The GAMP 5 validation describes the life cycle approach and phases, as well as the implementation methodology that ensures that the system fits its intended use and function and maintains GxP compliance throughout its life cycle. A Life Science company’s computerized system must maintain validation through every phase of its life cycle: from the system, conception to project, operation, and, finally, to its retirement. The Life Cycle approach defines a structured way to implement the well-known V-model, Figure 1, from project conception through the processes of specifying requirements, designing, and verification. QRM is used in this approach to assess, communicate, control, and review the project risk. This is critical for ensuring product quality and patient safety. It also ensures consistency of applications across systems and business functions.
Figure 1. V-model specifying the linear approach to achieve the validated system (adapted from 2nd edition of the GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems)
To manage data-related risks throughout the entire project life cycle and ensure GAMP 5 validation, the updated GAMP guidance introduces some new aspects for QRM. This includes:
- Process Risk Assessment: Describing business processes and data flows is one of the main aspects of ISPE’s data Integrity principles. The updated GAMP guideline recommends starting QRM activities at the business process level. By examining data flow through business processes, organizations can better identify process-specific high-level risks that can impact patient safety, product quality, and data integrity, as well as identify relevant controls. These controls can be used as requirements to design a new system with the applicable capabilities.
A process risk assessment can provide valuable inputs in terms of a company’s business process scope, description, regulatory requirements, and quality requirements. Business processes and data flow diagrams can make it easier to support risk management and data integrity across multiple systems.
- Critical thinking: Because “zero risk” is unattainable, risk management is often more effective when the responsible person is skilled in critical thinking. Risk can be context-dependent and can differ across similar processes depending on differences in patient safety, data integrity, and regulatory considerations. Critical thinking arms individuals with the skills needed to recognize worst-case scenarios in balance with a focus on the best-case scenario during this risk mitigation step.
Interfaces with other systems and the criticality of secondary business processes should be considered prerequisites for an initial risk assessment.
- Risk management of outsourced activities: GAMP’s 2nd edition includes outsourced activities in QRM, especially for cloud-computing services. The attention is focused on supplier assessment and management processes. The supplier assessment should determine whether a supplier can fulfill the regulated company’s QRM. The new guidance also advises that IT services be continuously monitored to prevent any gaps in quality.
Figure 2. The phases of system life cycle (adapted from the 2nd edition of the GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized systems)
Moving from waterfall to Agile methods
The concept phase of a system life cycle justifies the commencement of the project, while the project phase describes the scope, specifications, verification processes, reporting, and release. However, regulated companies are not always clear about the scope and requirements for customized systems. This is where Agile methodology can help.
The GAMP specification and verification approach are not inherently linear. It also fully supports iterative and incremental, or Agile, methods. That’s why the GAMP 2nd edition introduces Agile methodology to support the system life cycle approach. Agile methodology can provide a framework for that starting with a discovery phase to develop initial requirements, enabling initial system deployment and subsequent development.
Agile methodology was established in 2001 in response to waterfall approaches to project management. In a waterfall approach, a project is organized as a series of linear sequences that flow from defining and collecting all requirements before transforming these into a complete set of functional and design specifications, which are then configured/coded before testing commences.
The iterative and incremental Agile model is based on the creation of deliverable sections of the software, known as Deliverable Modules. The iterative and incremental model’s mission is to collect requirements and specifications, move them into a development environment through cycles of iterations (sprint) and transform them into a set of deliverable modules.
GAMP’s focus is on how to use well-implemented standard Agile processes to deliver software for GxP applications. It does not advocate for modifying Agile in any way for GxP, such as by superimposing linear (V-model) activities. The revised GAMP 5 guideline also summarizes several Agile principles and illustrates how this methodology can be implemented in GxP environments for GAMP 5 validation.
Waterfall Model | Agile Methodology |
Figure 3. Waterfall and Agile methodology for project management (adapted from 2nd edition of the GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized systems)
Using Agile tools instead of documents
Agile methodologies are typically used with software tools that control product backlog, configuration, testing, and release activities to enable shorter cycle times.
Table 1. List of tools used in an agile methodology that help shorten project management cycle times (adapted from 2nd edition of the GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized systems)
These tools manage a variety of Agile activities such as user-story risk assessments, testing, and traceability. Tools provide benefits for measuring, managing, and achieving high-quality results. They can provide integrated bug or defect management and reduce the risk of human error. In fact, a comprehensive toolset can provide an integrated solution for managing all of these activities. In many cases, these tools can significantly reduce, if not eliminate, the need for documentation and manual sequencing of events.
This comprehensive toolset approach is used as part of an Agile methodology so it does not require a computerized system validation. However, it should be subject to risk assessment and assessed for adequacy by appropriate SMEs.
Approvals and acceptance
Backlog refinement and sprint planning sessions are key governance and approval steps for ensuring that the right system is built. Roles and responsibilities for approvals should be defined as part of these planning sessions.
In Agile methodologies, signatures are not the only way to secure approval, per compliance with the US FDA 21 CFR Part 11. For software life cycle deliverables, this is only the case for SaMD or software embedded in a regulated medical device. Approval can be achieved by many other means, such as status change, email, and audit trails. In many cases, evidence of acceptance, rather than approval, is sufficient.
For many GxP organizations, a system life cycle approach will involve different ways of working and organizing projects. Based on risk analysis and the use of Agile technology as a development flow for projects that require speed and flexibility, each project is broken down into small modules that must be completed and delivered. Each module is subjected to a risk assessment to verify that no errors occur that could compromise the integrity and validated state of the system.
With an Agile approach, quality and value can be delivered to the customer in a short time span and in an incremental fashion. This approach enables technical innovation and fulfills the aim of developing quality products and services to meet the needs of customers whose priorities are changing at an ever-increasing speed.
Are you ready to take a new approach to organize your next project? GxP-CC can help. Contact us today to get started.