From 15- 17 June 1999 the European Compliance
Academy organised the European Conference on Computer Validation in cooperation with
Concept Heidelberg.
Lilian Hamilton of the Swedish supervisory authority started off with an overview of the
existing GMP requirements for computer-aided systems. In Europe the 11th Supplementary
Guideline to the EC-GMP-Guide defines requirements for computer-aided systems. In
addition, requirements for the documentation are listed in Chapter 4.9. In September 1998
the PIC/S Draft "Recommendations on Implementation, Validation and Operation of
Computerised Systems" was published. This draft refers to:
References for Relevant Standards and GMP Guides/Codes
- GAMP Guide Version 3.0 1998
- PDA Technical Report No. 18
- Relevant CFR sections
- ISO Standards
IEEE Publications
When it was submitted in December 1998 the
draft, which was to be passed on to the industry for comments, was withdrawn. At present,
owing to a change in the leadership of the PIC working group, Tony Trill of MCA is
responsible for submitting a new draft. Ms. Hamilton explained that the new PIC draft will
contain additional requirements as regards electronic signature and electronic records.
Ms. Hamilton named the following as examples for critical DP systems:
She focussed particularly on two requirements
for computer systems "Security", i.e. among other things physical security,
access control, etc. as well as "Handling and maintenance" in particular (change
control, configurations management, system descriptions, etc.). In the following she
listed the deviations most frequently found during MPA inspections:
Inspection findings
- No validation performed
- No system description
- System description not complete or updated
- Irrelevant software installed
- Temperature in computer room too high
- Cables not labelled
- Passwords not changed regularly
- No self inspections
- Diskettes not stored or handled properly
- Emergency plan eight years old and not updated
- QC/QA not involved in validation
- Not testet if data can be restored
- Routines in computer room not strict enough
- Protection against fire not sufficient
The second talk was held by J.A. Norder of the Dutch GMP supervisory authority. He also
described the existing guides and guidelines. He made special mention of GAMP and the PDA
Technical Report No. 18. Although these two industrial papers are not legally binding,
they are to be regarded as an industrial standard, since the papers were compiled by
representatives of the pharmaceutical industry. He also mentioned the British "TickIT
- Scheme and Guide" which is interesting both for users as well as for suppliers of
DP suppliers.
He then described which documents for computer validation an inspector expects. The first
document he mentioned was the validation master plan with general information including
time-table, responsibilities, references to SOPs, format of the validation plans and
protocols as well as acceptance criteria. As special requirements he mentioned the five
GAMP categories which define how extensively a specific system is to be validated. Here
the computer systems are evaluated as a function of the degree of utilisation and the
state of development of the system.
Category 5, for instance, requires "customer-specific systems" (i.e. systems
written especially for a certain customer) that these systems are to be validated and the
software manufacturer audited.
According to the two points of view of the inspectors, Dr. Schumacher of Asta Medica
presented the statements of the industry concerning the international computer validation
guidelines. He also talked about the GAMP Guide which requires in accordance with the
above categories an audit of the software suppliers for the software of stages 4 and 5.
The necessity of this audit was then discussed in detail by the participants from the
industry and the authorities. Share audits , i.e. joint audits of several companies may
surely be a way out here. Dr. Schumacher finally discussed old systems. The PIC/S draft of
1998 requires the subsequent elaboration of user requirements here. Dr. Schumacher
questioned whether this demand is of any use. He appealed therefore for this item to be
deleted when the draft is revised.
From the GMP Trends and the Gold Sheet he cited findings of MCA and FDA inspectors as
listed below:
Observations of FDA and MCA during
Inspections
- Missing system specification
- Responsibilities not defined
- User training not documented
- No systematic data backup
- Charts of data flow not existing
- No internal audits of the system by QA unit
- No documentation of deviations
The last talk of the first day was held by Dr.
J. Gill of Tanvec, UK, who has already been involved in computer validation since 1990,
also as an employee of Zeneca and Novo Nordisk. He presented the most important documents
from the Life Cycle Concept:
- System Register
- Vendor - Audit Report
- User System Requirements
- Functional specification
- System Test specification (test which proves that the software meets the functional specification)
- Validation Report
He stressed the necessity of detailed and very extensive user system requirements since
these are the foundation for the additional validation activities and it is only in this
way that one can verify whether the system does what it is supposed to do. Dr. Gill
pointed out that in old systems the life cycle concept can only be conditionally used. He
also questioned whether subsequently elaborated user requirements are really of any
benefit.
The first talk on the second day was held by Mr. Nehls from Novartis. He described the
techniques, criteria and advantages of risk analyses.
On the topic of techniques he explained that the risk areas comprise four sectors:
He recommended that, in addition to the DP
department, the user (process expert), the QA department and, if possible, the suppliers
of the systems be included in the risk analysis. Care should be taken, however, that the
team does not contain more than five persons. As regards the criteria of the risk analysis
he explained that at first the regulatory requirements must be recorded which exist for a
function, e.g. electronic signature or access protection. In addition, the frequency of
use (100 times a day or once a month) must be recorded. The "technical risks"
include, e.g. interfaces and possibly calculations carried out by the system.
Finally the "user risks" (e.g. manual data input necessary?) must be recorded.
Not forgetting the last two criteria for the risk analysis:
Consequence of the error (error impact
within the meaning of drug safety)
Business risks, i.e. what costs does a
potential error cause?
Another topic which is currently being very
strongly discussed was presented by Dr. Werling from Propack data: "Electronic
Signature and Electronic Records".
Dr. Werling presented the requirements for electronic batch protocols according to 21 CFR
Part 11 as shown below. He described these requirements by comparing the GMP requirements
with a possible implementation:
Requirements of a Batch Protocol According to FDA and EU/PIC
|