Since 30 June 2011 the industry has been to implement all requirements of Annex 11 "Computerised Systems" of the EU GMP Guideline. Within the context of the Conference on Computer Validation from 8 - 9 June 2011 in Mannheim, inspectors and industry experts have answered questions concerning the 17 chapters of Annex 11. You will find questions and answers on chapters 1 "Risk Management" and 2 "Personnel" below - answers were provided by Klaus Eichmüller, Regierung von Oberbayern (Local Administration of Upper Bavaria) and Dr. Jörg Schwamberger, Merck KGaA.
1. Risk Management
Annex 11 states: "Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system."
(Q) What can elements of risk management contribute towards defining the extent of testing of specific elements (such as validation, data integrity)? What does the following mean: "base the extent of validation on risk management"? Does it mean the number of test cases or the depth of the test?
(A) Using elements of risk management, validation measures such as design specifications, extent and depth of testing as well as type and frequency of tests/reviews after putting into operation (periodic evaluation) etc. can be determined precisely.
Annex 11 states: "There should be close cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties."
(Q) What should be understood by "close cooperation between all relevant personnel …"? What formal requirements should be observed?
(A) No defined formal requirements exist for close co-operation between all relevant personnel during validation. But efforts must be made to ensure that a corresponding division of roles and tasks between the relevant personnel is clearly defined and implemented, including IT.
(Q) What training is expected of the relevant personnel?
(A) Requirements concerning training result from the relevant operational provisions on validation. This means that the relevant personnel should know the main regulations concerning their tasks and be able to demonstrate the internally required qualifications to perform the tasks in question. This already arises from the general GMP- requirements over and above Annex 11.
(Q) Is a formal qualification required (such as ITIL training or something similar)?
(A) Annex 11 contains no further formal requirements concerning personnel qualification other than that resulting from the operational context (see answer above).
(Q) What role should QP play in validation?
(A) QP does not have to play a formal role in validation. But inclusion of QP is recommended as it is the task of QP to finally release the manufactured product. This release can only be authorised knowing the quality systems used for the proper validation.
(Q) Does the QP substitute QA in validation?
(A) The exact responsibilities need to be laid down in the operation procedures. Annex 11 proposes a division into roles that may, however, be independent of QP and/or QA. Thus the role of QA has to be defined internally and independently of the function of QP.
You will find more questions and answers with regard to chapters 3 and 4 in the next GMP Newsletters. Questions and answers from chapter 5 to 17 will be published in the coming issues of the GMP Journal.
The new Annex 11 "Computerised Systems" is the main topic of the "ECA Computer Validation Conference - The new annex 11" from 15-16 May 2012 in Copenhagen. 5 European inspectors and 7 industry representatives will discuss the consequences for the European healthcare industry.