Commission Européenne, B-1049 Bruxelles / Europese Commissie,
B-1049 Brussel - Belgium
Telephone: (32-2) 299 11 11
Principle
This annex applies to all forms of computerised systems used as part of a GMP regulated
activities. A computerised system is a set of software and hardware components which
together fulfill certain functionalities.
The application should be validated; IT infrastructure should be qualified.
Where a computerised system replaces a manual operation, there should be no resultant
decrease in product quality, process control or quality assurance. There should be no increase
in the overall risk of the process.
General
1. Risk Management
Risk management should be applied throughout the lifecycle of the computerised system
taking into account patient safety, data integrity and product quality. As part of a risk
management system, decisions on the extent of validation and data integrity controls should
be based on a justified and documented risk assessment of the computerised system.
2. Personnel
There should be close cooperation between all relevant personnel such as Process Owner,
System Owner, Qualified Persons and IT. All personnel should have appropriate
qualifications, level of access and defined responsibilities to carry out their assigned duties.
3. Suppliers and Service Providers
3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install,
configure, integrate, validate, maintain (e.g. via remote access), modify or retain a
computerised system or related service or for data processing, formal agreements must exist
between the manufacturer and any third parties, and these agreements should include clear
statements of the responsibilities of the third party. IT-departments should be considered
analogous.
3.2 The competence and reliability of a supplier are key factors when selecting a product
or service provider. The need for an audit should be based on a risk assessment.
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed
by regulated users to check that user requirements are fulfilled.
3.4 Quality system and audit information relating to suppliers or developers of software
and implemented systems should be made available to inspectors on request.
Project Phase
4. Validation
4.1 The validation documentation and reports should cover the relevant steps of the life
cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria,
procedures and records based on their risk assessment.