
• User Requirement Specification
• Design Qualification
• Installation Qualification
• Operational Qualification
• Performance Qualification
• Validation Summary Report

Page 28: 2002 GAMP4 - IKEV

Validation Procedure

• Validation Procedures
• Document Templates
• Qualification Protocols
• Validation Summary Report
• Changes and Revalidation
• Completion of Validation documentation
• Document Control

Page 29: 2002 GAMP4 - IKEV

IQ Protocols

• Targeted Audience
• Scope
• Objectives
• Qualification Method
• Preparation
• Verification
• Reporting, logging and resolving of deviations
• Qualification Acceptance Criteria

Page 30: 2002 GAMP4 - IKEV

IQ Protocols

• Project Deliverables
• Project and Quality Plan
• Suppliers audit
• User Requirements Specification Document
• GMP Analysis
• Review ‘safety Plan’
• Criticality Analysis
• Functional Specification
• Traceability matrix URS vs. FS
• Traceability matrix FS vs. tests
• Approved Design Drawings

Page 31: 2002 GAMP4 - IKEV

IQ Protocols

• System Inputs and Outputs
• Installation Instructions
• Design Tests
• Calibration Procedures and Protocols
• User
• Program Description
• User Manuals
• Training Plan
• Environment
• Access Control
• Utilities

Page 32: 2002 GAMP4 - IKEV

IQ Protocols

• Environmental Conditions
• Installation
• As-Built approved drawings
• System Inputs and Outputs
• Source Code for Control System
• System Configuration
• Device Inventory List
• Instrument List
• Spare Parts List
• Installation Tests Hardware
• Installation Tests Software

Page 33: 2002 GAMP4 - IKEV

IQ Protocols

• System Management
• GMP check SOP System Management
• Maintenance and Logbook
• Service Level Agreements
• Verification List
• Verification Notes List
• Verification Deviation List
• Verification General Remarks List
• General Acceptance
• Responsibilities

Page 34: 2002 GAMP4 - IKEV

OQ Protocol

• General as for IQ
• Operational Tests Hardware
• Operational Tests Software
• Operational Tests System
• calibration
• Verification List
• General as for IQ

Page 35: 2002 GAMP4 - IKEV

PQ Protocol

• General as for IQ, OQ
• Qualification Acceptance Criteria
• Performance Tests
• Verification and general as per IQ, OQ

Page 36: 2002 GAMP4 - IKEV

Test Concept

• Categorisation of the various tests
• See example

Page 37: 2002 GAMP4 - IKEV

e Records & e Signatures

Page 38: 2002 GAMP4 - IKEV

Definitions

• Electronic Record - any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system

• Electronic Signature - a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature

Page 39: 2002 GAMP4 - IKEV

Definitions

• Closed Systems - an environment in which system access is controlled by persons who are responsible for the content of the electronic records that are on the system

• Open Systems - an environment in which system access is not controlled by persons who are responsible for the content of the electronic records that are on the system

Page 40: 2002 GAMP4 - IKEV

What is 21 CFR Part 11?

• A set of rules governing access, storage, retrieval, control and security of electronic records

• A set of rules governing security, control and use of electronic signatures

• Provides the basis by which electronic records and electronic signatures may be used as equivalents to paper records and traditional handwritten signatures

Page 41: 2002 GAMP4 - IKEV

Where did the regulation come from?

• Initial drafts of ANPRM were presented in 1992
• Proposed rule was issued in 1994
• Final Rule was issued March 20, 1997 to become effective August 20, 1997
• Compliance Policy Guide was issued May 1999

Industry comment and technical interchange was key at each phase of development.

Page 42: 2002 GAMP4 - IKEV

What is Scope of 21 CFR 11?

• Records maintained on site for inspection
• Records submitted to the agency
• All ER/ES created since August 20, 1997 are subject to Part 11
• Legacy systems are not exempt if they continued to be used after August 20, 1997

Page 43: 2002 GAMP4 - IKEV

21 CFR Part 11’s Legal Status

Part 11 . . .

• is a substantive regulation
• has the force and power of law
• is a “minimum” standard

Page 44: 2002 GAMP4 - IKEV

When do we have e-signature?

• ID
• Password
• States what one signs for
• Action to execute the “signing”
• Within a policy/certificate framework

• =/= Records
• =/= Security

Page 45: 2002 GAMP4 - IKEV

In a nutshell for closed system with no electronic signatures

• Audit Trail (and system event log)
• Security
• Archiving and Record Retention

Page 46: 2002 GAMP4 - IKEV

E-signatures & security

• Trustworthiness of information:
  • Privacy
  • Integrity
  • Non-repudiation
  • Authentication

Page 47: 2002 GAMP4 - IKEV

Security Considerations for Electronic Records

• limit system access
• use secure, independent, computer generated time-stamped audit trails that do not obscure the original data
• self-monitor operational sequences
• use authority checks
• limit distribution / access to documentation for system operation and maintenance

Page 48: 2002 GAMP4 - IKEV

General Security Principles Common to Both ES & ER

• Validation!
• Written procedures must govern system use
• Adequate controls over access / availability
• Appropriate training and control for all users
• Periodic testing of devices
• Maintenance
• Change Control

Page 49: 2002 GAMP4 - IKEV

Storage of Electronic Records

• What?
  • Any record or supporting documentation required by the predicate rule(s)
  • Electronic records must be stored with all “meta data” and must be capable of providing records in human readable form

• Where?
  • Secure location
  • Durable media
  • Accessible for audit / inspection

Page 50: 2002 GAMP4 - IKEV

Storage of Electronic Records (continued)

• How?
  • With suitable audit trails / security
  • Periodically inspected
  • Transcribed (with validation) as technology progresses, if required

• How Long?
  • For the duration dictated by the predicate rule (e.g., 1 year beyond expiration, 3 years, device life, etc.)

Page 51: 2002 GAMP4 - IKEV

System Security (Information Protection Worksheet)

• Protection
  • Confidentiality (access control or encryption)
  • Integrity (access control or digital signatures)
  • Availability of Information (redundancy or file backup)

• Seriousness & Likelihood (H,M,L)
  • Disclosure
  • Modification
  • Loss

• Security = Loss Prevention
• Classify systems subject to regulatory control or inspection
• Your policy must ensure the validation status of PCs is not compromised. (office/validated data)

Page 52: 2002 GAMP4 - IKEV

Hybrid Systems

• Mixing of manual records / signatures with electronic records / signatures is permitted by the final rule - so called “hybrid systems”

• Ensure that all Part 11 rules are complied with for the electronic portions

• Ensure that manual records are not really “electronic records” in disguise

Page 53: 2002 GAMP4 - IKEV

E Records & E Signatures

Steps towards compliance

Page 54: 2002 GAMP4 - IKEV

21 CFR Part 11

• Inventory (assessment forms, architecture)
• Prioritisation
• Assessment (GAP analysis)
• Remediation (corrective actions)

[Figure labels: Invent; Prior; Assess; Plan]

Page 55: 2002 GAMP4 - IKEV

Step 1 - Inventory...

• Identification of all recorded/stored data and signatures of automated systems as described in the scope. Such as:
  1. Operating systems (WinNT, Unix,...)
  2. Development packages (FIX, win CC,...)
  3. Application code & specific configurations
  4. Recipe data (production parameters & info)
  5. Operations data (audit trails, trends, reports)

Page 56: 2002 GAMP4 - IKEV

...Inventory

• Templates for collection of
  1. General details (system classification, architecture, configuration, access,…)
  2. Documented evidence for the fixed and variable data types and storage, backup and deletion details

• Data model & Database

Page 57: 2002 GAMP4 - IKEV

Step 2 - Prioritisation

• Spreadsheet used to calculate the risk
  • Impact on the business
  • “Probability” of non-compliance

• Alternatively a checklist can be used to add all the non-compliances

Page 58: 2002 GAMP4 - IKEV

Step 3 - Assessment

• “Compliance report” with ratings (high, moderate, low) based on
  • GxP risk
  • Priority

• Indicating the type of compliance gap

Page 59: 2002 GAMP4 - IKEV

Step 4 - Remediation

• Plan of corrective actions
• Possible actions for non-compliant system:
  • Repair, retire, re-engineer, replace, update controls and procedures

• The classification (H,M,L) allows for the appropriate corrective action:
  • Resolve, manage, accept

Page 60: 2002 GAMP4 - IKEV

Detailed Corrective Actions

Determination of Solutions

• Technological
• Procedural
• Procedural fixes for technological problems *

* cannot be used to avoid parts of the regulation

Page 61: 2002 GAMP4 - IKEV

Recommendations for Data Management

• Automated Systems Register
• Backup and Storage Register
• System Access and Security
• Software Changes and Revision Control
• Recipe Creation and Control
• System Recovery
• Control of Programming Devices
• Auditing of Automated Systems
• Validation and Training

Page 62: 2002 GAMP4 - IKEV

Risk Management and Validation

Page 63: 2002 GAMP4 - IKEV

Relation with Validation?

• Validation avoids intolerable risk to patient safety.
• And it maximises business profit
• Risk Assessment answers the question “how much validation is required?”
• It provides justification called for by regulators and cost benefits sought by the business

Page 64: 2002 GAMP4 - IKEV

Risk Assessment as per GAMP

• Identify Processes
• Identify GxP Risk (Criticality Analysis)
• Identify Business Risk
• Identify Risk Scenarios
• Assess the Likelihood
• Assess the severity of the impact
• Assign Risk Classification
• Assess Probability of detection
• Determine risk mitigation measures
• Risk Assessment of Changes

Page 65: 2002 GAMP4 - IKEV

Contingency Planning

• It’s a regulatory requirement!

• EU GMP annex 11 & 15 require adequate alternative arrangements for systems in event of breakdown

Page 66: 2002 GAMP4 - IKEV

Business Continuity Planning

• Business Impact Analysis
• Business Contingency Planning
• Emergency Response Planning
• Disaster Recovery Planning

Page 67: 2002 GAMP4 - IKEV

BIA determines the cost of risk

• Financial Impacts
  • Lost Revenue
  • Lost Trade Discounts
  • Contractual Penalties / Fines

• Operational Impacts
  • Negative Public Image
  • Loss of Shareholder Confidence
  • Employee Morale

• Extraordinary Expenses
  • Rental/moving premises equipment, media reconstruction…

Page 68: 2002 GAMP4 - IKEV

BIA

• Analysis Form
  • Business Processes
  • Systems
  • Stakeholders
  • Supporting Infrastructure
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)
  • Service Level Agreement (SLA)
  • Threats to the process

• Matrix
  • BIR = (B*BW)+(P*PW)

Page 69: 2002 GAMP4 - IKEV

BCP

• Act of planning for the continued operation of systems and facilities in the event of a known adverse incident or fault condition occurring. (Procedures to prepare and respond to threats to the continuation of normal business)

• Backup and Recovery
• Record Retention / Archiving and Retrieval
• System Security

Page 70: 2002 GAMP4 - IKEV

ERP

• The preparation of site level plans that will ensure the provision of critical infrastructure services to a site as well as timely status communications.

Page 71: 2002 GAMP4 - IKEV

DRP

• Act of planning for the restoration of a system and facilities after a major incident

• Detailed plans for the recovery of loss of IT systems and data.

• Practice (“test”) the Procedures !!!