EUROPEAN COMMISSION
HEALTH AND CONSUMERS DIRECTORATE-GENERAL
Public Health and Risk Asssment
Pharmaceuticals
Brusls,
各省高考难度排行榜SANCO/C8/AM/sl/ares(2010)1064599
EudraLex
The Rules Governing Medicinal Products in the European Union
Volume 4
Good Manufacturing Practice
Medicinal Products for Human and Veterinary U
Annex 11: Computerid Systems
Legal basis for publishing the detailed guidelines: Article 47 of Directive 2001/83/EC on the Community code relating to medicinal products for human u and Article 51 of Directive 2001/82/EC on the Community code relating to veterinary medicinal products. This document provides guidance for the interpretation of the principles and guidelines of good manufacturing practice (GMP) for medicinal products as laid down in Directive 2003/94/EC for medicinal products for human u and Directive 91/412/EEC for veterinary u.
Status of the document: revision 1
Reasons for changes: t he Annex has been revid in respon to the incread u of computerid systems and the incread complexity of the systems. Conquential amendments are also propod for Chapter 4 of the GMP Guide.
Deadline for coming into operation: 30 June 2011
Commission Européenne, B-1049 Bruxelles / Europe Commissie,
B-1049 Brusl - Belgium
Telephone: (32-2) 299 11 11
Principle
This annex applies to all forms of computerid systems ud as part of a GMP regulated activities. A computerid system is a t of software and hardware components which together fulfill certain functionalities.
The application should be validated; IT infrastructure should be qualified.
Where a computerid system replaces a manual operation, there should be no resultant decrea in product quality, process control or quality assurance. There should be no increa in the overall risk of the process.
General
1. Risk Management
Risk management should be applied throughout the lifecycle of the computerid system taking into account patient safety, data integrity and product quality. As part of a risk management system, decis
ions on the extent of validation and data integrity controls should be bad on a justified and documented risk asssment of the computerid system.
2. Personnel
There should be clo cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. 3. Suppliers and Service Providers
3.1 When third parties (e.g. suppliers, rvice providers) are to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerid system or related rvice or for data processing, formal agreements must exist between the manufacturer and any third parties, and the agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.
3.2 The competence and reliability of a supplier are key factors when lecting a product or rvice provider. The need for an audit should be bad on a risk asssment.
鸡蛋炒西红柿3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated urs to check that ur requirements are fulfilled.
3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.
Project Pha
洋牡丹怎么水养
4. Validation
4.1 The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records bad on their risk asssment.
4.2 Validation documentation should include change control records (if applicable) and reports on any deviations obrved during the validation process.
4.3 An up to date listing of all relevant systems and their GMP functionality (inventory) should be available.
For critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or process, any hardware and software pre-requisites, and curity measures should be available.
4.4 Ur Requirements Specifications should describe the required functions of the computerid system and be bad on documented risk asssment and GMP impact. Ur requirements should be traceable throughout the life-cycle.
可爱的小鸟4.5 The regulated ur should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assd appropriately.
4.6 For the validation of bespoke or customid computerid systems there should be a process in place that ensures the formal asssment and reporting of quality and performance measures for all the life-cycle stages of the system.
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented asssments for their adequacy.
4.8 If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process.
Operational Pha
5. Data
Computerid systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and cure entry and processing of data, in order to minimize the risks.
6. Accuracy Checks
车间实习报告
For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a cond operator or by validated electronic means. The criticality and the potential conquences of erroneous or incorrectly entered data to a system should be covered by risk management.
7. Data Storage
7.1 Data should be cured by both physical and electronic means against damage. Stored data sh
ould be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of back-up data and the ability to restore the data should be checked during validation and monitored periodically.
8. Printouts
8.1 It should be possible to obtain clear printed copies of electronically stored data.
8.2 For records supporting batch relea it should be possible to generate printouts indicating if any of the data has been changed since the original entry.
9. Audit Trails
Consideration should be given, bad on a risk asssment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
10. Change and Configuration Management
Any changes to a computerid system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
11. Periodic evaluation
倾心相爱Computerid systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, curity and validation status reports.
12. Security
12.1 Physical and/or logical controls should be in place to restrict access to computerid system to authorid persons. Suitable methods of preventing unauthorid entry to the system may include the u of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.
12.2 The extent of curity controls depends on the criticality of the computerid system. 12.3 Creation, change, and cancellation of access authorisations should be recorded.
12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
13. Incident Management
All incidents, not only system failures and data errors, should be reported and assd. The root cau of a critical incident should be identified and should form the basis of corrective and preventive actions.
14. Electronic Signature
红油米线Electronic records may be signed electronically. Electronic signatures are expected to:
a. have the same impact as hand-written signatures within the boundaries of the
company,
b. be permanently linked to their respective record,
c. include the time and date that they were applie
d.
15. Batch relea
When a computerid system is ud for recording certification and batch relea, the system should allow only Qualified Persons to certify the relea of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature.
4g技术16. Business Continuity
For the availability of computerid systems supporting critical process, provisions should be made to ensure continuity of support for tho process in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into u should be bad on risk and appropriate for a particular system and the business process it supports. The arrangements should be adequately documented and tested.
17. Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. If relev
ant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.
Glossary
Application: Software installed on a defined platform/hardware providing specific functionality
Bespoke/Customized computerid system: A computerid system individually designed to suit a specific business process
Commercial of the shelf software: Software commercially available, who fitness for u is demonstrated by a broad spectrum of urs.
IT Infrastructure: The hardware and software such as networking software and operation systems, which makes it possible for the application to function.
Life cycle: All phas in the life of the system from initial requirements until retirement including design, specification, programming, testing, installation, operation, and maintenance.
Process owner: The person responsible for the business process.
System owner: The person responsible for the availability, and maintenance of a computerid system and for the curity of the data residing on that system.
Third Party: Parties not directly managed by the holder of the manufacturing and/or import authorisation.
