The new version of EU GMP Annex 11 brings a regulatory requirement to conduct periodic evaluations on computerised systems for the first time. This is currently best practice in the GAMP Good Practice Guide for Maintaining Validation which already contains an appendix for conducting a periodic review. In detail, clause 11 of Annex 11 mandates that "Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports". However it is not all it seems as clause 1 of Annex 11 requires that risk management be carried out throughout the life cycle and periodic reviews are no exception to this.
Having a regulation and knowing how to conduct a periodic review are two different things. To quote that great computer validation expert George Orwell: all systems are created equal but some systems are more equal than others. Therefore the driver for a periodic review needs to be based on an understanding of the risk posed by the system to patient health, product quality or the integrity of the data generated by it which is used to determine the criticality of the system and hence frequency of the periodic review. Typically periodic reviews are conducted annually or every two or three years depending on the risk level assigned. However, there can be many different computerised analytical systems so can it be feasible to conduct periodic reviews on all systems in an individual laboratory?
Therefore, a structured approach to periodic reviews is required where laboratory management working with Quality Assurance has an inventory of all computerised systems (another specific requirement of the new Annex 11) used in the laboratory, including spreadsheets that define the criticality of each computerised system. This will determine the frequency of periodic review for each level of criticality. Critical systems need to be reviewed more frequently and in more depth than minor ones and the SOP for the periodic reviews should reflect this. However is it feasible to review all systems on the inventory within a 2 - 3 year cycle or should additional risk management be applied?
The ECA course entitled Maintaining Laboratory Computer Validation will have a presentation about how to conduct periodic reviews and the principles of the lecture will be reinforced with a workshop where you will review the observations from a periodic review of a laboratory computerised system to see if there are any findings or non-compliances. If there are findings, each one needs to be classified according to severity.
Bob McDowall PhD,
Director R.D.McDowall Limited
Principal, McDowall Consulting