Forum: Technologietransfer & Kooperationen in Life-Sciences – so funktioniert’s!

Wie kann der Transfer von Wissen und Technologien in Life Science beitragen, eigene Produkte zu entwickeln und zu verbessern?

Anhand von Praxisbeispielen zeigen Unternehmen vom Bodensee Erfolgswege auf bei einem gemeinsamen Networking-Forum von BioLAGO und der IHK Bodensee-Oberschwaben in Weingarten.

Termin: 26. September 2013 , 17.30 – 20.00 Uhr
Ort: Geschäftsstelle IHK Bodensee-Oberschwaben, Lindenstraße 2, D-88250 Weingarten

Link Veranstaltung öffnen

Qualification of IT Infrastructure in GMP

EU GMP Annex 11 defines that:

  “The application should be validated; IT infrastructure should be qualified.”

Maybe it is also meaningful to read this sentence twice. The regulation is not stating that “computerized systems should be validated” (remember, that the title of Annex 11 is Computerised Systems; more because of historical reasons) – the “application” should be validated in the meaning of a tight correlation to GMP relevant processes, other validation activities (e.g. process validation), the quality system (PQS), and on the basis of a prospective Quality Risk Management (QRM) concept. This “application” is not only “a set of software and hardware components which together fulfill certain functionalities”, it includes also the impact to processes parameters, the management and work by operators, contract, supplier and project management, data migration from other systems, raw data management, IT security aspects, and any other environmental factor. In other words if you validate “only” a computerized system its functions will work properly right now, but it does not include that it is tailored to suit to the processes and operations today and tomorrow.

So this if for example also the reason why it is beneficial to create User Requirement Specifications on the basis of a Process Map and to write each requirement more on a process-based view instead purely on a technical or functional way.

Secondly both statements are divided by a semicolon (;). The inspector working group (authors) would also have been able to use a full stop, a comma, or an “and” or “or” between both statements – but they decided to use a semicolon. This is not just a coincidence. Basically we have two IT layers – at the bottom the technical IT infrastructure and its hardware and software (network) components and placed on this the dedicated business applications. The basis of any validated application is therefore always a qualified IT infrastructure. In principle “qualification of the IT infrastructure” is sufficient (if it under control), because each validation of an application is implicitly also testing the IT infrastructure, but only at this point of time of verification.

Now knowing that an IT infrastructure might be a very dynamic set it does not only contain the pure technical aspects (hardware and software of a network), it also requires IT services and quality principles, e.g. like a change control process to keep in under control – or to keep it qualified for all validated applications running on it.

Annex 11 stated also that: “An up to date listing of all relevant systems and their GMP functionality (inventory) should be available”. What this means in practical terms is that it is useful to maintain one inventory list for applications and one for the IT infrastructure components – and to define the criteria which elements will be related to an application and which to the IT infrastructure. Also such principles are based on a horizontal (controlled and harmonized IT infrastructure) layer and a vertical application setup.

How to qualify an IT Infrastructure – what is it?

The definition of qualification is according EU GMP: “Action of proving that any equipment works correctly and actually leads to the expected results.”

“Equipment” in this meaning might be also related to IT infrastructure components. Also it should be considered that this “Action” should provide documented evidence and proof that the IT network actually leads to the expected results – a running, stable, and validated application.

The de-facto standard ISPE GAMP 5 (not a law or regulation) is also containing this risk-based, layered approach in its definition of software categories: category 1 for so called Infrastructure Software and categories 3 to 5 for applications of different sorts (mainly based on configuration or development). In addition ISPE GAMP 5 refers on the first page (section 1. Introduction – page 11) to different other standards like ITIL, CMMI, ISO standards, development standards, etc.

For the “qualified IT infrastructure” there are mainly two fields of interest:

  1. IT service management services to businesses and its customers (ITSMS)
  2. Information Security Management System (ISMS)

It might be interesting, that ISMS as a term was already used in the Draft Version of the Annex 11, but not anymore in the final revision. But this can be seen as an important hint for implementation.

So called Best Practice Standards for ITSMS and ISMS are existing for sure already – there is no need or regulatory requirement to reinvent the wheel especially for GxP compliance. The magic is more on how to implement such comprehensive standards in general and how to provide and satisfy regulatory requirements in terms of documented evidence.

Best Practice and Certification Standards – and the real world

The ISO/IEC 27001 standard specifies the requirements needed to implement an effective Information Security Management System (ISMS) in an organization. ISO 20000 is the first worldwide standard specifically aimed at specifying an integrated set of management processes for the effective delivery of high quality IT service management services to businesses and its customers (based on ITIL).

Such certification standards can define the WHAT, but they do not include the HOW TO. Just an integration into an existing IT structure by a tick-box mentality approach, writing some procedures around it and to stick the paid certificate an a wall will not satisfy the compliance requirements nor result in business profits or cost savings.

The implementation should be based on a well-balanced, efficient, and risk-based approach – covered by a controlled quality program considering the appropriate best practice standards and the GxP risks and processes.

In addition the current Aide Memoire on Annex 11 of the German ZLG states that purely a certificate does not replace the activity of a supplier evaluation.

Read more at CCS.

Contact us now for consultancy services at: talk@comes-services.com

Aide Mémoire 07121202 der ZLG (Annex 11): Überwachung computergestützter Systeme

Die ZLG hat nun das angekündigte Aide Memoire bzgl. EU GMP Leitfaden – Anhang 11 veröffentlicht.

The German ZLG has published the Inspection Aide Memoire based on EU GMP Annex 11. The current version is available in German language only.

 

Download AIDE MEMOIRE – Annex 11 (German): ZLG_AM_QS_07121202

Basis: EudraLex – Volume 4 Good manufacturing practice (GMP) Guidelines

UPDATE: Please find here the English translation of the Aide Memoire.

 

GMP for pharmaceutical excipients – IPEC

IPEC Europe, the International Pharmaceutical Excipients Council Europe,  is an association that serves the interests of producers, distributors  and users of pharmaceutical excipients. IPEC Europe represents the views of its members to appropriate  regulatory bodies (European Commission, EMA, European Pharmacopoeia) and  is recognised by Government agencies around the world as the voice of  European producers and users of pharmaceutical excipients.

The IPEC guidelines can be downloaded at: OPEN LINK

For Example: The IPEC-PQG Good Manufacturing Practices Guideline, Quality Agreement Template, Qualification of Excipient, The IPEC-PQG Good Manufacturing Practices Audit Guideline, The IPEC Good Distribution Practices Guideline

Visit the IPEC site: Home > Publications > Guidelines

Choose the proper Risk Management Tool

Everyone talks about Quality Risk Management or a risk-based approach, but what does it mean and what are the results – added-value for projects and products?

The new WHO guideline contains a section for choosing the appropriate Risk Management Tool for the day-to-day risk management decision-making process. Read it online here.

Also refer to Table 3 – Examples of common risk management tools, which is defining the attributes and potential applications of the mostly used and referenced methods, which helps to find the right QRM Tool.

Contact us for more information at: talk@comes-services.com

 

GAMP 5 compliance – CMMI Version 1.3

According ISPE GAMP 5 – Page 11 – appropriate schemes for assessing and improving organization capability and maturity should be used, such as the Capability Maturity Model Integration (CMMI) for development. As such most companies which develop systems and software for the GxP related industry hold an ISO 9001 certification.

Download here the Version 1.3 of the current CMMI standard for development: DOWNLOAD DOC – CMMI_Dev-V1.3

Also a listing and mapping between ISO 9001 and CMMI can be downloaded here: DOWNLOAD PDF – CMMI_ISO-9000-2000-mapping

 

Contact us today for more information to GAMP compliant software and system development at: talk@comes-services.com

Gute Vertriebspraxis GDP 2013/C 68/01 Leitlinie

Download the EU GDP Guideline here in German or English language.

Die überarbeitete Leitlinie tritt 6 Monaten nach der Veröffentlichung am 8. September 2013 in Kraft.

The guideline will enter into force in six months from the date of publication, on 8 September 2013.