Professional Documents
Culture Documents
to Computer Validation
Compliance for
the Worldwide Health
Agency GMP
Orlando López
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2015 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been
made to publish reliable data and information, but the author and publisher cannot assume responsibility for the valid-
ity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright
holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this
form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may
rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or uti-
lized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopy-
ing, microfilming, and recording, or in any information storage or retrieval system, without written permission from the
publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://
www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For
organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
For Edelmira and Alfonso
Contents
Preface...............................................................................................xv
Author............................................................................................. xix
Contributors.................................................................................... xxi
1 Introduction..................................................................................1
References....................................................................................................5
2 SLC, Computer Validation, and Annex 11.....................................7
Life-Cycle Principles...................................................................................11
References..................................................................................................11
3 Annex 11 Principles....................................................................13
Analysis......................................................................................................13
Principle 1...........................................................................................13
Principle 2........................................................................................... 15
Principle 3...........................................................................................17
References..................................................................................................17
4 Risk Management.......................................................................19
EU Annex 11-1, General............................................................................19
Related References.....................................................................................19
Analysis......................................................................................................20
Risk Assessment.........................................................................................22
Risk Mitigation............................................................................................25
Risk Evaluation...........................................................................................25
Risk Monitoring and Control.....................................................................26
Approach....................................................................................................27
Summary....................................................................................................28
References..................................................................................................28
vii
viii ◾ Contents
5 Personnel....................................................................................29
EU Annex 11-2, General............................................................................29
Analysis......................................................................................................29
References..................................................................................................30
6 Suppliers and Service Providers.................................................33
EU Annex 11-3, General............................................................................33
Analysis......................................................................................................34
Acquisition Process.............................................................................37
Supply Process....................................................................................37
References..................................................................................................38
7 Validation....................................................................................39
EU Annex 11-4, Project Phase...................................................................39
Analysis......................................................................................................40
Primary Life-Cycle Processes.....................................................................45
Acquisition Process.............................................................................46
Supply Process....................................................................................46
Development Process.........................................................................47
Operation and Maintenance Processes.............................................48
References..................................................................................................48
8 Data............................................................................................51
R.D. MCDOWALL
EU GMP Annex 11-5, Operational Phase..................................................51
Introduction................................................................................................51
Impact of Other Sections of Annex 11.....................................................51
Preserving the Content and Meaning of Data..........................................53
Some Data Transfer Options.....................................................................54
Manually Driven Electronic File Transfers................................................55
Copy and Paste/Drag and Drop Electronic Transfers.......................55
Ensuring Data Integrity..............................................................................56
Automatic Methods of Electronic Data Transfer.......................................57
Data Migration Issues.................................................................................57
Validation Considerations for Data Transfer.............................................58
Reference....................................................................................................59
9 Accuracy Checks.........................................................................61
EU Annex 11-6, Operational Phase...........................................................61
Analysis......................................................................................................61
Contents ◾ ix
* EC (1992) Guide to Good Manufacturing Practice: Medicinal Products for Human and Veterinary
Use—Annex 11: Computerised Systems, The Rules Governing Medicinal Products in the European
Union, Volume IV. Office for Publications of the European Communities, Luxembourg, January,
pp. 139–142.
† EC (2011) EU Guidelines to Good Manufacturing Practice: Medicinal Products for Human and
Principles and Guidelines of Good Manufacturing Practice for Medicinal Products for Human Use
and Investigational Medicinal Products for Human Use, 2003.
§ European Union Directive 91/412/EEC, European Commission Directive Laying Down the Principles
and Guidelines of Good Manufacturing Practice for Veterinary Medicinal Products, 1991.
xv
xvi ◾ Preface
(CFDA). The 2014 draft GMP Annex 2, covering computer systems, incorpo-
rates the majority of Annex 11 clauses.
As of the writing of this book, the following EU member countries in which
Annex 11 is applicable are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
The worldwide importance of Annex 11 is noticeable. In addition to
being applicable to the EU and Canada, the following table comprises a list
of countries conforming to a guideline or following Annex 11: the regu-
latory organization members of the PIC/S* (44 participating Authorities,
including most EU Member States, Switzerland, Japan and the USA) and the
Association of Southeast Asian Nations (ASEAN).
PIC/S ASEAN
Members: Argentina, Australia, Austria, Brunei Darussalam, Cambodia,
Belgium, Canada, China (Taiwan), Indonesia, LAO PDR, Malaysia,
Cyprus, Czech Republic, Denmark, Myanmar, Philippines, Singapore,
Estonia, Finland, France, Germany, Thailand, Vietnam
Greece, Hungary, Iceland, Indonesia,
Ireland, Israel, Italy, Japan, Korea, Latvia,
Liechtenstein, Lithuania, Malaysia,
Malta, Netherlands, New Zealand,
Norway, Poland, Portugal, Romania,
Singapore, Slovak Republic, South
Africa, Spain, Sweden, Switzerland,
Ukraine, United Kingdom, United States
Partners: European Directorate for the
Quality of Medicines & HealthCare,
European Medicines Agency, UNICEF,
World Health Organization
Armenia, Belarus, Brazil, Chile,
Philippines, Mexico, Hong Kong, Iran,
Kazakhstan, Thailand, and Turkey
applied recently for PIC/S membership.
xix
Contributors
xxi
xxii ◾ Contributors
Introduction
turing practice with respect to medicinal products for human use and investigational medicinal
products for human use, October 1994.
§ Commission Directive 91/412/EEC Laying down the principles and guidelines of good manufactur-
1
2 ◾ EU Annex 11 Guide to Computer Compliance
puter systems the published PIC/S Guidance on Good Practices for Computerised Systems in
Regulated “GXP” Environments (PI 011-3) http://ec.europa.eu/health/files/eudralex/vol-10/chap4/
annex_iii_to_guidance_for_the_conduct_of_gcp_inspections_-_computer_systems_en.pdf.
‡ Stokes, T., “Management’s View to Controlling Computer Systems,” GMP Review, 10(2), July 2011.
§ Australia TGA, “Comparison between the 2009 and 2013 editions of the PIC/S Guide to GMP,” May
2013.
Introduction ◾ 3
php?download&file=cGUtMDA5LTExLWdtcC1ndWlkZS14YW5uZXhlcy5wZGY_
4 ◾ EU Annex 11 Guide to Computer Compliance
References
Commission Directive 2003/94/EC, Laying down the principles and guidelines of
good manufacturing practice in respect of medicinal products for human use
and investigational medicinal products for human use, October 2003.
6 ◾ EU Annex 11 Guide to Computer Compliance
1 Chapter 1 Introduction
US FDA 21 CFR Part 58.61; 63(a) and (c); 58.81(c) and (d);
58.33, “Good Laboratory Practice for Non-Clinical
Laboratory Studies.”
b Source:
Analysis and
11-1
Note: Based on
implementation to
listed under
“Access, Use and
Reuse” are
designed Project
preservation plan. ‡
Conclusion
into the SLC and managed accordingly during the SLC. The
implementation of robust controls may correct the behavior
of the
341
342 ◾ References
Journal for GMP and Regulatory Affairs, “Q&As on Annex 11,” 8, April/May 2012.
López, O., “A Computer Data Integrity Compliance Model,” Pharmaceutical
Engineering, Volume 35, Number 2, March/April 2015.
López, O., “Computer Systems Validation”, In Encyclopedia of Pharmaceutical Science
and Technology, Fourth Edition, Taylor & Francis: New York, Published online: 23
Aug 2013; 615–619.
López, O., Computer Technologies Security Part I—Key Points in the Contained
Domain, Sue Horwood Publishing Limited, West Sussex, UK, ISBN 1-904282-17-2,
2002.
López, O., “Annex 11: Progress in EU Computer Systems Guidelines,”
Pharmaceutical Technology Europe, 23(6), June 2011, http://www.pharmtech.
com/pharmtech/article/articleDetail.jsp?id=725378.
López, O., “Annex 11 and 21 CFR Part 11: Comparisons for International
Compliance,” MasterCotrol, January 2012. http://www.mastercontrol.com/
newsletter/annex-11-21-cfr-part-11-comparison.html.
López, O., “An Easy to Understand Guide to Annex 11,” Premier Validation, Cork,
Ireland, 2011, http://www.askaboutvalidation.com/1938-an-easy-to-
understand-guide-to-annex-11.
López, O., “EU Annex 11 and the Integrity of E-recs,” Journal of GXP Compliance,
18(2), May 2014.
López, O., “Hardware/Software Suppliers Qualification,” in 21 CFR Part 11:
Complete Guide to International Computer Validation Compliance for the
Pharmaceutical Industry, Interpharm/CRC, Boca Raton, FL, 2004.
López, O., “Requirements Management,” Journal of Validation Technology, May
2011.
McDowall, R.D., “Comparison of FDA and EU Regulations for Audit Trails,”
Scientific Computing, January 2014.
McDowall, R.D., “Ensuring Data Integrity in a Regulated Environment,” Scientific
Computing, March/April 2011.
McDowall, R.D., “Maintaining Laboratory Computer Validation—How to Conduct
Periodic Reviews?” European Compliance Academy (ECA), April 2012, http://
www.gmp-compliance.org/enews_03085_Maintaining-Laboratory-Computer-
Validation---How-to-Conduct-Periodic-Reviews.html.
McDowall, R.D., “Computer Validation: Do All Roads Lead to Annex 11?,”
Spectroscopy 29(12)December 2014.
McDowall, R.D., “The New GMP Annex 11 and Chapter 4 is Europe’s Answer to
Part 11”, European Compliance Academy (ECA), GMP News, January 2011,
http://www.gmp-compliance.org/eca_news_2381_6886,6885,6738,6739,6934.
html.
Mell, P. and Grance, T., “The NIST Definition of Cloud Computing,” NIST Special
Publication 800-145, National Institute of Standards and Technology,
Gaithersburg, MD, 2011.
MHRA, “Good Laboratory Practice: Guidance on Archiving,” March 2006.
NIST, “Guide for Conducting Risk Assessments,” 800-30 Rev 1, September 2012.
References ◾ 345
PDA, Technical Report No. 32, “Auditing of Supplier Providing Computer Products
and Services for Regulated Pharmaceutical Operations,” PDA Journal of
Pharmaceutical Science and Technology, Sep/Oct 2004, Release 2.0, 58(5).
PI 011-3. “Good Practices for Computerised Systems in Regulated ‘GXP’
Environments,” Pharmaceutical Inspection Cooperation Scheme (PIC/S),
September 2007.
Pressman, Roger S., Software Engineering—A Practitioner’s Approach, McGraw
Hill, New York, 2010.
Roemer, M., “New Annex 11: Enabling Innovation,” Pharmaceutical Technology,
June 2011.
Safe Harbor US–EU Agreement on Meeting Directive 95/46/EC http://www.export.
gov/safeharbor/index.asp.
Schmitt, S., “Data Integrity”, Pharmaceutical Technology, Volume 38 Number 7, July
2014.
Snyder, D., “Take Advantage of Control Options,” A-B Journal, March 1997.
Stenbraten, A., “Cost-effective Compliance: Practical Solutions for Computerised
Systems,” paper presented at the ISPE Brussels Conference, GAMP - Cost
Effective Compliance, 2011-09-19/20.
Stokes, D., “Compliant Cloud Computing—Managing the Risks,” Pharmaceutical
Engineering, 33(4), 1–11, 2013.
Stokes, T., “Management’s View to Controlling Computer Systems,” GMP Review,
10(2), July 2011.
TGA, “Australian Code of Good Manufacturing Practice for Human Blood and
Blood Components, Human Tissues and Human Cellular Therapy Products,”
Version 1.0 April 2013.
US FDA, 21 CFR Part 11, “Electronic Records; Electronic Signatures; Final Rule,”
Federal Register, 62(54), 13429, March 1997.
US FDA 21 CFR Part 58, Good Laboratory Practice for Non-Clinical Laboratory
Studies.
US FDA 21 CFR Part 110, Current Good Manufacturing Practice in Manufacturing,
Packing, or Holding Human Food.
US FDA 21 CFR Part 312, Investigational New Drug Application.
US FDA 21 CFR Part 606, Current Good Manufacturing Practice for Blood and
Blood Components.
US FDA 21 CFR Part 803, Medical Device Reporting.
US FDA 21 CFR 1271, Human Cells, Tissues, and Cellular and Tissue-Based
Products.
US FDA, “General Principles of Software Validation; Final Guidance for Industry
and FDA Staff,” CDRH and CBER, January 2002.
US FDA, “Guidance for Industry: Blood Establishment Computer System Validation
in the User’s Facility,” April 2013.
US FDA, Guidance for Industry: “Computerised Systems in Clinical Investigations,”
May 2007.
US FDA, “Guidance for Industry, Electronic Records; Electronic Signatures—Scope
and Application,” August 2003.
346 ◾ References