Showing posts with label EU Annex 11. Show all posts

29 Aug 2012

Validation Determination



In the article Computer System Impact / Risk Assessment from May 2010 I discussed the use of the Impact Assessment for a Computerised system to determine the validation requirements. This article continues with that theme to provide guidance on performing and documenting the assessment within a Validation Determination Statement (VDS) for a computerised system.

7 Dec 2011

EU Annex 11 - Computer System Inventory


EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines Annex 11 for computerised systems includes the requirement for the regulated company to maintain an up to date listing of relevant systems (GMP Computerised Systems) and their GMP functionality (inventory).

This is also a Japanese regulatory requirement and an expectation of the FDA; although it is not included within the regulations (21 CFR 211), it is often requested prior to or during an inspection.

This post looks at the methods for developing the inventory for computerised systems to meet the requirements of EU Annex 11.

11 Apr 2011

Applying Computer System Security (GAMP)


It is a regulatory requirement that access to computerised systems is limited to authorised users. This is not limited to systems that contain electronic records but applies to all systems that are used to fulfil regulated activities.

This post focuses on the FDA and MHRA / EU regulatory requirements for security management of computerised systems within the pharmaceutical and biotech industries and the application of logical security controls and procedures.

GAMP 5 Operational Appendix O11 provides guidance on security management. This article is designed to provide additional details.

28 Mar 2011

EU Annex 11 - Electronic Signatures


Electronic Signatures


This is a continuation of a review of the update to EU Annex 11 and Chapter 4 (Documentation) that was issued in January 2011 to become effective on the 30 June 2011.

As stated in the previous article, the EU Annex 11 update does not directly reference Electronic Records; this is included in the update to EU Chapter 4 (Documentation).

The update to EU Annex 11 however does state the following relating to Electronic Signatures.

28 Feb 2011

EU Annex 11 – Electronic Records


This is a continuation of a review of the update to EU Annex 11 and Chapter 4 (Documentation) that was issued in January 2011 to become effective on the 30 June 2011.

Electronic Records have for so long only taken guidance from the FDA; however, it has always been an expectation of the MHRA / EU that electronic records, including raw data, must have the same integrity as paper records.

EU Annex 11 does not directly state requirements for electronic records. These are included within Chapter 4 (also issued in January), which states in the principles:

EU Chapter 4

Good documentation constitutes an essential part of the quality assurance system and is key to operating in compliance with GMP requirements. The various types of documents and media used should be fully defined in the manufacturer's Quality Management System. Documentation may exist in a variety of forms, including paper-based, electronic or photographic media. The main objective of the system of documentation utilized must be to establish, control, monitor and record all activities which directly or indirectly impact on all aspects of the quality of medicinal products.

This incorporates the use of electronic records into the quality management system. It continues in Record Types:

Records: Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data

It is clear from Chapter 4 that electronic records (even in a hybrid state, paper and electronic data) must have the same integrity as paper based records. The regulated company must be able to show that the same good documentation practices are in place.

Discussion

The first step in ensuring compliance with either EU Chapter 4 or FDA 21 CFR Part 11 is to identify and document which of your records or electronic raw data are used for GMP purposes.

The controls for electronic records should be assessed based on a documented risk assessment. The regulated company must determine the impact of the records on GMP. This can be used within the documented risk assessment to support the level of controls required to ensure the integrity of the record.

An article on my Computer Systems Validation site provides an introduction to a Risk Based Approach to Electronic Records.

The ISPE GAMP guide on a risk based approach to electronic records and signatures provides excellent, detailed guidance on the approach.

24 Feb 2011

EU Annex 11 – Supplier Audits


This is a continuation of a review of the impact of the update to EU Annex 11, issued in January 2011 to become effective on the 30 June 2011.

Supplier Audits

The supplier audit process for software suppliers, including IT systems, automation systems, etc., has been around for quite some time within the guidance documents, but has never been directly referenced within cGMPs for pharmaceutical companies (e.g. 21 CFR 211 or EU Annex 11).

The following is included within the update of EU Annex 11 which defines the requirements for the consideration of supplier audits of computerised systems.

As stated in the earlier post EU Annex 11 has been updated and becomes effective on the 30 June 2011. This is part of a series of reviews detailing what has changed and the impact on Computer Systems Validation.

The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

The Quality Risk Management approach to determining whether a supplier should be audited should consider:
  • The potential impact of the system being supplied based on Patient Safety and Record Data
  • The novelty or complexity of the system
  • The history and experience in supplying these systems

Depending on the output from the assessment, the conclusion may be that controls are not required over the design of software (Commercial Off the Shelf systems), or that a postal audit (supplier evaluation) is appropriate for medium to low impact computer systems or where suppliers have a proven track record within the industry and with the required design. A full site audit should be performed for medium to high impact systems which have some level of complexity.


The following diagram shows a simple risk matrix to support the decision process. For those shown in red the user should consider a full audit, for those in yellow a minimum of a postal audit should be considered, and for those in green no further controls should be required.

It is a requirement that the regulated company determines and documents its approach to deciding which suppliers should be audited.
The decision and the audit findings should be documented and approved by the Quality Assurance department. They form a part of the validation lifecycle and must be available for inspection.

Links

Supplier Audits – Part 1

23 Feb 2011

EU Annex 11 – Risk Management


As stated in the earlier post, EU Annex 11 has been updated and becomes effective on the 30 June 2011. This is part of a series of reviews detailing what has changed and the impact on Computer Systems Validation.

Risk Management now underpins the whole process of Computer Systems Validation. This has been a driving force since the introduction of GAMP4 and even more so through GAMP5.
In the revised EU Annex 11, risk management is placed at the heart of the lifecycle of computerised systems:

1. Risk Management

Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.

This aligns with Annex 15 Qualification and Validation, which states:

A risk assessment approach should be used to determine the scope and extent of validation.

The ISPE GAMP5 was issued in 2008 and provides a process incorporating a risk based approach. However, it is still taking companies time to integrate a risk based approach into their process. Although a risk based approach based on process understanding can save a lot of work in the implementation and operation of computerised systems, it is a major change to the current process.
The steps to incorporating a science and risk based approach to computer systems validation are to determine and document, in validation procedures, the points where risk assessments will be performed and which tools are the most appropriate.

Although risk management should be a continuous process, the key stages in a project where risk assessments should be performed, and the suggested risk tools, are:
  • Identification of User Requirements - Preliminary Hazard Analysis
  • Design Review (Functional Design Specification) – Failure Mode Effects Analysis (FMEA)
  • System Handover – Update of FMEA
  • Incident Management – Fault Tree Analysis / Fishbone (Ishikawa) Diagrams / Statistical Tools
  • Change Control - Update of FMEA

The FMEA should be the underpinning quality risk management tool for computerised systems. It should be updated regularly based on process data (incidents, changes, etc.) to ensure that the risks initially identified during the project phase, and the perceived risk scores, are supported by operating data, and that the controls that have been put in place to reduce risk are effective. As a minimum, the FMEA should be checked and updated during the periodic review of the computerised system.

See Article Quality Risk Management for more information.
Your comments on implementing a Quality Risk Management approach within computerised systems validation and also Annex 11 are welcome.

11 Feb 2011

EU Annex 11 (Update)


In January 2011 the European Commission (EudraLex) released Annex 11 Computerised Systems (revision 1), which comes into effect on 30 June 2011.

This has been a long awaited release of the GMP Guideline for Computerised Systems, which was first issued for public consultation in April 2008. The final release of Annex 11 has been reduced considerably compared with that put out for public consultation; however, the principles are present in the final version.

Annex 11 has been revised in response to the increased use of computerised systems and the increased complexity of these systems.

In addition to the revision of EU Annex 11, Chapter 4 has also been revised to take into account the increasing use of electronic records (and signatures) in support of the release of batches and other GMP. This also becomes effective on 30 June 2011.

This is a major revision of the GMP for Computer Systems (last updated in 1997). Regulated pharmaceutical and biotech companies will need to ensure that the requirements of the GMPs are met.

While following the ISPE GAMP guidance will cover the majority of requirements relating to the revised EU Annex 11, it is important that the regulated pharmaceutical company reviews the requirements.

EU Annex 11 Post Update

Since the original I have added a page dedicated to EU GMP Annex 11 Computerised Systems. This page provides the full text from the EU Annex 11 guidance and links to comment and analysis against the relevant section.


Additionally you can check latest posts relating to EU Annex 11 update.

Link
The EudraLex Volume 4 Good manufacturing practice (GMP) Guidelines.
