EU GMP Guide Annex 11 “Computerised Systems” Edwin Lindsey Understudy: Neil Fraser
This man is an idiot
OQ PQ Project preparation Go Live and Monitoring Project progress Validation progress Validation Master Plan Vendor Audit DQ Protocol User Requirement Specification IQ Protocol OQ Protocol OQ Tests OQ Report Installation IQ Report Documentation in place Go Live PQ Protocol PQ testing Validation Summary Report PQ Report DQ IQ Qualification Stages (IQ/OQ/PQ) Change Control Risk Management
What’s it all about? Commission Directive 2003/94/EC, of 8 October 2003, laying down the “ principles and guidelines of good manufacturing practice in respect of medicinal products for human use and investigational medicinal products for human use ”2003/94/EC Commission Directive 91/412/EEC of 23 July 1991 laying down the principles and guidelines of good manufacturing practice for veterinary medicinal products.91/412/EEC
Part I - Basic Requirements for Medicinal Products Chapter 1Quality Management (last revision February 2008) Chapter 2Personnel Chapter 3Premise and Equipment Chapter 4Documentation Chapter 5Production Chapter 6Quality Control (revision October 2005) Chapter 7Contract Manufacture and Analysis Chapter 8Complaints and Product Recall (revision December 2005) Chapter 9Self Inspection
Annexes Annex 1Manufacture of Sterile Medicinal Products (February 2008) Annex 2Manufacture of Biological Medicinal Products for Human Use Annex 3Manufacture of RadioPharmaceuticals (March 2009) Annex 4Manufacture of Veterinary Medicinal Products other than Immunological Veterinary Medicinal Products Annex 5Manufacture of Immunological Veterinary Medicinal Products Annex 6Manufacture of Medicinal Gases Annex 7Manufacture of Herbal Medicinal Products (September 2009) Annex 8Sampling of Starting and Packaging Materials Annex 9Manufacture of Liquids, Creams and Ointments Annex 10Manufacture of Pressurised Metered Dose Aerosol Preparations for Inhalation Annex 11Computerised Systems Annex 12Use of Ionising Radiation in the Manufacture of Medicinal Products Annex 13Manufacture of Investigational Medicinal Products Annex 14Manufacture of Products derived from Human Blood or Human Plasma Annex 15Qualification and validation (July 2001) Annex 16Certification by a Qualified person and Batch Release (July 2001) Annex 17Parametric Release (July 2001) Annex 18Good manufacturing practice for active pharmaceutical ingredients Annex 19 Reference and Retention Samples (December 2005) Annex 20 Quality Risk Management (February 2008)
Annexes Annex 1Manufacture of Sterile Medicinal Products (February 2008) Annex 2Manufacture of Biological Medicinal Products for Human Use Annex 3Manufacture of RadioPharmaceuticals (March 2009) Annex 4Manufacture of Veterinary Medicinal Products other than Immunological Veterinary Medicinal Products Annex 5Manufacture of Immunological Veterinary Medicinal Products Annex 6Manufacture of Medicinal Gases Annex 7Manufacture of Herbal Medicinal Products (September 2009) Annex 8Sampling of Starting and Packaging Materials Annex 9Manufacture of Liquids, Creams and Ointments Annex 10Manufacture of Pressurised Metered Dose Aerosol Preparations for Inhalation Annex 11Computerised Systems Annex 12Use of Ionising Radiation in the Manufacture of Medicinal Products Annex 13Manufacture of Investigational Medicinal Products Annex 14Manufacture of Products derived from Human Blood or Human Plasma Annex 15Qualification and validation (July 2001) Annex 16Certification by a Qualified person and Batch Release (July 2001) Annex 17Parametric Release (July 2001) Annex 18Good manufacturing practice for active pharmaceutical ingredients Annex 19 Reference and Retention Samples (December 2005) Annex 20 Quality Risk Management (February 2008)
What is Annex 11 Objective – –To ensure that when computerised systems replace manual systems, product quality does not decrease.
What is annex 11? Deals with: – –Inspection of computerised systems. Provides recommendations
Overview of Annex 11 Risk Management Risk Management Personnel Personnel Validation Validation System System Software Software Data Data User testing and the system's fitness for purpose User testing and the system's fitness for purpose Security Security Accuracy Checks Accuracy Checks Audit Trails Audit Trails Signatures Signatures Change control and configuration management Change control and configuration management Printouts Printouts Data Storage Data Storage Back Up; Migration; Archiving; Retrieval Back Up; Migration; Archiving; Retrieval Business Continuity Business Continuity Incident Management Incident Management Suppliers Suppliers Batch Release Batch Release
Overview of Annex 11 Here, the validation of the systems is meant to form the foundation of trust both for the licence holder and for the supervisory authority. Here, the validation of the systems is meant to form the foundation of trust both for the licence holder and for the supervisory authority. New role of risk management. New role of risk management.
Why Changing Newer initiatives in quality were not included Newer initiatives in quality were not included With greater experience in the field greater specificity could be included in the document With greater experience in the field greater specificity could be included in the document
Other Guidance/Standards used in the Change The draft standard includes the developments of the past years, it quotes in particular from: The draft standard includes the developments of the past years, it quotes in particular from: –PIC/s Guidance PII "Good practices for computerised systems in ‚GxP' regulated environments", –ISO "A code of practice for information security management“ –GAMP 5
Sources Annex 11: Annex 11: /eudralex/vol-4/pdfs-en/anx11en.pdf /eudralex/vol-4/pdfs-en/anx11en.pdf Chapter 4: Chapter 4: /eudralex/vol-4/pdfs-en/cap4en pdf /eudralex/vol-4/pdfs-en/cap4en pdf
What has changed The concept of risk assessment in the decision making process has been clearly introduced. The concept of risk assessment in the decision making process has been clearly introduced.
“Decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system in respect to its impact on product quality and safety as well as data security and integrity.” “Decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system in respect to its impact on product quality and safety as well as data security and integrity.”
OQ PQ Project preparation Go Live and Monitoring Project progress Validation progress Validation Master Plan Vendor Audit DQ Protocol User Requirement Specification IQ Protocol OQ Protocol OQ Tests OQ Report Installation IQ Report Documentation in place Go Live PQ Protocol PQ testing Validation Summary Report PQ Report DQ IQ Qualification Stages (IQ/OQ/PQ) Change Control Risk Management
What has changed Inventory listings of systems with descriptions/ schematics. Inventory listings of systems with descriptions/ schematics. Introduce concept of ‘specifications’ for system and relationships. Introduce concept of ‘specifications’ for system and relationships. Design and development – new term and assessment measures for quality. Design and development – new term and assessment measures for quality.
What has changed Change and risk - controls and management. Change and risk - controls and management. Emphasise the intrinsic key differences between printed ‘audit trails’ and electronic ones. Emphasise the intrinsic key differences between printed ‘audit trails’ and electronic ones. Requirements for back up, archiving, migration and retrieval of data and records to be expanded considerably. Requirements for back up, archiving, migration and retrieval of data and records to be expanded considerably.
What has changed Term ‘business continuity’ to be introduced. Term ‘business continuity’ to be introduced. System failure section to be covered by new content – ‘Incident Management’, linking impact risk to corrective measures required. System failure section to be covered by new content – ‘Incident Management’, linking impact risk to corrective measures required. Outside agencies’ to be extended to embrace suppliers – other third parties and internal departments (where appropriate). Outside agencies’ to be extended to embrace suppliers – other third parties and internal departments (where appropriate).
What has changed Release certification – paper printouts and electronic system issues to be clarified. Release certification – paper printouts and electronic system issues to be clarified. New section on identity and electronic signature requirements New section on identity and electronic signature requirements Security controls – expand considerably (physical, procedural and electronic). Security controls – expand considerably (physical, procedural and electronic).
Areas to Consider Emphasis on risk based validation approach, Emphasis on risk based validation approach, Very strong emphasis on the inventory of systems including their validation status and risk rating Very strong emphasis on the inventory of systems including their validation status and risk rating Challenge testing evidence required (3.5) Challenge testing evidence required (3.5) Comprehensive periodic reviews must be performed, including security (3.6) Comprehensive periodic reviews must be performed, including security (3.6) Complete system specifications are needed (4.2) Complete system specifications are needed (4.2) Supplier audit reports/assessments must be available to the inspectors Supplier audit reports/assessments must be available to the inspectors Independent check of critical parameters is a requirement (9.2) Independent check of critical parameters is a requirement (9.2) Business Continuity must be tested (16.1) Business Continuity must be tested (16.1) Formal contract with suppliers including responsibility matrix (18.1) Formal contract with suppliers including responsibility matrix (18.1)
Areas to Consider The validation of databases : The validation of databases : –Provisions for data security –Recovery mechanisms –Performance tests
Areas to Consider Concerning hardware Concerning hardware –Site and purpose of the system –Risk classification for each system –Identification of the systems with impact on regulatory activities
Areas to Consider validation : validation : –User requirements –Periodic checks
Areas to Consider The following items must exist: The following items must exist: –The required system functions –Modules and their relationship –Interfaces and external connections –System limits –Hardware and software prerequisites
In Summary It also becomes clear that this new Annex 11 will again define terms of reference for the complete field of computerised systems in the Life Science industry. It also becomes clear that this new Annex 11 will again define terms of reference for the complete field of computerised systems in the Life Science industry.
In Summary Risk assessment is key to determining what is necessary– but ensure that risk aversion related to computer system development does not outweigh the benefits in accessing and using the data Risk assessment is key to determining what is necessary– but ensure that risk aversion related to computer system development does not outweigh the benefits in accessing and using the data
In Summary The updated annex 11 was out for consultation. (Review period ended 31 st October 2008) The updated annex 11 was out for consultation. (Review period ended 31 st October 2008) New version should be released early 2009 New version should be released early 2009
“I’ve not changed my style. My manager has just polished it up and brought some things that were in the background, to the foreground” Ricky Hatton, 2008
“I’ll be back. Don’t worry…….I’m sorry everybody” Ricky Hatton, 2008 Neil Fraser, 2008
Any Questions you can contact Edwin Lindsay at