docSynopse: EU-GMP- Leitfaden Annex 11 - GMP
download 
Denúncia Transcrição
Synopse: EU-GMP- Leitfaden Annex 11 - GMP
LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag Synopse: EU-GMP- Leitfaden Annex 11 Computerised Systems Am 3. Januar 2011 wurde die neue Fassung des Annex 11 „Computerised Systems“ durch die Europäische Kommission freigegeben. Der Annex wurde überarbeitet, weil heute Computersysteme aus der pharmazeutischen Herstellung nicht mehr wegzudenken sind. Zusätzlich wurden die Systeme kontinuierlich komplexer. Die neue Fassung zeigt, dass die Behörden mittlerweile den risikobasierten Ansatz überall favorisieren und aus dem heutigen Qualitätsmanagement nicht mehr wegzudenken ist. Der neue Anhang 11 ist völlig neu und mit der Vorversion kaum mehr zu vergleichen. Dennoch haben wir den Versuch gestartet, die beiden Versionen in einer Synopse gegenüber zu stellen. Dies macht es ein wenig leichter die Neuerungen zu erkennen. Legende: Gelb unterlegte Paragraphen wurden überarbeitet oder neu hinzugefügt. Unterstrichene Passagen wurden ggü. der Vorversion neu hinzugefügt. Durchgestrichene Passagen in der Vorversion sind in der neuen Version nicht mehr zu finden. EudraLex The Rules Governing Medicinal Products in the European Union Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems Version Januar 2011 Version 1997 Legal basis for publishing the detailed guidelines: Article 47 of Directive 2001/83/EC on the Community code relating to medicinal products for human use and Article 51 of Directive 2001/82/EC on the Community code relating to veterinary medicinal products. This document provides guidance for the interpretation of the principles and guidelines of good manufacturing practice (GMP) for medicinal products as laid down in Directive 2003/94/EC for medicinal products for human use and Directive 91/412/EEC for veterinary use. http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 1 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag Status of the document: revision 1 Reasons for changes: the Annex has been revised in response to the increased use of computerised systems and the increased complexity of these systems. Consequential amendments are also proposed for Chapter 4 of the GMP Guide. Deadline for coming into operation: 30 June 2011 1997 Principle Principle This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities. The introduction of computerised systems into systems of manufacturing, includingstorage, distribution and quality control does not alter the need to observe the relevant principles given elsewhere in the Guide. Where a computerised system replaces a The application should be validated; IT infra- manual operation, there should be no resulstructure should be qualified. tant decrease in product quality or quality assurance. Where a computerised system replaces a manual operation, there should be no resul- Consideration should be given to the risk of tant decrease in product quality, process losing aspects of the previous system which control or quality assurance. There should could result from reducing the involvement of be no increase in the overall risk of the proc- operators. ess. General 1. Risk Management Risk management should be applied 5. The software is a critical component of a throughout the lifecycle of the computerised computerised system. The user of such system taking into account patient safety, software should take all reasonable steps to http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 2 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag data integrity and product quality. As part of ensure that it has been produced in accora risk management system, decisions on the dance with a system of Quality Assurance. extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system. 2. Personnel Personnel There should be close cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. 1. It is essential that there is the closest cooperation between key personnel and those involved with computer systems. Persons in responsible positions should have the appropriate training for the management and use of systems within their field of responsibility which utilises computers. This should include ensuring that appropriate expertise is available and used to provide advice on aspects of design, validation, installation and operation of computerised system. 3. Suppliers and Service Providers 3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous. 18. When outside agencies are vide a computer service, there formal agreement including a ment of the responsibilities of agency (see Chapter 7). used to proshould be a clear statethat outside 3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment. 3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 3 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag regulated users to check that user requirements are fulfilled. 3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request. Project Phase 4. Validation Validation 4.1 The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their risk assessment. 2. The extent of validation necessary will depend on a number of factors including the use to which the system is to be put, whether the validation is to be prospective or retrospective and whether or not novel elements are incorporated. Validation should be considered as part of the complete life cycle of a computer system. This cycle includes the stages of planning, specification, programming, testing, commissioning, documentation, operation, monitoring and modifying. 4.2 Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process. 4.3 An up to date listing of all relevant sys- 4. A written detailed description of the systems and their GMP functionality (inventory) tem should be produced (including diagrams should be available. as appropriate) and kept up to date. It should describe the principles, objectives, security For critical systems an up to date system measures and scope of the system and the description detailing the physical and logical main features of the way in which the comarrangements, data flows and interfaces with puter is used and how it interacts with other other systems or processes, any hardware systems and procedures. and software pre-requisites, and security measures should be available. http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 4 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag 4.4 User Requirements Specifications should describe the required functions of the computerised system and be based on documented risk assessment and GMP impact. User requirements should be traceable throughout the life-cycle. 4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately. 4.6 For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system. 4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy. 7. Before a system using a computer is brought into use, it should be thoroughly tested and confirmed as being capable of achieving the desired results. If a manual system is being replaced, the two should be run in parallel for a time, as a part of this testing and validation. 4.8 If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process. Operational Phase 5. Data Computerised systems exchanging data electronically with other systems should in- http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 5 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag clude appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks. 6. Accuracy Checks For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a second operator or by validated electronic means. The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management. 6. The system should include, where appropriate, built-in checks of the correct entry and processing of data. 9. When critical data are being entered manually (for example the weight and batch number of an ingredient during dispensing), there should be an additional check on the accuracy of the record which is made. This check may be done by a second operator or by validated electronic means. 7. Data Storage 7.1 Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period. 3. Attention should be paid to the siting of equipment in suitable conditions where extraneous factors cannot interfere with the system. 7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. 14. Data should be protected by backing-up at regular intervals. Back-up data should be stored as long as necessary at a separate and secure location. 13. Data should be secured by physical or electronic means against wilful or accidental damage, in accordance with item 4.9 of the Guide. Stored data should be checked for accessibility, durability and accuracy. If changes are proposed to the computer equipment or its programs, the above mentioned checks should be performed at a frequency appropriate to the storage medium being used. http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 6 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag 8. Printouts 8.1 It should be possible to obtain clear 12. For quality auditing purposes, it should printed copies of electronically stored data. be possible to obtain clear printed copies of electronically stored data. 8.2 For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry. 9. Audit Trails Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMPrelevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed. 10. The system should record the identity of operators entering or confirming critical data. Authority to amend entered data should be restricted to nominated persons. Any alteration to an entry of critical data should be authorised and recorded with the reason for the change. Consideration should be given to building into the system the creation of a complete record of all entries and amendments (an "audit trail"). 10. Change Chan and Configuration Management Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure. 11. Alterations to a system or to a computer program should only be made in accordance with a defined procedure which should include provision for validating, checking, approving and implementing the change. Such an alteration should only be implemented with the agreement of the person responsible for the part of the system concerned, and the alteration should be recorded. Every significant modification should be validated. http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 7 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag 11. Periodic evaluation Computerised systems should be periodi- 17. A procedure should be established to cally evaluated to confirm that they remain in record and analyse errors and to enable cora valid state and are compliant with GMP. rective action to be taken. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports. 12. Security 12.1 Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas. 8. Data should only be entered or amended by persons authorised to do so. Suitable methods of deterring unauthorised entry of data include the use of keys, pass cards, personal codes and restricted access to computer terminals. There should be a defined procedure for the issue, cancellation, and alteration of authorisation to enter and amend data, including the changing of personal passwords. Consideration should be given to systems allowing for recording of attempts to access by unauthorised persons. 12.2 The extent of security controls depends on the criticality of the computerised system. 12.3 Creation, change, and cancellation of access authorisations should be recorded. 12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time. 13. Incident Management http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 8 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions. 14. Electronic Signature Electronic records may be signed electronically. Electronic signatures are expected to: a. have the same impact as hand-written signatures within the boundaries of the company, b. be permanently linked to their respective record, c. include the time and date that they were applied. 15. Batch release When a computerised system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature. 19. When the release of batches for sale or supply is carried out using a computerised system, the system should allow for only a Qualified Person to release the batches and it should clearly identify and record the person releasing the batches. 16. Business Continuity For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be 15. There should be available adequate alternative arrangements for systems which need to be operated in the event of a breakdown. The time required to bring the alternative arrangements into use should be related to the possible urgency of the need to use them. For example, information required to http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 9 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag based on risk and appropriate for a particular effect a recall must be available at short nosystem and the business process it supports. tice. These arrangements should be adequately 16. The procedures to be followed if the sysdocumented and tested. tem fails or breaks down should be defined and validated. Any failures and remedial action taken should be recorded. 17. Archiving Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested. Glossary Application: Software installed on a defined platform/hardware providing specific functionality Bespoke/Customized computerised system: A computerised system individually designed to suit a specific business process Commercial of the shelf software: Co Software commercially available, whose fitness for use is demonstrated by a broad spectrum of users. IT Infrastructure: The hardware and software such as networking software and operation systems, which makes it possible for the application to function. http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 10 LOGFILE Nr. 2 / Januar 2011 Maas & Peither AG – GMP-Verlag Life cycle: All phases in the life of the system from initial requirements until retirement including design, specification, programming, testing, installation, operation, and maintenance. Process owner: The person responsible for the business process. System owner: The person responsible for the availability, and maintenance of a computerised system and for the security of the data residing on that system. Third Party: Parties not directly managed by the holder of the manufacturing and/or import authorisation. Die Synopse wurde erstellt durch: Maas & Peither AG, GMP-Verlag Karlstrasse 2, 79650 Schopfheim, Deutschland 13. Januar 2010 EU-GMP-Leitfaden Ringordner + CD-ROM Preis Seiten ISBN 98,- € zzgl. MwSt. 650 978-3-934971-24-0 Weitere Infos unter www.gmp-verlag.de/de/gmp-spezial.html http://www.gmp-verlag.de © 2011 Maas & Peither AG – GMP-Verlag, Deutschland, alle Rechte vorbehalten Seite 11
