OR WAIT null SECS
How will the new revision of EU GMP Annex 11 on Computerized Systems and Chapter 4 on Documentation affect chromatographers?
January 2011 saw the publication of the new revision of European Union (EU) GMP Annex 11 on Computerized Systems and Chapter 4 on Documentation. What will the impact be of these two revised regulations on computerized chromatography systems and chromatography data systems (CDSs) used in regulated GMP laboratories?
Regulations and guidance for the pharmaceutical industry have been changing at an increasing rate over the past 10 years. The latest of these was from the European Medicines Agency (EMA) in January 2011 and was the long awaited revision of Annex 11 on computerized systems together with consequential changes in Chapter 4 on documentation.1,2 These two updates become effective on 30 June 2011. This column looks at the major changes in the two revisions and explores their impact on any regulated GMP laboratory that has to comply with these regulations. This will be a selective look and readers are encouraged to look at the EMA web site to read the whole of these documents.3 The question posed by the title is "Is Annex 11 Europe's answer to 21 CFR 11 on electronic records and electronic signatures?"4 We will explore this question as we analyse the new regulations.
At first glance EU GMP5 is structured very differently from United States GMP for pharmaceuticals: European GMP is split into three parts plus 20 annexes. Part 1 is concerned with finished pharmaceutical products and Part 2 with active pharmaceutical ingredients (this is ICH Q76 adapted into European law). The annexes are regulations on specific topics applicable to both Parts 1 and 2 with Annex 11 focused on computerized systems.
Annex 11 has been part of EU regulations since 1992 and unchanged until now. Since it was published there have been many technology changes but also organizational changes such as outsourcing and software as a service (SaaS). In 2008, a proposed draft of Annex 11 was published for industry comment and over 1400 replies were received by the EMA. In January's version, many of the more wacky proposals in the 2008 draft have been removed or toned down. However, the new version is an expansion of the current regulation and there are new requirements that laboratories must consider when working under these regulations or exporting medicines to Europe.
I will give an overview of the changes that will be effective from the end of June 2011 in this article. Owing to the amount of space available this will not be a comprehensive discussion of all changes so please read the whole document yourself.1 The various sections and topics of the new version of Annex 11 are presented in Table 1.
Table 1: The structure and content of the revised EU GMP Annex 11.
Increased Scope of Annex 11
The first section to discuss is the Principle that covers the scope and application of the new regulation. The key elements of the Principle are:
This is a wide scope statement and includes all laboratory computerized systems such as chromatography data systems (CDSs), plus the spreadsheets and databases developed in your laboratories, as well as statistical analysis software programs.
This is the major item: the ten words that mean so much — validate applications and qualify infrastructure. Validate applications — OK, this has been a given for the last 25 years, although we tend to consider systems which includes the infrastructure. However, for the first time in any regulation there is a specific and explicit requirement for IT infrastructure qualification. Many regulated organizations do qualify infrastructure, but there is now a regulatory requirement to do so. For the companies that have not done so this becomes a major retrospective qualification exercise.
In a carry over from the current version of Annex 11 with the additional requirement of process control systems that may be relevant when a chromatograph and CDS is used in a Process Analytical Technology (PAT) project. In essence, it requires that as a minimum, the quality of a computerized system should be as good as the manual system it replaces. In reality, the computerized system should be much better because the human factor (i.e., the liveware that makes most of the mistakes), is usually taken out of the process.
Annex 11 has always had risk management but it was buried in the section on validation of systems: "the amount of validation work required was dependent on the nature of the software and if novel elements (i.e., custom software) were incorporated". Now we have a new section requiring risk management to be applied throughout the life cycle of a computerized system to ensure patient safety, data integrity and product quality. The work done should be based on a "justified and documented risk assessment". Hmm, I wonder where this wording came from? That's right, the Europeans have stolen the phrase from the FDA's Part 11 scope and application guidance!7 The good side of this is that we are getting harmonization of regulations which can only be a good thing. There is a further and specific mention of risk management under the new section on change control and configuration management.
In section 2 on personnel there still remains the requirement for close cooperation between all involved with the system including IT from the original version of the regulation. However. we have new two new roles mentioned in the text and defined in the glossary:
This area is a major expansion of Annex 11 that moves from a single sentence into four clauses in an attempt to catch up with technology and organisational changes that have occurred since the original version was issued. When third parties are used to carry out any work (supply of product or service) on a computerized system there needs to be a formal agreement (contract or service level agreement). Clause 3.1 notes that there should be "clear statements of the responsibilities of the third party". Then there is a short sentence stating "IT departments should be considered analogous" which means that even if an organization's own IT department is used to support a validated computerized system, there needs to be a contract or service level agreement (SLA) in place with the regulated laboratory. There is also the requirement for audits of a supplier or service provider, with the decision for this being based on a risk assessment, which, of course, will be documented and approved. The issue of cloud computing, if used by a regulated laboratory, may be partially addressed though service contracts but how will the requirement for IT infrastructure to be qualified be met? An interesting issue that may prevent take up by conservative pharmaceutical companies.
When an audit of a supplier or service provider is performed, the new regulation requires that the "quality system and audit information" is available to inspectors on request. This is a major departure from current practices, typically an audit report is seen as an internal quality assurance (QA) document by many companies and only the evidence that an audit took place will be a certificate given to an inspector. However, currently there is major regulatory concern with the quality of the whole pharmaceutical supply chain, which includes software and services. The European regulators are taking a hard line and want to read the supplier and service provider audit reports to satisfy themselves that the service of product for critical operations has the quality built into it.
Gazing at my crystal ball, I think that an implicit requirement in this new regulation will be the emergence of vendor management8 where pharmaceutical companies will monitor suppliers to ensure that corrective actions following audits of quality management systems, products and services have been implemented effectively. For supplier and service providers where lip service is paid to quality it will also mean increased number of audits by the same customer to ensure corrective actions have been completed (e.g., follow-up audits over perhaps a number of years). For further information about managing the risks associated with the software supply chain, I would suggest reading a report, published in December 2010, from the Software Engineering Institute (SEI) at Carnegie Mellon University.9 Some of the main conclusions of this report are:
Finally in this section, any documentation supplied for commercial off the shelf products needs to be reviewed to see that user requirements are fulfilled (this is not the user manuals by the way). Hmm, I suggest you read an earlier "Focus on Quality" column from Spectroscopy magazine, about my views on material supplied by vendors in this area10 as it can often be quicker to write your own user requirements.
The validation section has been expanded from one to eight clauses in the new version. The key changes are that a life cycle should be used to validate a system and that manufacturers should be able to justify their approaches based on risk assessment. The Annex 11 update does not mandate any validation approach but whichever one is selected for a specific system it needs to be justified and documented to withstand regulatory scrutiny. Some administrative requirements for validation are an inventory for computerized systems, although this would have been useful to link with the validation master plan11 in Annex 1512 and the earlier PIC/S source document.13 For critical systems there needs to be a current system description. In effect, the new requirement for an inventory formalizes what is usually required for an inspection and the system description is now limited to critical rather than all systems, as required by the old version of the regulation.
For each computerized system validation there needs to be a user requirements specification to describe the required functions of the system based on risk assessment and GMP impact.
Furthermore, there is now the need for requirements traceability throughout the life cycle, again for the first time in a regulation a traceability matrix14,15 is required. The test methods and test scenarios need to be documented and testing should include the overall process with consideration of data limits, parameter limits and error handling. The latter is particularly important to know before a system becomes operational, rather than when discussing this with an inspector. Annex 11 also allows the use of automated test tools and test environments, providing that they have documented assessments for their adequacy for the task. Before you all rush off and spend money on automated test tools bear in mind an assessment by Frewster and Graham16 that you need to be able to operate a test tool between 8 and 11 times before you break even on your investment. There will be very few laboratory systems that will require automated testing.
Sections 5, 6, 8, 9 and 12 cover the main elements of data integrity (data, accuracy, audit trails and security) in the new Annex 11. In summary, these sections are looking for checks for correct and secure entry (both manually entered and automatically captured data) and the subsequent data processing to minimize the risks of a wrong decision based on wrong results.
The identities and access privileges of authorized individuals carrying out work need to be recorded and maintained for each validated system. Further controls are required to secure data by both physical and electronic means against damage and stored data needs to be checked for accessibility, readability and accuracy and this applies to both paper and electronic records.
Audit trails are not mandatory for all computerized systems but their implementation should be based on a documented risk assessment. Personally, I think that if you are working electronically, then an audit trail is essential for ensuring data integrity. Mirroring some of the recent FDA warning letters, the new Annex 11 requires audit trails to be "available and convertible to a generally intelligible form and be regularly reviewed". The problem is that many audit trails implemented for commercial laboratory systems are simply depositories of unintelligible rubbish; moreover, how will a vendor implement a function in their system to meet the requirement that an audit trail has been reviewed? In addition, the audit trail needs to include the date and time stamps of record entries, changes and deletions which brings the EU regulation close to the US Part 11 requirements on the same subject.
Print outs, both of electronically stored data and any records used to support batch release, need to be available. There is also a further and specific requirement for any print out supporting batch release to indicate if any data has been changed since the original entry. This is so that the Qualified Person (under EU GMP a batch can only be released by suitably trained individual called a Qualified Person or QP) can check what changes have occurred. However, most vendors will point to the audit trail search function as the means to fulfil this requirement.17 This is inadequate. What is required is that when the result is printed out, there is an annotation or equivalent to indicate if the result has been changed or not. Chromatography Data Systems (CDSs) have this for baseline fits: unchanged baseline fits are in capital letters and manually changed ones are in lower case.
In addition, there are requirements for data migration (section 4.8) and archiving (section 17) to ensure that electronic records acquired in one version of software can be read in a new version as well as allowing data to be archived. However in the latter case, the data should be assessed for "accessibility, readability and integrity" especially after changes made to the backup software or the system itself.
The new version of Annex 11 also sees the formalization of electronic signatures in EU GMP. Many laboratories have implemented electronic signatures based on 21 CFR 114 but Annex 11 does not appear as stringent or as overly bureaucratic as the US regulation. The European requirements for electronic signatures simply state that electronic signatures are to have the same impact as hand written signatures within the boundaries of the company, be permanently linked to the respective record and include the time and date that a signature was applied. There is not the heavy bureaucracy and formality of 21 CFR 11 to send letters to the FDA, nor is there the need to have training in nonrepudiation of an electronic signature or description of the three different types of signature. However many of the same requirements are implicit, as the European legislation simply states that electronic signatures have the same impact as handwritten signatures and hence all of the nonrepudiation requirements apply immediately. The advantage of the European legislation is that practicing inspectors have drafted the regulation rather than lawyers. Perhaps if the FDA ever gets around to reissuing Part 11, could it look and read like Annex 11? Now that IS an interesting thought.
The current Annex 11 IT requirements of backup, security, incident management and business continuity have been carried over to the new version and expanded. Backups (section 7.2) need to be performed regularly but the new version has expanded requirements for checks for the integrity and accuracy of backup data (which, of course, will be documented) and the ability to restore data that is checked during a system validation and also periodically thereafter (you guessed it — which is also documented). This is intended to ensure that backup media can still be read throughout the record retention period. The security section also includes the network as well as individual applications so the extent of controls depends on the criticality of the application but also if you are accessing it from inside or outside an organization.
Incident management has changed from a simple statement of "any failures and remedial action should be recorded" to "all incidents, not only system failures and data errors, should be reported and assessed". So the scope has been widened greatly. However, the new version goes further "The root cause of a critical incident should be identified and should form the basis of corrective and preventative actions". So implied within this process should be a means to assess and classify errors and then for the critical ones only to undertake a root cause analysis and then formulate both corrective and preventative action plans. It is this portion of the new regulation that will impact many incident management processes and have the IT department scrabbling to understand root cause analysis.
Again, business continuity was covered in clauses 15 and 16 in the old regulation which have been consolidated into clause 16 in the new version. What is required is to have plans available to ensure continuity of support for critical processes as well as knowing the time required to bring alternatives into operation based on risk assessments. However the new regulation specifically requires that these arrangements be documented and tested adequately before use. There is no use having a business continuity plan that fails as the last set of backup tapes are corrupted and that your alternative computer site is not available when you need it, or perhaps the plan was written and has not been updated to account for the latest technology.
A brand new Annex 11 requirement comes in the shape of a formal periodic evaluation, otherwise known as a periodic review, to ensure that computerized systems remain in a validated state. This formalizes what a number of companies already do and should cover the last full validation, any changes made since then versus current functionality, deviations and incidents, procedures and training, upgrades and security which will be documented in a report.
Change control has been an original part of Annex 11 and it remains in the new version with an extension that includes configuration management. Controlling changes is the most important part of maintaining the validation status of a computerized system and a procedure needs to be defined, which under the validation section earlier should involve risk assessment (clause 1) and be documented (clause 4.2). The problem with clause 10 is that it mentions configuration management but this is not defined in the glossary nor mentioned in the text. Another fine (regulatory) mess! What is required? We do not know if configuration management is meant in the context of management of modules of software code, components of the computerized system (configuration items) or both.
There are two major items from the current version that have not been carried through into the new version of Annex 11:
Therefore there have been some changes in the new version of Annex 11, the omission of parallel testing is good and reflects current validation practice. Omitting the ability to validate systems retrospectively may catch out slow companies or start-up companies moving from R&D into manufacturing for the first time.
So back to the title of this column, reading through the requirements there are some similarities with data integrity controls and the ability to use electronic signatures. However the answer to the question is no — because there is no mention of electronic records in Annex 11, only controls for validation and control of computerized systems, data integrity, migration of data and archiving. So why you may ask did I pose the question? If you remember at the start we are also going to discuss the impact of Chapter 4 on documentation. Here is the sting in the tail and we come closer to answering the title question as yes.
The new version of Chapter 4 onDocumentation2 of the EU Guideline to GMP was also published at the same time as Annex 11 and will also become effective on 30 June 2011. The clue to its impact comes in the reason for change of the sections on generation and control of documentation and retention of documents sections "in light of the increasing use of electronic documents within the GMP environment". Furthermore, in the Principle section it states that "Documentation may exist in a variety of forms, including paper-based, electronic or photographic media". This is close to the definition of electronic record in 21 CFR 114 except in Europe for electronic record read documentation.
The European regulators have defined the expected GMP document types in far more detail, as shown in Table 2, than their US counterparts, thus making it far easier to understand and implement required GMP documentation in practice.
Table 2: Types of required EU GMP documents.
Of particular interest in our discussion are records, which are defined as:
This means that if you follow a procedure or an analytical method there needs to be evidence that the procedure or instruction was followed each time. Traditionally, this is by printing data or results but, as you remember the reason for the update of Chapter 4 was the increased use of electronic documentation, so the next section states:
Now we come to the one of the major impacts of Chapter 4, the requirement to define the raw data in GMP regulated activities including paper, hybrid and electronic records. Therefore electronic records which are used to make quality decisions should be defined as raw data. Moreover, if you convert the raw data to generate other records such as a dissolution profile using, say a spreadsheet program, these additional records and the printout are raw data and should also be defined. You will, of course, realize that when a regulation says "should" it really means "must".
In clause 4.1, it states that all types of documents should be defined and adhered to and they apply to all media types. This clause then discusses hybrid and homogeneous documents as follows:
Many documents (instructions and/or records) may exist in hybrid forms, i.e., some elements as electronic and others as paper based. Relationships and control measures for master documents, official copies, data handling and records need to be stated for both hybrid and homogenous systems. Appropriate controls for electronic documents such as templates, forms, and master documents should be implemented. Appropriate controls should be in place to ensure the integrity of the record throughout the retention period.
So let us dissect this section in a little more detail. Regardless of the fact that a document (including a record such as an analytical result) is homogeneous (either all paper or fully electronic) or hybrid (electronic with a paper printout) the control mechanisms for these records need to be defined, documented and implemented. One key requirement that both the FDA and Europeans agree on is record or data integrity: what controls are needed to ensure that the record is a true and accurate one? The typical response from the regulator is "appropriate" — therefore more critical records need more stringent controls than non-critical records. This has been discussed in some detail in the GAMP Good Practice Guide on Part 11 Electronic Records and Signatures compliance18 and is outside of the scope of this column.
However, the major change that this section combined with the Principle brings is the nail in the coffin of the "my raw data are paper" argument. During audits of laboratories I can discuss with managers and QA that the definition of raw data from CDS systems must include the electronic files from which the paper records are generated. Now both the Europeans and Americans have equivalent regulations that recognise the de facto situation of hybrid systems that are common in the majority of laboratories. Therefore the impact of the new Chapter 4 regulation is to ensure that both the signed paper printout and the underlying electronic records that generated it are defined as raw data and the electronic records maintained and protected.
The section on record retention has been extensively updated in the new version of Chapter 4 and this brings us two main changes with major ramifications.
4.10 It should be clearly defined which record is related to each manufacturing activity and where this record is located. Secure controls must be in place to ensure the integrity of the record throughout the retention period and validated where appropriate.
So not only do you have to define what the raw data are, you also have to state where they are stored. For paper this will be relatively easy — no, not on the shelves in your office but in a secure location. However, for hybrid systems you will have the problem of two locations, one for the signed paper records and one for the corresponding electronic records. Please do not use USB sticks or CDs for this task — keep the electronic records on the network with the IT department backing them up, as security of the storage location is essential. When electronic records are stored, regardless of source (hybrid or electronic), then validation of the security and integrity data repository is required.
4.12 For other types of documentation, the retention period will depend on the business activity which the documentation supports. Critical documentation, including raw data (for example relating to validation or stability), which supports information in the Marketing Authorisation should be retained whilst the authorization remains in force. It may be considered acceptable to retire certain documentation (e.g., raw data supporting validation reports or stability reports) where the data has been superseded by a full set of new data. Justification for this should be documented and should take into account the requirements for retention of batch documentation; for example, in the case of process validation data, the accompanying raw data should be retained for a period at least as long as the records for all batches whose release has been supported on the basis of that validation exercise.
This clause splits the record retention, including raw data, requirements, into two main areas: records supporting release of a batch of material and records supporting the marketing authorization (the European equivalent of a New Drug Application or NDA in the US). Batch related material must be stored for at least a year past the expiry date of the batch or for at least five years after certification of the batch by the QP, whichever is the longer. However in 4.12 there is the need to retain material for the time it supports the marketing authorization (e.g., stability reports and the associated raw data, should be retained as long as the authorization is valid). As aspirin has been on the market for over 100 years, I hope you have enough disk space for this.
So back to the original question, but modified slightly: are Annex 11 and Chapter 4 Europe's answer to Part 11? Yes. Although looking on the bright side Annex 11 / Chapter 4 are certainly not as bureaucratic as 21 CFR 11 and there is less detail about the controls required for electronic records and electronic signatures. However, there are many implicit requirements contained in the simple wording of many of the clauses as we have seen with the short discussion of electronic signatures. To get the full impact of the new regulations it is imperative to read Annex 11 in conjunction with Chapter 4 in their entirety.
1. European Union GMP Annex 11 Computerized Systems, effective 30th June 2011.
2. European Union GMP Chapter 4 Documentation, effective 30th June 2011
3. EudraLex web site: http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm
4. 21 CFR 11: Electronic Records; Electronic Signature final rule, 1997.
5. European Union, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, 2007 (available for download from reference 3).
6. International Conference on Harmonisation (ICH) Q7, Basic Requirements for Active Substances used as Starting Materials, 2000.
7. FDA Guidance for Industry, Part 11 Scope and Application, 2003.
8. R.D. McDowall, Validation of Chromatography Data Systems, Meeting Business and Regulatory Requirements, Chapter 10, Royal Society of Chemistry, Cambridge, 2005.
9. Robert J. Ellison et al., Software Supply Chain Risk Management: From Products to Systems of Systems, Technical Note CMU/SEI-2010-TN-026, Software Engineering Institute, Carnegie Mellon University, December 2010.
10. R.D. McDowall, Spectroscopy, 25(9) (2010).
11. R.D. McDowall, Spectroscopy, 23(7) (2008).
12. European Union GMP, Annex 15, Qualification and validation, 2001.
13. Pharmaceutical Inspection Convention (PIC/S), Recommendations on Validation Master Plan, Installation and Operational Qualification, Non-Sterile Process Validation and Cleaning Validation (PI006), 2001
14. R.D. McDowall, Spectroscopy, 23(11) (2008).
15. R.D. McDowall, Spectroscopy,23(11) (2008).
16. M Frewster and D Graham, Automated Software Testing, Addison Wesley, 1999.
17. R.D. McDowall, Spectroscopy, 22(4) (2007).
18. GAMP Good Practice Guide, Part 11 Compliant Records and Signatures, ISPE, Tampa, FL, 2005.
Questions of Quality" editor Bob McDowall is principal at McDowall Consulting, Bromley, Kent, UK. He is also a member of LCGC Europe's Editorial Advisory Board. Direct correspondence about this column should be addressed to "Questions of Quality", LCGC Europe, 4A Bridgegate Pavillion, Chester Business Park, Wrexham Road, Chester CH4 9QH, UK or e-mail Alasdair Matheson, the editor, at firstname.lastname@example.org