Since 30 June 2011 the industry has to implement all requirements of Annex 11 "Computerised Systems" of the EU GMP Guideline. Within the context of the Conference on Computer Validation from 8 - 9 June 2011 in Mannheim, inspectors and industry experts have answered questions concerning the 17 chapters of Annex 11. You will find questions and answers on chapter 3 "Suppliers and Service Provider" below - answers were provided by Klaus Eichmüller, Regierung von Oberbayern (Local Administration of Upper Bavaria) and Dr. Jörg Schwamberger, Merck KGaA.
3. Suppliers and Service Providers
Annex 11 states: "3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.
3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.
3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request."
(Q) Why do inspectors want to see the supplier's audit reports? Doesn't this contradict the confidentiality agreements with the suppliers?
(A) Without the opportunity to inspect the activities concerning qualification of suppliers, inspectors may not be able to fully evaluate whether due care was applied. In principle, confidentiality agreements are subordinated legally to the relevant legislative provision. Nevertheless, it is recommended that the confidentiality agreements are adjusted accordingly. Apart from that, inspectors are bound by an obligation of secrecy ex officio.
(Q) Which points should be taken into account from the inspectors' point of view when evaluating suppliers?
(A)When evaluating suppliers it has to be ensured in general that the supplier's suitability for the task to which he is to be entrusted, is evaluated as well as his ability to accept responsibility for this task.
(Q) Are there requirements concerning the auditing of sub-suppliers?
(A) Sub-suppliers (= external suppliers, sub-contractors) must not be audited separately by the contractor if it can be ensured that the principle supplier has laid down regulations ensuring the quality of his suppliers and that these regulations are demonstrably used. The relevant revisions must be documented. The contractor's evaluation should include the ability of the supplier to evaluate the suppliers on his part.
(Q) What demands on user requirements are put on COTS (commercial off-the shelf) products?
(A) Insofar as COTS- products are used for GMP- regulated tasks, their suitability must be demonstrated accordingly within the context of validation. In doing so, the user requirement should define the intended purpose in the company.
(Q) What formal requirements exist concerning the choice of a supplier? Must the choice be documented and justified?
(A) The choice of a supplier must be documented and his suitability demonstrated by means of compliance with the pre-requisites in the user requirements.
(Q) Does the external supplier/internal IT have to have his/its own QMS? If so, what requirements does this QMS need to fulfil?
(A) If it is ensured that the external supplier/internal IT works according to the customer's regulations, the external supplier does not need his own QMS. It is recommended that this is possibly laid out in a contract and supported among other things by way of respective training. Otherwise the supplier is obliged to maintain a QMS that is demonstrably suitable for his activities.
You will find more questions and answers with regard to chapter 4 in the next GMP Newsletter. Questions and answers from chapter 5 to 17 will be published in the coming issues of the GMP Journal.
The new Annex 11 "Computerised Systems" is the main topic of the "ECA Computer Validation Conference - The new annex 11" from 15-16 May 2012 in Copenhagen. 5 European inspectors and 7 industry representatives will discuss the consequences for the European healthcare industry.