&
Validation Documentation
Danilo Maruccia
Milan, 21 March 2006
GAMP means Good Automated Manufacturing Practice
Purpose of GAMP
- To help USERS understand the requirements for prospective validation of an automated system and the level to which the validation should be performed
- To help SUPPLIERS ensure that systems are developed according to good practice, and to provide documentary evidence that their systems meet the agreed specification
February 1994
Second Draft
January 1995
Version 1.0
March 1995
Version 2.0
May 1996
Version 3.0
March 1998
GAMP4
GAMP 4 Objectives
- The extent and scope of Validation needs to be easily determined using simple and well understood rules.
- The existing guidance on categories of software is very useful, but should be developed further.
- Validation life-cycles and associated documentation needs to be scaleable to take due account of the size, complexity, and criticality of the computer system.
GAMP 4 Objectives
- The balance of validation work required by users needs to be examined.
- More use should be made of the development work performed by suppliers, so that less supplementary work is required by the users.
- Greater emphasis is required on the benefit, use, and control of configuration of systems based software packages.
[Figure: GAMP 4 document structure. Labels: GAMP4 Guide (Principles & Framework); Procedures & Guidelines; Good Practice Guidance (GPGs); Training and Education Material; Detailed Guidance on Risk Assessment; Risk central to GPGs]
A strategic framework for computer validation drawing together the key validation principles and practices
How to apply these principles to determine extent and scope of validation for different types of systems
- Including Purpose, Scope and Benefits
- Validation Overview
- Validation Life Cycle
- Including User Requirements Specification, Determining Validation Strategy, Validation Reporting, and Maintaining the Validated State
- Management System for Suppliers of IT Systems
- Process Control System Validation
- Benefits of Validation
- Good Practice Definitions
- Glossary, Acronyms, and Source Material
ISPE GAMP 4 Launch Conference 3-6 Dec. 2001, Amsterdam
A supporting set of rationalized and revised procedures and guidelines for computer system validation and compliant operation, classified into:
- Management
- Development
- Operation
- User Requirement Specification
- Functional Specification
- Hardware Design Specification
- Software Design and Software Module Design Specification
- Production, Control, and Review of Software
- Testing of an Automated System
GAMP 4 Themes
- Defined Development Lifecycle
- Planning
- Risk And Impact Assessment
- User and Supplier Partnership
- Specifications
- Traceability
- Design Review
- Formal Testing and Verification
- Documented Evidence
GAMP categories (table columns: Category, Description, Validation Approach)
- I: Operating Systems
- II: Firmware
- III: Standard Software Packages
- IV: Configurable Software Packages
- V: Custom (Bespoke) Systems
[Table: CATEGORY / VALIDATION APPROACH, with rows 1 Operating Systems, 2 Firmware, 3 Standard Packages, 5 Custom or Bespoke]
[Table: example system components by GAMP category (column: Name)]
- Infrastructure: communication reliability verified through PQ; Database Server; Application Server; Workstations
- III Standard Software Packages: Pervasive SQL database; Crystal Reports application
- IV Configurable Software Packages: ERP
- Custom (Bespoke) Systems: Interface ERP-MES
[Figure: validation life cycle diagram. Labels: Functional Specification; Design Specification; Risk Assessment; Design Review; System Build; Testing; Installation Qualification; Operational Qualification; Performance Qualification; specifications are shown as "related to" the qualification stages]
CS Validation Documents
[Figure: GAMP validation documents, split between client responsibility and supplier responsibility. Phases: Planning; Specifications; Testing; Report; On-Going. Documents: Audit Report; Validation Plans; Test Plan; Validation Master Plan; Design Spec.; Functional Spec.; User Requirement Specifications; Factory/Site Acceptance Test; SOPs; Protocols DQ, IQ, OQ, PQ; Master Index; Validation Report; IQR, OQR, PQR; Validation Summary; User Manuals]
Validation Deliverables
[Figure: validation deliverables. Labels: User Requirements Specifications; Functional Specifications; Design Specifications; Audit Report; SOPs; Test Plan; Unit Testing; System Acceptance Testing; Installation, Operational, Performance Qualification Protocol & Reports; Decommissioning Plan/Report]
Validation Process
User Requirements
Validation Plan
Functional Specifications
Design Specifications
Design Qualification
System Configuration & Customization
Supplier Testing Review
Unit Testing
System Acceptance Test
Installation Qualification
Operational Qualification
Performance Qualification
Validation Report
SW Vendor
Pharmaceutical Firm
Supplier Audit
Responsibilities
[Figure: customer and supplier responsibilities across the life cycle. Labels: Requirements; Supplier Evaluation & System Selection; Specify & Design; Build; Supplier Testing; Validation Testing; ACCEPTANCE; GO LIVE; Operation; Maintenance; Documentation; CUSTOMER; SUPPLIER]
It is the formal documentation of the comprehensive validation activity plan (according to system life cycle).
It describes the planned validation activities, responsibilities and approval authorities.
- System name and version
- System description
- System owner/responsible
- Scope of validation (System Boundaries)
- Reference to SOPs or standards used to perform the validation
- For automated equipment, the plan should be combined and/or integrated with the equipment validation plan and not performed separately
- Criticality
- Complexity
- SW Category
BUT NOT how it will do it
Most of CS defects are due to incorrect requirements specification
- Regulatory Requirements
- Process Requirements
- What e-Records are managed by the system
- Where e-Signatures are employed
- Necessary audit trails (who, what, when)
- Data retention
- Security / authorization
- Business continuity plan
- Unused system functions
- Operating environment and the computer's role
- Uniquely identified
- Unambiguous
- Testable
- Not repeated
- Prioritized (if any)
Quality attributes of Requirement:
- Accurate
- Clear
- Consistent
- Complete
The requirements shall be written with enough details to provide guidance for the design specifications and functional testing and may reference other documents
- Business process (in Requirements) showing work flow and parts automated by system
- Interfaces (in Requirements) showing links to other systems
- System process (in Requirements) showing the internal system processes
Supplier Selection
[Figure: supplier evaluation effort, RISKS OF UNRELIABLE SYSTEM against COSTS. Labels: MEDIUM GMP RISK SYSTEMS; EVALUATION THROUGH REFERENCES; EVALUATION THROUGH EXPERIENCES; REQUEST FOR INFORMATION; 3RD PARTY AUDIT; SPECIFIC FIRM AUDIT; HIGH GMP RISK SYSTEMS; 1st screening; Bekers rule]
[Figure: Level of Evidence required. Labels: User Effort; Supplier Effort; Bad SW Supplier; Good SW Supplier]
[Figure: NUMBER OF SW BUGS over TIME. Labels: Good; Supplier QS; Functional Specs; Design Specs; Source Code Review; Unit Testing; Integration Testing; Validation; Operation; Supplier Release; GoLive]
[Figure: QUALITY PLAN. Labels: GOOD DOCS; BAD DOCS; Customer docs + Supplier docs (Reference); Customer docs]
- Who produced the document, under which authority, and for what purpose
- The contractual status of the document
- Relationship with, and reference to, relevant policies, procedures, standards and guidelines (such as GAMP)
- Relationship with, and reference to, the Validation Plan if appropriate
The Quality Plan shall describe how the user company quality requirements are to be met by the supplier. The activities to be undertaken, the procedures to be followed, and responsibilities should be defined.
All user company quality requirements should be listed here. User quality requirements take precedence over the supplier's Quality Management System.
System Specification
Functional Specifications are normally written by the supplier and describe in detail the functions of the system, i.e., what the system will do. The user should review and approve Functional Specifications. It is normally considered a contractual document.
Design Specifications should contain sufficient detail to enable system build and maintenance
Quality attributes of Functional Specifications:
- Traceable to the requirement
- Uniquely identified
- Unambiguous
- Detailed
- Testable
- Not repeated
WHEN
SUPPLIER
SUPPLIER +
USER
Requirements Traceability
User
Requirements
Functional
Specs
Design
Specification
Source Code
Review
Design Specifications
Design Specification shall describe how the system
has been developed in order to perform the functions
required
Design Specifications shall include:
- Standard model used in developing the application
- Information flows
- Software elements of the system
- Configuration (in case of configurable systems)
Design Specification shall:
- Provide sufficient detail to build or buy a computer system or components
- Be the basis for additional activities such as module and subsystem development, test planning, subsequent maintenance and enhancement.
Design Specifications
Design Specifications maintained by the firm shall document the part of the system under user's (i.e. firm) control
- Required configuration settings or parameters
- Reason for setting, with reference to controlling specification
- Tools or methods that will be used to set the required options
- Dependencies and impacts on other modules or systems
- Security of settings
Design Qualification
Design Qualification (also termed Design Review) is a planned and systematic review of specifications, design, and development throughout the life cycle.
Design Reviews evaluate deliverables against standards and requirements, identify problems, and propose required corrective actions.
Functional
Specifications
Testing
The process of exercising or evaluating a system or a system component by manual or automatic means to verify that it satisfies specified requirements or to identify differences between expected and actual results
IEEE Std. 729
SOPs
VAL
REPORT
INDEPENDENCE FROM
DEVELOPMENT
- Testing based on Test Procedure (Protocols)
- Testing performed in dedicated environment
- Attention to produced documentation
- Production of the testing final report
Testing shall be based upon:
- system documents, which describe the characteristics of systems that will be the subject of tests
- test procedures, which describe how to perform the test
- test results, which report results of system tests
- anomaly reports, which describe errors and malfunctions found by tests
Test Procedures
Test Procedure shall describe in detail how to perform the test
- Uniquely Identified
- Traceable to the specification
- Unambiguous
- Accurate
- Specify expected results
Testing Focus
- Specify expected and actual results
- Evidence of test results generated during testing must be recorded (e.g., printouts, screen dumps, display of alarm color, event observation)
- If evidence cannot be generated, a second person (verifier) may need to verify critical events (when specified by test plan)
- Deviations and unexpected results are investigated, resolved and documented
[Figure: Customer docs + Supplier docs (Reference); Customer docs]
Supplier Testing
Supplier Testing shall be executed through the following approaches:
- White Box: Examining the internal structure of the source code. Includes low level and high level code review, path analysis, auditing of programming procedures and standards actually used, inspection for extraneous dead code, boundary analysis and other techniques.
- Black Box: Testing that ignores the internal mechanism of a system software or a software component and focuses solely on the outputs generated in response to selected inputs and execution conditions.
Independence of Review shall be ensured by the Vendor, i.e. at least one testing stage shall not be executed by the persons who developed the code
Supplier Testing
- Unit Testing activities will be performed in order to test each single software object against its Unit Design Specification and verify the correct implementation of each single process management function.
- Integration Test Specification defines those tests that demonstrate that all software modules communicate with each other correctly and that the software system meets its design specification. For solutions based on configurable software it may be necessary at this point to integrate the configuration previously tested using Package Configuration Test Specifications.
- Site Acceptance Testing is performed by the Supplier in order to verify:
  - system correct functionality
  - system coverage of User Requirements
  - interface suitability between systems and instruments (if any)
User Qualification
- Criticality and complexity of the computer system will impact the extent and focus of testing
- Results of the Software Supplier Evaluation may impact the quantity of formal user testing required, especially OQ (unit) testing
- Testing may be greatly reduced if the supplier has a reliable set of functional testing
- Vendor testing weaknesses may need to be addressed with additional testing
- Software has been loaded correctly
- Specific site hardware items have been assembled and installed correctly
- Power supply, earth connections, data connections and field connections are correct and enable the system to be powered up
- Control and monitoring instrumentation have been calibrated and installed correctly
- Basic system functions operate on power up and any built in diagnostics are satisfactory
- Characteristics of PC HW and SW
- Configuration/parameterization files print (if any)
- Quality SW Supplier Certification (if any)
- Software Certification (if any)
- Reference to specifications (Design Specification)
Base tests to verify correct installation
- Name and version of the software
- Who performed the installation
- Date/time of installation
- Installation instructions (listed or referenced)
- Special set-up parameters
- Verification that the installation was successfully completed
If testing is not performed in the production environment, include documented evidence that:
- Test environment is essentially the same as production environment
- Test installation meets the same criteria as production installation
Tests must challenge normal and abnormal conditions including:
- Security controls
- Range checking for data entry
- Sequences of operations
- Alarm conditions
Additional testing should focus on portions of the system which are most critical and complex
[Figure: traceability example. Labels: Functional Specifications 1 and 2; Objects A, B, C; Design Specs A, B, C; Unit Testing A, B, C]
Requirements Traceability
User
Requirements
Functional
Specs
Design
Specification
Source Code
Review
OQ Test Scripts
PQ Test Scripts
Validation Report
A list of deliverables generated from the
validation activities, including storage location
Documentation Archiving
[Figure: documentation archive structure across the Implementation Phase and the OnGoing Phase. Labels: Project Documentation; User Requirements; Validation Documentation; Validation Plan; Validation Protocols and Records; Validation Report; Maintenance Documentation; Registration; Support Agreements for HW and SW; SOPs; Master Index; User Documentation; Maintenance Records; Training Records; Change Control Documents; Backup Log; Periodic Review]
Validation Keystones
To be in Compliance means:
Coordination (Policy & Standards)
Cooperation (sharing knowledge & support)
Capacity (make realistic Plans for big changes)
Competence (get trained to gain competence)
Consistency (use same measurements & tools)