EudraLex EU Annex -11
Introduction :- EU GMP Annex 11 for
computerized systems has been an Active part of EU GMP since 1992. In
2008, the European Medicines Agency issued a proposed update that also
consisted of a Principle and 19 clauses but the length of text was four times
as long as the current version. This was a major change to the regulation that
incorporated regulatory concerns noted by inspectors with all types of
computerized systems. There were also consequential changes to Chapter 4 on
documentation that were also issued for industry comment. Within the six month
comment period, over 1,400 responses from industry were received by the Agency.
The final version of
Annex 11 was issued in January 2011 and becomes effective on 30th June 2011.
The structure of the released document has a Principle and 17 clauses but the
text is still longer than the current version it replaces. Some of the more
stringent requirements from the 2008 draft have been removed from the final
version of the regulation.
Major changes in Annex
11 include:
v Applications must be
validated IT infrastructure must be qualified
v risk management in both
computer validation and change control
v The life cycle
validation phase has been extensively expanded
v Requirements
traceability throughout a life cycle moves from a regulatory expectation to a
regulatory requirement for the first time.
v New requirements for
data integrity, availability and confidentiality
v Vendor audit reports
should be available for inspectors to review .
v Explicitly allows the
use of electronic signatures for signing documents including records
Principle:- This annex
applies to all forms of computerized systems used as part of a GMP regulated
activities. A computerized system is a set of software and hardware components
which together fulfill certain functionalities. The application should be
validated; IT infrastructure should be qualified. Where a computerized system
replaces a manual operation, there should be no resultant decrease in product
quality, process control or quality assurance. There should be no increase in
the overall risk of the process.
The principles of Annex
11 and the new section on risk management will be discussed and compared with
the old version to understand the impact of the changes in these
sections.
Scope : Qualify IT
infrastructure and validate applications
Risk management in
computer validation – Has anything changed in the new version.
Roles and Responsibility
in Computerized System Validation: - The new Version of EU added part of
Roles and Responsibility.
v Process Owner
v System Owner
v Information Technology
v Supplier
v Service Provider
Data Integrity
Requirements for Computerized Systems :- The requirements for data integrity
are split over several clauses of Annex 11 and we will explore the updated
sections for this topic as follows: „
v Accuracy checks
v Printouts of data
v Audit trail
requirements
Regulatory Issues around
the Information Technology Department
Security of Networks and Computerized Systems:- Physical and/or logical controls
should be in place to restrict access to computerized system to authorized
persons. Suitable methods of preventing unauthorized entry to the system may
include the use of keys, pass cards, personal codes with passwords, bio-metrics,
restricted access to computer equipment and data storage areas.
v The extent of security
controls depends on the criticality of the computerized system.
v Creation, change, and
cancellation of access authorizations should be recorded.
v Management systems for
data and for documents should be designed to record the identity of operators
entering, changing, confirming or deleting data including date and time.
Security is a key
requirement of computerized systems, applications and networks;
v Security of networks and
applications
v Access control
requirements in the new Annex 11 „
· Procedures
and records for security and access control
Batch Release :- When a computerized
system is used for recording certification and batch release, the system should
allow only Qualified Persons to certify the release of the batches and it
should clearly identify and record the person releasing or certifying the
batches. This should be performed using an electronic signature
Change Control and
Configuration Management :- Change control is an existing requirement of
Annex 11; the clause has been streamlined in the new version. However the title
also mentions configuration management but does not define the term which is
confusing as there are at least two definitions used in software engineering. „
v Review and
interpretation of the new Annex 11 requirements „
v Issues in implementing
the requirements
Electronic Signatures:- Electronic records
may be signed electronically. Electronic signatures are expected to: a. have
the same impact as hand-written signatures within the boundaries of the
company, b. be permanently linked to their respective record, c. include the
time and date that they were applied. Electronic Signature requirement same as
CFR 21 Part -11.
New Requirements for
Vendor Audits:- Annex
11 mandates that vendor audit reports should be available for review by
inspectors, this talk will explore the issues surrounding this area.
v Identifying the changes
in approach from the old to the new version of Annex 11
v What will this mean for
vendor audits in the future? „
v Will vendor management
be an undocumented requirement for software suppliers that fail audits?
GMP Chapter 4 on
Documentation:
What are the major changes? The new version of Chapter 4 was revised in the
light of the increasing use of electronic documents within the GMP environment
and it brings requirements for the definition of raw data and the handling of
electronic records.
v Types of records: Site
Master File, instructions and records / reports „ Definition of
electronic raw data.
v Management requirements
of electronic records
v Hybrid and electronic
systems under EU
v Retention of documents
Periodic Evaluation of Computerized Systems:- The new version of Annex 11
formalizes the periodic review of computerized systems and the talk will
present the regulatory requirements and practical interpretation of them.
Computerized systems
should be periodically evaluated to confirm that they remain in a valid state
and are compliant with GMP. Such evaluations should include, where appropriate,
the current range of functionality, deviation records, incidents, problems,
upgrade history, performance, reliability, security and validation status reports.
Requirements of the new
Annex 11
Practical interpretation
of the new requirements – are all systems the same?
Change and Configuration
Management :- Any
changes to a computerized system including system configurations should only be
made in a controlled manner in accordance with a defined procedure.
Audit Trails Consideration
should be given, based on a risk assessment, to building into the system the
creation of a record of all GMP-relevant changes and deletions (a system generated
"audit trail"). For change or deletion of GMP-relevant data the
reason should be documented. Audit trails need to be available and convertible
to a generally intelligible form and regularly reviewed.
Incident Management:- All incidents, not
only system failures and data errors, should be reported and assessed. The root
cause of a critical incident should be identified and should form the basis of
corrective and preventive actions.
Archiving:- Data may be
archived. This data should be checked for accessibility, readability and
integrity. If relevant changes are to be made to the system (e.g. computer
equipment or programs), then the ability to retrieve the data should be ensured
and tested.
Data Storage:- Data should be
secured by both physical and electronic means against damage. Stored data
should be checked for accessibility, readability and accuracy. Access to data
should be ensured throughout the retention period.
Regular back-ups of all
relevant data should be done. Integrity and accuracy of backup data and the
ability to restore the data should be checked during validation and monitored
periodically.
Validation
v The validation
documentation and reports should cover the relevant steps of the life cycle.
Manufacturers should be able to justify their standards, protocols, acceptance
criteria, procedures and records based on their risk assessment.
v Validation documentation
should include change control records (if applicable) and reports on any
deviations observed during the validation process.
v An up to date listing of
all relevant systems and their GMP functionality (inventory) should be
available. For critical systems an up to date system description detailing the
physical and logical arrangements, data flows and interfaces with other systems
or processes, any hardware and software pre-requisites, and security measures
should be available.
v User Requirements
Specifications should describe the required functions of the computerized
system and be based on documented risk assessment and GMP impact. User
requirements should be traceable throughout the life-cycle.
v The regulated user
should take all reasonable steps, to ensure that the system has been developed
in accordance with an appropriate quality management system. The supplier
should be assessed appropriately.
v For the validation of
bespoke or customized computerized systems there should be a process in place
that ensures the formal assessment and reporting of quality and performance
measures for all the life-cycle stages of the system.
v Evidence of appropriate
test methods and test scenarios should be demonstrated. Particularly, system
(process) parameter limits, data limits and error handling should be
considered. Automated testing tools and test environments should have
documented assessments for their adequacy.
v If data are transferred
to another data format or system, validation should include checks that data
are not altered in value and/or meaning during this migration process
Reference :- EU Annexure-11 Guideline
0 Comments