GAMP 5 Quality Risk Management Approach: by Kevin C. Martin and Dr. Arthur (Randy) Perez
(Source: GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems, used with permission from ISPE)
4 PHARMACEUTICAL ENGINEERING MAY/JUNE 2008
Copyright ISPE 2008
could be considered Category 4. A simplified approach
(Category 3) is allowed; however, a user can choose not to
configure a simple configurable product and apply the
default configuration.
Categories 4 (Configured Software) and 5 (Custom or
Bespoke Software) remain essentially unchanged with the
exception that supplier assessments are suggested (i.e.,
discretionary), depending on the overall criticality of the
system, as opposed to requiring supplier audits for all
systems within the category.
The GAMP 5 software categories represent a broad indicator
of likelihood of software failure. They can be a factor in
planning test rigor, but not the only one. Large systems often
comprise components of several categories; therefore, each
category can help assess the overall risk/impact of the
components. The complexity of the components also can be useful in
evaluating the rigor needed for supplier assessment. Risk is a
continuum, and because the GAMP 5 categories are
generalizations, they are not absolute, but can be useful as a tool
in the overall risk process (Figure 1). Other significant factors
related to the risk of software include the quality processes
of the supplier (it is certainly possible to make bad
infrastructure software), the integrity of the implementation process,
and of course the use to which the software is put.
The key to maximizing the usefulness of the GAMP
categories is to fully realize that they represent general conclusions
about wide classes of software, and that they should only be
one of the factors considered when planning a validation/
verification strategy for a system.
Figure 3. Risk assessment effort scaled according to function impact. (Source: GAMP
Guide
that will present an alternative approach, and aligns well
with the recently published ASTM 2500-07 standard.
Although there are many existing standards available, ISO
14971 and particularly ICH Q9 were selected as the
foundation for the GAMP 5 Quality Risk Management (QRM)
approach.
The central tenet of the GAMP 5 approach is to define
acceptable practices and apply stronger measures only where
warranted. The approach should be simple in that an
assessment result should indicate where additional controls are
needed based on the relative risk. An added benefit of
keeping the approach simple is that there should be only
minimal impact when a company transitions from old
compliance programs to new ones.
Process Description
It should be noted that organizations may have already
established processes for risk management. While GAMP 5
provides one suggested approach, it does not intend that
companies discard their current practices, rather that they
continue to be used as appropriate within the overall quality
risk management framework consistent with ICH Q9.
The GAMP 5 Quality Risk Management approach is based
on a simple five-step process (Figure 2), where the emphasis
is on constantly narrowing the focus to the point where
rigorous testing and additional controls are only applied
where the risk warrants.
Step 1 Initial Assessment
An initial assessment should be performed based on an
understanding of the business processes. The understanding
can be derived from user requirements, design specifications,
operating procedures, regulatory requirements, and known
functional areas. The assessment should include a decision
on whether the system is GxP regulated and include an
overall assessment of the system impact. Further, it should
include an evaluation of the process for impact to patient
health, as many of the later steps in this process are
dependent on this for the purpose of determining the scale of effort.
Since this step is geared toward understanding the
business process, it is critical to ensure user involvement in the
assessment and their acceptance of the outcome.
Step 2 Identify Functions with Impact on Patient Safety, Product Quality, and Data Integrity
Building upon the information obtained in Step 1, the specific
functions that have impact on patient safety, product quality,
and data integrity can be identified and addressed. It must be
remembered that no function can be assessed as having
higher risk or impact than the process itself. The functions
are typically listed in tabular form to be used in Step 3.
Similarly to Step 1, user involvement is important to ensure
that the impact of a system function on the business process
(and ultimately on patients) is understood.
Step 3 Perform Functional Risk Assessments
Figure 4. GAMP 5 risk assessment method. (Source: GAMP