The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011
Why a New Revision? Increased use of computerised systems with Increased complexity Increased use of electronic documents
Most Significant Aspects of Revision Risk based approach to Validation Operational controls Harmonization with current industry good practice Clarification of the acceptability of electronic records and signatures
Contents of Chapter 4 Principle Required GMP documentation Record/Report type Generation and Control of documentation Good Documentation Practices Retention of Documents Procedures and records Other
Contents of Annex 11 Principle General Risk Management, Personnel, Suppliers and Service Providers Project Phase Validation Operational Phase Data, Accuracy checks, Data storage, Printouts, Audit trails, Change and configuration management, Periodic evaluation, Security, Incident management, Electronic signature, Batch release, Business continuity, Archiving Glossary
Updated Annex 11 and Chapter 4 Equivalent to the FDA’s Part 11 regulation for Electronic Records and Signatures
Annex 11 Changes Increased Scope Risk Management Roles and Responsibilities Suppliers and Service Providers Validation Ensuring Data Integrity Electronic Signatures IT Support Maintaining Validation
Increased Scope of Annex 11 Applies to all forms of computerised systems used as part of a GMP regulated activities The application should be validated; IT infrastructure should be qualified. Where a computerised system replaces a manual process there should be no resultant decrease in product quality, process control or quality assurance
Risk Management Throughout the System Life Cycle Dependent on Patient safety Product quality Data integrity Justified and documented risk assessment Very much in line with Q9 and GAMP5
New Roles and Responsibilities Close cooperation between all relevant personnel New roles defined: Process owner Person responsible for the business process System owner Person responsible for the availability and maintenance of a computerised system And the security of the data
Suppliers and Service Providers Major expansion into four classes: Formal agreements, including IT- departments Competence and reliability of supplier Audit Review documentation of COTS products Availability of quality system and audit information to inspectors
Validation Life cycle approach Manufacturers justify approach based on Risk assessment Listing of systems (link with Annex 15 & VMP) Current system description for critical systems Requirement for URS and Traceability Development within QMS Customised or bespoke systems Test methods and tools
Controls for Ensuring Data Integrity Covered by sections: Data Accuracy checks Printouts Audit trails Security Minimize risks of a wrong decision based on wrong data Data Migration Data Archiving Check after Changes to s/w or IT-infrastructure
Electronic Signatures Same impact as handwritten Be permanently linked Include date and time
IT Support of Validated Systems Backup To be checked periodically Security Incident management All incidents reported and assessed. RCA of critical incidents resulting in CAPA Business continuity Documented and tested
Maintaining Validation Change and Configuration Management Procedure defined Involves Risk Assessment Documented Periodic Evaluation (aka periodic review) Changes made Compliant with GMP Deviations and incidents Upgrades Security
Chapter 4 - Documentation Increasing use of electronic documents within the GMP environment Documentation may exist in a variety of forms, including paper based, electronic or photographic media For electronic record, read documentation
Definition of Records Provide evidence of various actions taken to demonstrate compliance with instructions Records include the raw data which is used to generate other records Define raw data, including used for quality decisions Records used for batch release must be made available to the Qualified Person if there have been any changes made to the record, then these need to be flagged for review
Generation and Control of Documentation Many documents (instructions and/or records) may exist in hybrid forms i.e. some elements electronic and others paper based Relationships and control measures for master documents, official copies, data handling and records need to be stated for both hybrid and homogenous systems. Appropriate controls for electronic documents such as templates, forms, and master documents should be implemented. Appropriate controls should be in place to ensure the integrity of the record throughout the retention period
Generation and Control of Documentation (2) Ensure a Record is True and Accurate Appropriate Controls: More Critical Records need More Stringent Controls!
Retention of Documents Batch Records: To be defined for each manufacturing activity Where each record is located Security Controls implemented Ensure Record Integrity Throughout Retention period Controls have to be Validated
Other Changes Introduction of EU GMP Vol. 4 Part III Site Master File (new) Q9 Quality Risk Management Former Annex 20, new layout Q10 Note for guidance on Pharmaceutical Quality System Link to ICH guidelines
Thanks to Dr. Bob McDowall Authors of GAMP CoP Annex 11 interpretation Winnie Cappucci Chris Clark Tim Goossens Sion Wyn
Discussion Items How to show there is “no resultant decrease in …, process control or QA”? [0.4] How to show there is “no increase in overall risk”? [0.5] Can a Risk Assessment be performed on a Computerised system? Or should this be the Computerised process! [1.2] Why is [3.3] only applicable to regulated users, as others do not require to validate? Supplier Audit information made available What to do with agreed Confidentiality? [3.4]
Discussion Items (2) What are “the relevant steps of the life cycle.”? [4.1.1] Is the required “listing of … systems … (inventory)” the same as the “summary of systems to be validated” required by Annex 15? [4.3.1] What is defined as a Critical System? Examples? [4.3.2] What are “reasonable steps, te ensure …”? [4.5] What are considered “appropriate test methods and test scenarios”? [4.7.1] How to “indicate if any of the data has been changed” on a printout? [8.2]
Discussion Items (3) Audit Trail [9.3] How to get relevant information out of an AT? What is meant by regular review of AT? How to show an AT is reviewed? What is the definition of Configuration Management in Annex 11? [10] What is a sufficient evaluation period to confirm the validated state? [11.1] What is meant by “Management systems for data and for documents”? [12.4] What is “permanently linked to … record”? [14.4] What is meant by “clearly identify … the person”? [15.1]