Attachment No. 11
to the Rules of Good Manufacturing Practice
1. This Attachment shall apply to all types of computerized systems used in activities governed by the requirements of these Rules.
2. A computerized system is a combination of software and hardware components that together fulfil certain functions.
3. Use of a computerized system shall be validated, the IT infrastructure shall be subject to qualification.
4. If a computerized system replaces manual control, it shall not result in a decreased quality of products, process control or quality control. Total risks of the process shall not increase.
II. GENERAL REQUIREMENTS
Risk management (1)
5. Risk management shall be used during the life cycle of the computerized system to ensure the safety of patients, data consistency and product quality. Within the framework of the risk management system decisions on the scope of validation tests and data consistency tests shall be based on well-grounded and documented risk assessment of the computerized system.
6. It is necessary to support close collaboration among all significant staff members engaged in this process, such as the owner of the process, the owner of the system, authorized persons and the technical staff. All staff members shall have appropriate qualification, access level and definite powers in order to perform assigned duties.
Suppliers and service providers (3)
7. (3.1) If third parties (namely, suppliers, service providers) are employed to deliver, install, set up, configure, integrate, validate, provide maintenance services (including by remote access), modify or maintain computerized systems, provide services connected with them or to process data, the manufacturer and the said third parties shall sign contracts. It is recommended to indicate in these contracts that third parties shall duly fulfil their obligations.
8. (3.2) The expertise and reliability of suppliers shall be the key conditions for the selection of a supplier of a software product or services. The necessity to assess the supplier shall be based on the risk assessment.
9. (3.3) Documents provided with commercial software products that are ready for use shall be studied by authorized employees of the manufacturer for their conformity with the manufacturer’s requirements.
10. (3.4) The information of the quality system and assessment of suppliers or developers of software and installed computerized systems shall be available for provision to persons conducting audits at their request.
III. DESIGN STAGE
11. (4.1) Validation documents and reports shall cover corresponding stages of the life cycle of a computerized system. The manufacturer shall base its standards, protocols, acceptance criteria, procedures and records on the risk assessment results.
12. (4.2) Validation documents shall contain change management records (if applicable) and reports on any deviations detected in the validation process.
13. (4.3) There shall be a current list (register) of all used computerized systems indicating their functions governed by the requirements of these Rules.
14. Critical computerized systems shall have a detailed and updated description of physical and logical interrelations, data flows and interfaces with other systems or processes, resource requirements of all hardware and software components, and available safety measures.
15. (4.4) User requirements specifications shall describe the required functions of the computerized system on the basis of the documented assessment of the risk and the influence with regard to conformity to these Rules. User requirements shall be controlled during the whole life cycle of the computerized system.
16. (4.5) The manufacturer shall take all measures which guarantee that the computerized system has been designed in accordance with the appropriate quality management system. The supplier shall be properly evaluated.
17. (4.6) In order to validate computerized systems made to order or modified according to the requirements of the client, it is necessary to develop a documented procedure for assessing the quality and performance characteristics of the computerized system at all stages of its life cycle and preparing corresponding reports.
18. (4.7) It is necessary to provide evidence of correspondence between testing methods and test architecture of the computerized system. In particular, it is required to study the limits of the system (process) parameters, data boundaries and error processing. The assessment of conformity of use of computer-aided test tools to their operation modes shall be documented.
19. (4.8) It data are transferred into another format or data system, the validation shall include checking of the invariability of the value and content of the data during their migration.
IV. OPERATION STAGE
20. Computerized systems interchanging electronic data with other systems shall comprise corresponding built-in tools to control the correctness and safety of data entry and processing in order to minimize risks.
Accuracy control (6)
21. If critical data are entered manually, the accuracy of their entry shall be subject to additional verification. Such accuracy control may be made by a secondary operator or with the help of validated electronic means. The severity and potential consequences of an erroneous or incorrect entry of data in the system shall be covered by the risk management system.
Data storage (7)
22. (7.1) Data shall be protected from damage by both physical and electronic means. Saved data shall be checked for availability, readability and accuracy. Access to the data shall be provided for the whole period of their storage.
23. (7.2) All necessary data shall be regularly backed up. The safety and accuracy of backups, as well as the possibility to restore the data shall be checked in the process of validation and periodically controlled.
Hard copies (8)
24. (8.1) It is necessary to make it possible to get clear printed copies of the data stored in soft copy.
25. (8.2) It shall be possible to get records accompanying a permit for a batch release in a printed form indicating whether any data have been changed after their initial entry.
Audit trails (9)
26. Based on the risk assessment attention shall be paid to the integration into the system of a possibility to make records of all existing changes and deletions related to the scope of application of these Rules (a system creating ‘audit trails’). The reasons for such changes or deletions of data connected with these Rules shall be documented. Audit trails shall be available, allow their transformation into a form that is clear for the user and shall be regularly checked.
Change and configuration management (10)
27. Any changes in a computerized system, including its configuration, shall be made only by a controlled method in accordance with the set procedure.
Periodic assessment (11)
28. Computerized systems shall be periodically assessed to confirm that they remain in a validated condition and meet the requirements of these Rules. Such assessment shall include, if necessary, an evaluation of the current range of functional capabilities, records of deviations, failures, problems, update history, reports on the performance, reliability, safety and validation status.
29. (12.1) To provide access to the computerized system only to those persons who have right to it, it is necessary to apply physical and (or) logic control elements. Appropriate methods of preventing unauthorized access to the system may include use of keys, access cards, personal codes with passwords, biometric data, restricted access to the hardware and data storage areas.
30. (12.2) The degree of protection shall depend on the importance of the computerized system.
31. (12.3) Creation, change and annulment of access rights shall be registered.
32. (12.4) It is necessary to develop a data and document management system to identify operators entering data and to register changes, confirmation or deletion of the data, including their date and time.
Incident management (13)
33. All incidents (unexpected events), including system failures and data errors, shall be recorded and assessed. The main cause for critical failures shall be determined and this information shall be used as a basis for corrective and preventive measures.
Electronic signature (14)
34. Records presented in soft copy may be signed by an electronic signature. Electronic signatures shall:
а) (a) have the same importance as handwritten signatures within the organization;
b) (b) be inseparably linked with corresponding records;
c) (c) contain the time and date when it is written.
Batch release (15)
35. If a computerized system is used to register the procedure for approving and releasing a batch, this system shall provide access for the batch release only to one authorized person and shall clearly identify and register the authorized person who approves and releases the batch. These operations shall be performed subject to an electronic signature.
Continuity of operation (16)
36. To ensure the operation of computerized systems supporting critical processes it is necessary to take precautionary measures and guarantee a continuous support of these processes if the systems fails (e.g. with the help of a manual or alternative system). The time required for switching on the alternative means shall take into account risks and correspond to the specific computerized system and the supported work process. These measures shall be properly documented and checked.
37. Data may be archived. These data shall be checked for availability, readability and consistency. If a computerized system requires significant changes (e.g. in the hardware or software), the possibility of the data recovery shall be ensured and checked.
V. TERMS AND DEFINITIONS
38. For purposes hereof, in addition to the terms and definitions stipulated in Chapter II of these Rules, the following basic terms are used:
process owner: a person responsible for the work process;
system owner: a person responsible for the availability and maintenance of the computerized system and the safety of the data stored in this system;
life cycle: all stages of existence of a computerized system from preparation of initial requirements to the end of use, including its design, determination of specifications, programming, testing, installation, operation and maintenance;
IT infrastructure: hardware and software, such as network software and operating systems that enable using them to fulfil specific functions;
computerized system made to order: a customized computerized system supporting a particular work process;
application: software installed on a particular platform or hardware and providing special functional capabilities;
packaged software: commercially available software whose suitability has been proven by a great number of users.