1st Edition

EU Annex 11 Guide to Computer Validation Compliance for the Worldwide Health Agency GMP

By Orlando Lopez Copyright 2015
    379 Pages 22 B/W Illustrations
    by CRC Press

    Good Manufacturing Practice (GMP) ensures medicinal products are produced consistently and controlled to the quality standards appropriate for their intended use and as required by product specifications or marketing authorization. Annex 11 details the European Medicines Agency (EMA) GMP requirements for computer systems.

    The purpose of Annex 11 is to provide the EMA healthcare industry with consistent criteria for effective implementation, control, and use of computer systems. EU Annex 11 Guide to Computer Validation Compliance for the Worldwide Health Agency GMP supplies practical information to facilitate compliance with computer system GMP requirements, while highlighting and integrating the Annex 11 guidelines into the computer compliance program.

    The ideas presented in this book are based on the author’s 25 years of experience with computer validation in the healthcare industry with various computer systems development, maintenance, and quality functions. The book details a practical approach to increase efficiency and to ensure that software development and maintenance are achieved correctly.

    Examining the implementation of the computer systems validation entirely based on EU Annex 11, the book includes examples from laboratory, clinical, and manufacturing computer systems. It also discusses electronic record integrity associated with stored information.

    Introduction
    References

    SLC, Computer Validation, and Annex 11
    Life-Cycle Principles
    References

    Annex 11 Principles
    Analysis
         Principle 1
         Principle 2
         Principle 3
    References

    Risk Management

    EU Annex 11-1, General
    Related References
    Analysis
    Risk Assessment
    Risk Mitigation
    Risk Evaluation
    Risk Monitoring and Control
    Approach
    Summary
    References

    Personnel
    EU Annex 11-2, General
    Analysis
    References

    Suppliers and Service Providers
    EU Annex 11-3, General
    Analysis
         Acquisition Process
         Supply Process
    References

    Validation
    EU Annex 11-4, Project Phase
    Analysis
    Computer Systems Validation
    Primary Life-Cycle Processes
         Acquisition Process
         Supply Process
         Development Process
         Operation and Maintenance Processes
    References

    Data; R.D. McDowall
    EU GMP Annex 11-5, Operational Phase
    Introduction
    Impact of Other Sections of Annex 11
    Preserving the Content and Meaning of Data
    Some Data Transfer Options
    Manually Driven Electronic File Transfers
         Copy and Paste/Drag and Drop Electronic Transfers
    Ensuring Data Integrity
    Automatic Methods of Electronic Data Transfer
    Data Migration Issues
    Validation Considerations for Data Transfer
    Reference

    Accuracy Checks
    EU Annex 11-6, Operational Phase
    Analysis
    Accuracy Checks Performed by Computer Systems
    Reference

    Data Storage
    EU Annex 11-7—Operational
    Analysis
    Inputs and Outputs
    Storage
    Retention
    References

    Printouts
    EU Annex 11-8, Operational Phase
    Analysis

    Audit Trails—Ensuring Data Integrity; R.D. McDowall
    EU GMP Annex 11-9, Operational
    Introduction
    Relationship of Clause 9 to Other Sections in EU GMP
    Chapter 4: Documentation Essentials
    Security Section Clause 12.4
    Annex 11 Audit Trail Requirements
    Additional Audit Trail Requirements
    Reference

    Change and Configuration Management
    EU Annex 11-10, Operational Phase
    Other References
    Analysis
    Types of Maintenance
    Data Migration
    Retirement (If Applicable)
    References

    Periodic Evaluation: Independent Review to Ensure Continued Validation of Computerized Systems; R.D. McDowall
    EU Annex 11-11, Operational Phase Analysis
    Overview of a Periodic Review
    Objectives of a Periodic Review
    Reviewer Skills and Training
    How Critical Is Your System?
    When to Perform a Review?
    Types of Periodic Review
    Writing the Periodic Review Plan
    Preparation for a Periodic Review
    Activities during the Periodic Review
    Who Is Involved and What Do They Do?
    Review of the Last System Validation
    Reviewing Requirements: Role of Traceability
    Other Areas for Review
    Operational Review
    IT Department Involvement
    Reviewer’s Closed Meeting
    Observations, Findings, and Recommendations
    Closing Meeting
    Documenting the Periodic Review
    References

    Security
    EU Annex 11-12, Operational Phase
    Related References
    Analysis
    Physical Security
    Network Security
    Applications Security
    Database Security/Integrity
    References

    Incident Management
    EU Annex 11-13, Operational Phase
    Analysis
    Process Equipment Related Malfunction
    Software/Infrastructure Component Malfunction
    Incorrect Documentation or Improper Operation
    Emergency Incidents
    References

    Electronic Signatures: Electronic Signing Requirements; R.D. McDowall
    EU GMP Annex 11-14, Electronic Signatures
    Introduction
    Interpretation of Annex 11 Electronic Signature Regulations
    Impact of Annex 11 Electronic Signature Requirements on Software Design
    References

    Batch Certification and Release; Bernd Renger
    EU Annex 11-15, Operational Phase
    Related References
    Introduction
    Legal and Regulatory Background
    The Qualified Person
    Certification, Confirmation, and Certificates
    IT Systems and QP Certification/Confirmation
    The QP Relying on the Pharmaceutical Quality System
    Control of Batch Release

    Business Continuity

    EU Annex 11-16–Operational
    Introduction
    Analysis
    Business Continuity Plan
    Reference

    Archiving
    EU Annex 11-17–Operational
    Analysis
    Method of Archival
    Retirement
    References

    SLC Documentation
    Related References
    Analysis
    Summary
    References

    Relevant Procedural Controls
    Introduction
    Reference

    Maintaining the Validated State in Computer Systems
    Introduction
    Operational Life
    Operation Activities
    Maintenance Activities
    Summary
    References

    Annex 11 and the Cloud; R.D. McDowall and Yves Samson
    Overview of the Chapter
    EU GMP Annex 11
    Legal Requirements
         Data Privacy
         Intellectual Property
         Physical Location of the Server
    Summary of GXP and Legal Requirements
    What is Cloud Computing?
    Customer Requirements for Cloud Computing
    Cloud Service Models
    Cloud Services Delivery Modes
    Managing and Mitigating Regulatory Risk
    SaaS Service Cloud Options
         Single or Multi-Tenant Options
    Requirements for Compliant IT Infrastructure
    IT Infrastructure Elements
    Service Providers: Requirements for Audits and Agreements
    Auditing a Cloud Provider
    Audit Objectives
    What Are We Auditing Against?
    Does ISO 27001 Certification Provide Compliance with GXP Regulations?
    Methods of Auditing a Supplier
         Questionnaire
         Questionnaire plus Follow-Up
         Questionnaire Plus On-Site Audit
    How to Select an IT Service Provider
         Stage 1: Review Provider Websites
         Stage 2: Remote Assessment of the Quality Management System (QMS)
         Stage 3: On Site Audit of the Service Provider
    What Do We Need in an Agreement?
    Contract Management: How to Write a Contract
    Operation and Monitoring Phase
    References

    EU GMP Chapter 4–Documentation and Annex 11; Markus Roemer
    Introduction
    Overview EU GMP Chapter 4 Documentation
    Documentation—Basic Setup and Requirements
    Paper versus Electronic Records
    What Is a Computerized System?
    What Is Software?
    What Is Data?
    Timelines and Life Cycles
    And Again Something about Audit Trails
    Quality of Decisions
    Data Rich—Information Poor (DRIP)
    GMP Datability
    Validation and Data Integrity

    Annex 11 and Electronic Records Integrity
    Introduction
    Data Integrity
    Annex 11 Erecs Integrity Basis
    Annex 11 Erecs Integrity Approach
    Conclusion
    References

    Annex 11 and 21 CFR Part 11: Comparisons for International Compliance

    Introduction
    Comparing the 11s
    Electronic Signatures
         11.50(a)(1) and (3); 11.50(b) 
         11.100(c)(1) and (2) 
         11.200(a)(1)(i) and (ii); 11.200(a)(3); 11.200(b) 
         11.300
    Controls for Closed Systems
         Validation (11.10(a)) 
         The Ability to Generate Accurate, Complete Copies of Records (11.10(b)) 
         Protection of Records (11.10(c) and (d)) 
         Use of Computer-Generated, Time-Stamped Audit Trails (11.10(e), (k)(2) and Associated Requirements in 11.30) 
         Use of Appropriate Controls over Systems Documentation
         System Access Be Limited to Authorized Individuals (11.10(d), (g) and (h))
    Conclusion
    References

    Appendices:

    Computerized Systems
    Glossary of Terms
    Abbreviations and Acronyms
    Crosswalk Between EU Annex 11 and US FDA–211, 820, 11; Other Guidelines and Regulations
    Case Study SCADA and Annex 11
    References

    Biography

    Orlando López

    E-records Integrity SME

    Durham North Carolina USA

    Orlando Lopez has significant understanding and experience with worldwide regulatory authorities regarding CSV, e-records integrity, and related requirements/guidelines related to Production Manufacturing Systems, IT Systems, Analytics, and Business Intelligence.

    He has knowledge and experience in the development of governance and SLC deliverables. Wrote and deployed CSV methodology to computer infrastructure J&J worldwide. Several times he had re-engineered the computer validation methodology to regulated companies.

    Orlando Lopez has experience with direct participation in FDA agency remedial action plans, regulatory inspections, response activities, and consent decree remediation related verifications.

    He is published in the Encyclopedia of Pharmaceutical Science and Technology, 4th Edition - Chapter 56 Computer Systems Validation (Taylor & Francis Group, LLC) and had written 25+ publications, including 9 computer compliance related books - amazon.com/author/orlandolopez/

    Familiar with gap assessment, remediation planning and remediation execution activities.