The Three Fundamental Principles of Computerized Systems

Introduction to the Principle in PIC/S GMP ANNEX 11

The Principle section of PIC/S GMP ANNEX 11 “Computerised Systems,” revised in 2011 and effective from June 30, 2011, states the following:

“Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”

This fundamental principle serves as the cornerstone for implementing computerized systems (automated systems) within GMP-regulated environments. When transitioning from manual operations to computerized systems (automation), organizations must ensure the following three critical requirements are met:

  1. Product quality must not be degraded
  2. Quality assurance must not be compromised
  3. Overall process risk must not be increased

Understanding the Principle Through a Practical Example

To illustrate these principles, let’s consider the evolution of rice cooking from traditional methods to modern automation. Rice was once cooked in a traditional pot (okama) using manual techniques passed down through oral tradition: “Start gently, then vigorous heat; even if the baby cries, never remove the lid.” This folk wisdom ensured consistently delicious rice through careful manual control of heat and timing.

In modern times, the traditional pot has been replaced by the microcomputer-controlled rice cooker. The term “microcomputer” refers to a microprocessor embedded within the hardware. These rice cookers are equipped with integrated circuit (IC) chips and controlled by firmware—small programs that manage the cooking process automatically.

For a microcomputer rice cooker (automated system) to successfully replace traditional manual cooking, it must satisfy the three fundamental principles:

  1. Maintain Product Quality: The rice must be cooked with the same delicious taste, texture, sweetness, and glossy appearance as when prepared in a traditional pot (no degradation of product quality)
  2. Ensure Consistent Quality Assurance: Each batch of rice must be cooked to the same standard without variation between cooking cycles (no degradation of quality assurance)
  3. Prevent Risk Increase: The automated system must not introduce food safety hazards such as foodborne illness (no increase in overall risk)

The Purpose of Validation

The fundamental purpose of validation is to demonstrate that a computerized system can perform the same functions that were previously accomplished manually, while maintaining or improving upon the level of quality, assurance, and safety. This means:

  • The automated system must reliably reproduce what was achievable through manual operations
  • All critical quality attributes must be preserved or enhanced
  • The system must operate within a validated state throughout its lifecycle
  • Any changes to the system must be controlled and their impact assessed

Current Regulatory Landscape and Recent Developments

Evolution of Regulatory Guidance

Since the implementation of the current PIC/S GMP ANNEX 11 in 2011, the pharmaceutical industry has undergone significant technological transformation. Recognizing this evolution, regulatory authorities have initiated comprehensive updates to address emerging technologies and modern manufacturing practices.

2024 Draft Revision of ANNEX 11: In 2024, the European Commission and PIC/S released a draft revision of ANNEX 11 for public consultation. This updated version, approximately four times longer than the 2011 version, introduces seven entirely new sections and significantly expands existing content. Key enhancements include:

  • Comprehensive coverage of cloud-based services and Software-as-a-Service (SaaS) platforms
  • Dedicated guidance on Artificial Intelligence and Machine Learning (AI/ML) systems
  • Enhanced cybersecurity requirements integrated throughout the system lifecycle
  • Strengthened data integrity controls addressing “data in motion” and “data at rest”
  • Expanded supplier management requirements for third-party service providers
  • More detailed requirements for identity and access management
  • Enhanced guidance on electronic signatures and audit trail management
  • Introduction of periodic review requirements aligned with equipment qualification standards

The draft revision reflects a paradigm shift toward more comprehensive digital governance, acknowledging that modern pharmaceutical manufacturing increasingly relies on sophisticated computerized systems that were not contemplated when the 2011 version was developed.

Industry Guidance: GAMP 5 Second Edition

Complementing regulatory requirements, the International Society for Pharmaceutical Engineering (ISPE) published the GAMP 5 Guide Second Edition in July 2022. GAMP (Good Automated Manufacturing Practice) provides internationally recognized guidance for the validation of computerized systems in pharmaceutical and life sciences industries. The Second Edition modernizes the framework established in 2008 to address contemporary technological and regulatory challenges:

Key Updates in GAMP 5 Second Edition:

  • Risk-Based Approach Enhancement: Strengthened emphasis on Quality Risk Management (QRM) based on ICH Q9 principles, with risk assessment integrated throughout the system lifecycle
  • Data Integrity Focus: Comprehensive incorporation of ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available) throughout the validation framework
  • Agile Development Support: New appendix (Appendix D4) providing guidance on implementing Agile methodologies within GxP-regulated environments while maintaining compliance
  • Cloud Computing and SaaS: Detailed guidance (Appendix D7) on assessing cloud service providers, managing shared responsibilities, and ensuring data security across distributed environments
  • Artificial Intelligence and Machine Learning: Dedicated appendix (Appendix D11) addressing validation challenges specific to AI/ML systems, including algorithmic bias, model drift, and dynamic learning systems
  • Open-Source Software: Expanded guidance on risk assessment and control strategies for open-source software components
  • Blockchain Technology: New appendix exploring validation considerations for blockchain applications in pharmaceutical supply chain and data management
  • Computer Software Assurance (CSA): Integration of FDA’s CSA approach emphasizing critical thinking and risk-based testing strategies
  • Cybersecurity Integration: Strengthened focus on security controls as integral components of validation strategy
  • Tool-Based Validation: Guidance on leveraging automated tools for requirements management, testing, and documentation

The GAMP 5 Second Edition maintains alignment with global regulatory requirements including FDA 21 CFR Part 11 (Electronic Records and Electronic Signatures), FDA 21 CFR Parts 210/211 (Current Good Manufacturing Practice), and EU GMP ANNEX 11, providing a harmonized approach to computerized system validation across jurisdictions.

Data Integrity: A Critical Element

Data integrity has emerged as a critical focus area in recent years, driven by numerous regulatory enforcement actions globally. The principles of data integrity are intrinsically linked to the three fundamental principles of computerized systems:

ALCOA+ Principles: Modern data integrity requirements are encompassed by the ALCOA+ framework:

  • Attributable: Data must be traceable to the individual who generated it
  • Legible: Data must be readable and understandable throughout its lifecycle
  • Contemporaneous: Data must be recorded at the time the activity is performed
  • Original: The original record or certified true copy must be preserved
  • Accurate: Data must be correct, complete, and free from errors
  • Complete: All data necessary for reconstruction must be available
  • Consistent: Data must follow a logical sequence with timestamps
  • Enduring: Data must be preserved throughout the required retention period
  • Available: Data must be readily accessible for review and inspection

Ensuring data integrity requires implementing appropriate technical and procedural controls within computerized systems, including robust audit trails, access controls, data backup and recovery procedures, and validation of data transfer processes.

Practical Application to Modern Systems

Risk-Based Validation Strategy

The application of these three fundamental principles requires a systematic, risk-based approach to validation:

Risk Assessment Process:

  1. Identify GMP-relevant functions and their impact on product quality, patient safety, and data integrity
  2. Assess the severity and probability of potential failures
  3. Determine appropriate validation activities based on risk level
  4. Focus validation efforts on high-risk areas while applying scalable approaches to lower-risk components

Validation Lifecycle Activities:

  • Planning Phase: Define validation strategy, system categorization, and resource allocation
  • Specification Phase: Document user requirements, functional specifications, and design specifications
  • Verification Phase: Conduct installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ)
  • Operation Phase: Implement change control, periodic review, and continuous monitoring
  • Retirement Phase: Manage data migration, archival, and system decommissioning

Supplier Management and Third-Party Services

Modern pharmaceutical manufacturing increasingly relies on suppliers and third-party service providers for system development, hosting, and maintenance. Ensuring compliance with the three fundamental principles requires robust supplier management:

  • Establish formal quality agreements defining responsibilities and deliverables
  • Conduct supplier audits to assess GMP compliance and quality systems
  • Review and approve supplier-provided validation documentation
  • Implement appropriate oversight of supplier-performed activities
  • Maintain clear accountability for GMP compliance regardless of service provider involvement

Cloud Computing and Modern Architectures

The migration to cloud-based infrastructure and SaaS solutions presents unique validation challenges:

  • Service Level Agreements (SLAs): Define performance standards, availability requirements, and data protection measures
  • Data Residency: Ensure compliance with data localization requirements and jurisdictional regulations
  • Access Controls: Implement role-based access with multi-factor authentication
  • Shared Responsibility Model: Clearly delineate responsibilities between cloud service provider and regulated company
  • Vendor Assessment: Evaluate cloud provider’s security controls, disaster recovery capabilities, and GMP understanding

Comparison Table: Traditional vs. Modern Validation Approaches

Aspect | Traditional Approach (Pre-2011) | Current Best Practice (Post-GAMP 5 2nd Ed)
Validation Strategy | Prescriptive, documentation-heavy | Risk-based, outcome-focused
Documentation | Extensive paper-based documentation | Electronic, tool-based information management
Development Model | Waterfall/V-model exclusively | V-model, Agile, or hybrid approaches
Testing Focus | 100% requirements coverage | Risk-based, focusing on critical functions
Supplier Involvement | Limited reliance on supplier documentation | Leveraging supplier expertise and documentation
Data Integrity | Basic audit trail requirements | Comprehensive ALCOA+ compliance
Technology Scope | On-premises systems primarily | Cloud, SaaS, AI/ML, blockchain, IoT
Cybersecurity | Separate IT security concern | Integrated into validation framework
Change Management | Revalidation often required | Risk-based change control and impact assessment
Periodic Review | Informal, inconsistent | Formalized, risk-based periodic evaluation

Conclusion: Enduring Principles in an Evolving Landscape

The three fundamental principles established in PIC/S GMP ANNEX 11 remain as relevant today as when they were first articulated. These principles provide a stable foundation upon which modern validation approaches are built:

  1. Product quality must not be degraded: This principle ensures that automation serves to maintain or enhance product quality, never to compromise it
  2. Quality assurance must not be compromised: Computerized systems must provide equivalent or superior assurance of quality compared to manual operations
  3. Overall process risk must not be increased: The introduction of computerized systems should reduce or maintain process risk through appropriate controls and validation

While the technologies continue to evolve—from mainframe systems to cloud computing, from simple control loops to artificial intelligence—these core principles remain constant. The validation approaches may become more sophisticated, the tools may change, and the regulatory guidance may be updated, but the fundamental requirement remains unchanged: computerized systems must deliver the same outcomes that manual operations achieved, or better, without introducing additional risk.

Organizations implementing or upgrading computerized systems must maintain focus on these three principles throughout the system lifecycle. Success requires combining technical expertise with regulatory knowledge, applying critical thinking to validation activities, and maintaining a culture of quality and continuous improvement.

As we look toward the future implementation of the revised ANNEX 11 and continue to adopt emerging technologies, these three fundamental principles will continue to serve as our compass, guiding the pharmaceutical industry toward systems that protect patients, ensure product quality, and maintain data integrity in an increasingly digital world.

References:

  • PIC/S GMP Guide ANNEX 11: Computerised Systems (2011, effective June 30, 2011)
  • EU GMP ANNEX 11 Draft Revision (2024, under consultation)
  • ISPE GAMP 5 Guide Second Edition (July 2022)
  • ICH Q9: Quality Risk Management
  • FDA 21 CFR Part 11: Electronic Records and Electronic Signatures
  • PIC/S PI 011-3: Good Practices for Computerised Systems in Regulated ‘GXP’ Environments

Note: Organizations should consult the most current versions of regulatory guidance and stay informed about ongoing regulatory developments, including the finalization of the ANNEX 11 revision, to ensure continued compliance with applicable requirements.
