The third principle in Annex 11 is:
“Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process
control or quality assurance. There should be no increase in the overall risk of the process.”
This third principle relates to the regulator’s expectations regarding the implementation of computer systems. Prior
to converting a process from manual to automated control or introducing a new automated operation, it is important
that project staff consider any quality assurance and safety issues as part of an impact assessment of the risks associated
with the process. Risk reduction measures may need to be incorporated into the system’s design and operation. Additional risks
to the quality of the related products/materials should not be introduced as a result of reducing the manual involvement in
the process. As part of the process risk assessment, the manual process should be addressed and, if applicable, improvement
in the process should be introduced. The automation must make the process easier and reduce execution time. The use of a computer
system does not reduce any requirements that would be expected for a manual system in terms of data control and security.
Quality System for Computer Systems
Paragraph 4.5 in Annex 11 is a decisive principle and probably the most important:
“4.5. The regulated user should take all reasonable steps to ensure that the system has been developed in accordance with
an appropriate quality management system.”
It refers to the need to ensure that computer systems are produced under a quality system that incorporates the applicable
system development life cycle model. The common goals of a quality system are to understand and meet the customer’s needs
and to ensure that adequate quality standards are maintained. The components of the quality system for computer systems are
the controlled process, the computer system, operating procedures, and documentation.
Analysis of Main Clauses
In addition to the principles described above, Annex 11 contains a total of 17 clauses. The four main clauses are risk
management, requirements management, e-records management, and validation.
“Risk management should be applied throughout the life-cycle of the computerised system taking into account patient safety,
data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity
controls should be based on a justified and documented risk assessment of the computerised system.”
Many techniques can be used to implement a risk management process, but they generally include risk assessment, risk mitigation,
and evaluation and assessment; here I outline one such method.
A detailed risk assessment should be performed, building on the initial risk assessment from the concept phase of the computer
system. This risk assessment process weighs risks associated with processes and functions defined in the draft requirements
specification (RS) (15). Risks found during the assessment may add requirements that need to be part of the RS. Risk assessment
activities to consider are: identification of the processes/functions/transactions (as appropriate); analysis of risk scenarios,
effects for each event, likelihood of events, severity of impact, and likelihood of detection; and a plan for the reduction or
elimination of those risks. Reduction or elimination of those risks is performed during the system development life cycle (SDLC). Based
on the risks identified, planning of the design validation, design verification, and qualification testing should begin. The
test plan and test cases should be developed accordingly.
Strategies for mitigation of the identified risks may include modifying the process or system design, modification of the
project approach or structure, or modification of the validation and testing approach.
During the risk evaluation, processes, systems, and/or functions should be assessed considering how possible hazards and potential
harms arising from these hazards may be controlled or mitigated. For some processes, systems, and/or functions a detailed
assessment should be performed.
To gain the most benefit from risk management, system life cycle (SLC) management and risk management
activities should be integrated. Based on the intended use and the risk associated with the computer system to be implemented,
the computer system developer/integrator should determine the specific approach, the combination of techniques to be used,
and the level of effort to be applied.
EU Annex 20 on risk management provides an approach to risk management for computer systems and computer-controlled equipment.
According to Annex 20, risk management should be applied to select the design of computer hardware and software (e.g., modular,
structured, fault tolerance) and to determine the extent of validation (e.g., identification of critical performance parameters,
selection of the requirements and design, code review, the extent of testing and test methods, reliability of electronic records
Requirements management is only one paragraph in Annex 11, yet it is a very critical recommendation and several processes
are required to fulfill it.
“4.4. User Requirements Specifications should describe the required functions of the computerised system and be based on documented
risk assessment and GMP impact. User requirements should be traceable throughout the life-cycle.”
This clause establishes the EU regulator’s expectation on how to manage, and trace through the SLC, the operational and
non-operational computer system functions required by the users, applicable regulations, company standards,
product, process, and safety (16). These operational and non-operational functions must be managed based on a risk assessment.
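
The following is an added example, not taken from Annex 11 or from the article's sources. It sketches how the risk assessment factors listed earlier (severity, likelihood, likelihood of detection) and the traceability expected by clause 4.4 can be checked together as a chain from risk to requirement to test. The 1 to 3 scales, the multiplied score, the thresholds, and every identifier (R-01, URS-001, TC-10, and so on) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    rid: str
    severity: int       # assumed scale: 1 (minor) to 3 (severe)
    likelihood: int     # assumed scale: 1 (rare) to 3 (frequent)
    detectability: int  # assumed scale: 1 (readily detected) to 3 (likely missed)

    def priority(self) -> str:
        score = self.severity * self.likelihood * self.detectability  # assumed scoring
        return "high" if score >= 12 else "medium" if score >= 6 else "low"

@dataclass
class Requirement:
    urs_id: str
    risk_ids: list = field(default_factory=list)  # risk entries the requirement is based on
    test_ids: list = field(default_factory=list)  # test cases that verify it

def trace_gaps(risks, requirements, executed_tests):
    """Return sorted (item id, finding) pairs for each break in risk -> URS -> test."""
    known = {r.rid for r in risks}
    covered, gaps = set(), []
    for req in requirements:
        if not req.risk_ids:
            gaps.append((req.urs_id, "not linked to a risk assessment entry"))
        for rid in req.risk_ids:
            if rid in known:
                covered.add(rid)
            else:
                gaps.append((req.urs_id, f"cites unknown risk {rid}"))
        if not req.test_ids:
            gaps.append((req.urs_id, "no test case"))
        for tid in req.test_ids:
            if tid not in executed_tests:
                gaps.append((req.urs_id, f"test {tid} not executed"))
    for risk in risks:
        # Assumed policy: a low risk may be accepted without a requirement.
        if risk.rid not in covered and risk.priority() != "low":
            gaps.append((risk.rid, f"{risk.priority()} risk has no requirement"))
    return sorted(gaps)

# Constructed sample data (all ids hypothetical).
RISKS = [Risk("R-01", 3, 2, 3), Risk("R-02", 2, 2, 2), Risk("R-03", 1, 1, 2)]
REQUIREMENTS = [Requirement("URS-001", ["R-01"], ["TC-10", "TC-11"]),
                Requirement("URS-002", [], ["TC-12"]),
                Requirement("URS-003", ["R-09"], [])]
EXECUTED = {"TC-10", "TC-12"}

if __name__ == "__main__":
    for item, finding in trace_gaps(RISKS, REQUIREMENTS, EXECUTED):
        print(f"{item}: {finding}")
```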