The new version will describe more clearly the required functions of the system (based on a Risk Assessment and GxP impact) to be included in the URS document (or similar document): the requirements should detail and reflect the business and/or production processes being supported by the system, including the GMP critical functionalities. User requirements specifications should be not only traceable throughout the system life-cycle but also maintained or updated in case of system modifications (e.g. via change control management and impact assessment).
Moreover, the traceability between user requirements, functional specifications and testing activities should be documented and kept updated.
The above-mentioned updates for User Requirement Specification might affect the following validation deliverables:
Accuracy check consists of additional (manual and/or automatic) verification performed by a second operator/supervisor or validated device/system for manually entered data considered as critical for the GMP process (e.g. instrumental, method or recipe parameters). The next version will include useful guidelines in order to better classify the criticality of data and systems.
The above-mentioned updates for Accuracy Check might affect the following validation deliverables:
The reviewed version will describe more adequately what a system Audit Trail should trace and how to review it. Moreover, Audit trail should be always enabled and locked and there should not be the possibility to deactivate the functionality, nor delete or modify (with no trace) the relevant information. In case deactivation and/or edition options are available, only system administrators (not involved in the GMP process) should have access. New detailed guidelines about Audit Trail review frequency will be added according to the following principle: the higher the criticality of the system, more frequently the audit trails should be reviewed.
The above-mentioned updates for Audit Trail might affect the following validation deliverables:
The updated version will be more detailed about the security (i.e. physical and logical) controls to be implemented (e.g. additional security measures such as multi-factor authentication, platform management, etc.) in order to guarantee system access only to authorized users. In particular, the only use of “pass cards” will not be accepted because they might be lost or shared by different users. In such cases, depending on the system criticality, it should be recommended the use of a multi-factor authentication method.
When designing and configuring the system user groups and related privileges the “segregation of duties” and “least privilege” principles should be considered. Furthermore, creation, change and cancellation of access authorizations should be not only recorded (e.g. within access log) but also frequently reviewed given that people may assume or change their roles within the company or quit their job.
The above-mentioned updates for Data Security might affect the following validation deliverables:
The last time Annex 11 was updated to include new guidelines on computerized systems validation, it implied a significant impact on validation approach and relevant deliverables.
The revision of Annex 11 will be crucial and will implement many feedbacks received from regulated users and suppliers in order to better clarify the current applicable regulations. The guidelines is expected to introduce more “tools” and recommendations to be used for ensuring the system compliance to quality, security, integrity, traceability and accountability requirements from a validation perspective. Finally, considering that it’s been (relatively) many years since the Annex 11 was updated, the impact on system validation approach and related deliverables is expected to be important depending on the improvements and details that will be provided within the new guidelines.
