Agile Approach vs. GAMP 5 V-Model
What is the Agile Approach in CSV?
The agile approach emphasizes continuous communication between the customer and the validation team. Project phases depend on regular feedback from the client, ensuring the system aligns with end-user expectations. However, this approach offers less control over overall budget and timelines for implementing an automated system.
What is the GAMP 5 V-Model in CSV?
If managing time and budget is crucial for your organization, consider using the GAMP 5 V-model. This model outlines the essential steps and associated deliverables in the context of computerized systems validation or project lifecycle development.
The GAMP 5 V-model details the activities to be carried out and the deliverables to be produced during product development. Its name comes from its typical graphical representation in a V shape.
This model is a variation of the Waterfall model of software development, which describes a sequential process where each step must be completed before moving on to the next. It also allows for cycles, and this results in the characteristic V shape.
- Planning
The planning phase focuses on defining the strategy for validating the computerized system. This strategy is crucial and is outlined in the validation plan, but the planning phase also produces further deliverables:
- Validation Project Plan: This document outlines the boundaries and interfaces related to the software scope, leading to a risk analysis to assess criticality. It includes a list of documents, responsibilities, and applicable procedures, as well as the required documentation. Tasks and roles are assigned to the validation team members.
- System Description: According to EU GMP Annex 11, clause 4, “An up-to-date description of every GxP-regulated computerized system should be available.” This information must be accessible to any authorized personnel, new users, or auditors.
- User Requirements Specifications (URS): This document captures the users’ needs from their perspective. It guides development activities and the implementation of functional controls. Requirements can be categorized as operational, process, regulatory, quality, performance, and more.
- Risk Analysis: Common risk assessment techniques are employed to identify, qualify, and quantify risks to effectively manage them. Statistical methods are used to create matrices that classify risks based on severity and probability. Priorities are determined by evaluating risk classes alongside detectability.
- Specification
User Requirements Specifications (URS) capture the end users’ expectations for the computerized system and are translated into functions, system interfaces, and system descriptions.
To ensure traceability among user requirements, functions, configurations, and subsequent testing activities, a traceability matrix is necessary. This matrix links user requirements to functional, design, configuration, and unit specifications, considering both hardware and software aspects. It also references relevant procedures (e.g., SOPs and change controls) and assesses the criticality of each requirement.
- Configuration/Coding
In this phase, the supplier applies their expertise to implement the customer’s requirements. All functionalities documented in the previous steps are put into action.
- Verification
Verification involves assessing the results in the test reports based on the configuration/coding completed earlier. These results are compared to the expected outcomes outlined in the specifications.
Verification tests include:
– Unit and Integration Testing (Integration Qualification, IQ): Ensures the system is built as intended.
– Functional Testing (Operational Qualification, OQ): Confirms that the system operates as required.
– User Acceptance Testing (Process Qualification, PQ): Validates that the system meets users’ needs.
- Reporting
The validation report summarizes the project’s results and activities, serving as the final documented proof that the automated system has been validated.
Additionally, all events occurring during the validation process are documented. This includes scope changes, vendor review references, lists of activities, deliverables, deviations, corrective actions, statements of “Fit for Intended Use,” training records, and more.
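The traceability matrix described under Specification can be checked mechanically before the validation report is signed. The following is an added example, not part of the original page: the record layout, all IDs and the function name `trace_gaps` are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# URS id -> criticality (constructed sample data)
URS = {"URS-001": "high", "URS-002": "high", "URS-003": "low",
       "URS-004": "medium", "URS-005": "high"}

# Functional/configuration specs, each tracing back to one URS item
SPECS = {
    "FS-010": "URS-001",
    "FS-011": "URS-002",
    "CS-020": "URS-003",
    "FS-012": "URS-004",
    "FS-099": "URS-999",  # traces to a requirement that does not exist
}

# Test cases: (test id, spec verified, qualification stage, result)
TESTS = [
    ("IQ-001", "CS-020", "IQ", "pass"),
    ("OQ-001", "FS-010", "OQ", "pass"),
    ("PQ-001", "FS-010", "PQ", "pass"),
    ("OQ-002", "FS-011", "OQ", "fail"),
]

def trace_gaps(urs, specs, tests):
    """Return the traceability gaps: requirement -> spec -> test result."""
    specs_by_urs = defaultdict(list)
    for spec_id, urs_id in specs.items():
        specs_by_urs[urs_id].append(spec_id)
    results_by_spec = defaultdict(list)
    for _test_id, spec_id, _stage, result in tests:
        results_by_spec[spec_id].append(result)
    gaps = {"no_spec": [], "no_test": [], "not_passed": []}
    for urs_id in sorted(urs):
        linked = specs_by_urs.get(urs_id, [])
        results = [r for s in linked for r in results_by_spec.get(s, [])]
        if not linked:
            gaps["no_spec"].append(urs_id)      # requirement never specified
        elif not results:
            gaps["no_test"].append(urs_id)      # specified but never verified
        elif "fail" in results or "pass" not in results:
            gaps["not_passed"].append(urs_id)   # verified with an open failure
    open_ids = gaps["no_spec"] + gaps["no_test"] + gaps["not_passed"]
    gaps["orphan_spec"] = sorted(s for s, u in specs.items() if u not in urs)
    gaps["critical_open"] = sorted(u for u in open_ids if urs[u] == "high")
    return gaps

if __name__ == "__main__":
    for kind, ids in trace_gaps(URS, SPECS, TESTS).items():
        print(f"{kind}: {ids}")
```

Any entry under `critical_open` is a high-criticality requirement that the validation report cannot yet claim as verified.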
Difference Between Category 4 and Category 5 in GAMP 5
In the validation context, the terms “configuration” and “customization” are often used interchangeably, particularly in vendor marketing materials. However, understanding the distinction is crucial, as it significantly affects the scope of validation work required.
Configuration: This involves modifying the functionality of a software product to align with business processes or user requirements using tools provided by the supplier. Examples include entering user-defined text for drop-down menus, toggling software functions on or off, dragging and dropping graphical elements, and generating specific reports using the standard features of the software.
Customization: This refers to the development of software modules, scripts, procedures, or applications to fulfill specific business requirements. Customization may involve using external programming languages (like C++, .NET, or PL/SQL for database procedures), macro instructions, or an internal scripting language tailored for the commercial application.
Depending on user requirements, the same implementation can fall into either Category 4 (configured software) or Category 5 (customized software).
Why is GAMP 5 Important?
While GAMP is not mandatory or legally binding, it serves as the industry standard for validating automated systems. Developers in regulated sectors often use GAMP 5 to enhance market efficiency and reduce risk. Here are some key benefits of adopting GAMP 5 guidelines in your development environment:
Avoiding Noncompliance Penalties: Regulated companies must comply with various engineering frameworks from government and regulatory bodies. Implementing GAMP helps streamline compliance with these regulations, reducing the risk of costly penalties.
Improving Automation: Many organizations face low returns on investment from their automation systems due to a lack of standardization and poor performance. Adhering to GAMP guidelines leads to higher-quality automation with fewer errors, resulting in increased productivity and better financial returns.
Boosting Scalability: GAMP 5 emphasizes the standardization of automated systems during implementation and validation. This standardization facilitates faster and easier scaling of automation throughout your operations.
What are the GAMP 5 Software Categories?
When applying the GAMP 5 framework, the first step is to classify your software based on its impact on regulated processes. Here’s an overview of the different software categories within GAMP 5:
– Infrastructure: This category includes the foundational components that support your system, such as network infrastructure, operating systems, database management systems, and auxiliary software.
– Non-configurable: As the name implies, non-configurable software consists of commercial applications that do not allow for any custom modifications or configurations, such as analysis and monitoring tools.
– Configurable: Configurable software includes modifications that enable systems to align with specific workflows and processes. This type of software may impact end-user safety or product quality.
– Custom: Custom software is proprietary software specifically designed for an internal workflow or team. This category requires thorough testing and validation to ensure reliability and usability in a regulated environment.
– Bespoke: This category encompasses bespoke software, which is developed using proprietary technologies. Like custom software, bespoke solutions also require extensive testing and validation.
Defining Computer System Validation
Computer System Validation (CSV) is a documented process that ensures a computer system can consistently perform its designated tasks in regulated sectors, such as pharmaceuticals. These systems must maintain data integrity, ensure high product quality, and comply with GxP regulations. The FDA has been implementing this approach since the release of the 2003 CSV guidelines, alongside 21 CFR Part 11.
CSV applies to various computer systems, including:
– Process Control Software
– Controller-Based Systems (MP/MC)
– PLCs for Controlled Packaging Equipment
– Supervisory Control and Data Acquisition (SCADA)
– Distributed Control Systems (DCS)
– Commercial Off-the-Shelf (COTS) / Software as a Service (SaaS)
– Laboratory Information Management Systems (LIMS)
– Clinical Trial Monitoring Systems
– Chromatography Data Systems (CDS)
– Enterprise Resource Planning (ERP) Systems
– Manufacturing Execution Systems (MES)
– Batch Record Systems
– Building Management Systems (BMS)
– Cloud-Based Software Services
– Spreadsheets
Regulatory Obligations
Different countries have various regulations governing the validation of computer systems, including those from the US FDA, EU GMP, WHO, and MHRA, among others. The US FDA recognizes computer systems as equipment under 21 CFR 211.68, which mandates validation. This regulation outlines specific controls for electronic records and signatures in 21 CFR Part 11, which requires that electronic records and signatures be accurate, reliable, retrievable, and secure, ensuring full legal equivalence to paper records and handwritten signatures. Additionally, the FDA mandates the medical devices industry to validate software according to the 21 CFR 820 guideline. EU Annex 11 also offers guidance on the validation of computerized systems, while ISO 13485 standard 16 requires CSV for the medical devices sector.
Good Automated Manufacturing Practice (GAMP) consists of guidelines and procedures that pharmaceutical companies use to validate computer systems for compliance with FDA 21 CFR Part 11. While GAMP is not a regulation, it serves as a set of guidelines, meaning companies are not legally required to follow it. However, GAMP can help organizations indirectly meet global regulatory requirements.