Originally, the Pharmaceutical Inspection Convention / Pharmaceutical Inspection Co-operation Scheme (PIC/S) adopted the EU GMP Guide Annex 11 on Computerised Systems on 23 October 2012.
Since that date the Annexes have been updated in 2015 and in 2017, but with no changes to Annex 11.
For this issue of Call in for a Coffee we briefly review and highlight the key points of relevance for PIC/S-regulated manufacturers with regard to Annex 11.
Overview:
The use of electronic systems is increasing in every aspect of life and our businesses. The increase in efficiency and compliance that IT solutions can offer is leading even small and medium-sized businesses in the regulated industries to make considerable investments. Annex 11 applies to all forms of computerised systems used for GMP regulated activities.
The definition of a computerised system is “a set of software and hardware components which fulfil useful functionalities”. The key point is that the software application should be validated and the IT hardware and infrastructure should be qualified. Thus this is a ‘total system package’, and your usage of it requires Computer System Validation (CSV) and IT procedures included as part of your overall Quality Management System to maintain control and compliance with Annex 11.
When a computerised system is applied to a previously manual operation, there should be no resultant decrease in product quality, process control or quality assurance, and there should be no increase in the overall risk of the process. This means that the assessment of risk in the method of computer validation is fundamental to the overall approach. The main topics covered in the Annex are as follows:
- Risk Management
- Personnel
- Suppliers and Service Providers
- Validation
- Data
- Accuracy Checks
- Data Storage
- Printouts
- Audit Trails
- Change and Configuration Management
- Periodic evaluation
- Security
- Incident Management
- Electronic Signature
- Batch release
- Business Continuity
- Archiving
The key points from these topics are:
- Risk Management:
Risk management should be applied throughout the lifecycle of the computerised system. Decisions on the extent of validation and data integrity controls are based on a justified and documented risk assessment of the computerised system. You should be ready to incorporate a risk-based approach to Computer Systems Validation.
- Personnel
All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. Training is mandated for persons who develop, maintain, or use computerised systems to ensure they have the required education, training, and experience to perform their assigned tasks. You and your people should be trained, including training on CSV and how you apply it in your organisation.
- Suppliers and Service Providers
Formal agreements must exist between the manufacturer and any third parties who may provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service, or who carry out data processing. This covers essentially any supplier involved with your computerised system projects or operation. It is highly important that your own IT departments are considered as suppliers if they are producing software applications for GMP use. ICH Q10 guidance on Management of Outsourced Activities and Purchased Materials is relevant and should be considered. Typically, control of IT departments should include formal policies, procedures and supporting audits as an effective way of meeting this requirement. The most common mechanism for verification of supplier quality is supplier assessment, which may include an audit depending on risk, complexity, and novelty.
- Validation
The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their risk assessment. This is consistent with the overall risk-based approach taken in GAMP 5 and ICH Q9. It emphasises the risk-based approach and the need for documented justification of the life cycle approach. It means that you will have to consider and apply CSV from the start of IT projects through operations and decommissioning of legacy systems. This can be a major exercise and a new way of working for companies who are new to the CSV regulations.
- Accuracy Checks
For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a second operator or by validated electronic means. The term critical data is interpreted as meaning data with high risk to product quality or patient safety. One of the efficiency improvements that an electronic system can make is to remove the need for costly second verification; however, you must understand how and where this can be implemented.
- Audit Trail
Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated audit trail). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed. The need for, and the type and extent of, any audit trail should be based on a documented and justified risk assessment. Often legacy systems offer no audit trails for critical data and this can be an area of risk for your use of an electronic system. Make sure you understand where such audit information is required and how your systems are handling historical data.
- Change and Configuration Management
Any changes to a computerised system, including system configurations, should only be made in a controlled manner in accordance with a defined procedure. All changes to the system should be reviewed, risk assessed, authorised, documented, tested, and approved before implementation. These activities should be documented. This can also be a major challenge for companies who are new to CSV or are implementing novel or unique solutions. The role of the IT subject matter expert is highly important in understanding how and when to apply formal change controls.
- Incident Management
All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions. This is current industry good practice and further guidance is available in GAMP 5 Appendix O4 Incident Management. Make sure you understand how your IT system will be controlled in the operational phase, how best to support your users and how to manage problems that may lead to downtimes and data loss/issues.
- Electronic Signature
Electronic records may be signed electronically. Electronic signatures are expected to:
- have the same impact as hand-written signatures within the boundaries of the company,
- be permanently linked to their respective record,
- include the time and date that they were applied.
This clarifies that electronic signatures are allowed, but are not mandatory. It reflects current industry good practice. Make sure you understand where and how you will apply electronic signatures.
- Batch release
When a computerised system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature. The use of electronic signatures is not mandatory for batch release, but if the release is performed electronically then the requirements of Clause above apply.
- Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. This underlines that checks and controls are required to ensure the preservation of data and record content and meaning throughout the required retention period. IT subject matter experts are a good source of viable solutions for GMP data storage and archiving.