GMP News No. 709
19 April 2006
Two German GMP inspectors give answers on the degree of compulsion of regulations and of the interpretation of their requirements. The questions concern PIC/S 011-2, risk analysis, password quality, validation of Excel®, validation of PLCs.
Answers by Klaus Feuerhelm, District Government Tübingen, and Karl-Heinz Menges, District Government Darmstadt. Both are members of the German Expert Working Group "Computerised Systems" and of GAMP® D-A-CH.
1. Is electronic documentation mandatory?
No, every pharmaceutical company can decide itself about the form of documents it wants to use. What counts in inspections is which kind of documentation is actually used in practice.
2. Is the PIC/S document PI 011-2 compulsory?
PI 011-2 is an internal document helping inspectors with the interpretation of Annex 11. However, it can also be used by the industry for self-inspection or for the preparation prior to a forthcoming official inspection.
3. Which methodology should be applied in risk analysis?
It is left to the competent persons to choose the approach for the individual validation projects. The method should be implemented structurally. A list of common methods can be found in ICH Q9.
4. Are there concrete GMP requirements on password quality or password length?
Neither the EU GMP Guide nor Annex 11 contain any express references. As a rule, one should observe the state of the art and knowledge. Practicable recommendations on password quality and password length can be found e.g. in ISO/IEC 17799, in PIC/S PI 011-2 or in the basic IT security manual published by the federal German authority for security in information technology (BSI).
5. Does Excel® have to be validated?
Excel® does not have to be validated as a complete package. Created applications in the form of spreadsheets require, however, a more or less extensive validation. Apart from the Excel® sheet's criticality, further points have to be taken into account, e.g. whether Excel® solely serves as a data acquisition system (like a typewriter), whether it is used for the representation of numbers in a table or graph without any calculations done, if calculations are carried out by means of formulae, or if the spreadsheets contain macros and complex logics.
6. Do tools for developing and testing PLC applications have to be validated?
The GAMP® categories have decisive influence on the extent of the
validation strategy and give an indication of which software should be
validated. The GAMP® categories refer to software supporting business
processes. As a rule, tools for system development are no GxP-relevant
applications and, therefore, do not have to be validated within the
meaning of GAMP®. However, the GAMP® Guide recommends that one should have a
close look at such tools and choose them carefully. GAMP® differentiates
between these tools according to their criticality. Tools for
configuration management or testing are classified as critical. One cannot
get around assessing and verifying these tools or their suppliers.
You will be provided with further valuable answers and information on these
and other hot topics at the following events:
Dr Andreas Mangel
On behalf of the European Compliance Academy (ECA)