Professional Documents
Culture Documents
Computerized System Life Cycle Management
Computerized System Life Cycle Management
Computerized System Life Cycle Management
“Computerized System
Lifecycle CMF
Management” 03-04 November 2022
HELLO!
I am Fajar Sidik
I am here as your partner during this workshop.
You can find me through fajar.sidik@cfi.co.id
2
Please share your
expectation regarding
this workshop
3
PRE-TEST!
https://s.id/csvtest
4
Chapter 1
Introduction to Computerized System
5
What is a Computerized System ?
Hardware
Software Data Procedures
Firmware
Computer System
Operating Environment
6
input output
The Regulation CDOB 2019
Aplikasi
hendaklah
divalidasi;
Infrastruktur
IT hendaklah
dikualifikasi.
8
9
What is included in Validation
Aplikasi
● Data Centre
hendaklah ● Server
divalidasi; ● Storage
● Wifi
Infrastruktur ● Switch Hub
IT hendaklah ● Router
● Firewall
dikualifikasi. ● Cloud
● Desktop Computer
● Network
● Mobile device
● Protocol
10
Guidance
11
History of GAMP 5
Source :https://ispe.org/pharmaceutical-engineering/ispeak/gamp-25th-anniversary 12
Concept of CSA
13
What's New
• Appendix D8 – Agile
• Appendix D9 – Software tools
• Appendix D10 – Distributed Ledger System
(Blockchain)
• Appendix D11 – AI and ML
• Appendix M11 – IT Infrastructure
• Appendix M12 – Critical Thinking
What’s updated
• Appendix D1 – Specifying Requirements
• Appendix S2 – Electronic Production Records
• Appendix D2 – Functional Specification (removed)
combined with requirements
• Appendix O7 – Repair Activity (removed)
• Appendix S5 – Managing Quality withing outsourced
IS/IT Environment (Removed)
14
Same Concept of GAMP Market and
Develop Produce
distribute
Medicinal Medicinal
User product Product
Medicinal
Product
Leverage Supplier
Involvement
Deliver Maintain and
Develop
products support
Supplier Product and
and product and
services
service services
15
Product and Process Understanding
Solid/ Liquid/ Injectable
OTC/ Prescription
Tangible (RM,PM,
Sample)
Intangible
(Data, metadata)
16
17
Scalable life cycle - Hardware categories
18
Scalable life cycle - Software categories
Category 5 – Custom
Category 4 – Configured
Application
Product ● Spreadsheet Macro
● ERP ● Custom Ladder logic
● LIMS ● Developed application
● SCADA
● MES
19
The Foundation
Patient Product
safety Quality
Intended Use
Data Integrity
20
Chapter 2
Perform Computerized System
Validation
21
Deviation/
Incident Change Management
Functional Risk management Decommissioning
Assessment
Development Release Business Cont.
Review and
IQ/OQ/PQ summary Operational Plan
DevelopmentRelease
testing and Use Backup- Restore
Qualification Archive-Retrieve
Functional Supplier
Specification Selection Build Performance Periodic Review
Training SOP
monitoring
Security
Configuration Traceability
Administration
Design Software Matrix
Specification Design URS development
Validation Plan
Planning
Business Risk 22
Initial Risk
Assessment
Assessment
Detaill Regulasi CPOB 2018
CPOB 2018
1. Manajemen Risiko
2. Personnel
3. Pemasok dan Penyedia Jasa
Fase Proyek
4. Validasi
5. Data
6. Accuracy Check
7. Penyimpanan data
8. Cetakan atau prinout
9. Audit Trail
10. Manajemen perubahan dan konfigurasi
11. Evaluasi berkala
12. Keamanan
13. Manajemen insiden
14. Tanda tangan elektronik
15. Pelulusan bets
16. Keberlanjutan bisnis
17. Pengarsipan
23
Planning – Business Risk Assessment
Business
Liability Security
Interruptio
Risk Risk
n Risk
24
Planning – Validation Master Plan
4.Role &
1.Scope
Responsibility System
Inventory
Supported from List
5.Validation
2.Objective Master list of available
Life cycle
system in regulated site
with detail validation state
6.List and
3.Site
timeline of
overview
validation
25
Planning - Role and Responsibility
QA System
owner
Computerized
System
Validation
SME
Process
owner
Supplier 26
Planning – Validation Master Plan
28
Planning – Validation Plan
Network
1. Scope & out of scope
Validation is for the application server based and its related component, all the qualification of
network and infrastructure not relate are out of scope
2. Objective
Validation of server based application name __________
3. System overview
Architecture of the system and intended use of the system data
29
Planning – Validation Plan – System Overview
30
Planning – Validation Plan – Initial Risk
Assessment
31
Planning - Initial Risk Assessment
CPOB aneks 7 point 4.4 Sistem kritis
● Pengaturan fisik dan logical
● Aliran data
● Interfaces dengan sistem ada proses
lain
Module ● Prasyarat perangkat keras & lunak
● Tindakan pengamanan
category
Validation Plan
Planning
Business Risk 34
Initial Risk
Assessment
Assessment
Design
What does the system
• User Requirements
have to do ?
36
Writing User Requirement Specification (URS)
Records
and
Admin
User electroni
and
control c
security
signatur
Business
Data life e
Process
cycle
Function Operatin
g Audit
Interface
environ Trails
ment
38
User Requirement Specification
Production
Engineering
Department
as User
Documented
HSE Requireme
QA Formal
nt Profile
URS
IT
QC
R&D /
Technica
l 39
User Requirement Specification
40
Writing User Requirement Specification (URS)
42
Measurable
43
Achievable
44
Realistic
Even if something is
technically achievable, it may
not be realistic due to budget
constraints, time restrictions,
regulatory requirements or
other limitations. It’s important
to be realistic when
determining your
requirements.
45
Time-bound
Requiring completion by a
specified deadline or within a
specified period of time.
46
Writing User Requirement Specification (URS)
47
Design - URS
Typical sentence: System shall able to ……... As a < type of user >, I want < some goal > so that
< some reason >.
Both are great combination of both maybe User stories used for usually a business
help the supplier to know what user flow requirement
actually want
User stories not likely used for security
feature or infrastructure
48
Design – Supplier Selection
On-site audit
49
Design – Supplier Selection Best Practice
No Assessment Description
1 Supplier established QMS 1. Set of SOP, set of standard on SDLC (ISO 12207)
2. Training of staff
3. Compliance
2 Quality Planning Any qualification plan and report
7 Provide user document and training Are training and documentation part of contract
Service Level
Agreement
Rather, it describes how the proposed system will operate, how people
or data will interact with it and what to expect when different condition
occur.
52
Design - FSDS
53
Design – Functional Sepcification An FS defines what the system should
do, and what functions and facilities are
to be provided . It provides a list of
design objectives for the system. Formal
The FS defines a system to
testing will often be based on the FS
meet the user's needs as described
in a User Requirements Specification Overview
(URS)
Function
Both users and programmers Data
should understand the FS Explain Interfaces
Non – Functional Attributes
Environment
Glossary
54
Design – Functional Specification (FS)
Overview Function Data
• Complete Architecture • Input/ output • Access speed
• GxP impact • Calculation • Update time
• Patient, Product, Data impact • Algorithm • Required filed
• Configuration tools/language/ • Performance • Validation check
standard program • Safety and security • Relationships
• Configurable function • Capacity and archiving
• Error condition • Integrity and security
• Migration
Interface Non function attribute Environment
• With user • Availability • Encryption
• With equipment • Maintainability • Physical
• With other system
• How data transmitted
• Transfer rate
• Data type, format, range, value meaning 55
Design – Configuration / Design Specification (DS)
56
Design – Configuration / Design Specification (DS)
• Main computer system • Database and collection files • Setting and parameter
• Storage • Records • Dependencies and impact to
• Peripherals • Data types & format other module
• Networks & • Data precision and accuracy • OS and layered software
interconnection • Algorithm • Tools or method used to set
• Embedded system (within • Language & Version the option
process equipment) • Reference standard *May incorporated this
• Hardware operating programming information into FS for small
environment • Input/ output system
• Database • Error handling
• Interface • Module operation
• Interface to other module
57
Deviation/
Incident Change Management
Functional Risk management Decommissioning
Assessment
Development Release Business Cont.
Review and
IQ/OQ/PQ summary Operational Plan
DevelopmentRelease
testing and Use Backup- Restore
Qualification Archive-Retrieve
Functional Supplier
Specification Selection Build Performance Periodic Review
Training SOP
monitoring
Security
Design Traceability
Administration
Specification Software Matrix
Design URS development
Validation Plan
Planning
Business Risk 58
Initial Risk
Assessment
Assessment
How will the system • Software development (methodology, source code,
be built ? compiling – modules)
System release to customers should be performed in accordance with a formal process that
describes criteria for
release, responsibilities, records to be retained, and items to be released, including software ,
hardware, and
documentation.
Release notes defining fixes , changes , and new features should accompany each release
including minor releases and patches.
Release to GxP
environment
Validation Plan
Planning
Business Risk 62
Initial Risk
Assessment
Assessment
How much validation – • Risk Assessment and Critical Thinking
testing is required?
Hard to prioritize on
planning, remediation or Repeated test on system
test focus
64
What is Critical thinking ?
65
Simplified view of critical thinking
Which is spreadsheet
have more risk ?
< <
Monitoring For Stability Design Calculating Tablet
Department Monitoring Dissolution Result
Expense 66
Identify Risk/ Assess Risk Identify Control
Requirement
HPLC Calculation of average The risk to patient The system was COTS no
and deviation standard may safety, product quality method configuration
use incorrect formula and give and data integrity is performed, final report and
incorrect result for product introduced audit trail review by
release decision reference manager
67
Function Prevention Detection
Management Control √
Data Lifecycle √ √
Training √
Incident reporting √ √
Data Review √
Supplier Management √ √
Risk Management √ 68
Functional Risk Assessment - FRA
Complexity
Criticality Out of the box Configured Custom
Direct
Medium High Very High
Indirect
Medium Medium Medium
None
Very Low Low Low
69
Deviation Handling and
Case Study CAPA Management
Start
Configurable
Direct impact
Batch
Revoke Justify
Containtment
COTS
Yes No Not Direct
End VoE impact
Custom
Release Hold
Batch
Direct impact 70
Batch
URS ID Section Description Criticality
URS-BP-01 Business Process Flow Deviation Occur - Risk Assessment - Investigation - Implementation E
plan - CAPA Log
URS-BP-02 Business process flow Deviation Occur - Batch containtment on EBR - Justification by Risk - E
Revoke containment - Continue Batch
URS-F-01 Function Justification and Revoke on URS-BP-02 should only available by QA unit I
URS-F-02 Function Risk calculation based on Severity, Probability and Detectability which E
resulting in RPN S x P x D
URS-ES-01 Electronic Signature Submission of Implementation plan must have ES before it was D
recorded to CAPA log
URS-AL-01 Access Level Minimum of 5 access level can be managed in the system E
URS-IN-01 Interface CAPA system interface to ERP system (SAP type XX version XX) for I
batch product release and hold
URS-IF-01 Infrastructure QMS application should be able to operate on the Ubuntu version 20 on E
site premises 71
Functional Risk Assessment – FRA FMEA
72
URS ID Failure Severity Occuranc Risk Class Detectabi Risk Mitigation
e lity Priority
URS- System moves incorrectly between Step Medium Medium 2 Medium Medium Configuration Test
BP-01
URS- Integration to batch record failure, system did High Medium 1 Low High Documented Test
BP-02 not contain the batch
F URS-F-
01
Batch continue without QA consent High Medium 1 Medium High Documented Test
M URS-F- Incorrect RPN calculation and formula Medium Medium 2 Medium Medium Configuration Test
E 02
URS- ES did not triggered when logging CAPA and Medium Medium 2 High Low Configuration Test
A ES-01 implementation
URS- Access level cannot be provided up to 5 levels Medium Low 3 Medium Medium Documented Test
AL-01
URS-IN- Interface problem, batch did not held before High Medium 1 Medium High Documented Test
01 CAPA fulfilment and batch maybe held forever
even if CAPA has been closed
URS-IF- System incompatible with Ubuntu 20 Medium Low 3 High Low Vendor Audit 73
01
Functional Risk Assessment – FRA Critical
Thinking
Complexity
Criticality Out of the box Configured Custom
Direct
Medium High Very High
Indirect
Medium Medium Medium
None
Very Low Low Low
74
URS ID Section Criticality Impact Software Complexity Risk Mitigation/ Test Approach
URS-IF-01 Infrastructure None Cat.4 Very Low Design Review/ Vendor Audit
75
Functional Risk Assessment - FRA
76
What is Unscripted Testing ?
Unscripted Undocumented
Verification to Demonstrate
81
URS ID Section Criticality Impact Software Complexity Risk Mitigation/ Test Approach
Installation qualification from vendor report during development on site premises server hostname, server IP)
Server OS 20
Sign Performer:
Sign Reviewer: Remark:
82
Qualification – Consideration of IQ
Service Level
Drawing List of critical
Agreements
spare parts
83
Qualification – Consideration of OQ
Critical Data
Migration
Master Data
Verification PQ may not be
done for simple
system
End to End
business
process
85
Objective of testing
Identify defects (bugs) so they can be removed or corrected before operational use
Preventing failures that might affect patient safety, product quality and data integrity
86
Design Review Traceability Matrix
Requirem
ents
Requirement
Traceability
Matrix should
also provide
deliverable
result
Specificati
Testing
on
87
Design Review Traceability Matrix
Functional/
Configuration/ Design Protocol documentation for
URS Document “001X.01”
Specification Document system “001X.01”
“XYZ01-V01”
FS - 001 - CS - 001 -
URS ID: OQ - 001 IQ - 001
Monthly Software &
DI001 - Data backup Automatic Software tools
Data Design for
automation to internal backup for backup
backup periodic
backup server IP. result and and network
periodic for backup &
192.168.1.1 restore structure
using “tools” parameter
88
Qualification – Released Decision (Handover)
system handover from the
project team to the process
Project Operational owner, system owner, and
operational users is
Handover a pre-requisite for effectively
maintaining compliance of the
system during operation
4. Supplier involvement
managing user access with management is available? rN
rN r N/A
reference from QA-G013 is
effective and in place for use? Do SOP for backup and restore rY
7. Deviation List
system has been defined, and on SOP? r N/A
rN
the personnel is deemed r N/A Risk
qualified?
8. Recommendation
Do risk identified from GAP rY
Do system administrator has rY rN
during validation have been
been assigned? rN r N/A
mitigated or accepted?
9. Released Conclusion Training
Have the end user received rY
training for operating the rN
10. Checklist system?
Do you record the evidence of rY
training? rN 90
SOP & Training
Validation Plan
Planning
Business Risk 94
Initial Risk
Assessment
Assessment
Operational and Use – Backup & Restore
Sustainable backup
Successful restore on Backup of software media
short notice include all software
component
95
Operational and Use – Archive and Retrieve
Archiving is the
process of taking
records and data
off-line by
moving them to a
different location
or system , often
protecting them
against further
changes .
96
Operational
Operational and Use – Change Management change control
(formal)
97
Operational and Use – Deviation and Incident
Management
98
Operational and Use – Periodic Review
Periodic reviews are used throughout the operational life of systems to verify that
they remain compliant with
regulatory requirements, fit for intended use, and meet company policies and
procedures
• Access change
• Action
• Backup and
restore necessary to
maintain
Component • GxP electronic
computer
archiving
system in
• Procedure
validated state
• Overall
performance
99
Operational and Use – Performance Monitoring
preventive maintenance that
obtains performance data that
is useful in diagnosing system
problems
Periodic Review
Change Incident
management Management
100
Operational and Use – Business Continuity
Planning
Risk Assessment Determine hazard possibility and assess the severity such disaster event
102
Operational and Use – Decommissioning
Execution Reporting
103
POST-TEST!
https://s.id/csvtest
104
THANKS! https://s.id/absencfi
105
Key Take Away
107