GAMP5 Webinar (Transcript)
Print
Mary Kay Lofurno: Hi, and welcome to the first in a series of webinars on compliance and validation topics put on by Veracord and its division, 21 CFR Consulting. This series is sponsored by SyberWorks, Incorporated.
Veracord and its division, 21 CFR Consulting is headquartered in San Jose, California, and serves the FDA-regulated life sciences industry, which includes pharmaceuticals, biotechnology, and medical device companies.
Veracord offers compliance consulting services nationwide, specializing in validation, IT compliance, clinical, medical, and regulatory affairs. SyberWorks specializes in custom e-learning solutions and learning management systems in regulated FDA-compliant industries.
I am Mary Kay Lofurno, the Marketing Director for SyberWorks, and your host today.
Today, I’d like to introduce our speakers. David Park Schutz, Veracord founder and CEO, currently heads Veracord’s global sales division, serving Fortune 100 clients in the validation and compliance sectors.
Under Mr. Schutz’s leadership and vision, Veracord’s clients now include leading pharmaceutical, biotechnology, and medical device companies. Veracord remains the premier vendor for three of the top ten global medical device companies. Park’s unwavering business development efforts have strengthened Veracord’s signature in the industry as a company with integrity and uncommon commitment to clients.
Mani Mohammed, Senior Director of Compliance and Validation at Veracord, has spent the past 15 years in FDA-regulated industries focusing his skills and expertise in GxP-compliant manufacturing quality systems, including quality, policies and standards development, validation quality, risk management, data migrations, calibration and asset management, alarm and facilities monitoring, lab systems, or LIMS, drug product process development systems and tools, clinical systems, validation process automation systems, electronic imaging systems, and learning management systems. With a passion to improve best practices, Mani has directed companies in the biotech and pharmaceutical industry in translation of FDA, CFR, GAMP, SQA, and ICH guidelines.
After the presentation, we will be having a question and answer session, so please feel free to email us your questions. Park and Mani will look at those and do their best to answer those questions. Don’t worry, if we don’t get to your question right away during the question and answer period, we will email you a write up of all the submitted questions and answers in the days following our web conference today.
So, without any further ado, I’ll turn the conference over to Park.
David Park Schutz: Hello, everybody. Thank you very much for joining our webinar today. This is again titled, “GAMP 5 Meets National and International Regulations.”
The purpose of this presentation is to share Veracord’s viewpoints and experiences in the global standardization and harmonization of guidelines and methodologies. Again, my name is Park, I’m the founder and CEO of Veracord, a consulting firm that supports the life sciences industry with validation compliance and various other types of consulting services.
Mani Mohammed: Hello, everyone. This is Mani with Veracord. I’m glad to join this conference. Thank you.
David: OK, essentially the important part of what’s going on is, this is instigated by an initiative, and announced by Deputy Commissioner of the FDA, Lester Crawford, on the 21st of August, 2002. But, this whole alliance and framework has changed significantly over the last few years, so we wanted to give you a brief sense of what all this means.
The FDA’s GAMP initiative really seeks to integrate quality systems and risk management approaches into the existing programs, and it encourages adoption of modern and innovative technology.
The GAMP initiative is essentially designed around having the FDA audit teams trained, and their idea is to have them understand this more focused approach. Additionally, the goal of this is to use existing and emerging science and analysis to ensure that limited resources are best targeted to address important quality issues, especially those associated with predictability or identifiable health risks.
One of the things that came out of this GAMP initiative is they pretty much dissolved any distinction between medical device and pharma.
Here we’ve got the whole history of the evolution of the FDA and regulatory guidelines. We’re not going to go into tremendous detail on this, but I do want to give you some highlights.
In 1990, the ICH, or the International Conference of Harmonization, was formed from the regulatory authorities of Europe, Japan, and the United States, and experts from the pharmaceutical industry.
Originally, GAMP members were mainly from the medical device industry, with additional members from pharma and biotech, both from Europe and the United States. This was also the beginning of the partnership between ISPE and GAMP.
China came into play by using ISO9001 as a basis for the development of its Decree 360, and Japan also developed comparable standards prompted by their lead in lean manufacturing techniques.
From 1992 to 2000, the ICH worked on pharmaceutical engineering, and developed regulations Q1A through Q7A, which are global in nature. And then in 2000, the medical device industry introduced ISO14971 based on risk methodology. This was incorporated into GAMP 4 in 2001 and embraced by the FDA.
The ICH then developed Q8, Q9, and Q10, with Q9 offering the same risk approach as 14971, but focused on the pharmaceutical industry. And as you’re aware, GAMP 5 was introduced in 2008 to address the movement towards globalization and the need to address automated systems.
GAMP 5 is applicable regardless of international borders or industry bias. And that takes us up to where we are now.
Essentially the background is, again, that over four years of rework, GAMP 5 was released in February of last year. It’s a major rewrite of GAMP 4 with many significant changes; primary goals being procedures in line with the dynamic life science industry and reducing the cost of compliance.
With respect to the key drivers for GAMP 5, recall that’s since GAMP 4, the FDA cGMPs for the 21st century, the PIC/S Guidance and the final rule for Part 11 came out, as well as ICH Q8, Q9, and Q10. Additionally, there was the clinical guidance that was released in 2007 that also commented on Part 11. And then add to that the fact that risk management concepts have matured and there’s been a significant movement towards software solutions.
Really the biggest change is to provide more clearly defined scalability for efforts and deliverables and to align with the various regulatory bodies’ emphasis on risk and science-based GxP.
So, some of the history on these things is that GAMP 5, again, leverages risk management from GAMP 4 and addresses the entire life cycle of automated systems. And again it aligns with these very significant and important ICH guidelines, and ASTM E2500. Mainly, the other part of it is its embrace of automated systems.
With respect to ASTM E2500, basically the reality of the validation role within the framework of this guidance is that the role shouldn’t diminish, but should be integrated in the life cycle activities to provide guidance and ensure that quality built in is documented from the beginning.
You notice here it uses, in the third bullet, the term verification, which is now a systematic approach to prove the critical elements acting singly or in combination are fit for intended use. This is an important consideration here that they’re using this term “verification” and it really points to this whole concept of semantics.
Some industry groups want to eliminate the term validation and qualification and IQ/OQ/PQ based on the concern that these terms carry baggage that will lead to sort of over documentation. The use of verification based on good engineering practice is now preferred, yet many companies are more comfortable maintaining terminology that works for them.
GAMP 5 is now striving to be terminology neutral with the whole concept being that older terms still work with new concepts. The general idea is do what makes sense. If you want to call it verification, fine. If you want to call it validation, fine. Remember, the objective of these things is that they are guidances. They are not telling you exactly what you have to do, but giving you pointers on what the options are and what good solid approaches are.
The objective here is really to focus on risk. A great deal has been said about this topic, a great deal has been written about this topic, and it has its roots going back almost 60 years into the aerospace and food industry. A risk based approach was mentioned in GAMP 4 and the ISO14971 standard for medical devices, and it’s probably the most effective tool for reducing project compliance cost.
With the release of GAMP 5, the risk based methodology was implemented and so this is now the industry standard. With respect to risk management, remember it’s basically a system for identifying and assessing and mitigating, controlling and communicating risk based on good science, process and product understanding. Remember that zero risk is impractical and unattainable. There’s such a thing as the Law of Diminishing Returns. So, the objective is to really aim for acceptable risk.
Risk management also, again, aligns with GAMP and ISO14971, with ICH Q9 and also the ASTM E2500. So this is how a lot of these international regs all come together.
Mani: So, Park, if I may join over here. Zero risk is impractical like you mentioned, but also I want to share the companies, leaders in the biotech and pharmaceutical industries such as Genentech, that I recently worked for.
They have actually implemented a policy and quality standard that clearly defines, on a scientific and numerical methodology, a risk-based approach to their validated quality systems. What that means, it reduces the risk to the patient safety and quality of the product, improve the quality of the product.
So, that’s where this risk based approach is headed. You know, you want to reduce the risk to the patient’s safety and you want to improve the product quality. And there are ways to do it and we’ll share more information shortly. Thank you, Park.
David: OK, so thanks, Mani. Again, the core purpose of GAMP is really essentially to provide documented common sense. The clear objective is to produce, as Mani said, a minimum risk to patient at a minimum cost. So, the driver is really to improve patient safety and reduce the cost of compliance. GAMP 5 represents a general alignment with the global regulatory movement, regarding the use of a risk-based approach to qualification and validation for automated systems and for new equipment.
It’s also designed around being really a practical guidance. It facilitates the interpretation of regulatory requirements. Remember GAMP and ISP are associations that work with international regulatory agencies and interpret the guidances into a practical approach to supporting those guidances. That’s how it really serves you. It’s designed around establishing this common language and terminology and promoting the system life cycle approach based on good practices.
With respect to the drivers and automation, remember that the focus here is to focus your attention on computerized systems with the most impact on patient safety, product quality, and data integrity. But, it’s also to avoid the duplication of activities, leverage supplier audit and testing towards compliance. Clarify the roles of subject matter experts in the quality unit and scale all life cycle activities and associated activities according to their risk and complexity.
Other thing is that, essentially, remember that in 2002 the FDA announced the CGMPS for the 21st century with the objective to enhance and modernize the regulation of pharmaceutical manufacturing and product quality. Some of the key elements include its objective to encourage early adoption of technological advances, to improve quality management techniques, and to encourage the risk-based approach.
The ICH guideline Q8 on pharmaceutical development, Q9 on quality risk management, and Q10 on pharmaceutical quality systems most explicitly lay out the expectation for manufacturers to implement quality by design into their own operations.
The evaluation of risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient. The level of effort, testing, and documentation should be commensurate with the level of risk. And GAMP 5, by the way, has very good risk evaluation examples to help out with these things. They’ve actually got a bunch of templates in there.
Remember that Q9 doesn’t introduce new requirements or expectations, but should be considered a resource document that can be used together with existing quality related guidelines when this risk based approach is taken.
So, PQLI is from ISPE and it is essentially focused on aligning industry and regulatory leaders to develop a pragmatic and practical implementation of ICH guidelines based on sound scientific, engineering and business principles. Quality by design states that quality should be built into a product as opposed to being tested for flaws after manufacture.
This concept isn’t new. It’s based really very much on commonsense. So, really the whole concept that quality would be omitted in the design stage is ridiculous, but the general concept here is to do it right in the design phase. It saves money in the production phase.
Mani: So Park, if I may join again. Really, I want to share the example of the quality by design. What does that mean in practical terms in the validation world or in the quality world is, you build your quality in every document that’s been produced. So such as when you’re discussing the impact assessment for the system, you want to make sure that’s there, the quality of that document and that discussion with the team members is there.
Then more importantly is the user requirement specification and design specification. So, URS and SDS as we know in the industry or functional specifications, those are the key documents that has to have the design and requirements quality built in.
What that means is that requirements need to be specifically written line by line or in a section where they are explainable and testable. Therefore, you reduce the risk of overdoing the validation or redoing the validation. Same thing with this design concept. If the design concepts in the IT systems and so forth, you test the code up front.
Even though we’re deploying a lot of commercial, off-the-shelf cost systems, if you do the testing up front, it reduces the cost of quality of cost of validation in the validation environment when you’re launching the code, and eventually in the production environment.
So, this is one example of how you would do the quality by design in the IT systems as you're launching a new project, based on this risk-based validation approach and implementing quality by design throughout the lifecycle of those projects. Thank you, Park.
David: You bet. So, in May of 2007, the ASTM committee voted to approve a new standard for the specification design and verification of pharmaceutical and bio-pharmaceutical manufacturing systems and equipment. The objective was to really design things and set it up so that things are fit for their intended use.
The cGMPs don’t mention the terms “qualification,” “IQ,” “OQ,” or “PQ.” Remember again, it’s really just terminology. The point is it’s what we do that counts. Critical aspects in acceptance criteria identified using scientific knowledge of the process and an analysis of risk to the patient that may arise through the manufacturing process, equipment, or the systems.
Remember to be aware of the quality by design through this product quality lifecycle and approve any associated verification plan. The final approval: determination that a manufacturing system contains critical elements or is fit for intended use.
So, the update of the GAMP guide, as you’re all aware, was really eagerly awaited by everybody. GAMP has become the de facto guideline for regulated companies and the industry alike, and has provided this extremely welcome common ground on which to approach the validation of automated systems. It’s also the cornerstone, incidentally, of Veracord’s quality management system.
GAMP 5 is a major rewrite of the guide and contains some significant changes in approach. The changes are intended to bring the guidance in line with the changing nature of the industry and to reduce the cost of compliance.
You can see all kinds of different drivers, but probably one of the main drivers was the agreement within the GAMP Council that future GAMP activities needed to focus on areas where it could add the most value to established industry best practices. However, there are many other drivers, as you can see here.
So, what are some of the key concepts? The lifecycle approach within the quality management system essentially focuses on adopting a complete computerized lifecycle, which entails defining activities in a systematic way from a systems conception to retirement. That enables management control and a consistent approach across systems.
Scalability of lifecycle activities is incredibly important, and GAMP 5 recommends that lifecycle activities should be scaled according to system impact on patient safety, product quality, and data integrity, system complexity integrity and the outcome of the supplier assessment.
Another key concept is process and product understanding, which essentially focuses on an understanding of the supported process which is fundamental to determining system requirements. Product and process understanding was really the basis for making science and risk based decisions to ensure that systems are fit for intended use.
Here’re some of the real examples and benefits to using this GAMP 5 approach. I know that Mani had a couple of things that he wanted to comment on here.
Mani: Yeah, sure. Actually, one of the examples that I wanted share with the audience is one project that I just recently completed this year was the facilities monitoring system, FMS, which is based basically out of the Siemens Apogee software. Apogee Go software.
In that particular project what we did, we were able to reduce the cost of validation down to about 30% to 35%. And the way we did that, we accomplished the risk-based validation and really defined the URS, like I mentioned earlier, and out of those URS we started ranking each individual line item, and functional specification we did the same thing.
So we find that the ranking for the risk, how close is it to the patient safety? How close is it to the product quality? And we also built the quality by design into this by doing that.
So, we then separated the two buckets, if you would. One was the high-risk items. We said, OK, these items are going to be critical to the product quality and potentially risk to the patients’ safety, but we really did the thorough validation, we did the boundary testing, negative testing, and stress testing on those critical requirements.
So, let’s just say there were 100 requirements. We ended up doing at least 30 or 40 of those, the critical testing of that requirement. The remainder, we called that commissioning. And when I say commissioning testing, that means it didn’t really… We still did the testing. We still performed against the URS and functional specs and the design specs, but in that how we cleverly did it… The quality department was involved up front. They agreed that they’re not going to review those requirements’ testing packages.
And they are purely up to the IT validation group to manage. And, therefore, we were able to reduce the review cycle time and the testing time as well. So, we did perform a formal validation testing, we did the commissioning testing. And that had a different template.
The way we were able to reduce the cost also, when we were executing the tests we had an expedited template, which had a pass/fail at the end of each page instead of writing the actual result in each line item like you would in a typical validation package.
So that’s one example that I can share. Those are little tricks that you can implement. But, please make sure that your quality assurance department is fully on board and they are supportive of this approach. And your entire team is involved in risk assessments. Everyone has their say, but they have to be following a quality standard like I mentioned. That has to be clearly defined, and the risk-based approach and ranking has to be identified in that standard.
So, that’s one way to reduce the costs. That really works. I’ve done a few projects. Similarly I’ve done another project like Calibration Manager, CalMan. And we were able to reduce the cost down, again, to 30 percent of the typical validation cost that otherwise we would have to pay if we did the normal validation approach.
So, that’s a benefit, and a real example of ICH Q9 and GAMP 5. Thank you, Park.
David: Yeah, there’s actually some other great guidances that are out there that focus on this. What is it? I can’t remember off the top of my head.
There’s a technical information report, TIR36, I believe, that talks about the critical thinking approach to validation, which also lends to this general concept.
In TIR36, what they’re essentially saying, once again, is avoid the habit of just doing things the way that you’ve just always done them. Look at what really has to be done. It’s more and more common now to combine documents, among other things, which can save time in the appropriate areas.
So, what I’m showing you here now is this sort of new concept of the new V model. GAMP 5, remember, is really all about risk. Increasing complexity and/or novelty equals higher risk, which equals more effort and deliverables.
Moving away from traditional qualification and terminology, the traditional IQ/OQ/PQ, remember that terminology confuses people outside of validation and QA departments. It’s still available, but it’s optional. So, look at the V model to the right, and you’ll see this new approach.
Mani: So, again, this is a key slide. If you would, take a look at the right side of the slide here. As you can see, the risk management is really built into the process. It’s really an iterative process throughout the life cycle of validation.
Whether you are in the plan phase or verify phase or you’re in the reporting phase, really, risk management or risk assessment is constantly going on within the project. So, there are different milestones that you can set, and you can assess the risk and mitigate those risks as you go along with this process, as opposed to the older model on the left side, that’s the typical, traditional validation life cycle that we are all used to.
So, that’s the key difference here. We’re implementing risk management throughout the life cycle of validation here. Thank you, Park.
David: You bet. One of the things that I use as an analogy for myself on stuff like this, I personally have done a lot of building of homes in a previous life, and bringing validation in early helps to prevent wasted effort.
For instance, in homes, codes change all the time. The distance between outlets on walls, for instance, changes. And you wouldn’t want to go ahead and build a whole home and put all the outlets in the house and then sheet-rock the whole thing and get it all painted, only to discover that your outlets were at 12 feet apart when they should have been at eight feet apart. It’s a big waste to have to take things apart and have to do it again later.
The concept of bringing in this risk early on allows you to consider what things are potentially going to impact your project and take care of those at the beginning of the project. At the end of the day, it really comes down to more effectively planning and determining the risk. At the end of the phase, basically, it drives down the costs of compliance.
What we’re trying to do here is show a little bit of how the E2500 process and GAMP 5 now overlap. You saw these same terms in the last slide, where we’re focused on planning, specifying, building, verifying, and reporting.
This ASTM E2500 was finalized, again, in November 2005. It was published in 2006, and it really details the entire risk process, of which risk assessment, as you can see, is right in the first phase.
This replaces the traditional GAMP 4, a V model, and it really presents three steps, overall, to the assessment process, which include identification, what might go wrong and clearly defining the risk in question, to analysis - in other words, what’s the likelihood, or how bad would it be - and finally, evaluation - what are the levels of risk criteria. And those need to be defined in advance.
So, there’s a variety of different principles that come out here that are all key to GAMP 5. Again, we’ve focused on a lot of these different things, focusing on what affects product quality, remembering that requirements are the key to acceptability. Risk assessments are required to identify the critical features, to focus on critical features for formal qualification.
To remember that all the activities have to contribute value, that almost seems like a redundant statement, but it’s amazing how some activities that occur really wind up being there because it’s the way we’ve always done it.
It’s not taking a zero-based approach to things. A lot of companies will say, “Well, this is the way that we’ve always done it,” without regard to whether or not individual activities actually provide significant value.
Remember that different systems and equipment require different levels of attention. Again, higher complexity equals greater risk equals greater effort. Documents have to serve a useful purpose. Again, you might use the whole document set for a very complete and high-risk process, but for something simple, fine to go ahead and combine documents.
So, those are some of the general things. Also, number eight. Most suppliers are now providing documentation, or providing templates for everything. Leverage that. It’ll save you time and energy.
Mani: On that note, Park, if I may, the supplier documentation, obviously, is the key. But, one thing I would add is definitely do a vendor audit to make sure that the supplier has a quality system that’s in place as well, because in the industry the trend is now, more and more, to go with a carts systems, and that means that you are not doing any in-house development for the software code.
Most of that burden is shifted to the supplier and, therefore, the supplier has to also comply with that. So they have certain obligations to the standards and guidelines as well. So make sure, when you do perform the vendor audit, that the supplier can substantiate their quality system, their documentation, in support of these guidance, and their code is well-written, their testing is well-documented. So, you can use that. Then, therefore, you can leverage that documentation as well. Thank you, Park.
David: You bet. So, these are all logos of different regulatory-guiding agencies around the world. As you can see, we’ve arrived now at this point where international trade has created a course towards global alignment in regulations, and with it the guidelines for achieving compliance.
As far as the global trends are concerned, well, standards are going to continue to become aligned globally with the CFRs and ISOs, as the promotion continues through the efforts of such organizations as the World Health and ICH and driven by the increase in international trade and offshore manufacturing.
The alignment of the life sciences industries will continue with the assistance of guidelines like GAMP 5 and good practices. There’s also going to be increased vigilance on the capabilities of individuals on the selection of both employees and consultants.
There’s a rapidly growing realization that from a strong base of subject competency in all departments that make up an organization, the goal of compliance to the applicable standards and the regulations with the assistance of the good-practice guidelines, such as GAMP, can be more efficiently achieved. Therefore, the basis of knowledge becomes the foundation, as it once was before the information revolution. Without this basis, one can’t hope to understand any standard, any regulation or guideline.
So, what we have is that GAMP 5 is a pragmatic and practical guidance to achieve compliant computerized systems fit for intended use in an efficient and effective manner. GAMP 5 presents a flexible, risk-based approach to compliant GxP-regulated computerized systems, based on scalable specification and verification. And it points to the future of computer-systems compliance by centering on principles behind major industry developments such as the Product Quality Life Cycle Initiative, ICH Q8, 9, and 10, and ASTM E2500.
And that is all we have. Thank you very much for attending.
Mary Kay: OK. Well, that sounds great. Thank you, Park. This is Mary Kay Lofurno, Marketing Director here at SyberWorks. Thanks for joining us today on our webinar, “GAMP 5 Meets National and International Regulations.”
Join us for our next webinar on 21 CFR Part 11, and it’s titled, “21 CFR Part 11 and its Application in a Compliant Environment,” which will be held on October 27 from 11:00 AM to 12:00 PM Pacific Standard Time. Additionally, that would be 2:00 PM to 3:00 PM Eastern Standard Time. Look for upcoming announcements to cover details and registration.
We hope this webinar was informative and you enjoyed the presentation today. Have a great day.
