26-28 February 2020
GMP News No. 418
6 May 2004
ComputerValidation:Frequently Asked Questions on GMP/FDA Compliance
Current requirements on the validation of computerised systems seen againstthe background of the new PIC/S Guidance"Good Practices for Computerised Systems in Regulated 'GXP'Environments"
On the topic of computer validation, a greatnumber of regulations and guidelines were published during the past years.The most recent documents were published by the American FDA on"Electronic Records/Electronic Signatures" and by thepharmaceutical industry: "GAMP 4." Just as the FDA provides itsinspectors with interpretation guidelines in the form of the "Guidesto Inspection," PIC/S (Pharmaceutical Inspection Co-operation Scheme)also furnishes its members' inspectors with such guidelines, i.e. thePIC/S Guidances. The interpretations are based on the EU GMP Guide and,particularly, on Annex 11 "ComputerisedSystems."
In September 2003, the PIC/S Guidance "Good Practices for computerised Systems inRegulated 'GXP' Environments" came intoforce, which is primarily directed at the authorities' inspectors, butwhich also points out the state of the art and knowledge to thepharmaceutical industry and its suppliers. It is perfectly clear that theauthors of this guidance did not intend to reinvent the wheel. Theirintention was to set out in detail the state of the art and knowledge byreferencing current documents, e.g. GAMP 4 and 21 CFR Part 11.
The Guidance is divided into the 3 parts:
Above all part 3 is very interesting because it contains checklists andaide-memoires that can be used by inspectors during inspections.
Within the framework of the Computer Validation Conference 2004, thePIC/S Guidance and its interpretations by representatives of the Germansupervisory authorities were the definitive documents. Members of theGerman expert group "computerised systems" demonstrated theapplicability of this document to the most diverse partial aspects of thevalidation of computerised systems. Representatives from thepharmaceutical industry commented on this guidance and its applicabilityfrom an industry viewpoint. Here, it became clear that above all thetopics risk analysis/risk management or change management have meanwhileassumed a pivotal role in the regulations, but also in daily practice.
While the broad outlines of the correct validation of computerisedsystems have in the meantime become generally known in the industry andare also observed (especially GAMP 4 should be mentioned here as astandard), a greatnumber of partial aspects still gives rise to uncertainty as to theirimplementation. The conference also included a panel discussion, duringwhich a variety of such questions was debated.
In the following, we would therefore like to repeat some of thequestions and the respective answers given by the representatives fromauthorities and the industry.
In which intervals do systems have to be validated?
Generally, concrete intervals are not defined in the regulations,whereas an interval of 5 years is considered to be definitely too long.The companies should set their own intervals, above all with regard tochange management. In this context, a yearly assessment is recommended -e.g. within the framework of the required self-inspections - during whichthe changes are again assessed (many small changes that do not give causefor revalidation individually may in their sum be reason enough forrevalidation). In the case of major changes (e.g. an upgrade to a new SAPrelease), a revalidation must however be carried out.
Does a software supplier have to be audited at all events, or wouldit be sufficient if the supplier filled in a questionnaire which wouldthen be assessed by the QA unit?
A software supplier has to be assessed at any rate. This can bedone by means of an audit, but it is not absolutely necessary. Thequestion whether a questionnaire is sufficient should be answered by thepharmaceutical entrepreneur in dependence on the criticality of thesoftware, but also on experiences with the supplier. If the supplier"only" provides personnel working according to SOPs created bythe customer, an audit is not necessary. However, it must be proved thatthese persons have been trained.
Is it necessary to approve hardware and software suppliers formally?
A formal approval of the hardware and software suppliers is notnecessary. However, it has to be ensured that orders are placed only withsuppliers that have before been assessed and accepted.
How detailed do specifications have to be?
Specifications always define the desired quality. Therefore, they have to describe the requirements so that they can be used as thebasis for the tests. Thus, they have to be testable, i.e. the customershould be able to test whether he has received what he had ordered. Forcommercial reasons alone the customer will describe in sufficient detailwhat he expects/orders.
What is standard software? Does standard software have to bevalidated?
GAMP 4 classifies standard software as category 3 and requires for it:recording of the version (and of the environment configuration) andverification of the performance against the user requirements. Here, ithas to be determined whether the requirements laid down by the softwareprovider coincide with the customer's own requirements. In the end, a riskassessment has to decide about the question which scope of validation isnecessary (certainly the scope will be narrower than for category 4software).
Traceability matrix – what is necessary? Must an end user have a traceabilitymatrix, administrate it and validate it?
The user has to be able to show that his user requirements were checkedduring the validation. A traceability matrix is an instrument for provingthis. What is essential in this context is that the requirements can betraced from the specification via the risk analysis to the test. It should beseen as a checklist that asks whether the specified requirements have beenimplemented and where the proof can be found.
Which significance do the PIC/S Guidances have?
The PIC (Pharmaceutical Inspection Convention) was founded in 1970between the EFTA states as a treaty for the mutual recognition ofinspections of the manufacture of pharmaceutical products. Little bylittle, further European and non-European countries entered into thisagreement. Owing to the European interpretation of the law, from thebeginning of the 90s, it has not been possible any more for member statesof the European Union to become members of this convention. For this reason, the PICwas developed further to become the PIC/S in 1995 (PharmaceuticalInspection Co-operation Scheme). The PIC/S is no longer an agreementbetween states, but a less formal and more flexible co-operation between inspection authorities forthe purpose of information and experience exchange. The main basis forofficial inspections is the EU GMP Guide, and for the field of"computerised systems," Annex 11. Both of them usebasically the same wording as the respective PIC documents. With the"Good Practice Guidance," the PIC/S wants to provide theinspectors with background information and recommendations for theinspection of computerised systems. It is meant to reflect the state ofthe art and knowledge and should not hinder technological progress either.This guidance is not mandatory for the pharmaceutical industry; however,fulfilling these requirement is generally considered to be sufficient. Itis to be expected that, in the future, European inspectors will keep veryclose to the requirements of this guidance as to questions concerning theinspection of computerised systems.