Risk Based Approach for Life Cycle Computerized System in Pharmaceutical Industry

The pharmaceutical industry is one of the most heavily regulated industries in most countries in the world. Regulations issued by the regulators are intended to ensure that the systems and processes in the industry produce the product without impacting its safety, efficacy, integrity and quality.
Computerized systems are commonly used in pharmaceutical manufacturing activities, from planning, warehousing, production and engineering to testing in laboratories. Computerized systems are used not only as information systems or for processing data; companies also use them to control their processes, such as automation systems in the production area.
Recent reports from regulators show an increase in reports of companies failing to maintain their computerized systems in compliance with cGMP (current good manufacturing practice).


Background
One of the requirements that many regulators impose on computerized systems is that they be managed using a risk-based approach. Managing the risk of a computerized system is required not only in the phase when we want to buy or start using the system; the pharmaceutical industry is required to apply a risk-based approach throughout the whole life cycle of the computerized system. The best approach to managing the system is to use a risk management approach for the computerized system. (European Commission, 2010)

• Product and Process Understanding
Understanding the product or manufacturing process in which the computerized system is used is fundamental to ensuring the system is fit for purpose for the activities. Understanding the process also includes the quality-critical parameters and the regulatory requirements that the industry needs in order to ensure the system is fit for purpose.

• Life Cycle Approach
A life cycle approach to the computerized system provides organization and control over planning, design, development, verification, implementation and decommissioning or retirement of the system.

• Scalable Life Cycle Activities
The GAMP 5 guidelines outline that life cycle activities should be scaled according to:
  • System impact on patient safety, product quality, and data integrity (Risk Assessment)
  • System complexity and novelty
  • Outcome of supplier assessment
There may be other factors that companies may want to consider when making assessments.

• Science Based Quality Risk Management
The approach to activities for a computerized system should be based on the result of the quality risk assessment. The risk assessment evaluation should be the driver of the computerized system program. How the program differs from one system to another is also defined by the risk assessment.

• Leverage Supplier Involvement
Supplier involvement is also one of the important keys to delivering a computerized system that is fit for purpose. A risk-based approach is used to define the supplier and the technology that will be implemented, especially for a new system.

Validation V Model Framework
Building a good computerized Building Management System (BMS) is not only a matter of design and code development to fulfil the user's requirements. Regulators want the system to be built following the full development life cycle of the BMS, based on a risk-based approach.

User Requirement Specification (URS)
The first stage of the V model of validation is the user requirement specification. The process starts by defining what the user requires of the new BMS. In this stage the user should also understand the regulatory and product risks and requirements, as well as their own operational requirements.

1. The system is required to control the AHU, chiller and steam in the manufacturing process to ensure the manufacturing process is supplied with air, temperature and RH as intended for each room. (Operational and cGMP)
2. The system should be able to record all data from the BMS measurement results, and the records should be available to display at any time. (cGMP)
3. The system should have an access management system to prevent the system from being accessed by unauthorized persons. (cGMP)
4. The system should be capable of recording all activities conducted in the system by each person (login, logout, deleting, changing, setting, etc.). (cGMP)
5. The system should have an alarm system to notify when an alarm occurs in the system that might impact the process or product. (Operational and cGMP)
6. The system should support strong passwords (a combination of alphanumeric, lowercase and uppercase characters). (cGMP)
7. The system should be able to back up, restore and archive data routinely. (cGMP)
8. The system should be user-friendly to operate. (Operation)
9. The system should have privilege levels for operation (administrator, supervisor and operator). (cGMP)

With an understanding of those requirements and expectations, we continue by assessing the system's impact on Good Manufacturing Practice (GMP) data, to determine whether or not the BMS will hold GMP data; this GMP data is very important to the regulator. To conduct the GMP data evaluation we can use the flowchart in Figure 2.

Figure 2. GMP data evaluation

[Flowchart: Initial GMP Data SYSTEM Evaluation. Decision: Does the "SYSTEM" produce or maintain GMP data? Outcomes shown: "Not in Scope, no action"; "TYPE 1".]

The flowchart and the URS show that the BMS is a system that produces environmental data required by the regulator: the BMS is capable of storing configuration and parameters, it produces GMP records, and it also stores and maintains GMP records electronically.

Software Categorization
During design, or in the process of system specification, we are required to categorize the system according to the GAMP 5 software categories. In this phase we normally already know what type of software we will use for the BMS. The categorization of the software follows Table 2.

Table 2. GAMP 5 software categorization (ISPE, 2008)

Risk Assessment
The next phase of the BMS life cycle as a GMP computerized system is to conduct a risk assessment of the impact of the BMS under several considerations, such as product safety, system use, technology and complexity. The following table gives the guidance questions used to assess the BMS.

Table 3. Risk assessment questions

No. Risk Assessment Guidance
1.0 Category - Product Safety
1.1 Does this system impact or capture data about the quality of the final commercial / clinical product or the quality of final submissions data for a product?
1.2 Does this system generate or store records (hardcopy or electronic) that are used in creation of submissions or in support of manufacturing processes (i.e. training, procedures, calibration, maintenance, investigations, study reports)?
1.3 Is this system used to track distribution of the product?
1.4 Is this system involved in capturing information that would alert Pfizer to the need to take an action or support the execution of an action that impacts product quality (i.e. process change, product recall, labelling change, adverse event / safety reporting)?
1.5 Is this system used in the creation or verification of product labelling (inserts, outserts, cartons, advertising, packaging, physician advisories)?
2.1 Does the same system have a history of prior quality issues or regulatory inspection findings?
2.2 If this system uses electronic records or electronic signatures, how is compliance achieved?
3.0 Category - Technology
3.1 Is the system / technology new or well-known for its ability to perform the function?
3.2 Is the vendor who offers this system or internal support staff experienced and stable?
3.3 Is the system networked or stand alone?
4.1 Is this a complex system and have a potential to imply higher risk for failure due to factors like buggy code, incorrect configuration or improper implementation?
4.2 Does this system have interfaces with one or more systems and / or separate and distinct components?

From the answers to the questions, for severity, probability and detectability, we can see whether our BMS is a minor risk, major risk or critical risk. To determine which risk category the BMS falls under, we can follow the risk value number in Figure 3.

Figure 3. Risk Value Number

System Specification
The system specification provides the high-level functions required of the system. For the building management system (BMS) project, the system specification is as follows, but not limited to:
• Function on how the system controls the AHU, chiller and steam.
• Function of recording data.
• Function of audit trail.

Technical specification
The technical specification mostly deals with the hardware. For this BMS project the technical specification covers:
• Drawing or P&ID used for the system
• Specification of the PLC system used to control the BMS
• Programming ladder diagram for the PLC system
• etc.

Program development
After the design stage documents (system specification and technical specification) have been produced, it is time to build the system so that it implements the requirements in the user requirement specification. During development, the manufacturer should follow the entire system specification and technical specification to ensure the system is built as required by the user and in line with the regulatory requirements.

Testing Stage
In this stage the system is tested to ensure it is fit for its intended use and complies with the requirements.

Unit Test
The unit test is the stage after development that ensures the system has been made as required by the user. Normally, before the manufacturer sends the system to the customer, the manufacturer carries out testing in its factory together with the customer, normally called the factory acceptance test (FAT).

System Integration (installation qualification)
In this stage all the hardware related to the system is tested; this is commonly called installation qualification. During this testing the vendor and the user normally test all the hardware together. The following tests are normally conducted:
• Review the installation of each component against the P&ID or drawing
• Review the cable installation and ensure all components are connected with the right cable
• Review the installation of the PLC and ensure the PLC and associated components are connected properly
• Etc.

System Installation
In this stage the software functions of the system are tested; this is commonly called operational qualification. During this testing the vendor normally tests all the software configuration or installation. The following tests are normally conducted:
• Review the control function for the AHU in the system, and ensure the system is able to control the AHU even when there is variation in the system, such as the outside temperature increasing during the daytime
• Review the function that displays the measurement results from the PLC system and sensors
• Review the approval function for any deviation arising from an out-of-specification measurement from the BMS

Operation (Performance Qualification)
In this stage the basic requirements from the user are tested; this testing is commonly called performance qualification. This testing normally covers all the basic requirements from the user requirement specification stage. The following tests are normally conducted, but not limited to:
• Review the user access function, such as testing login in the application to ensure the system only accepts a proper login
• Review the capability of the system to capture all activities in the audit trail, such as by performing several activities in the system and then ensuring all of them were captured and recorded by the system
• Review the alarm process of the system, such as by challenging the alarm up to the limit and ensuring the raised alarm is shown in the system and recorded
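
The audit-trail review described above can be scripted; the following is an added example, not part of the original paper or of any BMS product. The record fields (user, action, time), the 5-second matching tolerance and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Activity types named in the URS audit-trail requirement on this page.
URS_ACTIONS = {"login", "logout", "deleting", "changing", "setting"}

# Constructed sample: steps the tester executed during PQ.
EXECUTED = [
    {"user": "op1", "action": "login", "time": "2024-01-10 09:00:00"},
    {"user": "op1", "action": "setting", "time": "2024-01-10 09:01:00"},
    {"user": "op1", "action": "changing", "time": "2024-01-10 09:02:00"},
    {"user": "op1", "action": "deleting", "time": "2024-01-10 09:03:00"},
    {"user": "op1", "action": "logout", "time": "2024-01-10 09:04:00"},
]
# Constructed sample: audit trail exported from the system afterwards.
TRAIL = [
    {"user": "op1", "action": "login", "time": "2024-01-10 09:00:01"},
    {"user": "op1", "action": "setting", "time": "2024-01-10 09:01:02"},
    {"user": "", "action": "changing", "time": "2024-01-10 09:02:01"},
    {"user": "op1", "action": "logout", "time": "2024-01-10 09:04:00"},
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def check_audit_trail(executed, trail, tolerance_s=5):
    """Return (missing, unattributed, untested).

    missing:      executed steps with no record for the same user and
                  action within the tolerance (assumed clock skew)
    unattributed: records that name no user
    untested:     URS activity types the test run never exercised
    """
    tol = timedelta(seconds=tolerance_s)
    unused = list(trail)
    missing = []
    for step in executed:
        match = next((r for r in unused
                      if r.get("user") == step["user"]
                      and r.get("action") == step["action"]
                      and abs(_ts(r["time"]) - _ts(step["time"])) <= tol), None)
        if match is None:
            missing.append(step)
        else:
            unused.remove(match)  # one record evidences only one step
    unattributed = [r for r in trail if not r.get("user")]
    untested = sorted(URS_ACTIONS - {s["action"] for s in executed})
    return missing, unattributed, untested

if __name__ == "__main__":
    missing, unattributed, untested = check_audit_trail(EXECUTED, TRAIL)
    print("PASS" if not (missing or unattributed or untested) else "FAIL")
    print("missing:", [s["action"] for s in missing])
```

With the constructed data the test fails: the delete was never recorded, and the change was recorded without a user, so it cannot be attributed to a person.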

Validation Planning
Based on all the assessments already made for the new BMS computerized system, we can plan the validation of the BMS. Validation planning cannot be made generic for all computerized systems; the planning should be based on the assessment of the computerized system already made in section 2.

Conclusion
The V model of GAMP 5 provides the framework for validation of computerized systems in the pharmaceutical industry. The framework is clearly defined and gives step-by-step guidance on how a company conducts the validation process, from design, build/development and implementation to qualification of the system, based on a risk-based approach as required by regulators. As we understand, there are many computerized systems in the pharmaceutical industry, and we cannot make the validation planning or management the same for all of them; the systems should be differentiated based on a risk-based approach.