Find below the English translation of the German Aide Memoire:
Download: EU_GMP_Leitfaden_Anhang_11_DE_v2
This is a nonbinding translation of the so called Aide Memoire (Ref. #: 07121202) of the German ZLG (Central Authority of the Laender for Health Protection).
Please feel free to send us comments to: talk@comes-services.com
A revised version of the “Guidelines on Good Distribution Practice of Medicinal Products for Human Use
” was published in the EU Official Journal and will come into operation on 8 September 2013.
Read more on the new designed EMA website: EudraLex – Volume 4 Good manufacturing practice (GMP) Guidelines
CCS executed several GDP assessments for our customers:
Also note the new Guideline on the packaging information of medicinal products for human use authorised by the Union (July 2013)(317 KB) – e.g. identification and authenticity of products.
Several pharmaceutical companies are planning or are currently in the process of IT Outsourcing Programs. The related buzzwords are Cloud Computing, Software as a Service, or Grid-Computing. Part of cloud’s appeal is clearly financial, also GMP regulated companies require a secure solution and sufficient risk control.
Before starting such an outsourcing approach, it should be clearly defined as a project or program. The starting point should be a change control record, indicating what is planned to be changed and how it will be done (concrete steps, impacts, qualification, personnel, audit processes, validated solutions and their status, update of VMPs, licence management, dedicated networks for Production/Lab, etc.). For the management it should be clear that the return of investment can not be achieved in the first year of such a program. In addition don’t forget the process and costs of de-clouding – whenever it will be needed to do so, with respect also to the defined retention periods of GxP data.
The change control record should define the scope of the outsourcing project, e.g. PaaS, IaaS, or SaaS. Please keep in mind that for SaaS it is impossible to outsource the ultimate responsibility for the validation of applications by a GMP regulated company to any third party. A clear definition and setup of the cloud strategy is required.
Also the change control record should include a risk-based analysis of the impacts to the Pharmaceutical Quality System, e.g. Site Master File (Name and official address, contact information), current IT procedures and processes in place, manufacturing authorization (GMP certificates), Validation and Qualification procedures, and/or other contracts and quality agreements to any third party.
Please note, do not start an outsourcing program without the involvement of the QP or Quality Assurance department. Contracts, Master Agreements, Service Level or Quality Agreements, or Program Quality Plans should be reviewed or approved by the Quality Department or QP. Typically a supplier audit is required and the planning of the ongoing “internal” audits for the future. It is not sufficient just to refer to existing certification standards (e.g. ISO 20.000, ISO 27.000).
You ought to consider also that for example a “cloud” is defined as an IT infrastructure component, which should be qualified. So the question is if the “cloud” is already existing and might be in operations at the service provider (e.g. hybrid or shared clouds). Basically the so called cloud solution is not just existing from nothing – it also needs software, where it is generated from and parameters are set up (e.g. which “controlled” data centers are connected, which storage networks are used). A retrospective qualification will be nearly impossible, if such parameters are not known or properly documented during “cloud” installation (setup).
It is also strongly recommended to inform your local inspectorate / agency before any GMP related data is “outsourced”. Basis of such consultation or meeting should be the planned change control record and an impact analysis – and execution details of such a Quality Program for Outsourcing.
More information on IT Outsourcing can be found also in the ISPE GAMP 5 Guide – Appendix S5.
Recommended Further Reading: ISPE GAMP Good Practice Guide – A risk-based approach to testing of GxP Systems – Second Edition – Appendix E2- Testing of Cloud Applications – ToC
Contact as at talk@comes-services.com for more information.
For the third consecutive year CCS was selected as a preferred supplier for GMP consultancy services by a global pharmaceutical Big Player.
One of the important aspects of the collaboration between the two companies are the common GMP and GDP projects, in which CCS supports the client in reducing costs thanks to new risk-based approaches, tool solutions, and compliance processes.
Our compliance projects included:
Both parties are seeing benefits from their closer cooperation in the shape of compliance advantages and more efficient processes.
Please feel free to contact us at: talk@comes-services.com
EU GMP Annex 11 defines that:
Maybe it is also meaningful to read this sentence twice. The regulation is not stating that “computerized systems should be validated” (remember, that the title of Annex 11 is Computerised Systems; more because of historical reasons) – the “application” should be validated in the meaning of a tight correlation to GMP relevant processes, other validation activities (e.g. process validation), the quality system (PQS), and on the basis of a prospective Quality Risk Management (QRM) concept. This “application” is not only “a set of software and hardware components which together fulfill certain functionalities”, it includes also the impact to processes parameters, the management and work by operators, contract, supplier and project management, data migration from other systems, raw data management, IT security aspects, and any other environmental factor. In other words if you validate “only” a computerized system its functions will work properly right now, but it does not include that it is tailored to suit to the processes and operations today and tomorrow.
So this if for example also the reason why it is beneficial to create User Requirement Specifications on the basis of a Process Map and to write each requirement more on a process-based view instead purely on a technical or functional way.
Secondly both statements are divided by a semicolon (;). The inspector working group (authors) would also have been able to use a full stop, a comma, or an “and” or “or” between both statements – but they decided to use a semicolon. This is not just a coincidence. Basically we have two IT layers – at the bottom the technical IT infrastructure and its hardware and software (network) components and placed on this the dedicated business applications. The basis of any validated application is therefore always a qualified IT infrastructure. In principle “qualification of the IT infrastructure” is sufficient (if it under control), because each validation of an application is implicitly also testing the IT infrastructure, but only at this point of time of verification.
Now knowing that an IT infrastructure might be a very dynamic set it does not only contain the pure technical aspects (hardware and software of a network), it also requires IT services and quality principles, e.g. like a change control process to keep in under control – or to keep it qualified for all validated applications running on it.
Annex 11 stated also that: “An up to date listing of all relevant systems and their GMP functionality (inventory) should be available”. What this means in practical terms is that it is useful to maintain one inventory list for applications and one for the IT infrastructure components – and to define the criteria which elements will be related to an application and which to the IT infrastructure. Also such principles are based on a horizontal (controlled and harmonized IT infrastructure) layer and a vertical application setup.
The definition of qualification is according EU GMP: “Action of proving that any equipment works correctly and actually leads to the expected results.”
“Equipment” in this meaning might be also related to IT infrastructure components. Also it should be considered that this “Action” should provide documented evidence and proof that the IT network actually leads to the expected results – a running, stable, and validated application.
The de-facto standard ISPE GAMP 5 (not a law or regulation) is also containing this risk-based, layered approach in its definition of software categories: category 1 for so called Infrastructure Software and categories 3 to 5 for applications of different sorts (mainly based on configuration or development). In addition ISPE GAMP 5 refers on the first page (section 1. Introduction – page 11) to different other standards like ITIL, CMMI, ISO standards, development standards, etc.
For the “qualified IT infrastructure” there are mainly two fields of interest:
It might be interesting, that ISMS as a term was already used in the Draft Version of the Annex 11, but not anymore in the final revision. But this can be seen as an important hint for implementation.
So called Best Practice Standards for ITSMS and ISMS are existing for sure already – there is no need or regulatory requirement to reinvent the wheel especially for GxP compliance. The magic is more on how to implement such comprehensive standards in general and how to provide and satisfy regulatory requirements in terms of documented evidence.
The ISO/IEC 27001 standard specifies the requirements needed to implement an effective Information Security Management System (ISMS) in an organization. ISO 20000 is the first worldwide standard specifically aimed at specifying an integrated set of management processes for the effective delivery of high quality IT service management services to businesses and its customers (based on ITIL).
Such certification standards can define the WHAT, but they do not include the HOW TO. Just an integration into an existing IT structure by a tick-box mentality approach, writing some procedures around it and to stick the paid certificate an a wall will not satisfy the compliance requirements nor result in business profits or cost savings.
The implementation should be based on a well-balanced, efficient, and risk-based approach – covered by a controlled quality program considering the appropriate best practice standards and the GxP risks and processes.
In addition the current Aide Memoire on Annex 11 of the German ZLG states that purely a certificate does not replace the activity of a supplier evaluation.
Contact us now for consultancy services at: talk@comes-services.com
Die ZLG hat nun das angekündigte Aide Memoire bzgl. EU GMP Leitfaden – Anhang 11 veröffentlicht.
The German ZLG has published the Inspection Aide Memoire based on EU GMP Annex 11. The current version is available in German language only.
Download AIDE MEMOIRE – Annex 11 (German): ZLG_AM_QS_07121202
Basis: EudraLex – Volume 4 Good manufacturing practice (GMP) Guidelines
UPDATE: Please find here the English translation of the Aide Memoire.
Still on paper by CCS on GoAnimate
This article is available in German Language only.
Die folgende Tabelle beinhaltet einen Vergleich zwischen Lösungen über eine typische Personaldienstleistung oder einem spezialisierten Beratungskonzept. Im Prinzip stehen sich ressourcenbasierte und lösungsorientierte Konzepte gegenüber und sollten entsprechend betrachtet werden.
Für unsere Kunden erarbeiten wir nachhaltige und effiziente Modelle – für unsere Berater stellen wir entsprechende Konzepte und Methoden zur Verfügung.
Kontaktieren Sie uns gerne für weitere Informationen zum Thema: talk@comes-services.com
Themen und Aspekte: |
Personalagentur und Vermittler (Recruiter, Staffing Agency) |
CCS Netzwerk
|
| Ressourcenbezogene Lösungen: „Body Leasing“ oder andere Personaldienstleistungen – rein ressourcenbasierter Ansatz |
Ja |
Nein |
| Methodische Problemlösungen und strategische Konzepte – GxP Komplementärberatung (Risikomanagement, Inspektionen) |
Nein |
Ja |
| Angebotsphase, Zieldefinitionen und Leistungsumfänge, Qualitätsvereinbarungen mit einem GxP Experten |
Nein |
Ja |
| Bedarfsanalyse, Ursachenforschung und strategische und taktische Konzeptgestaltung mit einem GxP Experten |
Nein |
Ja |
| Teamintegration von Fachexperten zu den Projekt-/ Programmaufgaben durch professionelles Projekt-Management, Projektrisiken und Back-Up Lösungen (Redundanzen) |
Nein |
Ja |
| Coaching und Mentoring Konzepte zur nachhaltigen Beratungsdienstleistung, Erfahrungswissen praktikabel ein- und umsetzen |
Nein |
Ja |
| Sicherstellung des Know-how Transfers, Wissens- und Informationsmanagement, Nachhaltigkeit der Beratung |
Nein |
Ja |
| Zentraler Projekt-Ansprechpartner auf einen GxP Experte und Zugriff auf ein umfassendes Experten Netzwerk und Lösungen |
Nein |
Ja |
| Bereitstellung von Tools und Methoden, Infrastruktur, Training, Regularien, Bibliotheken, Work-Shops, Fachtagungen |
Nein |
Ja |
| Sicherstellung von Weiterbildungsmaßnahmen, fachlicher Austausch und Knowledge Management; Nachhaltigkeit und Corporate Responsibility beim Kunden |
Nein |
Ja |
| Kostentransparenz und faire Bezahlung, passende Projektrollen & Aufgaben und entsprechende Beteilungskonzepte am Gesamterfolg des Netzwerks |
Nein |
Ja |
| Unterstützung unserer Berater bei der Existenzgründung und in administrativen, operativen, steuerlichen oder finanziellen Aspekten |
Nein |
Ja |
| Marketing, Kundenportale und Marktpräsenz, Fachpresse und Ausstellungen / Messeauftritte |
Ja |
Ja |
| Anrufe (Call Center / Telemarketing / Social Engineering / Phishing) als Informationsgewinnung und Aufbereitung |
Ja |
Nein |
| Dienstleistungen für andere Branchen oder Aufgaben (Automobilbau, Konstruktion, Chemie, Lebensmittel, Gebäudemanagement, Head-Hunter, Maschinenbau, Baubranche, Montage, Akkordarbeit, etc.) |
Ja |
Nein
|
| Zentrale Sicherstellung der Geheimhaltung und Verschwiegenheit, Datensicherheit und Informationensverwaltung (Projektdokumentation, Beraterprofile, Entscheidungen) |
Nein |
Ja |
Das Netzwerk “comes compliance services” ist eine unabhängige und zentralisierte Consulting-Plattform für professionelle GXP Berater und Freiberufler. Wir bieten hochspezialisierte Dienstleistungen und Lösungen für die regulierte Industrie (GMP, GDP, GCP, GLP, GVP, MEDDEV) an. Auf der Basis der Projekt- und Marktanforderungen realisieren wir im Teamansatz eine Komplementärberatung aus Consulting, Coaching, Mentoring und Training an. Unser Ansatz basiert auf ausgewogenen Maßnahmen, die Sie mit unseren Kunden zusammen erarbeiten
Damit erreichen wir die bestmögliche Effizienz und Nachhaltigkeit gemeinsam für unsere Kunden in den anspruchsvollen Projekten. Im Vergleich zu rein ressourcenbasierten Ansätze durch z.B. Personalagenturen als Personaldienstleistungen sind unsere Beratungsdienstleistungen in der Gesamtbetrachtung um ca. 60 bis 80 Prozent günstiger.
Die CCS steht für eine vollständige Beratungsstrategie im regulierten Markt. Entscheidend für unsere Projekte ist auch der Zeitpunkt der Beratung bzw. der Anfrage an uns. Können wir beispielsweise noch eine proaktive Beratung durchführen oder handelt es sich um eine reaktive Beratung zur Schadensbegrenzung. Wenn der Beratungsbedarf erst nach einer Abweichung oder eine Mängelliste aus einer Behördeninspektion erkannt wird, herrscht leider sehr oft nur noch blinder Aktionismus, welcher in die Beauftragung von Vermittlern zur Bereitstellung schneller Kapazitäten mündet – oft ohne sauberes Konzept, Koordination oder Methoden.
Personalagenturen, Headhunter und Personalvermittler tummeln sich zahlreich am Markt und vermitteln “Berater” in den Markt, welche von vielen Kunden als Interims-Manager, “Bodyleasing”-Personal oder als Alternative zur fehlenden Festeinstellung (Fachkräfte-Mangel) eingesetzt werden. Dabei kennen die Vermittler nur selten die tatsächlichen Anforderungen aus dem GXP Umfeld und vermitteln auf Provisionen reine Ressourcen an die Kunden.
Wenn Sie selbstständiger Berater sind und Sie unser Konzept interessant finden, kontaktieren Sie uns bitte: freelancer@comes-services.com
Mehr über unsere Services und Dienstleistungsangebote finden Sie auf: www.comes-services.com
Kontaktformular: Öffen
According ISPE GAMP 5 – Page 11 – appropriate schemes for assessing and improving organization capability and maturity should be used, such as the Capability Maturity Model Integration (CMMI) for development. As such most companies which develop systems and software for the GxP related industry hold an ISO 9001 certification.
Download here the Version 1.3 of the current CMMI standard for development: DOWNLOAD DOC – CMMI_Dev-V1.3
Also a listing and mapping between ISO 9001 and CMMI can be downloaded here: DOWNLOAD PDF – CMMI_ISO-9000-2000-mapping
Contact us today for more information to GAMP compliant software and system development at: talk@comes-services.com
As Part 11 solution provider CCS provides this reference listing:
Contact us now for more information at: talk@comes-services.com
