safety Tag

The current EU GMP Guidance Annex 11 “Computerised Systems” has been issued in 2011 and does not give sufficient guidance within several areas. There has been discussion for some time about revising this annex to meet current technological and regulatory developments. On 16 November 2022, the EMA (European Medicines Agency) published a “Concept-Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products – Computerised Systems” that addresses the need to update Annex 11.

 

Proposed timetable until the publication of the new EU GMP Annex 11

  • Deadline for comments on the concept paper: 16 November 2023.
  • Publication and commenting of a draft of the new Annex 11: March 2025.
  • Approval and publication by the European Commission: June 2026.
  • Reasons for the revision of Annex 11.

 

Where is there a need for change and adaptation?

In 33 points, based on the structure and chapters of the current Annex 11, new points to be included and topics to be updated are presented.

Which topics should be included in the new Annex 11?

The following is an excerpt from the Concept Paper of some chapters in Annex 11 that have been identified as needing adaptation:

  1. Suppliers and Service Providers

The topic of cloud service providers should be addressed in particular:

  • [3,1] “For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider.”
  1. Validation
  • [4.1] The meaning of the term ‘validation’ (and ‘qualification’), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.
  • [4.1] Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.

The topic of “agile methods” should be integrated here regarding deviations from previous classic development documents.

  • [4.5] It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.
  1. Audit Trails

Most of the new topics are mentioned here. What has been a very short chapter so far, topic should be described much more comprehensively in the new Annex 11. The points to be addressed include:

  • Audit trails must not be editable
  • Audit trails must not be able to be switched off for the “normal user” of a system.
  • Statements should be made about the frequency of audit trail reviews.
  • Audit trail data as GMP requirements are often created together with log data. It should be possible to be able to sort these data.
  1. Security

This topic should also be integrated more strongly under the aspect of external threats.

  • [12.1] The current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.

Security techniques, information security management systems and requirements are specifically mentioned here.

  • [12.1] The current version says that “Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons”. However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.
  • [12.1] It should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a ‘pass card’ might not be sufficient, as it could have been dropped and later found by anyone.
  • [12.1] Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. ‘segregation of duties’, that day-to-day users of a system do not have admin rights, and the ‘least privilege principle’, that users of a system do not have higher access rights than what is necessary for their job function.

 

Conclusion

The current Annex 11 is partly superseded by technological and regulatory developments and that there is a corresponding need for adaptation.

The latest version (version 16) of the “How to do” document – Interpretation of ICH Q7 Guide and “Review form” for active pharmaceutical ingredients was finalised in July 2022 and published on the new website of the APIC (Active Pharmaceutical Ingredients Committee) at the end of October.

The document aims to facilitate the implementation of the ICH Q7 guideline and provides recommendations on how it can be interpreted.

In this new version, the responsible task force of the APIC Quality Group, has made formal changes, additions and updates in the chapters (1) Introduction, (6) Documentation and Records, (10) Storage and Distribution and (12) Validation.

Following are some examples of relevant changes:

 

Chapter 6 Documentation and Records

This chapter has been thoroughly revised and contains many adjustments and innovations as well as formal changes. For example, in the first paragraph 6.1 “Documentation System and Specification” the acronym ALCOA has been replaced by ALCOA+, and more attention has been paid to electronic documentation and hybrid documentation systems.

In section 6.14, the sub-heading “Electronic systems” has been added; in sections 6.15, 6.16 and 6.17 have been almost completely reworded.

The following paragraphs have also been updated and revised:

  • 2 “Equipment Cleaning and Use Record”,
  • 3 “Records of Raw Materials, Intermediates, API Labelling and Packaging Materials”,
  • 4 “Master Production Instructions (Master Production and Control Records)”,
  • 5 “Batch Production Records (Batch Production and Control Records)”,
  • 6 “Laboratory Control Records”,
  • 7 “Batch Production Record Review”.

 

Chapter 10 Storage and Distribution

This chapter in the current version contains, in addition to formal changes, an adjustment in the second paragraph of section 10.11. All other steps in this chapter are left unchanged.

 

Chapter 12 Validation

In addition to numerous formal adjustments, this chapter has been fundamentally updated and reformulated.

In the first paragraph 12.1 “Validation Policy”, section 12.11 “Critical Parameters/Attributes General considerations” has been expanded to include the term Critical Quality Attribute (CQA) and its meaning has been described in detail.

In the same way, in paragraph 12.3 “Qualification” the term engineering has been added and in paragraph 12.8 “Validation of Analytical Methods” the sentence “The level of the validation required for in-process controls should be evaluated depending on the influence on the final API quality.” has been added.

Source: https://apic.cefic.org/wp-content/uploads/2022/03/ICH-Q7-How-To-Do-version16-final-version-published-on-24-oct-22.pdf

The ICH Q5A(R2) Expert Working Group is working on the revision of the of the Guideline Q5A(R1) “Quality of Biotechnological Products: Viral Safety Evaluation of Biotechnology Products Derived from Cell Lines of Human or Animal Origin”, providing additional recommendations on the established and complementary approaches to control the potential viral contamination of biotechnology products:

  • selecting and testing cell lines and other raw materials;
  • assessing the capacity of the production process to clear infectious viruses;
  • testing the product at appropriate steps of production.

The draft guideline text is currently at step 2 of the ICH process and was endorsed on 29 September 2022.

On 10 October 2022, EMA published a revised version, which is open for comments until 10 February 2023.

Scope

The previous guidance refers to products derived from cell cultures obtained from characterised cell banks. It covers products derived from in vitro cell cultures, such as interferons, monoclonal antibodies and recombinant DNA products, including recombinant subunit vaccines. It also includes products derived from hybridoma cells grown in vivo as ascites, for which special considerations apply.

In the new guidance, the following statement can be found in comparison:

“This document covers products produced from in vitro cell culture using recombinant DNA technologies such as interferons, monoclonal antibodies, and recombinant subunit vaccines. It also covers products derived from hybridoma cells grown in vivo as ascites: special considerations apply for these products, and Annex 1 contains additional information on testing cells propagated in vivo. The document also applies to certain genetically-engineered viral vectors and viral vector-derived products, which can undergo virus clearance without a negative impact on the product. These products may include viral vectors produced using transient transfection or from a stable cell line, or by infection using a recombinant virus. It also includes viral vector-derived recombinant proteins, for example, baculovirus-expressed Virus-Like Particles (VLPs), protein subunits and nanoparticle-based vaccines and therapeutics. Furthermore, the scope includes Adeno-Associated Virus (AAV) gene therapy vectors that depend on helper viruses such as baculovirus, herpes simplex virus or adenovirus for their production. Specific guidance on genetically engineered viral vectors and viral vector-derived products is provided in Annex 7. Inactivated viral vaccines and live attenuated viral vaccines containing self-replicating agents are excluded from the scope of this document.”

Next Generation Sequencing (NGS) and Nucleic Acid Amplification Techniques (NATs) may be appropriate for broad and specific virus detection, respectively. The introduction of these tests may be done without a systematic head-to-head comparison with the currently recommended in vitro and in vivo assays.

 

Objective

All biotechnological products derived from cell lines are at risk of viral contamination, which could have serious side effects or clinical consequences for the patient. This can be due to viral contamination of the starting material or contamination during the manufacturing process.

It is assumed that the safety of these products with respect to potential viral contamination can be ensured by applying a virus analysis programme and evaluating the virus removal and inactivation achieved by the manufacturing process through the appropriate measures described in this guidance document.

Summarized is the purpose of this document to provide a general framework for viral testing, experiments for the assessment of viral clearance and a recommended approach for the design of viral testing and viral clearance studies.

The guideline mentions three different, complementary approaches to controlling the potential viral contamination of biotechnology products:

  • Selecting and testing cell lines and other raw materials, including media components, for the absence of undesirable infectious viruses;
  • Assessing the capacity of the production processes to clear infectious viruses;
  • Testing the product at appropriate steps of production for the absence of contaminating infectious viruses.

Source: “ICH Guideline Q5A(R2) on viral safety evaluation of biotechnology products derived from cell lines of human or animal origin”