Computerised systems – EU GMP Annex 11
1. Appropriate controls for electronic documents such as templates should be implemented. Are there any specific requirements for templates of spreadsheets? H+V February 2011
Templates of spreadsheets help to avoid erroneous calculations from data remaining from previous calculations. They should be suitably checked for accuracy and reliability (annex 11 p7.1).
They should be stored in a manner which ensures appropriate version control (chapter 4 p4.1).
2. What type of accuracy checks (annex 11 p 6) are expected for the use of spreadsheets? H+V
February 2011
Data integrity should be ensured by suitably implemented and risk-assessed controls. The calculations and the files should be secured in such a way that formulations are not accidentally overwritten.
Accidental input of an inappropriate data type should be prevented or result in an error message (e.g.text in a numeric field or a decimal format into an integer field). So-called ‘boundary checks’ are encouraged.
3. Are there any specific considerations for the validation of spreadsheets? H+V February 2011
Validation according to paragraph 4 of annex 11 is required at least for spreadsheets that contain custom code (e.g. Visual Basic for applications). Formulas or other types of algorithm should be verified for correctness.
4. What measures are required to ensure data security of databases? H+V February 2011
Data security includes integrity, reliability and availability of data. During validation of a data base or inclusive system, consideration should be given to:
- implementing procedures and mechanisms to ensure data security and keeping the meaning and logical arrangement of data;
- load-testing, taking into account future growth of the database and tools to monitor the saturation of the database;
- precautions for necessary migration of data (annex 11 p17) at the end of the life-cycle of the system.
5. At which phases of the system life-cycle is risk management recommended? H+V February 2011
Risk management should be applied throughout the whole life-cycle. A first risk assessment should be performed to determine the GMP criticality of the system, i.e. does the system have an impact on patient safety, product quality or data integrity? User-requirement specifications are usually developed with consideration of potential risks and form the basis for the first formal risk assessment.
Complex systems should be evaluated in further more detailed risk assessments to determine critical functions. This will help ensure that validation activities cover all critical functions.
Risk management includes the implementation of appropriate controls and their verification.
6. Are user requirements needed as part of the retrospective validation of legacy systems? H+V
February 2011
The way to check whether a computerised system is fit for its intended purpose is to define user requirements and perform a gap analysis to determine the validation effort for retrospective validation. These user requirements should be verified.
7. When do I have to revalidate computerised systems? H+V February 2011
Computerised systems should be reviewed periodically to confirm that they remain in a validated state. Periodic evaluation should include, where applicable, the current range of functionality,deviation records, change records, upgrade history, performance, reliability and security. The time period for revaluation and revalidation should be based on the criticality of the system.
8. What are the requirements for storage time of electronic data and documents? H+V February 2011
The requirements for storage of electronically data and documents do not differ from paper documents. It should be ensured that electronic signatures applied to electronic records are valid for the entire storage period for documents.
9. What are the relevant validation efforts for small devices? H+V February 2011
Small devices are usually off-the-shelf pieces of equipment that is widely used. In these cases, the development life-cycle is mainly controlled by the vendor. The pharmaceutical customer should therefore reasonably assess the vendor’s capability of developing software according to common standards of quality.
A vendor assessment needs to be performed and the application needs to be verified against the requirements for the intended use. From the perspective of the regulated industry, the implementation of such a device is driven by an implementation life-cycle. At minimum the following items need to be addressed:
requirement definition for the intended use including process limitations. This should also include a statement indicating whether data are stored or transferred to another system. As per the definition of a small device, data are not stored permanently but temporarily and are not to be modified by a user. Therefore, limited user access handling is acceptable. It needs to be ensured that parameter data influencing the device’s behaviour may not be altered
without suitable permission;
risk assessment, taking into consideration the intended use and the risk to patients for associated with the process supported by the small device;
vendor assessment;
list of available documentation from the vendor, especially those describing the methodology used and the calculation algorithm, if applicable. A vendor certificate or equivalent detailing the testing performed by the vendor may also be included;
calibration certificate, if applicable;
validation plan according to the risk-assessment results;
verification testing proving that the device fulfills the requirements for the intended use. It may be equivalent to a PQ-phase.
Small manufacturing devices are sometimes only equipped with microprocessors and firmware and are not capable of high-level administration functions. Moreover, data is often transient in nature in these devices. Due to the latter there is no risk of inadvertently modifying data. An audit trail is therefore not necessary and user access may be limited to those functions of parameter control.
10. What alternative controls are accepted in case a system is not capable to generate printouts
indicating if any of the data has been changed since the original entry? H+V February 2011
As long as this functionality is not supported by the supplier, it may be acceptable to describe in a procedure the fact that a print-out of the related audit trail report must be generated and linked manually to the record supporting batch release.