What is the correct title of this publication? What is the current status of understanding and implementation?

Transcription

1 GMP Rules and Guidelines in 2013 for Computer System Validation / Computerises Systems / Electronic Records and Signatures/ IT Infrastructure and Application Compliance: What is the correct title of this publication? What is the current status of understanding and implementation? Annex 11 ( Computerised Systems ) and Chapter 4 of January 2011 have been revised in response to the increasing use of electronic documents within the GMP environment by the EMA (European Medicines Agency). Two years later (January 2013) we would like to reflect the current status of the implementation at some agencies and the pharmaceutical industry. At the start of Annex 11, the principles section statement is that The application should be validated; IT infrastructure should be qualified. The application should be validated not computerised systems Annex 11 is titled to Computerised Systems, in the meaning of systems used as part of GMP regulated activities. Most probably the given title has historical reasons, which was named in In today s world it would have been named to IT & System Compliance or similar. But anyhow, Annex 11 is not saying that the computerised system should be validated the application should be validated. And the meaning is not only limited to an application program (a software program that runs on the computer) like it is nowadays understood often as an App (thanks to Smartphone and tablet vendors), it also includes the usage, practice and/or operations of a pharmaceutical process within a pharmaceutical system (not only IT-System), which together fulfil certain GMP functionalities. So if a client is asking us: Can you help us to validate our ERP System? (as simple example) the question itself is basically wrong. The GMP related activities, supported by the application on the basis of e.g. the ERP system s functions and the operations within the pharmaceutical quality system should be validated. Most of the implementation and validation projects are purely based on a direct relation to one single IT system, instead of an application basis surrounded by trained operators, qualified environments, etc. which should be validated holistically. The goal of a risk-based, efficient validation approach is to validate the application (usage) of computerised system(s), which are used as part of GMP regulated activities. Hence one of the initial questions is which regulated activities (processes) are executed by a system (application) and what is the output (documents, records) and will the output/record be on paper or electronically. What and where the master document is required by GMP (e.g. Batch Processing Record for EU or Batch production and control records for US-FDA) and should it be signed (ref. to GMP rules stating should be approved / signed etc.). Just by starting on a (wrong) limited system-based question it might be impossible to drive a risk-based approach, on the basis of the real pharmaceutical processes and regulatory requirements.

2 If we then do check the ERP system functions (modules) as a basis, a lot of questions or open issues may arise: Will the Qualified Person release batches in the system electronically, and if so, by an electronic signature and which type? Are quality control functions included, e.g. for goods receipt or sampling? Are suppliers listed and qualified is it possible to approve them by the quality department? Will labels be printed by the system? What about material flow control in production, document / records management, electronic batch records, and/or warehouse management module in ERP included or with interfaces to sub-systems and so on... It might be stated that even if computer systems have been validated, such systems or so called IT solutions still didn t operate correctly for the GMP intended use, also all system functions were successfully tested! This is the reason why Annex 11 states that the application should be validated. Today there is a wild mix-up of widely used terms like computer (system) validation, part 11 compliance, ERES compliance, IT validation, and other bizarre constructions of words and definitions. Let s agree on: Applications (in the correct meaning) should be validated. By the way that applications can t be validated, if the controlled processes are not defined, known, or validated. Secondly Annex 11 states that IT Infrastructure should be qualified (not validated). This is based on the basic principles of a (simplified) two layer model, where applications (the software parts) are run on the IT infrastructure (network) layer; if operated that way, otherwise stand-alone solutions should be validated. The so called IT infrastructure consists of two parts: The technical hardware and software (e.g. servers, network, middleware, etc.) and the IT service management processes (e.g. IT change control, security, etc. according ITIL). This was in 2011 not a new idea by Annex 11 this is the approach by ISPE GAMP 5 since 2008 ref. software category 1 (=IT infrastructure) and categories 3 to 5 (=software). The regulatory requirement itself of the qualification of the IT Infrastructure was basically new, compared with the Annex 11 from 1993, but it does reflect the current state-of-the-art of science and technology and the reality of today s operations. To make it short: Annex 11 (revision 2011) is the best rule in place for the topic of computerized systems used in the GMP (or GxP) environment(s). Also Annex 11 provides clear and transparent regulatory requirements and results in a practical approach or methodology for compliance of computerised systems. But just the difference between system validation and applications / IT infrastructure is still not fully understood or implemented by the industry. Also this might be required and would be extremely beneficial on the basis of new quality paradigms (modern PQS), process validation concepts (QbD) and Quality Risk -Management (QRM), cost-savings or quality improvements are still searched in wrong areas and places or with wrong approaches (e.g. cloud computing, outsourcing, etc.).

3 What s new and updated in 2012 or 2013? In 2012 EMA published revision 3 of GMP Chapter 1 and renamed it to Pharmaceutical Quality Systems (ref. ICH Q10) and Chapter 7 Outsourced Activities. The deadline for coming into operation of both chapters is 31 st January The regulatory requirements for process validation and/or qualification have also been updated in Europe and the US. Also the requirements for GDP will be updated and will have an impact on the approach for computerised systems GMP Annex 11 does apply in Europe. The Pharmaceutical Inspection Convention (PIC) and the Pharmaceutical Inspection Cooperation Scheme (PIC Scheme) short PIC/S updated the GMP Guide, including PE (Annexes) Version 10! The revised PIC/S GMP Guide will enter into force on 1 January The PIC/S members can be found at: European Medicine Agency (2011): EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines - Annex 11 revision January 2011 Ref: The new PIC/S GMP Guide is referencing to the revision 2011 of Annex 11 ( The application should be validated; IT infrastructure should be qualified. ). It might be interesting how each of the PIC/S members will implement and interpret this mind change. For example, the US FDA is a PIC/S member and one of their widely know predicate rules is 21 CFR Part 11 for electronic records and signatures. By the way: Trying to compare Annex 11 with Part 11 results is a systematic and logical error It will be interesting to know how the interpretation will be in 2013! European Medicine Agency EudraLex - Volume 10 Clinical trials guidelines (GCP): The EMA did a very good job with the Annex 11 for GMP. What happened in parallel in GCP Volume 10 in 2008? The GCP Annex III (one-pager) just links to the PIC/S Guidance on Good Practices for Computerised Systems in Regulated GXP Environments (PI011-3 from 2007) maybe a too short or incomplete reference. Now PI011-3 is in general a GMP inspection guidance document and was created on the old Annex 11 (1993) and on the basis of ISPE GAMP 4 (2002) this guidance document should be updated by PIC/S. An update or correction of this reference in Volume 10 by the EMA would be required or useful. With some exception or modifications the modern Annex 11 requirements might be referenced or used as a basis. Irrespective of the current softish requirements we validate GCP applications and qualify the IT Infrastructure. European Medicine Agency EudraLex - Volume 9 A + B - Good Pharmacovigilance Practices (GVP) Volume 9B from October 2011: According EMA this legislation is the biggest change to the regulation of human medicines in the European Union (EU) since The European Medicines Agency is progressing with the implementation of the electronic submission of information on medicines.

4 However the requirements for computer system validation are on a very low level and it seems that primarily the technical aspects are in focus of the GVP regulations. Maybe this setup is similar as to ectd (ref. EuraLex Volume 2B respectively ICH M2), where it is hard to find a rational or clear regulatory requirement to validate related applications or systems, but with no doubt a validated application should perform these GVP or ectd actions. Most of the companies using such applications are coming from the GMP area and are aware of the need for validating such solutions. Also compared with the innovative GMP Annex 11, the statement given in Volume 9B (October 2011) that [GVP] should be provided including a statement regarding the validation status of the database systems, this seems to be a return to the Dark Ages of computer system validation and quality risk management. Beside a most probably written statement (not even a validation report) of the validation status of a database system, whatever logical definition of such used terms may apply; this Volume is suggesting a staged test procedure for GVP applications. This is really nothing new or groundbreaking and not providing a tiny value to a validated application during operations and usage. However, in a professional understanding, GVP and ectd applications should be validated and the IT infrastructure qualified. Remark: GVP as a term is relatively new and the ISPE GAMP 5 Guide (2008) states that it covers the areas of GMP, GCP, GLP and medical devices (with exception of software embedded in devices) GVP is missing. US-FDA 21 CFR Part 11 (1997) Electronic Records / Electronic Signatures: First it should be noted that this rule is not named to a title like computer system validation or computerised systems like the EU Annex 11. It is about Electronic Records and Signatures. The first requirement in 21 CFR Part 11 (ref a) requires Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records as a general basis. Validation of processes (and related systems, equipment etc.) is already required in the predicate rules for e.g. GMP (Part 210/211) or medical devices (Part 820) and so on. Let s have a look also in the history book: 21 CFR Part 11 was written in 1993 and the final rule was effective in It also seems that Part 11 was created to demand a very high level of compliance with electronic records and signatures. In deed in 1993 we all had different ideas or expectations to electronic systems and basically this was the time when Mr. Spock and Captain Kirk and others were showing us some fantastic options some that we are even using today with our mobile phones. From 1997 to 2003 the pharmaceutical industry spent millions of Euros and Dollars to comply with 21 CFR Part 11, but with only little results and improvements. Since the publication of 21 CFR Part 11 in 1997, FDA has issued or announced a great number of Draft Guidance for Industry documents as interpretation aid. However, rather than facilitating the implementation of 21 CFR Part 11, these documents have shown the tendency to make it even more difficult. For example there was a Guidance for Industry Validation naming Internet Validation and other topics for several validation approaches and references (ref.

5 It seemed like a small revolution by the industry when ISPE published a White Paper named to - Risk-Based Approach to 21 CFR Part 11 stating: Without careful interpretation, however, the requirements can lead to over-engineered solutions that adversely impact the productivity of the industry without providing added benefit to patient health. The idea was to follow a top-down approach ( is it a GxP record? ), rather than a bottom-up approach ( is it an electronic record? ). This ISPE White Paper from February 2003 was answered by the FDA quickly in August 2003 with a document: Guidance for Industry - Part 11, Electronic Records; Electronic Signatures Scope and Application. This Guidance document stated that the FDA is re-examining part 11 as it applies to all FDA regulated products and announced the withdrawal of several draft guidance for industry on part 11. However this re-examination is still ongoing (from 2003 to 2013) and in 2010 (when Annex 11 was about to be published), there was only a brief announcement that the FDA will be conducting a series of inspections in an effort to evaluate industry s compliance and understanding of Part 11 in light of the enforcement discretion described in the August Today it seems that Part 11 was getting a second, refreshed impulse by the Annex 11 (revision 2011), which is basically not correct or appropriate. Maybe this happens just because the same number 11 is in both names. Even it seems to be funny or bizarre, that companies are trying again to implement Part 11 compliance with the bottom-up approach, in the meaning of following a system-based validation methodology instead of a correct records-based approach (quality risk management / application). What might happen in 2013? Knowing that the US FDA obtained the full PIC/S Membership in 2011 and with the PIC/S GMP Guide, effective 1 st January 2013 (ref. PE ), the Annex 11 revision 2011 might be also applicable for the US FDA. It will be interesting what will happen and how the agency will implement it (or not). And any news/updates on part 11 to expect we don t think so. Japan PMDA (2010) Guideline for computerized systems: Let s go to the regulations of the Pharmaceuticals and Medical Devices Agency, Japan. In October 2010 the PMDA published a guideline for computerized systems: Guideline on Management of Computerized Systems (ref. This Guideline has really deserved its name as guideline, which guides the reader through the entire validation process like a SOP document. Especially Appendix 1 is showing a practicable picture of a modified V-model including several stages and Appendix 2 is based on ISPE GAMP 5. Basically Annex 11 from Europe might serve as the predicate rule (requirements) and this document as the implementation guide (how-to). The Q&A document related to this Guideline states, that Appropriate alternative approaches, includes guidelines equivalent to the major guidelines in Western countries, such as ISPE GAMP guide and PIC/S Good Practices for Computerized Systems in Regulated GXP Environments, may be applicable also again the problem with the required update of PIC/S PI011-3 in mind.

6 Australia GMP TGA Therapeutic Goods Administration Australian TGA is a PIC/S Member and referencing on its web-site to PE Annexes ( and not to the current PE including Annex 11 revision It might be understood that the current revision is valid and the web-site just needs an update. Also the TGA presentation in June 2012 is very interesting: The new Annex 11 might help in future inspections. Canada GMP - Health Canada - PE (Annexes) - April 2007 Canadian Health Products and Food Branch Inspectorate (HPFBI) is a PIC/S Member and referencing on its web-site to PE Annexes ( and not to the current PE including Annex 11 revision It might be understood that the current revision is valid and the web-site just needs an update. Conclusion: The PIC/S PE (Annexes) to the PIC/S GMP Guide will enable PIC/S members to reference to the Annex 11 and its requirements: The application should be validated; IT infrastructure should be qualified. The revised PIC/S GMP Guide came into force on 1st January The PIC/S Guidance PI (2007) requires an update in 2013 to the PIC/S GMP Guide anyway. There is no ICH Quality Guideline in place for computerised systems, e.g. like for the topics of quality risk management or quality systems. Maybe this is not really required in practical terms and already covered by current PIC/S guides and by the ISPE GAMP standard, such an ICH integration might be useful for regulatory or legal conditions. Is Annex 11 applicable as a global regulatory standard requirement? China plans in 2013 to comply with the EU GMP guidelines PIC/S GMP is referencing to the European annexes. And Annex 11 is a well-balanced, up-to-date, and transparent rule for computerised systems. And also mentioning ISPE GAMP 5 and different GAMP Good Practice Guides like IT Infrastructure Control and Compliance or A Risk-Based Approach to Operation of GxP Computerized Systems : GAMP 5 is often misunderstood as a regulatory requirement or rule; it is in deed THE globally accepted standard for risk-based validation of computerised systems.

7 Validation: Last but not least: What does validation mean? Sometimes persons try to discuss about the validation efforts or needs for specific systems. Is this really the right question to ask if a system should be validated or not? If a system is used as part of GMP regulated activities, the application should be validated and the IT infrastructure qualified, according Annex 11. This might also apply not only to GMP, also to GCP, GLP, GDP, and GVP and to medical devices (all covered by the term: GxP). If a system is not used as part of GxP regulated activities, the application does not need to be validated and the IT infrastructure not qualified. So what is the difference between a validated and a not-validated system or application? Validation is often defined to establish documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality attributes. GMP (or GxP) compliance is based on the risk-based analysis of impacts on product quality, process control or quality assurance (patient and product safety) these are covered and demanded by the definition of regulated activities in the related predicate rules. Performing a validation is resulting in validation documents and records ( documented evidence ), which might be seen wrongly as additional efforts only for validation. But irrespective if a system / application should be validated or not, both implementations will follow a pre-defined system- and record life cycle according best practice standards. The project management will be based on e.g. PMI PMBOK or Prince2 or similar standards, user requirements (requirements engineering and management) and functional specifications / configurations will be documented, possible suppliers and vendors will be evaluated and qualified, a licence or service contract and quality agreement will be approved, software will be developed according CMMI or similar standards and applicable methods, installation and testing will be professionally performed, user acceptance tests recorded, users and administrators trained, IT service management performed according ITIL or similar standards, and so on. Is there really a difference between performing validation and professional best practice methods execution? And following best practice methods correctly will require also the creation of project records (delivery plans and proof of delivery and execution). No, there is basically no difference. If a computerised system / application is not required to be validated, nobody in an organisation will create ideas not to define requirements, not to proof the correct coding and installation, not to test the application before go-live, not to train the users and not to manage the operational phase of the system to reduce efforts.