COMPUTERIZED SYSTEM

VALIDATION (CSV)

26
th

JANUARY 2024
SPEAKER PRESENTATON CREDIT
12.30 – 16.00 MS. SIRILUK BUACHAROEN MS. TASSANA PRAWISAT, MR. CHETNIPHAT PONGSRITHONG
Head of QC Section 2 IT Quality and Documentation Section
Quality Control Division 2 Compliance and Quality System Division 2
Handout RANGSIT PHARMACEUTICAL PRODUCTION PLANT 1
PDF FILE THE GOVERNMENT PHARMACEUTICAL ORGANIZATION
OUTLINE • Introduction of computerized systems validation

• Computerized system risk management

• Periodic review of GxP Computerized System

• User account and user privilege maintenance

on Windows operation

• Restriction on Windows operation

• Backup and Restore of GxP Computerized System

• Key Takeaway
INTRODUCTION OF
COMPUTERIZED
SYSTEMS
VALIDATION
C O M P U T E R I Z E D ใน
รวมถึ งกันนีทั
้ ้งก่ อน
ฐื ๋ นํขุ
า ทู น

S Y S T E M ระบบทีใช้
่ คนพิ วเตอร1อยใชคํานี ้ Software
Operating
mn nn.nu
Procedures
and People
err
“A computerized system consists Hardware
of the hardware, software, and Firmware Equipment
network components, together nnn
Computer System Controlled Function
with the controlled functions and (Controlling System) or Process
associated documentation”
Computerized System
Operating Environment
ฐานฅู นํามีคน
(including other networked or standalone computerized systems,
other systems, media, people, equipment and procedures)

Computerized system from PIC/S Guidance

 ⁿ หา1
กับ
CSV is a ระหง ว่ า
คม to
ทําvalidate
งาน ๊ มีว่ื ้ า
นทณ่ หื๋ฌืฬ
COMPUTERIZED process a computerized
system to ensure that the system operates
and provides data or information correctly,

SYSTEM and consistently according to predefined

าาาาด กี่ กใน

requirements
renrnⁿ ่
งานครัง้ ผล นอน
คดโกง
เหมื อนเดิ ม security

VALIDATION The outcome of the CSV is to show that the

computerized system is fit for intended use in
the proper environment.
 การอุงทํ า
ทําไม
WHY WE NEED TO DO CSV?
นากาอ.
กํา า ํา ื ๊
กืนํท
• Pharmaceutical manufacturing and medical
device use a computerized system to ศํ า
operate, maintain, and/or report which is
impact quality and decisions. Gพู ด๓๓ ว่าดูใสบ้าง
ภาพรวม
• In another word, they are relying on the
data/information from the computerized
system.
ทําให้
Therefore, howมั่to
นใจ ว่า
ระบบก. thatทํthe
ทํานา าให้
ฑี ฐ ๊ fยื ๊ ุ
๊ ืญ
• make sure
computerized system is working correctly.

CSV is a regulatory
•
เชนกฎหมายในGMP
เนกาเกาmumrequire
1. VALIDATION COMPUTERIZED SYSTEM

2. CSV DOCUMENTATION
กิ จกรรม กิ จกรรม ถ้ไ
ส ทุ ก าม่ มDocument
ี ก่can t ยื นยันได้ว่ าเราได้ทําสิ่ น
ง ้น
ั
IF IT IS NOT DOCUMENTED,
IT DID NOT HAPPEN.
HOW DO YOU VALIDATE
A COMPUTER SYSTEM?
GAMP 5
แต่GAMPเชนแก่PracticalGuiHeให้ปฏิ บตั ิ ตาม
ส ยังไม่ ใช่กฎหมาย

4เล่ ม5เป็นเล่ มหลักของ

Riskbasedapproachให้
What is GAMP?
nun มาฐ practice
ทําตาม

“Good Automated Manufacturing Practice”

nnnnrn
Global organization, GAMP guidance are accepted by
regulators and referenced by FDA & PIC/S

GAMP also want to;

• Focus attention on computerized systems that most
impact patient safety, product quality, and data
integrity.
• Leverage supplier activities to the maximum possible
extent while ensuring fitness for the intended use.
• Recognize that most computerized systems are now
based on configurable packages.
CATEGORIES OF
SOFTWARE AND HARDWARE
These software and hardware categories may then be used along with risk assessment
and supplier assessment to determine a suitable life cycle strategy.
It should be noted that software Categories 3 to 5 are effectively a continuum with no
TEEIgomiittobyntiay.im
absolute boundaries, and that activities recommended for another category might be
appropriate for a system or component that falls between categories.

2 MAIN WAYS TO USE THE CATEGORIES:

ได้
ประเมิ นภาพรวม
1. Whole-system ทั้งsystemก่ได้ส่วนใหญ่Cateเดี ยวกันงี ๋
assessment

r หรื อประเมิ นแcomponent

2. Detailed เลยก็ ได้บางPart
ยกส่ วน คนละCategoryกันงี ้ ประเมิ น
เป็น
อาจ
assessment แยก
 CATEGORIES OF
SOFTWARE AND HARDWARE
SOFTWARE ญะ ได้
แรน เลยแล้วแต่โช
Cate
ทุ ก งาน. HARDWARE มี2Cate
Cat. GAMP 4 GAMP 5 Cat. GAMP 5

ง่าย 1
valid Operating Infrastructure software 1 Standard Hardware
component

nnnex.io
System (OS) (OS,DB, MW, etc.)
aiaeT
mmen 2 Custom Built Hardware
2 Firmware -Removed-
nnrnTe จิ ม
component
้ เลื อตาม
ก spec
3 Standard
ไม่ มแล้
ี จ ไป3 4 5แล้ว
วํากระจาย
Non-configurable software
พวก
นต้ท้ไ นฐปุ
office
software
Microsoft
T
4 Configurable ญู ญื้ฐื ๊
Configurable software ๊ โอผู
ญื น ้
นั้น
software ยู่
นตาแหอ
5 Custom
ฃู ้ญืญ
๊ ืด
๊ ุ ้ตืฒ
๊ ู ญืญ ื ๊ ญู ๊
๊ กุ
ʰCustom software
v
valid
อ
softwareงอ นา ฐาน สามค. สแกน ไส
เลยอยากไรกให้
็ นัก ทํา
develop

ยา ซับซ้อนภาระ ทดสอบ
 ยก๓vระบบ ของGPORangsit
คอม
COMPUTER SYSTEM VALIDATION
RANGSIT PHARMACEUTICAL PRODUCTION PLANT 1

ERP ทําชุ
ญืญู๊ ๊ฐ่ื ฑื
Enterprise Resource Planning

ได้
ว่ งาาน
กําหนด
ทํไร
ในการ าบาวเข้าไปre

รุ ้
แกน
กุญ
๓
MES
1รต ณื
ืงําํ๊ าญื ้
LIMS
ญุ
CDS
นองเอไม่ตาย
ถุ
นํรุา่ น
โอโผู
พ่ ์ ร
นุ ่
eQMS
้ งาน
ยุ่ ฐืฐ
นั่ ๋ ืญ
ง ๊ ืญ
๊ ืฏ
๊ ั่
๊ กูกูSystem
คํานวณเที ยน
Manufacturing Execution Laboratory Information Management System Chromatography Data System electronic Quality Management System

า จนคงได้Anayareport µ
ทํออกมา ถึขัง้นตอน
เชน4mg

OPC BAS BAS SCADA PLC

ไรเนอ
Main Plant Pilot Scale
1เครื่อจังกร.
OLE for Process Control Building Automation System Building Automation System Supervisory Control and Data Acquisition : Programmable logic Control
SCADA for water processing system
4มักมาในเครื่องจักวีร ้.
ฐื ญ ๊ นํฒื
๊ ื ้ญืญ ืา๊ น.๋ BMS EMS
Building Management System Environmental Monitoring System

ทุ นฑุใน
กับฐานะ
สภาวะ
Validation OVERVIEW model

GPO shall establish, maintain and r ทาspec ก

Planning Reporting ทํ็ า
เสร็ จ
apply a quality system as part of Report
their existing quality system to
ensure that regulated (GxP)
computerized systems are validated. Specification Verification

All computerized systems used by

GPO shall be completed and
Configuration
registered to start the validation
and/or Coding
process which follows a life cycle
4Partน์ก็เถี ยก
model (figure 1) that is consistent งบักทํ. าFabrication อื่ นอ่ ะ
Part
ของ
with the GAMP guidance. Supporting Processes including Risk Management

Figure 1: A General Approach for Demonstrating Compliance and Fitness for Use
Source: Figure 3.3 GAMP5: A Risk-Based Approach to Compliant GxP Computerized Systems.
 ส ได้
ไม่ อบทด Vmodel กยัง
ม ก
ั Continueใน ไป
งาน จะมีก.ปรับแก้
ไป ปรัแ
เรื่ อย พอ บ ก้
ละก็ต้องมีการประเมิใหม่
น อี กครัง้

Validation OVERVIEW
นทู gงี ้ แล้พ
ว อทดสอบ
ตอน ก่ทดสอบ เปลี่ ยน
ฐฑุ ๋ ก ทดสอบ
Plan
น้อยลง
แก่เฉพาะทีแก้
่ This describes the overall GxP system life

ะ
cycle from the perspective of the regulated
Report Specify
company. The life cycle and specification
and verification approach described in the
new guidance are not inherently linear.
Configure
Verify The guidance supports the use of Agile
and/or Code
approaches for product development, the
development of custom applications, and
Supporting Processes including Risk Management incremental product configuration. Factors
for the successful adoption of Agile include
Figure 2: Incremental Approach to Achieving
Compliance and Fitness for Intended Use a robust QMS within an appropriate
Source: Figure 3.4 GAMP5: A Risk-Based Approach organizational culture.
to Compliant GxP Computerized Systems.
Validation OVERVIEW
h สหมีTeamในก.ทําValidate บาง ่ QAดู แลหรือ คนชะคนดูCompliance
ทีอาจ ต้าSoftwareกัสทมี
Engineers 1มีSupplier
• As stated in GAMP guidance, the validation
approach ,and deliverables may be tailored
to the type, criticality ,and complexity of the
system. This must be documented within a
Computer Validation Plan.
• A Computer Validation Report with Computer
Validation Team and Quality Assurance
approval must be made effective prior to the
computerized system being put to productive
use.
• All validated computerized systems must be
subject to change control or complete
revalidation.
เอาQualityriskมากด
ั ร่ วม
บริ หารั การภายใน
จด Cmrgecontrol ่ ว่าต้อทํง าทุกกีป่ ี
ไม่ มตัี วเลขตายตัวทีบอก
ดูว่ าตาRevalidationใหม่มั้ย 1เลย
Validation OVERVIEW
Within the application of this approach a number of key concepts are to be applied for management of the
validation of a computerized system. These are:

ส
• Use of a มา จับ
amsquality
ตลอดlifecycle
managed lifecycle from the concept of the system, through
implementation and normal operation including the retirement of the system.
rเอาrisklife
• Scalable based จับactivities will be performed based on the outcome of one
มา
cycle
or a number of risk assessments and supplier assessments. The validation
effort should be practical and defensible to an auditor.
supplierมามก.
ของuser แต่ ยังสแมค effort and งี ้
น่ าเชื่ อถื อ
rลด งาน
ภาระ
• Scientific nvalid
risk ลดจะ
assessments ทําsignificantly
ก.
can งนก.valid น่ าเชื่ อถื อ เอา
reduce ผู ข้validation
the อมูจ
ลาก
provide a documented justification for the scale of the activities.
• System complexity, maturity and the underlying process must be considered
when evaluating risk.
• Leveraging supplier involvement throughout the system lifecycle activities.
The supplier may be able to provide a considerable degree of expertise
through the process that can provide justification for a reduction in the
validation activities.
Validation OVERVIEW
Based on: 3 หลักการเมฐ.

ประเมิ นrisk ของกวน

ประเมิ นCate ละSoftware ประเด็ นSupplier
RISK ASSESSMENT ASSESSMENT AND SUPPLIER
CATEGORIZATION OF ASSESSMENT
SYSTEM ว่ าชํน
า าญน่ าเชื่ อถื อมั้ย
COMPONENTS ถ้าคะแนนสู ง 9กชข้อมู ลคํ 1า
มาอ้างอิได้
ง เลยลด กิ จกรรมได้
Planning Reporting

Specification Verification

Configuration
and/or Coding

Supporting Processes including Risk Management

Phase7

PLANNING กําหนดค.ต้องการ
4 ประเมิ นriskt คส
h ใน ว่phase
บอก ส
Purpose of the planning
หู หุ ๋
ฐาน µ บยาsoftware
าsoftwareเอามใา นทําอะไร11 1ประเด็ใน
น สองให้
กํากับห้ามผิ ดเลย
จุ ไหนเป็น
ด criticalpointกทํ. างาน โจทย์
“Assess the risk and complexity of the system and to identify จะ
softwareกาย มัand
เรา ้ย
the key activities
resources required for the implementation of the system”.
o The user requirements will be developed
during the planning phase.
Risk Management
o The degree of validation required depends should be applied throughout the
on system size, complexity, intended use, lifecycle of the computerized system to
and the potential risk to data integrity, determine the extent of the validation
ดูว่ าsoftwareปรัไบด้ มั้ ย
ดูว่ จําาเป็กนาร
อาบรบั ป่าว product quality and patient safety. The activities required at each phase.
4ชั่นงน.ดูว่ อะไร
า Sop ควบคุแทน
ม outcome of the supplier assessment should This ensures the scale of the effort is
ฑืกุ๊ ตื ้น พื ้น
ญื ๋นู. be considered within the validation
planning.
appropriate to a specific system.
PLANNING

Supplier Assessment
oThe technical knowledge, experience and reliability of a supplier are key factors when selecting
a product or third-party service provider.
oThe need for an audit should be based on risk assessment.
The Validation Plan รา ว่ าเป็นทนmไหน มีกิ จกรรมไรกําหนดครับนัด
ดู ชอย.
oThe validation plan will define the activities to be undertaken to demonstrate the system is
compliant to regulatory requirements and is fit for purpose. It will also describe how this is to be
documented and reported.
oIt is the Process Owner’s responsibility to ensure that the Validation plan is prepared.
Preparation may be delegate to a project manager, validation lead or system owner.
Planning Reporting

Specification Verification

Configuration
and/or Coding

Supporting Processes including Risk Management

 Phase
วะ
SPECIFCATION ราSoftwareมี functionalspeccontispecเพิ่ มจากURSปกติด้วย

ที
่
ชน
จัดทําDocument
ที ่
Requirement ชัดเจน define ว่ าจะเกิ ดกิ จกรรมไรขึ้น Hไหนเป็นriskระดัไหน
บ
Specifications provide distinct measures against which the system can be tested. The
specifications define the user’s needs, how the system operates, the build and the configuration.

Specification documents should be self-contained, precise, and unambiguous.

User is responsible for the preparation, control, approval

“The risk assessment process should
be applied to the specifications to
identify potential risks. Subsequent
verification must be appropriate to the
level of risk identified”.
and maintenance of the specification documents.
However, the preparation may be supported by supplier.
Depending on system complexity, subject matter experts,
including suppliers and other third parties, may be
required in development of the specification documents.
Planning Reporting

Specification Verification

สาสนCustom1cm
ต้องมีเวลาใน
อาจ ก.ทํา
ใน
กสร้
า าเพิ
ง ่ มเติ ม
Configuration
and/or Coding

Supporting Processes including Risk Management

 Pm.se3

CONFIGURATION / CODING

These documents will typically be prepared by ทํ า

the supplierทั้ง and
ร่ วมกัน เรา
และ
Supplier
will be available for
review and approved by User responsible person / team.

o The requirement and the level of configuration activities will be dependent on the type of software
and hardware components of the computerized system.
o The documents developed to describe the necessary configuration activities must be suitably
detailed to allow persons of suitable expertise to perform the operation in a repeatable manner.
o Where appropriate, it must be possible to link specifications to configuration and verification
activities.
CONFIGURATION / CODING

For standard and non-configurable systems,

detailed design specifications are not usually
required as a deliverable. However, availability For configurable systems, a Configuration
ยัไงม่ตาทําDocument
of detailed design specifications ารงverified
เธมbe
may ี้ Specification will usually be required.
as part of the Supplier Assessment process.
For custom systems, where a level of
For systems of lesser complexity, the custom coding is performed, detailed design
Configuration Specification and Functional specifications may be required. This will be
Specification may be combined in a single defined as part of Risk Assessment.
document. มีDo mentแยกออกมากะเรื่ อของ
ง
Configuretimโดยเฉพาะ
Planning Reporting

Specification Verification

Configuration
and/or Coding

Supporting Processes including Risk Management

 สPmse4
VERIFICATION 1เริ่มทําFATSAT IQ 0A Pa
ั เยอะอ่ะงวง
ไม่ ทน
All GxP computerized system require verification testing.

o The nature and extent of the verification activities will be scaled according
to the system complexity, use, novelty and outcome of supplier audit. The
approach must be justified rชั้น กั
asบก.part
ประเมิofนกาaสแทล
documentedละfunction
risk assessment.
oTypical testing will include structural testing, functional testing, and
performance testing.
oTesting should be performed in both theทําท (asทัper
้งั Positive
positive normaltest
thee ว่ท
้งNega ได้ดูกการ
าํางาน
operation)
and the negative (challenge testing) – based on complexity.
ใส่ข้อมู ลผิด1คนทํางานผิ ดข้อมู ลก็ต้อง1ดงั เตื อนงั้.
 VERIFICATION พอกดสายเสร็ จสิ ้หน มด

The verification activities should demonstrate that the system ;

o The system is installed, configured and operating in accordance
วน
with the specification documents. ราน ทา คลากบัTpecthPM.se2
ทํ่ ไาปากสท
o The system is fit ทีfor กับกสทการเรา
its intended ไม่ มค.
purpose and poses no ี เรื่ อก
risk ง ก.2
to data
integrity, product quality and patient safety.
o The system is robust ทําซ้าละ ยังได้ผadequate
with ลแบบเดิ ม back up and failure recovery

systems.
ฬื ๊ ท่ านณื .๊
Planning Reporting

Specification Verification

Configuration
and/or Coding

Supporting Processes including Risk Management

REPORTING
Purpose of the report ดูว่ าReportcanแก้canจํากัดสิทเข้ธิ ์ าถึ งได้มั้ย
“Summarize the validation effort and to assess the associated activities in terms of data integrity, product
quality and patient safety”. The report should also summarize deviations from the validation plan and
any outstanding corrective actions and a statement of fitness for intended use.มบี รู ป ว่
ก.test า
มันตอบโจทย์
ครบ
ทุ กfh
ครบ requirement
ทุ ก มัย.
o In addition to reviewing the completed activities, the report should outline how the compliant status of the system will
be maintained.
o Interim reports may be prepared in order to allow the release of phases or sections of the validated system and will
be documented in the Validation plan.
o The validation report should be reviewed by SMEs where appropriate but must always include the process owner
and head of QA/designee.
o Acceptance and release of computerized systems will require the approval of the process owner, system owner and
the Quality unit.ต้อง
อนุ มต ิ Andityunit
ั โดย
Validation ACTIVITIES
ไม่
ฑูตฐุ ผู ้นําผฺ
Record
ไหนแชสupdateวั
ทํา version (include
ion
service pack)
Category 1 : Operating System
Challenge OS0s instoneได้
ครบ
bycan
therun ไก
รสร.
น
program
nnnr indirectly functional

ทํา
เชน version
Configuration limited to environment and parameters
IQทํ า name
moving
ดูว่ าinsaneแบบ เก
สวน versionมัย.
ห์
verifies and version
Category 3 : Std Software Packages 04ว่user
าrequirement ไไรด้
มีfunctionการ
ทํา บ้าง
ยื Audit for critical applications7มาทําPa
OQ test requirements
neve
Supplier

Category 4 : Configurable Software Treat like Category 5 if platform and package

การ
Packages not mature and well-known
จไม่
ทําะซับซ้อเนท่ าCare5
มีจนถึPG
ง

Category 5 : Custom Software Execute complete Validation Life Cycle

ʰ จนseenerioมากขึ ้น
ยุ นก ุ
ฎk ซุ ้ Test มา
105k
ตฺ ซ
CATEGORY 3
STANDARD SYSTEM
COMPONENTS
STANDARD SYSTEM ัอ่ ะ
ไม่ ทน

COMPONENTS
A simplified life cycle approach may be applied to Requirement Requirements
systems that predominantly consist of Category 3 Specification Testing
components and have limited or moderate GxP
impact. The need for, and extent of supplier
assessment should be based on risk and any
intended leveraging of supplier specifications and Standard Product
verification activities. User requirements are
necessary and should focus on key aspects of
intended use in the regulated environment.
Standard or Configurable Product

All changes to software should be controlled,

including supplier-provided patches. Configuration
or parameterization choices should be managed,
recorded, and verified
STANDARD SYSTEM
COMPONENTS
• Requirements definition for key functionality and intended use
• Life cycle approach scaled based on system complexity
• A risk-based approach to supplier assessment
• Demonstrate supplier has adequate QMS
• Record version number, verify correct installation
• Risk-based testing and leveraging of supplier testing to demonstrate
application works as designed in a test environment.
• Procedures in place for managing data
• Procedures in place for maintaining compliance and fitness for
intended use
CATEGORY 4
CONFIGURED COMPONENTS
MANUFACTURING EXECUTION SYSTEM (MES)

REF: HTTPS://WWW.KOERBER-PHARMA.COM/EN/UP-TO-98-HIGHER-QUALITY-USING-PAS-X-MES-FOR-DIGITAL-PHARMACEUTICAL-PRODUCTION
แก่แนนทํา
ฑูยุณู หืญื้ ถ๊ k.ทืนํ่ าภื ๊
0
MES ENHANCEMENT
MODULE 5 PRODUCTION
PAS-X V3.1.8

MES
Manufacturing Execution System
 The MES provides interfaces to enable
integration with the following systems :

• Enterprise Resource Planning : SAP

• Laboratory Information Management System (LIMS)
• Weigh Scales interface directly with PAS-X
• Building Automation System (BAS) via OPC Server
• Production Machines via OPC Server
PARTNER
SYSTEM มอง อาศสะ
ภาพรวม
 Supplier impact
สายนราจบprog
Data retention
Handover
ฟุ น
Migration
Destructionตาล
New project Assessment
required

มี
Plan Report

VALIDATION
Operational sopvr.mn
ทํางาน
Maintenance
Calibration Retirement
Procedure Change Control
Sot นานา
Specify Verify
Security &
ใช้
งา
LIFECYCLE
Backup
Build
Internal Audit
ญืนํ๊าฑุ ว่ญ
control
Cmnge ึานใบ
๊ําn
This section defines the validation จะ งอ
ต้อทํ าโร
บาว.
ฒื่
๊ ู่ ญื ฒ
๊ ่ื
lifecycle that is divided into phases.

พื ญ
Phase Concept Project Operation Retirement
The validation life cycle is based on
the model described in GAMP5 m
Guidance. Each Phase is divided into
tasks and for every task there are Supplier
Involvement*
activities, roles & responsibilities and
associated Documents.
* Supplier may provide knowledge, experience, documentation and services throughout lifecycle
 Verified by บด
เล่ ม
report

cg
Validation Plan Operational
Validation Report SOPs

เป็น tinveria
รูญื่ ญ๊ ฐั่ ืน๊ น
พังพอน Verified by Performance MBR
User Requirement Business Process Qualification (PQ) Verification
Specification Description
Verified by

สะเมนRisk Operational

ญู ๊ฐูฒ
๊ หืู ๊ ้อ
Process Qualification (OQ)
Analysis

VALIDATION
Verified by

ขระที่ ลม
Site Acceptance
Functional
Specification
ทดสอบ Test (SAT)

STRATEGY
Verified by
Functional Risk and Factory Acceptance
Impact Assessment Test (FAT)

for PAS-X MES at Local Site Configuration Master Data &

Verified by Master Data Load
Description Config. Spec Verification

Tatea
Specification

Infrastructure Design Verified by Installation Qualification (IQ) &

Specification Config. Verification

Verified by
กกam
base
ต่ าง
Installation Infrastructure network
Specification Verification

mooring ทํา
conti
PAS-X Product

Project Phase Operational Phase

Risk Management
VALIDATION STRATEGY FOR PAS-X MES AT LOCAL SITE

Validation Plan (VP)

The Validation Plan defines how Validation Plan
Verified by
Validation Report
Operational
SOPs
compliance and fitness for intended use
is to be achieved (validation strategy) Verified by Performance MBR
and how the process is to be User Requirement
Specification
Business Process
Description
Qualification (PQ) Verification

documented and reported. Verified by

Operational
Process Risk Qualification (OQ)
Analysis

Verified by
Functional Site Acceptance

User Requirement Specifications (URS) Specification Test (SAT)

The URS document defines requirements for PAS-X MES, Verified by

e.g. system functionality, compliance, security etc. Functional Risk and

Impact Assessment
Factory Acceptance
Test (FAT)

Configuration Master Data &

Verified by Master Data Load
Description Config. Spec Verification
Specification

Business Process Description (BPD) Infrastructure Design Verified by Installation Qualification (IQ) &
Business Process Descriptions was documented in Specification Config. Verification

the form of process flow diagrams to illustrate the

activities and workflow of the business processes to Installation
Verified by
Infrastructure
be supported by PAS-X MES. Specification Verification

PAS-X Product

Project Phase Operational Phase

Process Risk Analysis (PRA) Risk Management

A Process Risk Analysis (PRA) was conducted following

the flow diagrams in the Business Process Description,
so that each step and the links between steps were
analyzed to identify risks and establish necessary
mitigation controls. Process Risk Analysis also consider
risks which may arise from Infrastructure upon which
PAS-X shall operate.
BUSINESS PROCESS
FLOW

หstep
กวางผา
รน
่ ก.ทํางาน
ญูกู๊ นู.

REF: RPP-DIG-QA-001 BUSINESS PROCESS FLOW OF COMPUTERIZED FOR MANUFACTURING PROCESS

 สช่ วงPlaningดูว่ าfRไหนเสี ยไป
ง บ้าง ตยโจท
ปครอกต้องการเรายงั
PROCESS RISK ANALYSIS (PRA)

จารนา
ฑู ๊
0
Functional Specifications (FS)
The FS document specifies the functions Validation Plan
Verified by
Validation Report
Operational
of the system which covers all the SOPs

requirements listed in the URS. Verified by Performance MBR

User Requirement Business Process Qualification (PQ) Verification
Specification Description
Verified by
Operational
Process Risk Qualification (OQ)
Analysis

Verified by
Functional Site Acceptance
Test (SAT)
Configuration Description (CS)
Specification

Verified by
A Configuration Description [10] was provided by Factory Acceptance
the Supplier and defines the configuration
Functional Risk and
Impact Assessment Test (FAT)

parameters to be set during the system installation.

Configuration Master Data &
Verified by Master Data Load
Description Config. Spec Verification
Specification

Infrastructure Design Verified by Installation Qualification (IQ) &

Specification Config. Verification

Verified by
Installation Infrastructure

Infrastructure Design Specification (IDS)

Specification Verification

IDS define the infrastructure components and critical GxP

PAS-X Product
configuration parameters required to support the system,
including hardware, software and network components. Project Phase Operational Phase

Risk Management

VALIDATION STRATEGY FOR PAS-X MES AT LOCAL SITE

 MES FUNCTIONAL

Warehouse Master Batch Weighing Batch Record

Management Records & Dispensing Report
(WMS) (MBR) (W&D) (BRR)

Material Flow Equipment

Electronic Batch
& Inventory Management
Recording
(MFI) (EQM)
(EBR)
 Performance Qualification (PQ)
PQ is an activity to verify the system’s
functionality in the Production Environment
is conforming to the design as defined by
Verified by
the URS.
Validation Plan Operational
Validation Report SOPs

Operational Qualification (OQ)

OQ is an activity to verify that system’s
Verified by Performance MBR
User Requirement Business Process Qualification (PQ) Verification
Specification Description
functionality in the Test Environment
Verified by
Operational (Quality) is conforming to the design as
Process Risk
Analysis
Qualification (OQ) defined by the URS.
Verified by
Functional Site Acceptance

Site Acceptance Test (SAT)

Specification Test (SAT)

Verified by SAT is a test activity performed by supplier in

Functional Risk and
Impact Assessment
Factory Acceptance
Test (FAT) the Test Environment (Quality).

Configuration Master Data &

Verified by Master Data Load
Description Config. Spec
Specification
Verification
Factory Acceptance Test (FAT)
FAT is a test activity performed by the
Infrastructure Design Verified by Installation Qualification (IQ) & supplier in the qualified test environment.
Specification Config. Verification

Verified by
Installation
Installation Qualification (IQ)
Infrastructure
Specification Verification

IQ is an activity to qualify the installation

PAS-X Product of the system as per the design.
Project Phase Operational Phase

Risk Management

VALIDATION STRATEGY FOR PAS-X MES AT LOCAL SITE

SUPPORTING PROCESSES

Change and Incident /

Performance Continuity
Configuration Deviation
Monitoring Management
Management Management

Backup and Periodic

Security Data Archival
Restore Review

Execution of
Training Validation
RPP-SOP-QA-045
Activities
 EXECUTION OF
VALIDATION ACTIVITIES
RPP – Stands for Rangsit Pharmaceutical Production Plant 1

forมType
สเอกสาร
AA – Stands น
ั บ้างof
แล้วแต่ระบบ
Documentยาโรงงาน
as following ว่ า
แต่ต้องมbut
ข้อกําหนด กตา
ี not limited ไนบัท.
อจะทําW
าลามto;
VMP – Validation Master Plan VMR – Validation Master Report
RPP-AA-IT-XXX VP – Validation Plan VR – Validation Report
URS - User Requirement Specification FS – Functional Specification
HDSมี –ใน
แค่ระบบ IT
Hardware Design Specification HAT – Hardware Acceptance Test
SAT – Site Acceptance Test FAT – Factory Acceptance Test
IQ - Installation Qualification OQ – Operational Qualification
PQ – Performance Qualification

IT – Stands for IT division that be document owner and shows the group of
documents.

XXX-The sequential number of document starting in each type of document

with 001.
PERFORMANCE QUALIFICATION (PQ)
USER ACCEPTANCE TEST (MES, LIMS, PCS AND ERP INTERFACE) :
METFORMIN HYDROCHLORIDE TABLETS 500 MG
Protocol Approval
หลับ
 System Information

Purpose & Scope

Test Case &
Test Step
Test Result Deviation

แหอืทู๋. นู ฟูยู
Attachment ง เอกสารไป
ต้อแนบ ด้วย

หน้าlabelสอดคล้อกั
งบ

Att: Screenshot Att: Label มัย.

ที่ กําหนด
Conclusion Post-Execution
Approval
After Follow up
Approval

Cd งให้
และมช่ี วที ไปแก้ไข
่ นกจะ
deviation r เซ ได
บัดDeviation
นหจง
Q&A
COMPUTERIZED
SYSTEM
RISK ในProj phase Routineoperation
MANAGEMENT
 RISK ASSESSMENT WITHIN
THE SYSTEM LIFE CYCLE
แต่จะPhaseไทMใน
ชนไหนบ้าง

ั ในแต่ ลStep
riskมาจบ ะ
เอา Risk Management should be
Quality
an integral part of the continuing หป
ระ
non ่ แนว
าดเก็ บทีมีจะ
เมิวนจั่ Data
ตามDam int
lifecycle of the computerized system.
The flow shows the use of risk
venom
ม.
management, throughout the lifecycle and
not just the planning and installation
phases, but also during the operation
phase of the life cycle to assist in incident
management and change control.

ตุฒู๊ฒู๊ ญื ๋ r หแ.

ที่ นา
ผึ ๋
RISK ASSESSMENT WITHIN
THE SYSTEM LIFE CYCLE
R7
The risk assessment at the time
R1
of system replacement can
The initial risk assessment
identify practical approaches to
should determine potential GxP
critical considerations such as
implications arising from the
data migration or managing
computerization of the process.
data within the legacy system.

R2
A Risk based decision process
should be used to determine: R6
• If a supplier assessment is Risk assessment within the
warranted, and if so the change control process can
appropriate type. help to determine the extent of
• Outcome of the vendor the verification activities
assessment and the required.
approached and the scale of
the validation activities

R3
A functional risk assessment may
be appropriate should identify
risks to product quality, data
integrity, patient safety and
business continuity, resulting from
the failure of functionality of the
computerized system.
R4
Risk assessments are used to
determine the level of verification
testing required and to assess the
outcome of testing performed.
Depending on the size, and complexity
of a system it may be necessary to
perform several such assessments.
R5
Assessments of the hardware and
software configuration, and the
operational process can be used
identify the need for supporting such
as those detailed in Global Directive.
 ทําซทุ ก2 3ปีงี้
ส0หมักกลับมา
RISK MANAGEMENT PROCESS ICHQ9

The risk management process aims to identify the risk from

any source that may impact upon data integrity, product
quality, or patient safety.
น.
ผื ฐ
๊ ื ๊ ตื ๋ The flow describes the process used.

nnwnสนคะเน1 จัดลําดับ • The hazards are first identified. Once identified the
hazards are analyzed and evaluated. The identification
ที ม
ใน
พ่
criteria and subsequent analysis and evaluation processes.
ns
พู น • Actions and controls are implemented to eliminate or to
reduce the risk to an acceptable level.
ลด
risk
rihruwr.im • Following implementation of the mitigation strategy,
further review or reassessment may be required.

• The assessment process should be primarily concerned

with identifying and evaluating potential risks to data

ฐูพู่ นµญื ฐ๊ ื .๊
Review
integrity, product quality and patient safety.

Risk to business continuity should also be considered within

the risk assessment procedure.
1 RISK ASSESSMENT
The risk shall be assessed on three categories •
•
GMP impact
Likelihood of occurrence
• Severity of impact

GMP Impactราcriteria ระเสน

ในการ แต่ ลs
ะ oft
wane
ต่ อกิ จกรรมในGxpมัย.
Does the requirement support manufacturing, distribution,
วาระwนัน
Yes
กระทบ
A determination will be made as to whether a requirement,
pharmacovigilance, documentation management or the training of
personnel in these activities?
hazard or an event has an impact on GMP processes. Hazards
that will impact will be assigned a value of 1 or “yes”, events Yes
that don’t will be assigned a value of 0 (zero) or “No”. Does the requirement impact the safety, quality, identity, strength or
purity of the product or its components?

ทั่ ได้กําหนด
Paarไม่
ฑู ฒกูณู
ู ๊ ฑุ นฑู ๊ p Does the requirement control, record, change, monitor, transmit or
make decisions about data related to products or components for the
product?
Yes

ตอบYesอย่ าน้
งอ ยาข้อ GXPimpactจํา1.1
Yes

เชเกบาValid ประเมrisk
เพิ่ ง
Does the requirement define what materials (raw materials,
components, formula, batch cards, etc.) are to be used for the product?

Does the requirement impact the status of raw materials, batches, Yes
packaging components, work-in-process materials, or finished
products in the factory, warehouse, or distribution centre?

No

Requirement is not GxP Relevant. Requirement is GxP Relevant.

1 RISK ASSESSMENT
Likelihood of occurrence softwareกําลัสนใจ ที่ ไหน
ง ระดับriskขนาด
ณ.ทกิ้งั จกรรมทีทํ่ า ค.ถใน
่ี ก.monitor
The occurrence will be assigned a score of 1, 2 or 3 as per the criteria outline.

คถู่ ญcญฐI หฺ
LOW (1) Expected to happen
Occasional Occurrence less than once in 12 months

MEDIUM (2) Expected to happen

Probable once or more in 3 – 12 months

Expected to happen
HIGH (3) once or per 3 months period.
Regular Occurrence This risk is highly likely to occur.
1 RISK ASSESSMENT
Severity
Detailนิ ยามก็จะแต่บ.
The severity of the risk is assigned a score of 1, 2 or 3 as per the criteria defined in table 2, Severity criteria

Score Occurrence Frequency

้ GAMPi
อันนีความ
• No loss of or change to data
Low (1) • Risk to business continuity

Moderate (2) • Non adherence to procedure or QMS

• Would result in critical observation or formal warning from regulatory authority

• Results in loss of or change to GxP Data

High (3) • Incorrect or inaccurate data may arise leading to inappropriate quality decision

• Potential for product recall

• Underlying process cannot be controlled or continue to function as expected.

1 RISK ASSESSMENT
Risk evaluation

The significance of the risk is calculated by multiplying each of the numbers assigned.

(GMP/Business impact) x (Likelihood) x (Severity) = risk score

1-2 = Low, 3-4 = Medium, 6-9 = High

Within the evaluation, a justification for the assigned score should be given.
2
ประเมิ น จัดลําดับจัดกลุ่ มจะก่ควบคุ มriskด้วยวิ ธต่ี าๆ ควบคุ มจากMในsoftware
RISK CONTROL จากวิชก
ปารติบอาหนง.งี ้
• The purpose of risk control is to eliminate or to
reduce the risk to an acceptable level. The amount of
effort used for risk control should be proportional to
the significance of the risk.

• Risk elimination/reduction can be achieved through

system design and/or configuration.

• A typical design example is the use of redundant

components in a critical system will reduce the
probability that the system will not be available due
hardware failure.

• A typical configuration example is the use of defined

user roles to control assignment of privileges to end
user. This prevents users from completing actions
that they are not authorized or trained to complete.
2 RISK CONTROL
Risk elimination/reduction can also be achieved through
the (re)design of the process controlled by the
computerized system.

• Additional controls such as automated alarms,

dialog boxes and procedural based controls may
also be considered.

• Vendor knowledge may be leverage in identifying

suitable controls for risk reduction.

ในค.รู ว้ ่ า riskไหนทีการที
ช่ วย ่ ได้1สา
่ ระบบ ไม่ได้เราแบงไสชาง.
แก้
โปรแกรม
มีworkalarmมั้ยหรีนาหมีdoublecheck
มีSOPมาธ่หม้อ
3 RISK REVIEW
• Following implementation of the risk mitigation
control, it may necessary to reassess where the
risk has been eliminated. Where appropriate,
documented testing should be performed to
ensure that the risk has been
reduced/eliminated as anticipated.

• The review process must also consider if any

additional risks have been introduced by the
mitigation activities.

• Where the residual risk is still unacceptably high,

the risk control cycle should be reinitiated.
FURTHER RISK ASSESSMENT
METHODOLOGIES วิ ธีการ1too มีหลายอย่ าง
แต่ก็มักคุ ้นเคยFMEAกันแหละ
หรื อชRisk rem
kingวั.

There are several formalized methodologies that are suitable

for use within the risk management process and throughout
the product life cycle. These specific processes are beyond
the scope of this document; however information is available
in GAMP5 (Good Automated Manufacturing Practice), and ICH
Q9 and supporting documents to ICH Q9.
RISK MANAGEMENT PROTOCOL AND REPORT
The concerned team members shall record the activity description and
ทําออกมา
•
ป็นเอกสารหลักฐาน activity flow chart in the Protocol. The risk owner, reviewer and approver
ี ก่เหมื อนไม่ทํา
ไม่ มDoc shall also sign their signatures for protocol approval in eQMS.

• The identified risks, corrective and preventive actions, re-evaluation,

reference documents, abbreviations and relevant attachments associated
with the particular risk shall be recorded in respective format and shall be
enclosed with the report as attachments.

• Training to concerned personnel shall be imparted upon analysis and

evaluation of the risk management for the particular process/ system/
equipment/ instrument.

• It shall be ensured that the recommended corrective and preventive

actions for the identified risks are in place, before closing the particular
Risk Management Report.

• Corrective and preventive actions are subject to change control

procedures

• The risk management protocol and report shall be re-evaluated/reassessed

every two years or due to regulatory changes.
RISK MANAGEMENT PROTOCOL AND REPORT
RISK MANAGEMENT PROTOCOL AND REPORT
FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
การ

วัดmE rIsmk
แา ไไบ้าง
ส บ nn
RISK MANAGEMENT PROTOCOL AND REPORT
บ้างผู SOP ง้.
ขอ1ดูว่ าทําไรไชcontrolได้
cm1
 RISK MANAGEMENT
COMPUTERIZED SYSTEM CATEGORIZATION

PERIODICᵗ
REVIEW
โดลําําาแนานนานนนนนอบแค่ใน
RISK MANAGEMENT PROTOCOL

ก็ประเมิลํนาดับrisk
RISK
MANAGEMENT
PROTOCOL
 RISK MANAGEMENT REPORT

hr
isk
ญูดู ใน
review
Periodic
แค่ไหน
บ่ อย
Q&A
PERIODIC REVIEW
OF GXP
COMPUTERIZED
SYSTEM
 RESPONSIBILITY
RESPECTIVE DIVISION/SECTION
o Maintaining the review schedule and
Managing requests for data related to the
review.
o Assembling the data and draft report,
including circulation for approval.
o Internal review of the preliminary report and
evaluation of items for corrective and
preventive action (CAPAs).
o Tracking of CAPAs to completion.
QA MANAGER
o Final evaluation of the suitability of the
computerized system to perform GxP-related
activities (including approval of identified
corrective and preventive actions).
o Reviewing and approving the periodic
review.
COMPUTER VALIDATION (COMVAL)
o Ensuring the validation
activities are performed in
full and in compliance with
regulatory requirements.
SUPPLIER
o Providing technical information
and supporting about the
product/services and quality
system/process used.
QUALITY ASSURANCE (QA)
o Assess current criticality of
systems in use within their area.
Be present, or represented (by
ComVal), during a Periodic
Review.
RISK EVALUATION สอบสถานะก.V91Idว่ ายังคงอยูมั่ ้ย
สทวน

Computerized system that perform GxP related activities are

categorized by risk according to the risk of the data to product
and patient safety. Computerized Systems that perform multiple
GxP-regulated functions are ranked according to the highest
category of GxP activity performed.

• High GxP Risk: The Computerized System contains data which

directly impacts the safety, purity and efficacy of product, or
directly impact patient safety.
• Medium GxP Risk: The Computerized System contains data
which indirectly supports the safety, purity and efficacy of
product. These systems are often used to support the operation
of the quality systems used to produce drug products.
• Low GxP: The Computerized System contains data which has a
negligible impact on product quality or safety. The data may be
used to support regulated activities, but is not key evidence of
compliance.
VALIDATION OVERVIEW

• As stated in GAMP guidance, the validation approach and

deliverables may be tailored to the type, criticality and
complexity of the system. This must be documented within
a Computer Validation Plan.

• A Computer Validation Report with Computer Validation

Team and Quality Assurance approval, must be made
effective prior to the computerized system being put to
productive use.

• All validated computerized systems must be subject to

change control or complete revalidation.
ทําperiodicตามวงรอบที่ กําหนด
SCHEDULES AND FREQUENCY OF REVIEW

High GxP Risk:

every 12 months ทุกาบี
The frequency of review may be increased by

ทุ ก2บี
management directive if operational deficits Medium GxP Risk:
that have the potential to impact the every 24 months
validated state of the system are found.
Low GxP Risk:
every 36 months ทุ ก3ปี

โรงงาน
 กาทีต้่ อง
Review
PARAMETERS OF THE REVIEW
Each category of the review is examined and evaluated as acceptable,
acceptable with deviations or unacceptable. Deviation or unacceptable
results require a CAPA.

I n c i d e n t M a n a g eใน
ที่ เกิ ด วงรอบreview
incident
ment
•
•
ใร
Incidents since the last periodic review are managedว่ เากิ ดชาง
Any critical incidents since the last periodic review have been resolved

•
with corrective and preventive actions.incident
ไง
แสวง ทํ า บาง
Repeating incidents found during examination of data since the previous
มี
review CAPA
มัน มัน
ทําลาย

Review for Resolution of CAPAs

• Review and evaluate Thai FDA or any Agency audit observations related
to operation of the Computerized System for impact on the validated
state.
PARAMETERS OF THE REVIEW

C h a nrg1ก
eด a nไร
ั Mกวา agมีe m e n t a n d R e l e a s e M a n a g e m e n t
• Change and Releases to Computerized System since the previous periodic
review are managed.
• Review the cause and resolution of any change
• Emergency changes performed since the previous periodic review must be
appropriately documented and approved.

Security Management ปรับเปลี่ ยน

• มัก มัย.servers and databases.
Review privileged access to the application,
• Review a sampling of system user added since the last periodic review.
• rเข้of
Review the users าออก
ย งั ไง to ensure that terminated user no longer have
system
access to the system on its data.
• Review any security incidents relating to the application or its server and
databases since the previous periodic review.
PARAMETERS OF THE REVIEW

nบริ
C o n t i ก.u iหtาร 0เนืa่ อnงa g e m e n t
yก M
การ
• Backup and restore functions of the system shall be managed as applicable.
• Review the backup data to ensure that any deviations of the backup schedule

•
have been addressed. กําหนด
ดใน
ี
คะ ensure
Review data restoration process toก.
backup มย
ั .
theทํadequacy
าครบ of the restoration
process.
• If the system has been identified as critical, the system must be included in
disaster recovery planning.
• Identify and review the result of disaster recovery testing performed since the
previous periodic review.

n ใช้
t iมูoลไม่ ปัeกชาย
D a t a P r o t e cข้อ ที่ a nห
Mละครaมา
คูอูนชุกุนุ ก ญื ๊ ฒุ ์
จะm
ge nt
r
If data archive exist, access to the archive must be authorized.
•
• 0
Data in an archive must be readable to authorized users throughout the
retention period.
 PARAMETERS OF THE REVIEW

Validation Management
• Validation Documents must be managed as controlled documents.
• Examine the validation plan and report to determine whether the provisions of

•
อะไรส
the plan and report have been met.ทํ า 1 มาส
ขมับหลังCmngeกวน ว่าเอกสารครบมื อ
สอย
The trace matrix must show that the requirements continue to be met by
testing.
•
มี updateเนมมีv
ไร
A GxP risk assessment is required.
•
•
Audit trails are implemented and tested where required.
กายใสมีบปรับเปลี่ ยน ได้
Electronic signatures are implemented and tested where required.
ได้ไม่
• The descriptions of system architecture are current and correct.

Training
• Employees who operate and maintain the Computerized System must have
evidence of training on SOPs applicable to their job function.

หัวข้อ จะต้องreview เยอะ แนบหลักฐานมาเป็นtam

หนาๆ
COMPUTERIZED SYSTEM
PERIODIC REVIEW
LABORATORY INFORMATION MANAGEMENT
SYSTEM (LIMS): 2020-2023

PROTOCOL AND REPORT

PROTOCOL ก่ อน
คํส
า องคําProtocolก่ อนว่ าจะreviewไร
บ้าง
REPORT

าสรุ ป
แต่ ลdetail
ะ ออกมา
่ ใส
ตรวจ ทีเอกสารบ้าง
ฬุ
REVIEW AND APPROVE
ทํ า ไร
ไม่ ม
ละ ง ช้ยา ก็approveว่ าcanmaintainได
ี ผิ ดปกติsoftwareยัใ อะ
• The periodic review report, including
any corrective and preventive
actions, is reviewed for approval by
both the System Owner and Process
Owner.

• QA Manager is responsible for the

final evaluation of the suitability of
the Computerized System to perform
GxP-regulated activities, including
approval of identified corrective and
preventive actions.
Q&A
COMPUTERIZED
SYSTEM
ั ใช้
Softwareไร ขันทvบัญชีsoftware
INVENTORY
ั ชีดูว่ า
pทําบญ มก
โรงงาน บ้าง auditor มา ก.
ชอบ ดู

MAIN SYSTEM
กุ่ น ยื ๋
COMPUTERIZED
SYSTEM
INVENTORY
LABORATORY
SYSTEM
c c c

เชาห
จอย ทํากน
twerk ั
rมัก.reviewในPeriodicreview
USER ACCOUNT &
USER PRIVILEGE
MAINTENANCE ON
WINDOWS OPERATION
GENERAL
REQUIREMENTS
• Users are necessary to fulfill their roles and responsibilities.

• Requests for user’s account and access privileges must be

formally documented and appropriately approved.
การนําเอกสารรี วิวลทั ธิก.เข้าถึ ง1กอง
• A verification of the user’s identity must be performed by
Director of IT Division, Help desk, or designate before
granting a new password.
USER REGISTRATION 1
01
New • Access to RPP information system and network resource
is controlled through a formal user registration process
Users beginning with a formal notification from a Head of each
section.

• Each user is identified by a unique user ID so that users

can be linked to and made responsible for their actions.

• A request for service must be documented by the

newcomer and then must be reviewed by supervisor.

• Access to all RPP systems is provided by IT and can only

be started after proper procedures are completed.
USER REGISTRATION 1
01 Userใหม่ต้อดง ่ ไาง
มี
New • A new user will be set up on receipt of written notification
by issue of password.
Users • IT willจัดmaintain
ไง เป็aนform
การ ่ างีall้ ส่requests
ไปปof งticketat IT division.
I1T record

• Access to the machine and instrument software is

controlled through a formal user registration process. A
request for service must be documented by the newcomer
and then must be reviewed by the supervisor. Document
for user account and user privilege maintenance in the
software application.
USER REGISTRATION 2
02
Change pdateสิ ทธิ ์
มีการ requirements will normally relate to an alteration
• Changed
to the applications used but may also involve network
User access. Requests must be documented and must be
directed to the user account administrator.

Requirements • Changes will be made on receipt of an approved request,

the same details as shown above are required and
requests will be filed under “access change requests” in
the request form.
USER REGISTRATION 3
03
Change มีบาลา โปรแกมมา ซหมักกําหนด
Where ยา อายุ
a user has forgotten his/her
Password
password, the helpdesk
is authorized to issue a replacement. Upon receipt of such a
Password request the Helpdesk/designate will

1 Ensure the request is logged.

มักยกunlockไรงีมั้ กยื นยันตัวตน
2 Confirm the identity of the user by question about
existing services/access or by reference to a work
colleague

3 Issue a temporary, single use, password which

will require the user to set up a formal password.
USER REGISTRATION 4
04 ศกรกupdateuser
เสา00กอทอา
Removal As soon as an individual leaves the Trust’s employment,
all his/her system logons must be revoked.

Users
As part of the employee termination process Head of
Section or Supervisor will inform IT operations of all
leavers and their date of leaving.

Unless otherwise advised, IT operations will delete

network access for all leavers. This will include access to
all network services. IT operations will inform application
owners of leavers where their systems are affected.

The Trust expects all leavers to hand over current files

within their workgroup, however IT operations can move
a leavers files to specific areas if requested.
USER ACCOUNT
มีกบpdqte ในแต่ ละปี
PRIVILEGE
MANAGEMENT
Access must be authorized by the Director of IT Division
and Process Owner, using the IT Helpdesk request form as
shown in Attachment I and Attachment II. All completed
forms, will be held by the User Account Administrator who
is authorized by the completed form to set up the access
specified. The Privileges for each respective system have
been described in Master List of Privileges Users.
PRIVILEGE
MANAGEMENT
For standalone machine and instruments, user
privilege management access authorized by
the Director of IT Division and Process Owner,
using the documented request form System
registration in computerized inventory.
For standalone laboratory instruments, user
privilege management including detail of
laboratory instrument and their software’s
shall follow SOP “ACCESS CONTROL FOR
SOFTWARE OF INSTRUMENT”.
USER PASSWORD
MANAGEMENT
Password format and general rules are held within the
Information Security – A Guide to Staff.

Systems logon requires that all passwords be of a

minimum of 6 characters and the password will be
expired within 180 days after the first changing date.
เจ้าลื มฟั งก่อนพระ
USER PRIVILEGE
REVIEW OF USER
ACCESS RIGHTS
The User Account Administrator or designated
person will institute a review of all network access
rights at least once a year, which is designed to
positively confirm all users.
Any lapsed or unwanted logons, which are
identified, will be disabled immediately and will be
deleted unless positively reconfirmed.

Annually, the User Account Administrator or

designated person will institute a review of access
to applications. This will be done in cooperation with
the process owner and will be designed to
positively re-confirm all users.
REVIEW OF USER
ACCESS RIGHTS
The review will be conducted as follows. The User
Account Administrator or designated person will
generate a list of users, by application.
• The appropriate list will be sent to each
Application owner who will be asked to
confirm that all users identified are authorized
to use the system.
• The User Account Administrator or designated
person will ensure a response.
• Any user not confirmed will have his/her
access to the system removed.
• Application owner responses
• A record of action taken
IT HELPDESK ใน
1Tทําไรก่ทองผ่านระบบticketงั้.

6S
ส แจ้ง

{eQMS, LIMS, MES, CDS, BAS, SCADA}

REGISTER
4
มีอุ ปกรณ์เข้ใา นโรงงาน
Q&A
RESTRICTION
ON
ดูผ่ าน
WINDOWS
OPERATION
 มีก.controlsecure exไม่อนุ ญาตให้Create folderเอา
LOCK ไปให้เอาไพล่จากภายนอกไดรฟ์จากภายนอก

DRIVE
Verify using user logon.
The user will not be able to write (paste) a file on the drive
 กําหนดpolicy hw น ไม่ ให้ เอาFiteจากกายน ยา
มี Software Antivirus ไรวี ้.

LOCK
DESKTOP
IN CLIENT
COMPUTER Verify using user logon. The user will not be able to
write (paste) a file on the drive (Client Desktop).
LOCK TASK
MANAGER run ไม่ได้veerกํใ
กด าสแค่
กดrestartเกรี ยงงี ้
IN CLIENT
COMPUTER
Verify using user logon. The user will not be able to
access the Task Manager.
 แก tรันโปรแกรมได้งั.

LOCK TASK
MANAGER
IN CLIENT
COMPUTER
When select Ctrl+Alt+Del Options, Windows is
show follow picture
Q&A
BACKUP AND
RESTORE OF GXP
COMPUTERIZED
SYSTEM
 สํ ารองข้อมู ล มีหลากหลายวิ ธี
B A nrnrrnr
CKUP AND RESTORE

CONCEPT
Software Backup are created in order to ensure that in the
case of a failure, or after modifications during development
or during operation, that the latest and correct software
versions are available and can be restored at short notice,
without error. At predetermined points, such as prior of
formal testing and prior to handover, a baseline version of
each software component should be established, and
backup taken and retained.

มีกลุ่ ม ว่ า ทีBack มัน เปิได้ ใหม่ ใได้

ด restore จริ งมัร.
้ Software backups should be performed while the system is
The backup test ่
ข้อมู ลfor software
process เทา the system in จะ
UP once
operation should be defined and documented. This can in operation. A log of software backups should be
occur: After every software modification, in which case maintained. Software backup and restore instructions
backup of the modified software components may be should be stored securely with backup media.
sufficient. This should be documented as part of Change
control. At regular intervals as a complete backup.
ค.สก.
เ
Backupสขัน
กบั riskassessment สาHighriskก็อาจ ทุ กวันงี ้
จะBackup ในgapน้อทีย่ สุด
ยม
BACKUP AND RESTORE
ที่ ใน
กําหนดก.restore กําหนดเวลา ยอม ระบบ
The backup and restoration strategy ได้
มันdown เท่ าไหร่
should address
the defined RPO and RTO. Several backup approaches
can be adopted including cloud backups and historical
approaches using portable media.

Backup appliances may be used to manage backups.

Backup appliances are commercially available
solutions that include backup software and storage
capability. The most recent backup is typically
retained in the backup appliance in addition to being
stored in a secondary location.

Backups should be stored in a separate secure location.

The geographical separation of backups should be
based on risk. Backups should be physically secured
and protected from fire, water, and other hazards. The
storage process, standards, and access should be Autobackupมักverityเอาพบว่ าbackup
defined and documented. สาเร
จมัง.
BACKUP INSTRUCTIONS
FullBackupครัง้ แรก
• Server backups will be performed every business night,
upแค่เฉพาะ
บ้าน
ที่ ในแต่ ละวัน นฑูกุ น.
Incrementalbackups
เพิ่ม
ทca11m
ุ นกจัดเก็ บ
including holidays

• System Administrator (IT Personnel) shall take the

พอครบukก็FullBackup
ตลอดงั.
backup of data along with corresponding audit trial
record, acquired on computerized system.

• The last backup of everyday will be considered the

weekly backup and kept for a month transfer to
second backup media.

• Monthly second backup media will be stored in a

fireproof safe.

• The last two monthly seconds will be stored off-site

in a fireproof safe.

• Backups will be performed and monitored by a full-

time IT administrator.

• Backups shall always be performed before

upgrading or modifying a server.

• The environment condition of backup data storage area is

followed by Data Center Room Condition requirement.
RESTORATION INSTRUCTIONS
• Once loss of data is discovered, evaluated, and minimized. System
administrator will proceed to restore the data from backup media.

• The system administrator shall determine the time and date of the
lost data and select the appropriate backup media to restore the
data.

• The selected backup media shall be inserted into the appropriate

server.

• The system administrator shall invoke the Backup/Restore software,

such as Veritas Backup.

• The system administrator schedules the restoration of the

appropriate data within the Backup/Restore software and monitors
the restoration of data.

• Upon restoration, the administrator evaluates the integrity of the

restored data.

• The system administrator will contact the end-user of the data to

finalize restoration. Upon approval from the end-user, the restore is
considered finished.
LOSS OF DATA
• If loss of data is discovered, evaluation and investigation by
administrator is immediately dispatched.

• In most cases, loss of data is related to file corruption, virus,

security or human error.

• If loss of data is related to data corruption, the system

administrator must troubleshoot and determine preliminary cause
of the problem is hardware or software related to prevent
addition file corruption.

• If the data loss is related to a virus, the system administrator must

determine the extent of the virus and remove it to prevent
further data loss. If the system cannot remove the virus and the
technique is broken, the system needs to restore it from the
backup file.

• If the loss of data is related to security or a compromised system,

the system administrator must determine the extent of the
compromise and fix the vulnerability quickly to prevent further
loss of data.

• If the loss of data is related to human error, The system

administrator must immediately inform and train the appropriate
personnel to avoid further loss of data.
 บริ หารจด ภัยคุ กคาม
ั การ
่ คาดคิ ดไว้ด้วย ผุ ไปแม้
สหdesignseenerioทีไม่
DISASTER RECOVERY
PLANNING
• Disaster Recovery (DR) focuses on restoring computerized system and data to a
known point (RPO) within an agreed time (RTO) Considerations include loss of
application components, Loss of IT infrastructure, Loss of a service provider,
Loss of access to premises, Network failures, Cyber attacks, and Pandemics.
• A DR plan may involve multiple organizations responsible for facilities, IT
infrastructure, and computerized systems. The DR plan should include a clear
process for prioritizing system restoration as the disruption may involve the
failure or unavailability of multiple systems that may be within or outside the
regulated company.
• DR plans should be immediate steps to be taken to minimize further impact and
actions to be taken to recover the situation including the order in which systems
must be brought online if relevant.
 มน
ทําAUtoaมาดวู่ า ั 911ม
อ

หลายโปรแกรมก่ตามักจัดลําดับก.backupไว้
สมี
BACKUP
RECORD
 การยก กูคื้ นnwสุ่ ม
RESTORE RECORD
ทุ กวัน ๗ไม่ได้Restoreทุ กวัน อาจ
Backup า ก3เดื อนงั้
ทํทุ
Q&A
เน้นCSVด้านหน้า 1อิ่ บ ลีมทัง มาชนนะ

มีทั้งขกผิ ด ชอบ ตัมคําบรรยาย

I วางยาเก่ ง0น ยังคําสุ ดท้าย

KEY TAKEAWAY
 E-mail: Siriluk.b@gpo.or.th

THANK YOU
RANGSIT PHARMACEUTICAL PRODUCTION PLANT 1
THE GOVERNMENT PHARMACEUTICAL ORGANIZATION