Two German GMP inspectors give answers on the degree of compulsion of
regulations and of the interpretation of their requirements. The questions
concern PIC/S 011-2, risk analysis, password quality, validation of Excel®,
validation of PLCs.
Answers by Klaus Feuerhelm, District Government Tübingen, and
Karl-Heinz Menges, District Government Darmstadt. Both are members of the
German Expert Working Group "Computerised Systems" and of GAMP®
D-A-CH.
1. Is electronic documentation mandatory?
No, every pharmaceutical company can decide itself about the form of
documents it wants to use. What counts in inspections is which kind of
documentation is actually used in practice.
2. Is the PIC/S document PI 011-2 compulsory?
PI 011-2 is an internal document helping inspectors with the
interpretation of Annex 11. However, it can also be used by the industry
for self-inspection or for the preparation prior to a forthcoming official
inspection.
3. Which methodology should be applied in risk analysis?
It is left to the competent persons to choose the approach for the
individual validation projects. The method should be implemented
structurally. A list of common methods can be found in ICH Q9.
4. Are there concrete GMP requirements on password quality or password length?
Neither the EU GMP Guide nor Annex 11 contain any express references.
As a rule, one should observe the state of the art and knowledge.
Practicable recommendations on password quality and password length can be
found e.g. in ISO/IEC 17799, in PIC/S PI 011-2 or in the basic IT security
manual published by the federal German authority for security in
information technology (BSI).
5. Does Excel® have to be validated?
Excel® does not have to be validated as a complete package. Created
applications in the form of spreadsheets require, however, a more or less
extensive validation. Apart from the Excel® sheet's criticality, further
points have to be taken into account, e.g. whether Excel® solely serves as
a data acquisition system (like a typewriter), whether it is used for the
representation of numbers in a table or graph without any
calculations done, if calculations are carried out by means of formulae, or
if the spreadsheets contain macros and
complex logics.
6. Do tools for developing and testing PLC applications have to be
validated?
The GAMP® categories have decisive influence on the extent of the
validation strategy and give an indication of which software should be
validated. The GAMP® categories refer to software supporting business
processes. As a rule, tools for system development are no GxP-relevant
applications and, therefore, do not have to be validated within the
meaning of GAMP®. However, the GAMP® Guide recommends that one should have a
close look at such tools and choose them carefully. GAMP® differentiates
between these tools according to their criticality. Tools for
configuration management or testing are classified as critical. One cannot
get around assessing and verifying these tools or their suppliers.
|
