User Requirement Specifications
The new version will describe more clearly the required functions of the system (based on a Risk Assessment and GxP impact) to be included in the URS document (or similar document): the requirements should detail and reflect the business and/or production processes being supported by the system, including the GMP critical functionalities. User requirements specifications should be not only traceable throughout the system life-cycle but also maintained or updated in case of system modifications (e.g. via change control management and impact assessment).
Moreover, the traceability between user requirements, functional specifications and testing activities should be documented and kept updated.
The above-mentioned updates for User Requirement Specification might affect the following validation deliverables:
- User Requirements Specifications (e.g. update of the integrity requirements such as those related to section 4.4 of Annex 11).
- System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements).
- Traceability Matrix (e.g. addition of the traceability between user requirement specification and functional, configuration and design specifications).
Accuracy Checks
Accuracy check consists of additional (manual and/or automatic) verification performed by a second operator/supervisor or validated device/system for manually entered data considered as critical for the GMP process (e.g. instrumental, method or recipe parameters). The next version will include useful guidelines in order to better classify the criticality of data and systems.
The above-mentioned updates for Accuracy Check might affect the following validation deliverables:
- User Requirements Specifications (e.g. update of the integrity requirements such as those related to section 6 of Annex 11).
- System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements).
- IQ/OQ Test Scripts (e.g. update of the Accuracy Check verification and addition of a criticality evaluation of the system data / parameters based on a risk assessment).
Audit Trail
The reviewed version will describe more adequately what a system Audit Trail should trace and how to review it. Moreover, Audit trail should be always enabled and locked and there should not be the possibility to deactivate the functionality, nor delete or modify (with no trace) the relevant information. In case deactivation and/or edition options are available, only system administrators (not involved in the GMP process) should have access. New detailed guidelines about Audit Trail review frequency will be added according to the following principle: the higher the criticality of the system, more frequently the audit trails should be reviewed.
The above-mentioned updates for Audit Trail might affect the following validation deliverables:
- User Requirements Specifications (e.g. update of the traceability requirements such as those related to section 9 of Annex 11).
- System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements).
- IQ/OQ Test Scripts (e.g. inclusion of additional checks for Audit Trail functionality and traceability verification for all relevant testing steps related to creation/modification of electronic records, user accounts, groups and/or privileges).
Data Security
The updated version will be more detailed about the security (i.e. physical and logical) controls to be implemented (e.g. additional security measures such as multi-factor authentication, platform management, etc.) in order to guarantee system access only to authorized users. In particular, the only use of “pass cards” will not be accepted because they might be lost or shared by different users. In such cases, depending on the system criticality, it should be recommended the use of a multi-factor authentication method.
When designing and configuring the system user groups and related privileges the “segregation of duties” and “least privilege” principles should be considered. Furthermore, creation, change and cancellation of access authorizations should be not only recorded (e.g. within access log) but also frequently reviewed given that people may assume or change their roles within the company or quit their job.
The above-mentioned updates for Data Security might affect the following validation deliverables:
- Configuration & Design Specifications (or similar document) (e.g. addition of new security parameters such as password complexity & history and multi-factor authentication features).
- User Requirements Specifications (e.g. update of the security requirements such as those related to sections 12.1 and 12.3 of Annex 11).
- System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements).
- IQ/OQ Test Scripts (e.g. update of the Password policy, User profile and privileges and Access Control verifications, including traceability verification related to modification of password settings).
Conclusions
The last time Annex 11 was updated to include new guidelines on computerized systems validation, it implied a significant impact on validation approach and relevant deliverables.
The revision of Annex 11 will be crucial and will implement many feedbacks received from regulated users and suppliers in order to better clarify the current applicable regulations. The guidelines is expected to introduce more “tools” and recommendations to be used for ensuring the system compliance to quality, security, integrity, traceability and accountability requirements from a validation perspective. Finally, considering that it’s been (relatively) many years since the Annex 11 was updated, the impact on system validation approach and related deliverables is expected to be important depending on the improvements and details that will be provided within the new guidelines.