cGMP COMPLIANCE QUESTIONS TO AUTHORITY REPRESENTATIVES AND INDUSTRY EXPERTS.
QUESTIONS & ANSWERS
Authority representatives and industry experts regularly answer questions frequently asked during courses and conferences. The following set is the third and last part of the Q&As on Annex 11 that were asked during the German Computer Validation Conference and answered by various speakers.
Q&As on Annex 11
Since 30 June 2011 the industry has had to implement all requirements of Annex 11 "Computerised Systems" of the EU GMP Guideline. Within the context of the Conference on Computer Validation in Mannheim, Germany, in June 2011, authority representatives and industry experts answered questions concerning the 17 chapters of Annex 11. Here you will find the questions and answers on some of these chapters. Further Q&As were published in the GMP Journal October/November 2011 and April/May 2012 issues.
Chapter 12 - Security
Speakers:
- Karl-Heinz Menges, Regierungspräsidium Darmstadt (Regional Council, Darmstadt)
- Sieghard Wagner, Chemgineering Business Design
Annex 11: "12.1 Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.
12.2 The extent of security controls depends on the criticality of the computerised system.
12.3 Creation, change, and cancellation of access authorisations should be recorded.
12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time."
Does "Operators" mean the users of the system? If so, what is the difference to the audit trail requirement?
The audit trail targets documents of the record/report type. In the case of instruction-type documents, documentation is expected, for example, of who entered which version of an SOP into the electronic document system as a valid document, and when, or who suspended it, and when.
The identity of operators of management systems for data and for documents should be recorded. What does management systems mean and is this requirement not valid for control systems?
It refers primarily to DMS; this requirement is not applicable to control systems.
How often do users have to change their passwords? How often must user profiles be checked?
The frequency of change as well as the frequency of control of user profiles depends on the risk. Annex 11 does not pose any requirements on the frequency of password changes.
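The following is an added example, not part of the Q&A or of Annex 11 itself, showing one way to record the creation, change and cancellation of access authorisations (12.3) with the acting administrator's identity and a UTC timestamp, and to derive the list of current profiles for the periodic review discussed above. The hash chain, the action names, the class and function names and the sample account names are assumptions made for illustration; Annex 11 only requires that the changes be recorded.

```python
"""Access-authorisation log with identity and timestamp (added example, assumed design)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'prev' hash of the first entry


class AuthorisationLog:
    """Append-only, hash-chained record of who created, changed or cancelled which access right, and when."""

    ACTIONS = {"create", "change", "cancel"}  # Annex 11 12.3: creation, change, cancellation

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        material = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, subject, role, when=None):
        """Record that 'actor' performed 'action' on 'subject' for 'role'; 'when' defaults to now (UTC)."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = {
            "seq": len(self.entries),
            "time": stamp,
            "actor": actor,      # identity of the administrator making the change
            "action": action,
            "subject": subject,  # account whose authorisation changes
            "role": role,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first entry that fails)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def current_authorisations(self):
        """Replay the log to obtain each account's current roles (input for the periodic profile review)."""
        roles = {}
        for entry in self.entries:
            held = roles.setdefault(entry["subject"], set())
            if entry["action"] == "create":
                held.add(entry["role"])
            elif entry["action"] == "change":   # 'change' replaces the account's roles (assumed semantics)
                held.clear()
                held.add(entry["role"])
            else:                               # 'cancel'
                held.discard(entry["role"])
        return {user: sorted(r) for user, r in roles.items() if r}


def demo():
    """Constructed sample: four administrator actions on two accounts, fixed timestamp for reproducibility."""
    log = AuthorisationLog()
    t = datetime(2011, 6, 30, 9, 0, tzinfo=timezone.utc)
    log.record("admin.kh", "create", "analyst.a", "LIMS_Reviewer", when=t)
    log.record("admin.kh", "create", "analyst.b", "LIMS_Analyst", when=t)
    log.record("admin.sw", "change", "analyst.a", "LIMS_Approver", when=t)
    log.record("admin.sw", "cancel", "analyst.b", "LIMS_Analyst", when=t)
    return log


if __name__ == "__main__":
    log = demo()
    print(log.verify(), log.current_authorisations())
```

The review question "how often must user profiles be checked?" is answered by the company's risk assessment, not by this code; what the code provides is a replayable record, so that the review compares what the log says an account holds against what the system actually grants, and a way to show that the record itself has not been edited after the fact.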
Chapter 13 - Incident Management
Speakers:
- Dr. Christa Färber, Staatliches Gewerbeaufsichtsamt Hannover (State Labour Inspectorate, Hannover)
- Frank Behnisch, CSL Behring
Annex 11: "All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions."
What exactly does "all incidents" mean? Does it also mean service requests (such as resetting a password)?
It means, per definition, all incidents. But the company can define what an incident is and what the intended use is. Resetting a password, for instance, can be a regular task of the administration and is therefore not an incident, since the system documents the reset via log files. Here, you can limit the incidents.
Are workarounds accepted for preventive actions?
Yes, provided they are described and regulated - for instance, in SOPs.
Chapter 14 - Electronic Signature
Speakers:
- Klaus Eichmüller, Regierung von Oberbayern (Government of Upper Bavaria)
- Dr Wolfgang Schumacher, F. Hoffmann-La Roche
Annex 11: "Electronic records may be signed electronically. Electronic signatures are expected to: a. have the same impact as hand-written signatures within the boundaries of the company, b. be permanently linked to their respective record, c. include the time and date that they were applied."
Is it intentional that the "meaning" (as in Part 11) is not required in Annex 11?
Eichmüller/Samson: In GxP processes, the meaning of a signature is always part of a signature. For the GMP sector, this is regulated in Chapters 1 and 4 of the EU GMP Guideline. This is the reason why this requirement was not repeated in Annex 11. A repetition of this requirement would have ensured improved clarity, without causing unnecessary redundancy. But in principle, the actual wording is not confusing.
How long must data concerning electronic signatures be kept?
Eichmüller/Samson: What data? The signed data may no longer be separated from the signature. Signature and signed data must be kept for an equal period of time. The retention period to be specified must be defined according to the underlying requirements, such as GxP requirements (other requirements may also be relevant: commercial law, liability law etc.). Data concerning the signatory has to be kept at least as long as the signed data (data concerning the signatory is in fact metadata of the signed data). In any case, the user data should be kept as long as the system is operated and as long as the signed data must be kept.
What significance does the requirement of the binding legal force in the internal relationship of the company have?
Samson: The legal context differs between the USA and the European Union. The USA is one state and does not have a general law on electronic signatures. The EU is a Union consisting of 27 states, subordinated to European law. But these states are obliged to transpose this subordinated law into specific national legislation. This means that the national provisions on electronic signatures may differ slightly from state to state. Where electronic signatures are concerned, there are two directives valid in the EU: Directive 1999/93/EC on a Community framework for electronic signatures and Directive 2000/31/EC on electronic commerce. In Germany, the Signature Law also applies. The sentence: "Electronic signatures are expected to have the same meaning as hand-written signatures in the internal relationship of a company …" means that external regulations such as the Signature Law are not applicable for GxP-relevant electronic signatures within a regulated pharmaceutical organisation.
Eichmüller: Because of the different possibilities of the Member States with regard to regulations on the binding legal force of electronic signatures in external relationships, Annex 11 only describes the binding legal force in the internal relationship.
What does "same impact within the boundaries of the company" mean?
Eichmüller/Samson: As a logical consequence of the information above, GxP-relevant electronic signatures can be recognised as equivalent to hand-written signatures within the regulated pharmaceutical organisation.
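An added example, not from the Q&A and not any particular vendor's implementation, of what "permanently linked to their respective record" and "include the time and date" can mean in code: the signature block fixes a hash of the record, the signer's identity, the meaning of the signature and the UTC time, so that any later change to the record or to the signature block is detected on verification. Per-signer HMAC keys held by the system, the function names and the sample batch record are assumptions made to keep the example to the Python standard library; an asymmetric scheme would be structured the same way, with the signer's private key replacing the shared secret.

```python
"""Electronic signature bound to a record with signer, meaning and UTC time (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample keys for two signers (assumption: one secret per signer, held by the system,
# never by the user). In a real system these live in a key store, not in source code.
SIGNER_KEYS = {"qp.mueller": b"constructed-key-1", "analyst.a": b"constructed-key-2"}

SIGNATURE_FIELDS = ("record_sha256", "signer", "meaning", "signed_at")


def _canonical(obj):
    """Deterministic byte form so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, signer, meaning, when=None):
    """Return a signature block linking the record's content hash to signer, meaning and UTC time."""
    if signer not in SIGNER_KEYS:
        raise KeyError(f"no key for signer {signer!r}")
    stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    manifest = {
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "signer": signer,
        "meaning": meaning,        # e.g. "Certified for release"; Chapter 4 expects it to be recorded
        "signed_at": stamp,        # Annex 11 14 c: time and date of application
    }
    mac = hmac.new(SIGNER_KEYS[signer], _canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "mac": mac}


def verify_signature(record, sig):
    """True only if the record is unchanged and the signature block itself has not been altered."""
    key = SIGNER_KEYS.get(sig.get("signer"))
    mac = sig.get("mac")
    if key is None or not isinstance(mac, str):
        return False
    manifest = {k: sig.get(k) for k in SIGNATURE_FIELDS}
    if manifest["record_sha256"] != hashlib.sha256(_canonical(record)).hexdigest():
        return False                                   # record changed after signing
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)          # any field of the block changed


def demo():
    """Constructed sample: a QP certifies a batch record at a fixed time."""
    record = {"batch": "B-2011-0630", "result": "conforms", "spec": "SOP-QC-012 v3"}
    sig = sign_record(record, "qp.mueller", "Certified for release",
                      when=datetime(2011, 6, 30, 14, 5, tzinfo=timezone.utc))
    return record, sig


if __name__ == "__main__":
    record, sig = demo()
    print(sig["signed_at"], verify_signature(record, sig))
```

Because the signature covers the record hash together with signer, meaning and time, none of the four can be swapped after the fact without the check failing; storing the block in the same archive as the record is what makes the link "permanent" in practice, and keeping SIGNER_KEYS (or their public-key equivalent) for the whole retention period is the point made above that data about the signatory must be kept as long as the signed data.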
Chapter 15 - Batch Release
Speakers:
- Klaus Eichmüller, Regierung von Oberbayern (Government of Upper Bavaria)
- Dr Wolfgang Schumacher, F. Hoffmann-La Roche
Annex 11: "When a computerised system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature."
Is this approach also valid for hybrid systems where the release is paper-based, but the release is recorded in an electronic system?
Eichmüller: The requirement that the relationships of the single documents need to be stated in an unambiguous way in a hybrid system is decisive. If documentation of the release decision is paper-based, Annex 11 is to be applied only with regard to the supporting documents. A mere reproduction of a paper-based release decision in an electronic system implies the application of the requirements of Annex 11 but not the requirement of a further electronic signature.
Is there an electronic release?
Eichmüller: A release is carried out by a human being, in the case of a release according to §16 AMWHV or Annex 16 by the Qualified Person (QP).
Is an automatic release possible in the case of real-time release?
Samson: In order to make that absolutely clear, it has to be noted that the so-called Real Time Release has to be understood as Real Time Release Testing (RTRT). There has never been an intention to carry out batch releases automatically. Rather, and in the sense of ICH Q8, it is possible to replace release-relevant quality controls in the laboratory with real-time testing as long as the process and validation permit such testing.
Eichmüller: It is true that automated aggregations of data are possible by means of validated processes but the release is carried out by people. In terms of RTRT, further possibilities of application can be anticipated for the future (compare EMA's relevant Concept Paper) but I don't see the possibility of an automated release yet. (Annotation: At the end, there also is the question about responsibility and the related liability).
Chapter 16 - Business Continuity
Speakers:
- Klaus Eichmüller, Regierung von Oberbayern (Government of Upper Bavaria)
- Dr Wolfgang Schumacher, F. Hoffmann-La Roche
Annex 11: "For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested."
Is a high availability of critical processes required independently of the question as to whether such availability is necessary?
Samson: The availability of a process should be proportionate to the needs. This means that a process which is used only seldom need not have high availability even if it is a critical process from the GxP point of view. The process should only be available if needed. It has to be noted, however, that a process which is used often or continuously might be assessed as being more critical from a business perspective than it is according to GxP.
Eichmüller: Chapter 16 focuses on the criticality of restoring process support. This leaves room for manoeuvre for GxP-critical processes. But the relevant decisions must be substantiated rationally on the basis of risk assessments.
Must the system availability of each single system be tested or is a general test sufficient?
Eichmüller/Samson: First of all, the systems requiring higher availability must be identified. The availability of a group of systems cannot be tested only "generally". To be efficient and in conformity with the requirements, contingency plans need to be designed system-specifically and in sufficient detail. Contingency plans can either be defined as SOPs or be accompanied by SOPs. In any case, the contingency plans should be trained and practised regularly. They must invariably be set up so that plans and measures are reviewed and, if necessary, adapted in the case of hardware, software or organisational changes. Furthermore, for complex processes with embedded or interconnected systems, the interaction of the emergency measures of the individual systems should be reviewed and practised.
Chapter 17 - Archiving
Speakers:
- Klaus Eichmüller, Regierung von Oberbayern (Government of Upper Bavaria)
- Dr Wolfgang Schumacher, F. Hoffmann-La Roche
Annex 11: "Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested."
How often should the readability of archived data be checked?
Eichmüller: This is to be defined by the company and depends on a set of further factors (see below) - apart from the type of system or data.
Samson: There is no simple and general answer to this question since the readability of a data storage device depends on various factors; including the technology used, the storage conditions of the data storage devices and the reliability of the requisite disk drives. That is the reason why the period of review should be defined based on the identified risks, the criticality of the data and, if applicable, experience. This point should in any case be a subject of the periodical evaluation.
Is a single test enough to demonstrate the readability of archived data?
Eichmüller: A single test does not at all fulfil the requirement of ensuring readability. The frequency of testing depends on different factors such as the archived process and the software and hardware used (see above and below) and should, for logical reasons, be defined individually.
Samson: A single readability test is definitely not enough, since the aging process of the data storage devices and the disk drives used cannot be taken into account in that case. Furthermore, the availability of the requisite hardware and system software can play an important role as regards very old systems. This is the reason why periodic control of readability is indispensable.
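An added example, not from the speakers or the page, of a periodic archive check that reports separately on the three properties named in Chapter 17: accessibility (the file can still be opened), integrity (its SHA-256 still matches the manifest written at archiving time) and readability (a reader for the recorded format is still available and parses the bytes). The manifest layout, the format names, the function names and the sample archive built in a temporary directory are assumptions; the "legacy-binary" entry illustrates the point made above that the requisite software may no longer be available even when the bytes are intact.

```python
"""Periodic check of an archive for accessibility, integrity and readability (added example)."""
import csv
import hashlib
import io
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Readers for the formats recorded in the manifest (assumed). A format with no reader,
# or whose reader fails, counts as 'unreadable' even if the bytes are intact.
READERS = {
    "utf8-text": lambda data: data.decode("utf-8"),
    "csv": lambda data: list(csv.reader(io.StringIO(data.decode("utf-8")))),
}


def build_manifest(root, format_for):
    """At archiving time: record SHA-256 and declared format of every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[rel] = {"sha256": digest, "format": format_for(rel)}
    return manifest


def check_archive(root, manifest, when=None):
    """Periodic check: one status per manifest entry plus the UTC time of the check run."""
    stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    files = {}
    for rel, meta in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        try:                                                        # accessibility
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            files[rel] = "missing"
            continue
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:    # integrity
            files[rel] = "corrupt"
            continue
        reader = READERS.get(meta["format"])                       # readability
        try:
            if reader is None:
                raise LookupError(meta["format"])
            reader(data)
        except Exception:
            files[rel] = "unreadable"
            continue
        files[rel] = "ok"
    return {"checked_at": stamp, "files": files}


def demo():
    """Constructed sample archive in a temp directory; the second check runs after simulated ageing."""
    root = tempfile.mkdtemp()
    try:
        samples = {
            "results.csv": b"batch,assay\nB-0630,99.2\n",
            "notes.txt": "Freigabe erteilt\n".encode("utf-8"),
            "raw.dat": b"\x00\x01\x02legacy",   # format whose reader no longer exists
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        formats = {"csv": "csv", "txt": "utf8-text"}
        manifest = build_manifest(
            root, lambda rel: formats.get(rel.rsplit(".", 1)[-1], "legacy-binary"))
        first = check_archive(root, manifest)
        with open(os.path.join(root, "results.csv"), "ab") as fh:   # simulated bit rot
            fh.write(b"garbage")
        os.remove(os.path.join(root, "notes.txt"))                   # simulated lost medium
        second = check_archive(root, manifest)
    finally:
        shutil.rmtree(root)
    return first, second


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Keeping the "checked_at" stamps of every run is what lets the periodic evaluation show that the review interval the company defined was actually observed; a hash match alone says nothing about whether the archived format can still be opened, which is why readability is checked as a third, separate property.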
Compiled by Dr Andreas Mangel
CONCEPT HEIDELBERG