Is the system fit for purpose?
It’s crucial that organisations operating across the Pharmaceutical and Medical Device industry carefully consider the impact of the introduction of computerised quality system applications.
The European Medicine Agency's (EMEA) Guidelines to Good Manufacturing Practice (GMPs) - Annex 11, Computerized Systems (aka EU Annex 11) and The Food and Drug Administration's (FDA) rule on Electronic Records/Signatures (21 CFR Part 11 aka Part 11) are crucial in the manufacture of pharmaceutical products.
Businesses operating within the Medical Device and Pharma industries are compelled through the FDA and EMEA to instigate a formal validation process to ensure that all software is fit for purpose. Whilst the legislation that governs particular sectors may vary, the principles of software validation are consistent and typically demand consideration of the following areas:
- Software Vendor Development Methodology
- Customer Requirement
- Customer System Specification
- Software Verification
- System Validation
- System Change Control and Validation
- Problem Resolution Process and Tracking
So how can we ensure that a computerised quality system is fit for purpose under either Part 11 or Annex 11?
Whether operating under Annex 11 or Part 11, all computerised systems used in GxP regulated environments require compliance for ensuring integrity of data and records.
The FDA suggests that “when computers are used as part of the quality system, the [device] manufacturer shall validate computer software for its intended use according to an established protocol. This has been a regulatory requirement of FDA's medical device Good Manufacturing Practice (GMP) regulations since 1978”
EMEA Annex 11 goes further into the requirements of computerised systems than Part 11. There are specific points in Annex 11 that relate directly to the supplier and service provider of the software. It addresses formal agreements, software review and supplier audits. It is important to note that a software supplier cannot sell a validated system; validation requires a risk-based approach that the system performs as intended in its actual environment; however a system can provide the functionality to enable compliance with the specific regulations.
When evaluating computerised quality systems, consider if the system;
- Provides access control /user management.
- Allows only authorised changes to data and documents
- Ensures data integrity including: prevention of deletion, poor transcriptions and omission.
- Provides full time stamped audit trails
- Provides Disaster recovery / Back up and retrieval
- Provides the use of Electronic Signatures where necessary
- Allows for system maintenance and change control
- Supports management of training documentation
Five tips to help ensure you select the right supplier:
- Evaluate the quality methodology of the supplier; how do they design, construct, supply and maintain the software? Do they have relevant ISO9001 and TickIT quality marques in place to underpin the way they work?
- Understand the history of the vendor’s suppliers, if they have outsourced work – was all the software built in house? If not, how are the vendor’s suppliers quality checked?
- Are any third party apps used within the software? How heavy is the vendor’s reliance upon these apps, and how reliable are the apps themselves?
- Consider any known limitations of the software package or versions and the adequacy of any corrective actions by the Supplier.
- Has the supplier supplied to GxP regulated industries previously? Was the software compliant in ensuring integrity of records and data?