GAMP5 CATEGORIES &
VALIDATION DELIVERABLES
       CSV & CSA
       -ARIJIT DASGUPTA
                          GAMP
 Full form of GAMP is Good Automated Manufacturing Practices
 Founded in U.K. in 1991 by ISPE
 To achieve computerized systems that are fit for intended use and
  meet current regulatory requirements
                        GAMP5 CATEGORY
CATEGORY      WHAT COMES UNDER?           DESCRIPTION
Category 1    Infrastructure Software     Operating Systems
              (Standard Software)
Category 3    Non-Configurable Software   Products cannot be configured, or can sometimes be configured but only
                                          the default configuration can be used.
                                          Commercial off-the-shelf software (COTS). For example: Laboratory
                                          Instruments Software
Category 4    Configurable Software       Configuration can be done to meet user-specific needs.
                                          For example: to meet end-user requirements, a few modules in an Enterprise
                                          System (LIMS, DMS) are implemented as per user requirements.
                                          Data migration requirements between two or more software.
Category 5    Customized Application      These applications are developed to meet the specific needs of the
                                          regulated company.
                                          For example: Bespoke/Tailor-Made Software, Customized Application
               TYPE V MODEL AS PER GAMP 5
   Planning                                                                 Reporting
               Specification                            Qualification/ Verification
                               Configuration & Coding
       VALIDATION DELIVERABLES BASED
            ON GAMP5 CATEGORIES
SOFTWARE      VALIDATION DELIVERABLES
CATEGORY      IRA   URS   SA    VP    FS    CS/DS   IQ    OQ    PQ    RTM   VSR
Category 1    √     √     -     -     -     -       √     -     -     -     -
Category 3    √     √     -     √     -     -       √     √     √     √     √
Category 4    √     √     √     √     √     √       √     √     √     √     √
Category 5    √     √     √     √     √     √       √     √     √     √     √
           COMPUTER SYSTEM VALIDATION
                      (CSV)
 Computer System Validation (CSV) is a process used to test, validate and formally
  document that a regulated computer-based system does exactly what it is
  designed to do in a consistent and accurate manner that is secure, reliable and
  traceable.
 CSV was introduced in 2003 in addition to 21 CFR Part 11 Guideline.
 FDA’s “Guidance for Industry Computer Systems Used in Clinical Trials” applies to
  the computerized systems used to create, modify, maintain, archive, retrieve or
  transmit clinical data intended for submission to FDA.
             HOW TO PLAN CSV DOCUMENTATION
                             PROCESS
 1) What will be Validated?
 A~ Software’s name and version number
 2) What will be the acceptance criteria?
 A~ The anticipated test results for different types of specifications such as
    URS, FS/FRS and DS
 3) How will it be Validated?
 A~ It relates to the 3 Qs of Software Validation: IQ, OQ and PQ.
 Written strategies and tests shall be performed in each Q.
 4) Who will validate?
 A~ This is the Stakeholders' role and responsibility.
                    VALIDATION DELIVERABLES
 1. Initial Risk Assessment (IRA) or GxP Document
 2. User Requirement Specification (URS)
 3. Vendor Assessment/Supplier Assessment (VA/SA)
 4. Functional Requirement Specification (FRS/FS)
 5. Configuration/Design Specification (CS/DS)/Design Qualification (DQ)
 6. Project Validation Plan/Validation Plan (PVP/VP)
 7. Factory Acceptance Test (FAT)
 8. Site Acceptance Test (SAT)
 9. Functional Risk Assessment (FRA)
 10. Installation Qualification (IQ)
 11. Operational Qualification (OQ)
 12. Performance Qualification (PQ)
 13. Requirement Traceability Matrix (RTM)
 14. Validation Summary Report (VSR)
 15. System Release Certificate (SRC)
            SPECIFICATION AND QUALIFICATION
            RELATIONSHIPS V-LIFE CYCLE MODEL
   IRA/GxP
     PVP
                               Verifies                      VSR
              URS                                        PQ
                    FRS        Verifies             OQ
                          DS   Verifies        IQ
                                System Build
          SUPPLIER/ VENDOR ASSESSMENT
 Suppliers/vendors should be assessed based upon reputation,
  experience, competition and certifications.
 The inspection will be performed using a questionnaire which includes, but is not
  limited to:
 1) Supplier Organizational Structure
 2) Supplier Reputation and Experience
 3) Business Process
 4) Quality Process
 5) Product Development Life Cycle
Category      Complexity: Low      Complexity: Medium   Complexity: High
Category-1    Public Assessment    Public Assessment    Public Assessment
Category-3    Public Assessment    Public Assessment    Postal Assessment
Category-4    Postal Assessment    Postal Assessment    Postal/On Site
Category-5    On Site Audit        On Site Audit        On Site Audit
No need to perform Supplier/Vendor Assessment in the following cases:
1) System is of low complexity
2) Supplier qualified by other business verticals
3) Supplier has a long-standing relationship
         USER REQUIREMENT SPECIFICATIONS
 URS should be developed based on the business process
 URS is required for all GxP Computerized Systems
 All the stated requirements should be SMART
 This document must be prepared by the System Owner, reviewed by the Process
  Owner and SME, and approved by Q.A
 This document shall incorporate the below regulatory requirements, including but not
  limited to:
 1) Security and Administration
 2) Functionality
 3) Electronic Records and Audit Trail
 4) Back up and Restoration
 5) Environmental Conditions

 Requirement Number    Requirement Description
 XXX-URS-010-001       System should have provision to employ two distinct identification
                       components such as User Name and Password for Authorization
          INITIAL RISK ASSESSMENT (IRA)
 IRA shall be performed before or in parallel with the development of the User
  Requirement Specification (URS)
 IRA shall determine potential GxP implications arising from the computerization of
  the process
 IRA shall assist in determining the following, including but not limited to:
 1) Level of Vendor/Supplier Assessment
 2) GAMP5 Software Categorization
 3) Risk Category
 4) Potential Impact and Complexity of the System
      FUNCTIONAL REQUIREMENT SPECIFICATION
                     (FRS)
 FRS specifically describes the following:
 1) Who can enter data into the system
 2) Description of data to be entered into the System
 3) Description of Operations performed by each screen
 4) Description of Work flow performed by the system
 5) Description of System reports or other outputs
 6) How the System meets the applicable regulatory requirements
    DESIGN SPECIFICATION (DS)/ CONFIGURATION
               SPECIFICATION (CS)
 DS/CS specifically describes the following technical elements of software or
  system:
 1) Database Design - Field definitions, File Structures, Entity relationship diagrams,
    Data Flow Diagrams
 2) Logic/Process Design - Pseudo code for calculation
 3) Security Design - Cybersecurity Protection from Hacker/Virus
 4) Interface Design - What data transfer will occur from one system to another,
    with what frequency, and how to handle failure in data transfer activities
 5) Architectural Design - Required Hardware Support, Operating System, Application
    Version etc.
 6) Network Requirements
 7) Specific peripheral device requirements such as scanners, printers etc.
                             VALIDATION PLAN
   A Validation plan must be produced for each computerized System
   The Validation plan will define the activities to be undertaken to demonstrate that the GxP
    Computerized System is in a compliant state and fit for intended use.
   The Validation plan should include the below mentioned areas, but is not limited to:
   1) Project and System Overview
   2) Vendor
   3) Roles and responsibilities
   4) Validation Strategy
   5) Supporting Process
   6) Validation Deliverables
           VALIDATION DELIVERABLES
 [Diagram: Validation Deliverables, grouped as A. Planning, B. Specifications, C. Verification, D. Reporting]
 A. Planning - Validation Plan, Supplier Assessment and Initial Risk
  Assessment
 B. Specifications - User Requirement Specifications, Functional
  Requirement Specifications and Configuration Specifications
 C. Verification - Installation Qualification, Operational Qualification,
  Performance Qualification, Requirement Traceability Matrix (RTM)
 D. Reporting - Validation Summary Report
       INSTALLATION QUALIFICATION (IQ)
 A. IQ should demonstrate that the correct software and hardware are installed and
  configured in line with specification documents in applicable environments
  (Production/Quality).
 B. IQ should include the below mentioned areas, but is not limited to:
 1. Equipment/ Instrument Details
 2. Server Hardware Configuration
 3. Workstation Hardware Configuration
       OPERATIONAL QUALIFICATION (OQ)
 A. OQ verifies that the system operates according to written and
  preapproved specifications.
 OQ Testing should demonstrate correct operation of the functionality
  that supports the specific business process.
 OQ should include the below mentioned areas, but is not limited to:
 1) Security & Administration
 2) User Privileges
 3) Functionality in accordance with Approved Privilege Matrix
 4) Audit Trail Requirements
 5) Data Back up & Restoration
       PERFORMANCE QUALIFICATION (PQ)
 PQ verifies that the system is capable of performing the activities of the
  process according to written and pre-approved specifications.
 PQ is carried out in the applicable environment (Production/Quality).
 Testing of the system demonstrates fitness for intended use.
 PQ shall be performed so as to confirm Business Requirements.
  REQUIREMENTS TRACEABILITY MATRIX
                (RTM)
 RTM ensures that the requirements are verified and can be traced, and
  shows that each requirement has been met.
 The relationship between URS, FS, DS and Verification, as applicable, shall be
  mapped.
  VALIDATION SUMMARY REPORT (VSR)
 VSR summarizes the Validation effort and assesses the associated
  activities.
 VSR should also summarize changes from the Validation Plan, resolution of
  all defects and a statement of fitness for intended use.
 VSR should summarize the list of validation deliverables.
 VSR should include the below mentioned areas, but is not limited to:
 1) SOPs
 2) Defects experienced during Qualification
 3) Training
 4) Change Control and Final System Validation Approval
 COMPUTER SYSTEM ASSURANCE (CSA)
 CSA is a risk-based approach for establishing and maintaining
  confidence that the software is fit for its intended use.
 FDA’s draft guidance on CSA for Production and Quality System was
  published on 27th October 2022.
           FOUR STEPS TO ENSURE CSA
 1) Identify Intended Use
 As per 21 CFR 820.70 (i), need to identify the software’s intended use as
  Direct, Support or Not Used in Production/Quality System
 2) Determine Risk-Based Approach
 3) Determine appropriate assurance activities
 4) Establish an appropriate record
    TRANSITIONING FROM CSV TO CSA
                     CSV Approach
Documentation        Testing           Critical Thinking
                     CSA Approach
 Critical Thinking   Targeted Testing         Documentation
CSV focuses heavily on documentation, whereas CSA places a high
priority on areas affecting patient safety and product quality.
CSA is based primarily on conducting verification activities, selected
on a risk basis, to ensure GxP.
RISK BASED ASSURANCE PROCESS IN CSA
Risk     Impact                               Assurance Method
High     Direct impact on product quality     Scripted Testing based upon
         or patient safety                    Identified Risks
Medium   Indirect impact on product quality   Unscripted Testing based
         or patient safety                    upon Identified Risks
Low      Neither High nor Medium Risk         Ad-Hoc Testing which includes
                                              User List, Roles and Privilege
                                              Matrix
                ADVANTAGES OF CSA
1) A reduction in cycle times (Test creation, Review and Approval) as
   there is a reduction in test scripts and test errors
2) Fewer generated documents
3) Better use of Supplier Qualification
4) Maximize use of knowledge from CSV and Project resource experts