GAMP 5 Compliance

This document provides guidance on applying GAMP 5 (Good Automated Manufacturing Practice) principles to Cohera platform validation. GAMP 5 is the industry standard for risk-based validation of computerized systems in pharmaceutical environments.

Overview

GAMP 5, published by ISPE, provides a risk-based approach to compliant GxP computerized systems. The framework emphasizes:

• Risk management: Focus validation effort on areas of highest risk
• Scalable approach: Validation scope proportional to system complexity and GxP impact
• Supplier involvement: Leverage vendor documentation and testing
• Lifecycle approach: Maintain compliance throughout system operation

System Classification

GAMP 5 Software Categories

Category	Description	Cohera Classification
Category 1	Infrastructure software	Not applicable to Cohera core
Category 3	Non-configured products	Not applicable
Category 4	Configured products	Cohera Platform
Category 5	Custom applications	Customer-specific integrations

Cohera as Category 4 Software

Cohera is classified as Category 4 - Configured Product because:

• It is a commercial off-the-shelf (COTS) product
• It is configured through administration settings, not custom code
• Standard features meet common use cases
• Configuration options are well-defined and documented

Note

Custom integrations developed specifically for your organization may be classified as Category 5 and require additional validation activities.

Risk-Based Validation Approach

Risk Assessment Process

┌─────────────────────────────────────────────────────────┐
│                    RISK ASSESSMENT                       │
├─────────────────────────────────────────────────────────┤
│  1. Identify GxP processes supported by system          │
│  2. Identify potential failure modes                    │
│  3. Assess impact on product quality and patient safety │
│  4. Assess likelihood of occurrence                     │
│  5. Assess detectability                                │
│  6. Calculate risk priority                             │
│  7. Define mitigation controls                          │
└─────────────────────────────────────────────────────────┘

Risk Categories

GxP Function	Typical Risk Level	Validation Focus
Certificate management	High	Data integrity, workflow controls
Supplier qualification	High	Approval workflows, e-signatures
Quality event management	High	Audit trails, state transitions
Document control	Medium-High	Version control, access controls
Reporting	Medium	Data accuracy, calculation verification
User management	Medium	Authentication, authorization
Integration sync	Medium	Data mapping, conflict resolution

Validation Effort by Risk

Risk Level	Validation Approach
High	Full IQ/OQ/PQ with detailed test cases
Medium	Streamlined testing focused on critical functions
Low	Verification of configuration, user acceptance

Validation Lifecycle

V-Model Approach

SPECIFICATION                              VERIFICATION
    │                                           │
    ├── User Requirements ◄─────────────► Performance Qualification
    │                                           │
    ├── Functional Spec ◄───────────────► Operational Qualification
    │                                           │
    └── Design Spec ◄───────────────────► Installation Qualification
                         │
                    IMPLEMENTATION
                         │
                 Configuration & Setup

Phase 1: Planning

Activity	Deliverable	Cohera Support
Define scope	Validation Plan	Template provided
Risk assessment	Risk Assessment Report	Risk categories documented
Define team	RACI Matrix	Roles documented
Define timeline	Project Schedule	Typical timeline guidance

Phase 2: Specification

Activity	Deliverable	Cohera Support
User requirements	URS	Template provided
Functional requirements	FRS	Functional specification provided
Configuration spec	Configuration Specification	Configuration guide

Phase 3: Verification

Activity	Deliverable	Cohera Support
Installation Qualification	IQ Protocol & Report	IQ protocol template
Operational Qualification	OQ Protocol & Report	OQ protocol with test cases
Performance Qualification	PQ Protocol & Report	PQ guidance
Traceability	RTM	Traceability matrix

Phase 4: Operation

Activity	Deliverable	Cohera Support
Release for use	Validation Summary Report	Report template
Change control	Change Control Procedure	Change notifications provided
Periodic review	Periodic Review Report	Review checklist
Incident management	Incident Reports	Incident notification process

Specification Documents

User Requirements Specification (URS)

Key areas to address in your URS:

1. INTRODUCTION
   - System purpose
   - Scope of use
   - Regulatory requirements

2. FUNCTIONAL REQUIREMENTS
   - Certificate management
   - Supplier management
   - Quality event handling
   - Workflow and approvals
   - Reporting needs

3. DATA REQUIREMENTS
   - Data types and volumes
   - Retention requirements
   - Integration requirements

4. COMPLIANCE REQUIREMENTS
   - 21 CFR Part 11
   - EU GMP Annex 11
   - Data integrity (ALCOA+)

5. TECHNICAL REQUIREMENTS
   - Performance expectations
   - Availability requirements
   - Security requirements

Functional Requirements Specification (FRS)

Cohera provides detailed functional specifications covering:

• Entity management (CRUD operations)
• Certificate lifecycle
• Supplier qualification workflows
• Quality event management
• Workflow engine
• Audit trail functionality
• Electronic signatures
• Integration capabilities
• Security controls
• Reporting functions

Qualification Protocols

Installation Qualification (IQ)

IQ verifies that Cohera is correctly installed per specifications:

Test Area	Verification Items
Access	URL accessible, SSL certificate valid
Authentication	SSO integration functional (if applicable)
Integration	Connectivity to SAP/Veeva verified
Configuration	Organization settings correct
Users	Initial users created with correct roles

Operational Qualification (OQ)

OQ verifies that Cohera functions correctly under normal operating conditions:

High-Risk Functions:

Function	Test Cases
Certificate Upload	Upload various file types, verify storage and display
Certificate Validation	Test approval workflow, verify e-signature capture
Expiry Tracking	Verify expiry alerts generated correctly
Supplier Qualification	Test qualification workflow end-to-end
Quality Events	Test deviation/CAPA creation and closure
Audit Trail	Verify all changes logged with required fields
E-Signatures	Test signature capture with meaning text
Access Controls	Verify role-based permissions enforced

Medium-Risk Functions:

Function	Test Cases
Data Export	Verify export formats and completeness
Reporting	Verify report accuracy
Notifications	Verify email notifications sent correctly
Search	Verify search returns correct results

Performance Qualification (PQ)

PQ verifies that Cohera performs reliably with production data and users:

Test Area	Verification
Data Volume	System performs acceptably with expected data volumes
Concurrent Users	Multiple users can work simultaneously
Integration Sync	Real data flows correctly between systems
Business Processes	End-to-end processes complete successfully

Traceability Matrix

Example traceability structure:

URS ID	Requirement	FRS Reference	Test Case	Result
URS-001	System shall capture certificate expiry dates	FRS-CERT-003	OQ-TC-015	Pass
URS-002	System shall alert on certificates expiring within 90 days	FRS-CERT-012	OQ-TC-022	Pass
URS-003	All changes shall be recorded in audit trail	FRS-AUDIT-001	OQ-TC-040	Pass
URS-004	Electronic signatures shall include meaning	FRS-ESIG-005	OQ-TC-055	Pass

Supplier Assessment

Cohera as Software Supplier

When assessing Cohera as a supplier, consider:

Assessment Area	Cohera Evidence
Quality Management	ISO 27001 certification
Development Process	Documented SDLC, change control
Testing	Automated testing, release testing
Security	SOC 2 Type II audit, penetration testing
Support	SLA, support procedures
Compliance Knowledge	GxP-aware development team

Supplier Audit

Cohera supports customer audits:

• Remote audit via documentation review
• Virtual audit via video conference
• On-site audit (Enterprise customers)

Change Control

Platform Changes

Cohera provides with each release:

• Release notes detailing changes
• Validation impact assessment
• Updated documentation as needed
• Recommended regression testing

Customer Configuration Changes

Configuration changes should follow your change control process:

1. Document the change request
2. Assess GxP impact
3. Approve the change
4. Implement in non-production first
5. Test the change
6. Implement in production
7. Document completion

Caution

Significant configuration changes may require revalidation. Assess impact using your risk-based approach.

Periodic Review

Annual validation review should include:

Review Item	Evidence
System changes	Change control records
Incidents	Incident log review
User access	Access review report
Audit trail	Audit trail integrity check
Backup/restore	Recovery test results
Training	Training records current
Documentation	Documentation current

Documentation Package

Cohera provides validation support documentation:

Document	Description
System Overview	Architecture and components
Functional Specification	Feature documentation
URS Template	Template for customer URS
IQ Protocol Template	Installation qualification
OQ Protocol Template	Operational qualification
OQ Test Scripts	Pre-written test cases
Traceability Matrix	RTM template
Configuration Guide	System configuration
Administrator Guide	Administration procedures
User Guide	End user documentation

Tip

Contact your Cohera account manager to request the complete GAMP 5 validation documentation package, including protocols, test scripts, and traceability matrices.