4.RA, Testing, NetworkQual, Procedures V2 9feb17

RISK ASSESSMENT
Validation : ERP
URS
ERP work flow diagram
critical processes? - Risk Assessment
o E.g. Material receiving, sampling, distribution
What is the GMP data?
interfaces to other systems? Included in VP?
o E.g. interface to MES, eQMS, LIMS
Validation Planning
Any deviations/changes/incidents?
Network qualification
Operation and maintenance?
o Access & Security, BCP, backup
Connecting Pharmaceutical Knowledge ispe.org

Validation Planning
Primary Responsibility
Regulated Company
User Requirements Requirements

Specification Testing
Functional Functional
Verification
Specification
Configuration Configuration
Configure
Product
Supplier
Configurable Product
Supplier
QMS
Approach for Configured Product (Category 4)

Validation Activities & Documents
VP VR
TSR
URS
UAT-T
HLRA
Config
& Cust Integration
Func Requirements
FRD SIT-T + EIT
Doc
Config & Custom EDD
Spec DAT-T
Data take on
IDS IDT
Infrastructure tests
Validation Team FRA
DEV-T
Local ERP Supplier Tests
Supplier Build
ERP Config
ERP Provider User
Acceptance
Risk Management
PIC/S says there must be a comprehensively designed and correctly implemented
system of Quality Assurance Incorporating Good Manufacturing Practice, Quality Control
and Quality Risk Management.
Quality risk management is a systematic process for the assessment, control,
communication, and review of risks to patient safety, product quality, and data
integrity, based on a framework consistent with ICH Q9 (Reference 10, Appendix G3).
It is used to identify risks and to remove or reduce them to an acceptable level as part of
a scaleable approach that enables regulated companies to select the appropriate life
cycle activities for a specific system.
Connecting Pharmaceutical Knowledge ispe.org 5

PIC/S (Annex 20)
Initiate
Quality Risk Management Process
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk Management tools

Risk Communication
unacceptable
Risk Control
Risk Reduction
Risk Acceptance
Output / Result of the

Quality Risk Management Process
Risk Review
Review Events

Risk-Based Approach for Configured
Product (Category 4)
GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

Initial Risk Assessment
An initial risk assessment should be performed at (or before) the beginning of the project
phase.
The assessment follows, or is in parallel with, development of the User Requirement
Specification (URS).
The assessment should be based on an understanding of business processes and
business risk assessments, user requirements, regulatory requirements, and known
functional areas. Any relevant previous assessments may provide useful input, and these
should not be repeated unnecessarily.
Risks introduced by computerization of the business process (e.g., electronic record
integrity) should be included in the assessment.
This risk assessment is likely to focus on important risks to GxP and to the business
process, rather than detailed functions and technical aspects.
The process owner and the quality unit, typically, are involved at this stage in addition to
the input of appropriate SMEs.

Functional Risk Assessment
Where these are required, functional risk assessments should be used to identify and
manage risks to patient safety, product quality, and data integrity that arise from failure of
the function under consideration.
Functions with impact on patient safety, product quality, and data integrity are identified
by referring to the URS, functional specification (FS), and the output of the initial risk
assessment.
Computerization may introduce particular risks (e.g., electronic record integrity, system
availability, security, infrastructure) not otherwise associated with the manual business
processes.
The design of computerized systems may provide controls for identified risks, but may
introduce other risks that require controlling. This should be included in the assessment.

Risk Assessment: ERP
Identify modules affect quality e.g. MM and QM in SAP
Identify GMP functions, e.g. functions for :-
material identity, status and location
GMP labels, reports
GMP transactions
GMP interfaces
Identify critical data
critical data requires additional check on accuracy of the record prior to
further processing of data by second operator or validated electronic means
Identify controls that ensure correct operation of functions
Identify controls for correct data

GMP or Non-GMP?
Financial &
Accounting
Maintenance Inventory
management Management
Warehouse Sales &

Management Marketing
ERP
Human
Purchasing
Resource
Production
Quality
Planning &
Management
Control

ERP: GMP Functions
New supplier approval
Management Management
Supplier Agreements
of Users of Suppliers
Issue Purchase order
Receiving
Verification
Place in quarantine status Management Management Management
of Raw of Packaging of Finished
Request QC testing Material Material Product
Location in warehouse
QC Approval Status change
Raw Material Management of exceptions

Packaging Material Management Management of returns to stock and reconciliation
Management
In-process of
of Sampling Management of destruction
Finished Product Production
Managements of expired stock
Shop Floor Creation

Allocate stock to order Management Preparation
Consumption of stock Management of
& Production Labelling
Distribution
orders Loading
Transportation
Management of returns to stock and reconciliation

Management of destruction Management
of Exceptions

High Level Risk Assessment
Area of Risk Evaluation:
- Risk Management
- Personnel
- Supplier/ service providers
- Validation
- Data interfacing
- Accuracy
- Data storage
- Audit trails
- Change Management
- Electronic signature
- Etc.

Business Flow Process
Marketing Print Item
plan Production
Label Planning
ERP
Update Test Change Print Item

Item No. Results Status
Label Status Label
Item: Mfg. code
Order Raw Tag
Purchasing Site, Location
Material Initiate WO
lot/Serial Ref.
Quantity Expiry RM Supplier Plan
Date Trends
Check Stock,
Planning+ Receive Materials Receipt
Warehouse
Production New Change

Plan Delivery Status Label
Place Item
Apply Item
Weighing into defined
Label Tag
Location
Order
Accepted
upon Visual
Inspection?
Awaiting
Manufacturing
Yes
Perform Transport Order
Wait for
Upload Procedure and Sample to
Sampling
Delivery take Sample QC Lab
QA/QC
RM Sampling by QC
QA: Record
data, Trends
Enter Test for RM
QC Testing
Result Suppliers

Business Blueprint

Identify all business process

- Main process e.g. master data, procurement, goods receipt, goods issue, etc.
- Process ID
- Process description
Identify GMP related
If GMP related is Yes then do detailed risk assessment

- Risk scenario
- Risk level
- Risk control
- Required testing



TESTING
Testing Objective
Identify defects before operational use
Prevent failures that might affect patient safety, product quality, data integrity
Provide documented evidence that the system performs as specified
Demonstrate that system meets its requirements
Provide confidence that the system is fit for its intended use
Provide a basis for user acceptance
Meet a key regulatory requirement

Testing Steps
Create Test Strategy/Test Plan

Create Test Protocol/Test Specification
Review and Approve Test Specification
Test Execution
Create Test Report
Review and Approve Test Report

Testing Documents
Define approach
of testing
Set of test scripts

that are suited for a
specific purpose
Include supporting
evidence e.g.
Details of tests video, screenshot,
print out, etc.
GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems

Roles & Responsibilities
User
SMEs
Test Manager
Plan testing and write test plan
Test Analyst
Develop test cases & QA
test scripts
Test Reviewer
Review test cases, test scripts, Supplier
test results
Tester
Execute test cases
Record test results

User
SMEs
Test Manager
Plan testing and write test plan
Test Analyst
Develop test cases & QA
test scripts
Test Reviewer
Review test cases, test scripts, Supplier
test results
Tester
Execute test cases
Record test results

Concerns:
Tester Independent. Not authors of the

Execute test cases software, test scripts.
Record test results
Test Reviewer
Review test cases, test scripts,
test results Not the same person as
the Tester
Test Analyst Requires expertise and

Develop test cases & experience person.
test scripts

Types of Testing
Positive Case or Normal Case Testing
challenges the systems ability to do what it should do, including triggering significant
alerts and error messages, according to specifications.
Negative Case or Invalid Case Testing
challenges the systems ability not to do what it should not according to specifications.
Repeatability Testing
challenges the systems ability to repeatedly do what it should, or continuously if
associated with real time control algorithms.
Performance Testing
challenges the systems ability to do what it should as fast and effectively as it should,
according to specifications.

Types of Testing
Volume/Load Testing
challenges the systems ability to manage high loads as it should. Volume/Load testing
is required when system resources are critical.
Regression Testing
challenges the systems ability to still do what it should after being modified according
to specified requirements, and that portions of the software not involved in the change
were not adversely affected.
Structural/Path Testing
challenges a programs internal structure by exercising detailed program code.
Depends on Complexity and novelty of the

system, Risk & Supplier Assessment!

ERP Validation Activities & Documents
VP VR
User TSR
URS
Acceptance
UAT-T
HLRA
Config
& Cust Integration
Func Requirements FRD SIT-T + EIT
Doc
Config & Custom EDD
Spec DAT-T
Data take on
IDS IDT
Infrastructure tests
Validation Team FRA
DEV-T
Local ERP Supplier Tests
Supplier Build
ERP Config
ERP Provider

ERP Testing
Infrastructure verification
- Hardware
- Software
- Network
- Environment
Development Testing
Installation & Configuration Testing
Data take on / Data migration
- Master Data
- Transaction
System Integration Testing
- To test integrated software components, sub-systems, completed system
- E.g. Interface
User Acceptance Testing
ERP Testing

Testing
Normally the following tests are performed:-
Development Unit Test (DUT) - Proves that the developers have

done their development correctly for developed software (forms &
labels)
Functional Test - (FT) - Proves that the standard software and
developed software works correctly
Integration Test (IT) - Shows that the individual modules work
together when integrated in a process
User Acceptance Test (UAT) - End to end testing of specific
processes
The validation should reference all these tests and also cover all the
controls identified in the risk assessment and testing of the user access
levels.

Test Environments
D Q P
Development Testing Production
Where prototyping/ Where formal testing is Where the system is in
programming take performed its target environment
place Test records should be
Initial testing by clearly distinguishable
developers from production
records

Example of Unit Test for ERP

Testing Controls
Based on the risk assessment identify controls which may be system

controls and part of validation testing or can be procedural controls
(SOPs). Create test protocols to include :-
- test of master data

- testing routine operations and process scenarios
- test controls, this involves positive and negative testing depending
on risk level
- test SOPs

Example Testing
Purchasing:
Try to enter wrong material information
Try to use the unique supplier number with another supplier
Try to use a supplier not approved
Try to use a blocked supplier
Try to order material from an incorrect supplier
Try to order the wrong material from an approved supplier
Try to use the unique material number for another material
Try to operate the system outside the normal workflow
Try to operate the system with a person who is not trained

Example Testing
Material/Product Receipt:
Try to input wrong data during receipt
Try to use a material which is not approved not conform or which gives
errors during receipt process
Try to use a material with wrong Supplier number, article number, lot
number
Try to use a material without traceability
Try to use a material which has expired
Try to use a material without stock control not correct zone, type
Try to use a material with a mistake on the label
Try to operate the system with materials without records
Try to operate the system using unlabelled material

Example Testing
Quality Control:
Try to set up stock that does not conform to traceability rules and try to
use this stock
Try to change status of stock without following the rules e.g. sampling /
approval and try to use this stock
Alter lot number of stock without following the system rules and try to
use this stock
Try to operate the system with a person who is not trained / not a
qualified person
Try to release products which do not conform

Example Testing
Production Order:
Try to use a material with wrong status
Try to use wrong material
Try to issue material twice
Try to issue a material not approved (wrong status)

Interfaces
Management of the System
Set up Raw Materials
Set up Product
Set up Specifications
Request Sample in ERP Management of Users
Set up Methods Physical Movement
Set up Users
Workflow
Log on to LIMS
Management of Suppliers
New supplier approval
ERP
User ID Supplier Agreements
Verify Sample Issue Purchase order
Test
Shop Floor Management
Approve CoA by hand
Management of RM And production orders
Enter status change on SAP
Receiving RM Allocate stock to order
Material status change Verification Consumption of stock
Place in quarantine status
LIMS entered on SAP by Lab Manager
Request QC testing
Location in warehouse Management of FP:
QC Approval Status change Receiving
Verification
Place in quarantine status
Management of PM: Request QC testing
Management of the System Same as for raw materials Location in warehouse
Set up a Workstation Data transfer QC Approval Status change
Set up a Balance
Set up a User
Lot number
Production order Management of Sampling: Management of distribution:
Manage of sampling RM Creation
Material identity Preparation
Workflow Manage of sampling PM
Follow the workflow Material status Manage of sampling In-process Labelling
User ID Material quantity Manage of sampling FP Loading
Verify RM Transportation
Weigh
Check weight Management of production:
Data transfer Management of exceptions
Lot number Management of returns to stock and reconciliation
Weighing Production order
Management of destruction
Quantity weighed
System Material returned

Example Testing
Interface:
Try to test of Interface to Weighing System
Try to operate without data transmission or with double data
transmission
Try to use a material with wrong status, location, expiry dates
Try to use wrong type of stock, incorrect movement
Try to use wrong type of packaging
Try to use material with status for destruction

Example Testing
Distribution:
Try wrong input of data
Try to ship lots not released
Try to ship lots with faulty labels
Try to ship wrong product, incorrect movement from warehouse
Try to ship order made up of incorrect packs

Example Testing
Others:
Try to operate without data transmission or with double data
transmission
Try to use a material with wrong status, location, expiry dates
Try wrong type of stock, incorrect movement from warehouse
Try to use material with status for destruction
Try to operate without sterilisation process
Try to have non-conforming product pass through the system

Testing points to consider for all
systems
Power Failure Testing:
prevention against loss of critical data or loss of control action
ease of controlled restart
System access and Security features
Audit trails and logging of critical actions including manual interactions
Manual data entry features, input validation
Electronic signature features
Alarms and error messages

Critical calculations
Critical transactions

Testing points to consider for all
systems
Transfer of critical data into other packages or systems for further processing
Interfaces and data transfers
Backup and restore
Data archival and retrieval
Ability to deal with high volume loads especially if the system is accessed by many users as
part of a network application

Test Reporting
Follow Good Document Practice (GDP)

Clearly state PASSED or FAILED
Summarize activities and findings
Final conclusion
Any corrections?
Any deviations?

NETWORK
QUALIFICATION
Annex 11
The application should be validated

IT infrastructure should be qualified

IDS & IDT
The purpose of the Infrastructure Design Specification (IDS)
is to document all the information for the network including the
hardware and software details required to run the network
The following applications will run on the network:
ERP
eQMS
LIMS
BMS
The components identified in the IDS will be tested in
accordance with associated test specification document called
the Infrastructure Design Test Specification and Report (IDT)

IT Infrastructure
Network Description and Diagram

Specification of Network Hardware
Specification of Network Software
Installation Testing of Network Hardware
Installation Testing of Network Software
Network Qualification Tests

Example: Infrastructure Drawing
Interface layer
ERP, MES, etc.
HMI Layer
Control Network
Layer
Process
Controller Layer
Controlled
Equipment

Example: ERP Infrastructure

DESIGN TEST
IDS = Overall Infrastructure

Overall Infrastructure Acceptance
Design Spec (controls that all Verifies
Test (controls the sequence and
specs are defined and
responsibility)
responsibility)
Appendices References
Vendor Install and Config Specs Vendor Install and Config Specs
(e.g: werum
Vendor pasxand
Install install)
Config Specs (e.g: werum
Vendor pasxand
Install install)
Config Specs
(e.g: werum pasx install) (e.g: werum
Vendor pasxInstall
Tests install)
and Config
Vendor Design & Config Specs
tests

Network Hardware
Main Computer Systems: ERP
Primary Database Server
Primary Application Server
Test/Training Server
Database Shared Storage Array
Clients

Other Hardware
Human Interfaces
Storage Devices
Other Peripherals
Barcode Scanners
Printers
Interconnections to outside
Input/Output Devices
Scales
Environment
Electrical Supply

Network Software
Operating Systems
Oracle Server Installation
Oracle Database Installation
Specific Installations
ERP application software

Example: ERP installation
ERP Server Installation
ERP Application Server Installation
Oracle Client Installation
ERP Client Installation
ERP Interface
METTLER TOLEDO Scale Installation and Scale Configuration
Printers Installation
Barcode Scanners Installation
User Configuration
ERP specific Master Data

Interfaces
Examples:-
ERP / LIMS e.g. status
ERP / MES e.g. manufacturing order or BOM
MES / LIMS
MES / Process control e.g. recipe
MES / stand alone equipment e.g. alarms
MES / Historian e.g. data
MES / eQMS e.g. deviations
LIMS / eQMS e.g. OOS

Network Qualification - IQ
Checking the specification of the physical network design and components.
There should be a complete specification and drawings and all components
should be listed as configuration items.
Require accepted international standards for supply and installation of both
copper and optical fibre network cables, with good quality cables, good quality
fibre optic welding and good quality cable sockets.
Sockets in clean room are special ones to prevent cleaning contamination and
sockets in production, in meeting rooms and offices can be subject to heavy
wear and should be good quality.
Check the suppliers (audit) have the required knowledge and training and that
they supply good quality components.
IQ is required to check all the critical components against the specification.
A person from IT should witness the installation of network and be involved in
the IQ.

Server Room Qualification - IQ
Servers
Connection racks and patch panels
Cables
HVAC system (there is a separate HVAC for the server room)
Access Control
Fire Protection System

Network OQ Tests
Power failure test

UPS test
Diesel Generator test
Backup and restore
Data archival and retrieval
Disaster Recovery test
Access test

OPERATIONAL
PROCEDURES
Operation of GxP IT Systems

Required Operational Procedures
Service Management and Performance Management
- Service Agreements & Service Level Management
- Preventative Maintenance
- Performance Management
Security and System administration

- System Administration
- Physical Security
- Logical security
- Access management
- Anti-Virus Software
- Infrastructure management

Required Operational Procedures
Change management
- Operational Change and Configuration Management
- Repair Activity
Incident management & CAPA

Continuity management
- Backup and Recovery
- Archiving and Retrieval
- Business Continuity Planning
- Disaster Recovery
- DR Testing
- Start-up / Shut-down Power Failure
Audit and review process

Training

Security Management
Access
- Access to Site
- Access to buildings
- Access to rooms
- Access to IT systems
- Access to Laboratory systems
- Access to process control systems including cabinets

Security Management
Physical security
System access security including granting and revoking access, for
example issuing user-ids and control of passwords
3rd party access
Use of electronic messaging systems
Shared network resources
Internet access and use
Use of mobile computing resources, including, for example, laptop
computers, PDAs and smart mobile phones

More Security
Connectivity to external computer systems
Anti-virus policies
Intrusion detection
The use of controlled or verified PCs
Access rights of all the users, record in a specification document.
Access levels tested

Procedures - Testing & Training
All procedures should be tested as part of validation
Appropriate training required for procedures

4.RA, Testing, NetworkQual, Procedures V2 9feb17

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

4.RA, Testing, NetworkQual, Procedures V2 9feb17

Загружено:

Авторское право:

Доступные форматы

RISK ASSESSMENT

Connecting Pharmaceutical Knowledge ispe.org

User Requirements Requirements

Approach for Configured Product (Category 4)

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org 5

Risk Management tools

Output / Result of the

Connecting Pharmaceutical Knowledge ispe.org

GAMP5: A Risk-based Approach to Compliant GxP Computerized Systems

Connecting Pharmaceutical Knowledge ispe.org 7

Connecting Pharmaceutical Knowledge ispe.org 8

Connecting Pharmaceutical Knowledge ispe.org 9

Connecting Pharmaceutical Knowledge ispe.org

Warehouse Sales &

Connecting Pharmaceutical Knowledge ispe.org 11

Raw Material Management of exceptions

Shop Floor Creation

Management of returns to stock and reconciliation

Connecting Pharmaceutical Knowledge ispe.org 12

- Supplier/ service providers

Connecting Pharmaceutical Knowledge ispe.org 13

Update Test Change Print Item

Production New Change

Connecting Pharmaceutical Knowledge ispe.org 14

Connecting Pharmaceutical Knowledge ispe.org 15

Identify all business process

Identify GMP related

If GMP related is Yes then do detailed risk assessment

Connecting Pharmaceutical Knowledge ispe.org 16

Connecting Pharmaceutical Knowledge ispe.org 17

Connecting Pharmaceutical Knowledge ispe.org 18

Connecting Pharmaceutical Knowledge ispe.org 20

Create Test Strategy/Test Plan

Connecting Pharmaceutical Knowledge ispe.org 21

Set of test scripts

GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems

Connecting Pharmaceutical Knowledge ispe.org 22

Connecting Pharmaceutical Knowledge ispe.org 23

Connecting Pharmaceutical Knowledge ispe.org 24

Tester Independent. Not authors of the

Test Analyst Requires expertise and

Connecting Pharmaceutical Knowledge ispe.org 25

Connecting Pharmaceutical Knowledge ispe.org 26

Depends on Complexity and novelty of the

Connecting Pharmaceutical Knowledge ispe.org 27

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org 30

Development Unit Test (DUT) - Proves that the developers have

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org 33

Based on the risk assessment identify controls which may be system

- test of master data

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org

Connecting Pharmaceutical Knowledge ispe.org