If you find the information within this blog useful please take the time to support the site and visit one of the Google advertisers.


7 Dec 2011

EU Annex 11 - Computer System Inventory

EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines Annex 11 for computerised systems includes the requirement for the regulated company to maintain an up to date listing of relevant systems (GMP Computerised Systems) and their GMP functionality (inventory).

This is also a Japanese regulatory requirement and also an expectation of the FDA although not included within the regulations (21 CFR 211) it is often requested prior or during an inspection.

This post looks at the methods for developing the inventory for computerised systems to meet the requirements of EU Annex 11.

What Systems To Include In the Computer Inventory?

EU Annex 11 applies to all forms of computerised systems used as part of a GMP regulated activities. Therefore this should be the basis of which systems should be included. Computer systems are used throughout the business with every desk having a PC. So the definition of a GMP computerised system is critical to defining what systems to include within the system register.

Some guidance can be taken for the definition of GMP computerised systems guidance can be taken from ICH Q7 which states.

the term manufacturing is defined to include all operations of receipt of materials, production, packaging, repackaging, labelling, relabeling, quality control, release, storage and distribution.

Also the scope of the Japanese regulations can also help in the definition of a GMP Computerised System.
(1) Systems to make decisions on market release of drugs and quasi-drugs, and to create and retain market distribution records
(2) Systems to create and retain manufacturing orders and manufacturing records, etc.
(3) Systems to control/manage manufacturing processes and to retain relevant data
(4) Systems to manage storage and inventory, etc. of raw materials and products (including intermediates; the same shall apply hereinafter)
(5) Systems to control/manage laboratory instruments used for QC tests and systems to retain QC test results and relevant data
(6) Systems to control/manage equipment and facilities, including HVAC and water supply systems, etc., which may have a significant impact on quality of products, and systems to retain relevant data
(7) Systems to create, approve and retain documents (SOPs, Quality Standard Code, Product Standard Code, etc.)

The regulated company within the Site Validation Master Plan or Computer Systems Validation Policy / Procedure must define the scope of GMP Computerised Systems to be included within the system inventory.

What To Include In The System Inventory

To comply with EU Annex 11 Computerised Systems the minimum that must be included within the system register is the list of the computer systems and details of the functions of the computerised system.

The Inventory is key to supporting inspection readiness and therefore other useful information should be included including

  • Validation Status
  • Software Category (Commercial Off The Shelf or Bespoke)
  • Electronic Records / Signatures
  • Periodic Review Schedule
  • Business Process Owner
  • System Owner

Other decisions may also be recorded within the computer systems inventory, such as the decision to validate. Computer Systems may reside within the GMP classification but do not have any impact to Product Quality or GMP Requirements.

For example a Building Management System (BMS) used for environmental control of a GMP area (e.g. a warehouse) which has a fully independent monitoring system for recording and alarming the environmental conditions will not need the same level of controls as the Monitoring System. The monitoring system is a Direct Impact system while the BMS is Indirect Impact system. The level of validation and the operational controls will be more stringent for the monitoring system than the BMS which can be handled following Good Engineering Practices (GEP).

Note that using GEP is not an excuse for not applying any controls. Commissioning will be need to be performed and documented for the system to ensure that it meets with requirements and operational controls (such as change management) will need to be addressed. However the level of formal Validation and Quality Oversight (e.g. Periodic Review, etc.) will not necessarily be required.

The decision as to the Impact of the system should be documented and approved by the quality unit.

Developing the Computer System Inventory

The system inventory should be searchable and provide the facility to be filtered to provide information during regulatory inspections or customer audits. This should allow computerised systems to be filtered based on the processes (products) they are used in.

To provide this functionality an electronic system (e.g. spreadsheet, database, etc.) should be considered. However unless a fully integrated electronic inventory is used which would provide the electronic approval (electronic signatures) for the rationale then a hybrid system should be considered.

The paper record provides the primary record with the approval of the rationale and should include:

  • Details of the system Boundary
  • Description of the use of the system
  • System Impact
  • Supplier / Integrator Details
  • List of components
  • Classification of Hardware (Standard / Bespoke)
  • Classification of software (COTS, Bespoke, etc.)
  • Details of Electronic Records
  • Details of Electronic Signatures
  • Validation Status

While this list is not exhaustive other items can be included as required. For example the reference to the initial validation report may be included, the reference to the last periodic review and / or the next periodic review.

Validation of the Electronic Inventory

I often asked whether the electronic inventory requires validation. I suggest that you register the inventory, perform your initial impact / risk assessment to determine the level of controls which should be applied.

In general the paper record should be considered as the master record and therefore the level of controls should be minimal. Security access controls should be considered so that only authorised users can have access.

The output for regulatory inspection (list of associated computerised systems) should be checked against the paper records and approved for issue by the person responsible within the QA or Validation departments.

No comments:

Post a Comment

All comments on the computer systems validation blog are welcome.