Validation of Computerised Systems: Answers to Frequently Asked Questions to GMP Inspectors

Validation of Computerised Systems:
Answers to Frequently Asked Questions to GMP Inspectors

Answers by Klaus Feuerhelm, District Government Tübingen, and Karl-Heinz Menges, District Government Darmstadt. Both are members of the German Expert Working Group "Computerised Systems" and of GAMP® D-A-CH.

1. Is electronic documentation mandatory?

No, every pharmaceutical company can decide itself about the form of documents it wants to use. What counts in inspections is which kind of documentation is actually used in practice.

2. Is the PIC/S document PI 011-2 compulsory?

PI 011-2 is an internal document helping inspectors with the interpretation of Annex 11. However, it can also be used by the industry for self-inspection or for the preparation prior to a forthcoming official inspection.

3. Which methodology should be applied in risk analysis?

It is left to the competent persons to choose the approach for the individual validation projects. The method should be implemented structurally. A list of common methods can be found in ICH Q9.

4. Are there concrete GMP requirements on password quality or password length?

Neither the EU GMP Guide nor Annex 11 contain any express references. As a rule, one should observe the state of the art and knowledge. Practicable recommendations on password quality and password length can be found e.g. in ISO/IEC 17799, in PIC/S PI 011-2 or in the basic IT security manual published by the federal German authority for security in information technology (BSI).

5. Does Excel® have to be validated?

Excel® does not have to be validated as a complete package. Created applications in the form of spreadsheets require, however, a more or less extensive validation. Apart from the Excel® sheet's criticality, further points have to be taken into account, e.g. whether Excel® solely serves as a data acquisition system (like a typewriter), whether it is used for the representation of numbers in a table or graph without any calculations done, if calculations are carried out by means of formulae, or if the spreadsheets contain macros and complex logics.

6. Do tools for developing and testing PLC applications have to be validated?

The GAMP® categories have decisive influence on the extent of the validation strategy and give an indication of which software should be validated. The GAMP® categories refer to software supporting business processes. As a rule, tools for system development are no GxP-relevant applications and, therefore, do not have to be validated within the meaning of GAMP®. However, the GAMP® Guide recommends that one should have a close look at such tools and choose them carefully. GAMP® differentiates between these tools according to their criticality. Tools for configuration management or testing are classified as critical. One cannot get around assessing and verifying these tools or their suppliers.