Search

Loading

If you find the information within this blog useful please take the time to support the site and visit one of the Google advertisers.


Share

24 Feb 2011

EU Annex 11 – Supplier Audits



This is a continuation of a review of the impact of the update to EU Annex 11, issued in January 2011 to become effective on the 30 June 2011.

Supplier Audits

The supplier audit process for software suppliers including IT systems, automation systems, etc has been around for quite some time within the guidance documents, but never directly referenced within cGMPs for pharmaceutical companies (e.g. 21 CFR 211 or EU Annex 11).

The following is included within the update of EU Annex 11 which defines the requirements for the consideration of supplier audits of computerised systems.

As stated in the earlier post EU Annex 11 has been updated and becomes effective on the 30 June 2011. This is part of a series of reviews detailing what has changed and the impact on Computer Systems Validation.

The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

The Quality Risk Management approach to determining whether a supplier a supplier should be audited should consider:
  • The potential impact of the system being supplied based on Patient Safety and Record Data
  • The novelty or complexity of the system
  • The history and experience in supplying these systems

Dependant on the output from the assessment the consideration may be that controls are not required over the design of software (Commercially Off the Shelf systems), postal audit (supplier evaluation) for systems which are medium to low impact computer systems or where suppliers have a proven track record within the industry and the required design. A full site audit should be performed for medium to high impact systems which have some level of complexity.


The following diagram shows a simple risk matrix to support the decision process. Those shown in red the user should consider a full audit, yellow a minimum of a postal audit should be considered and then those in green no further controls should be required.

It is the requirement that regulated company determines and documents the approach to determining which suppliers should be audited.
The decision and the audit findings should be documented and approved by the Quality Assurance department. They form a part of the validation lifecycle and must be available for inspection.

Links

Supplier Audits – Part 1

No comments:

Post a Comment

All comments on the computer systems validation blog are welcome.

Share