GAMP 5
A Risk-Based Approach to Compliant GxP Computerized Systems
Stephen Shields
8 October 2013
ASQ – Orange Section Meeting – Part 2


Disclaimer

• This presentation is made at the request of ASQ.

• The presenter is a full-time employee and stockholder of Allergan, Inc.

• The information provided and opinions expressed during this presentation are those of the presenter and are not the position of and may not be attributed to Allergan, Inc.


Agenda

Operation Phase
• Handover
• Service and Performance Monitoring
• Incident Management and CAPA
• Change Management
• Periodic Review
• Continuity Management
• Security and System Administration
• Record Management

Retirement Phase
• Withdrawal
• Decommissioning
• Disposition


Operation Phase

The approach and required activities should be selected and scaled according to the nature, risk, and complexity of the system in question.

The regulated company should ensure that appropriate operational processes, procedures, and plans have been implemented, and are supported by appropriate training.

Compliance and fitness for intended use must be maintained throughout the system's operational life.

The integrity of the system and its data should be maintained at all times and verified as part of periodic review.

Opportunities for process and system improvements should be sought based on periodic review and evaluation, operational and performance data, and root-cause analysis of failures (Incident Management and CAPA).

Change management should provide a dependable mechanism for prompt implementation of technically sound improvements following the approach to specification, design, and verification.


Operation Phase – Information Flows


Operation Phase - Processes

Process Group | Process
Handover | Handover Process
Service Management and Performance Monitoring | Establishing and Managing Support Services; Performance Monitoring
Incident Management and CAPA | Incident Management; CAPA
Change Management | Change Management; Configuration Management; Repair Activity
Audits and Review | Periodic Review; Internal Quality Audits
Continuity Management | Backup and Restore; Business Continuity Planning; Disaster Recovery Planning
Security and System Administration | Security Management; Systems Administration
Records Management | Retention; Archive and Retrieval
Training | Training Management


Handover

Handover is the process for transfer of responsibility of a computerized system from a project team or a service group to a new service group.

Typical conditions for handover to business
• Fit for Intended Use
• Compliant
• Trained Users
• Operation Security & Roles Established
• SOPs Effective (operational & support)
• Unique Configuration Elements Established
• Issues Closed/Resolved
• Rollback Strategy


Handover Process


Service Management & Performance Monitoring

Maintaining a system in a state of compliance is often dependent upon services provided by organizations outside the direct control of the system owner.

• A Service Level Agreement (SLA) establishes responsibilities between the IT Service Provider and the Customer.

• An Operating Level Agreement (OLA) defines the goods or Services to be provided to the IT Service Provider by another part of the same Organization and the responsibilities of both parties.

• An Underpinning Contract (UC) defines targets and responsibilities of a Third Party to meet agreed Service Level Targets in an SLA.

Where appropriate, performance of the system should be monitored to capture problems in a timely manner. It also may be possible to anticipate failure through the use of monitoring tools and techniques.


Support Services Process


Incident Management and CAPA

Incident Management process should address:
• Categorize incidents
• Triage to the most appropriate resource or complementary process
• Document
• Review
• Prioritization
• Progress towards resolution
• Escalation
• Closure

CAPA process should address:
• Investigation, understanding and correcting discrepancies based on root-cause analysis
• Preventing recurrence of discrepancies
• Preventing occurrences of possible/predicted discrepancies
• Effectiveness


Change Management

Critical activity fundamental to maintaining the compliant status of systems and processes

• Software (including middleware), configuration, hardware, infrastructure, or use of the system
• Reviewed to assess impact and risk of implementing the change
• Suitably evaluated, authorized, documented, tested, and approved before implementation, and subsequently closed
• Scaled based on the nature, risk, and complexity of the change
• Continuous process and system improvements based on periodic review and evaluation, operational and performance data, and root-cause analysis of failures.
• Emergency changes performed change management process or repair SOPs


Periodic Review

Verify systems remain compliant with regulatory requirements, fit for intended use, and meet company policies and procedures.

• Interval appropriate to the impact and operation history of the system
• Pre-defined process
• Documented with corrective actions tracked to satisfactory completion


Continuity Management

Backup and Restoration
• Software, records, and data are made, maintained, and retained for a defined period within safe and secure areas
• Restore procedures should be established, tested, and the results of that testing documented

Business Continuity Planning
• Plans established and exercised to ensure the timely and effective resumption of these critical business processes and systems

Disaster Recovery Planning
• Details the precautions taken to minimize the effects of a disaster, allowing the organization to either maintain or quickly resume critical functions (focus on disaster prevention).


Security and System Administration

Adequately protected against willful or accidental loss, damage, or unauthorized change

• Procedures for managing secure access, including adding and removing privileges for authorized users, malware management, password management, and physical security measures
• Role-based security
• Apply to all users, including administrators, super-users, users, and support staff (including supplier support staff)
• Procedures for administrative support for systems


Record Management

Records must be maintained and accessible throughout their retention period

• Establish policies for retention of regulated records
• Retain data on-line or archive
• Establish procedures for archival and retrieval


Retirement Phase

Systematic process of permanently removing a system from use

• Withdrawal, system decommissioning, system disposal, and migration of required data
• Withdraw the system from active operations, i.e., users are deactivated, interfaces disabled. No data should be added to the system from this point forward. Special access should be retained for data reporting, results analysis and support.
• Decommission the system
• Determine disposition of data, documentation, software, and hardware (permanently destroyed, re-tasked, archived, migrated).


Questions?

Stephen Shields
WWQA Director
Computerized System Compliance and Quality
Allergan, Inc.