Professional Documents
Culture Documents
20.10.2021
Regulatory Requirements
The regulatory requirements are sparse and especially EU GMP Annex 11 "Computerised Systems" is
rather modest regarding the requirements. The only requirement here is as follows:
Annex 11 - 10. Change and Configuration Management: Any changes to a computerised system including
system configurations should only be made in a controlled manner in accordance with a defined procedure.
In addition, the requirements stated in EU GMP Annex 15 "Qualification and Validation" must also be
taken into account. A first essential reference can be found under the section "Principles": Any planned
changes to the facilities, equipment, utilities and processes, which may affect the quality of the product,
should be formally documented and the impact on the validated status or control strategy assessed.
In Chapter 18T of the PIC/S Guidance PI 011, change control is addressed in detail. It starts by stating
basic requirements for documentation. What should be documented?
Inspection Practice
What kind of deficiencies were found during GMP inspections? Here are some examples of the most
frequent ones:
Example 1
It makes sense to classify changes into different classes. Also the AiM 07121202 (Aide mémoire - catalog
of specifications, questions and recommendations; serves for harmonization in the preparation,
execution and follow-up of an inspection) of the EFG 11* describes a classification. From the class results
then the expenditure in connection with the change. For classification, different classifications can be
made in practice. Here are some variants that can be found in practice:
Class 1, 2, 3, etc.
Major, Minor
Critical, Significant, Insignificant, ...
Critical, less critical, very critical, ...
Example 2
The company had established a change control system. However, it was unclear which changes were to
be processed via this procedure. There were only instructions on how to handle software updates. The
following points were not regulated in the handling of
Hardware defects
Security patches
Changes to user accounts
Necessary changes due to detected software errors
Changes to the test system
About the security patches please find a note from PIC/S PI 041-1:
PIC/S PI 041-1
Security patches for operating systems and network components should be applied in a controlled and
timely manner according to vendor recommendations in order to maintain data security. The application of
security patches should be performed in accordance with change management principles.
Example 3
Concrete specifications for time intervals until a change must be completed are not documented. There
should be a documented concept here for the time intervals within which a change is to be completed
(scheduling). It is advisable to introduce a graduated procedure for this purpose. Specifications such as
one year after application are extremely long and not acceptable for a hot-fix. This example, by the way, is
a deficiency that is encountered again and again in connection with change control and computerised
systems.
Sources:
PIC/S PI 011-3
PIC/S PI 041-1
AiM 07121202
© 2021 ECA Foundation, Mannheim