A Brief Discussion on the Management of Computerized Systems in Pharmaceutical Companies

By Xianliang, A Na

A Brief Discussion on the Management of Computerized Systems in Pharmaceutical Companies

Xianliang, A Na

ABSTRACT: This article discusses 12 aspects of the management of computerized systems in pharmaceutical companies, based on relevant regulations and guidelines from both domestic and international pharmaceutical industries. It provides opinions and suggestions on various management aspects, serving as a reference for pharmaceutical companies to implement GMP management of computerized systems.

KEYWORDS: computerized systems; GMP; pharmaceutical companies

1. Introduction

Recently, the National Medical Products Administration released the “Good Manufacturing Practice for Drug Production (2010 Revision)” Appendix “Computerized Systems”【1】, which came into effect on December 1, 2015. The implementation of this appendix will further standardize the management of computerized systems in the pharmaceutical industry, ensuring more reliable product quality under its control. This appendix outlines the basic management requirements for computerized systems used in the drug production quality management process, but does not describe the specific details of management items. This article combines the validation of computerized systems from the Parenteral Drug Association (PDA), the GAMP5 guidelines from the International Society for Pharmaceutical Engineering (ISPE), and the compliance practice guidelines for computerized systems in GxP environments from the Pharmaceutical Inspection Co-operation Scheme (PIC/S) (PI011-3 guidelines), along with the basic situation of domestic pharmaceutical companies, to elaborate on the management content and methods of computerized systems, which will benefit pharmaceutical companies in fulfilling the requirements of the GMP appendix “Computerized Systems”.

2. Definition and Scope of Computerized Systems

The 2010 version of the appendix “Computerized Systems” defines computerized systems as: “A computerized system consists of a series of hardware and software to meet specific functions.” The definition in the PIC/S PI011-3 guidelines states: A computerized system consists of a computer system and the functions or processes it controls. GAMP5 defines a computerized system as consisting of hardware, software, network components, and controllable functions and related documentation. The definition in GAMP5 is more precise, distinguishing computerized systems from computer systems, as it encompasses both the computer system and the functions and processes it controls.

Based on the above definitions, a computerized system refers to a system that integrates a suitable computer system with specific processes or operations to achieve final management and control objectives. For drug production quality control, this means operating specific production processes and quality control procedures under comprehensive monitoring by relevant software and participation of hardware components, thereby achieving automation, paperless operation, and integrated information management【2】.

A Brief Discussion on the Management of Computerized Systems in Pharmaceutical Companies

Figure 1: Composition Relationship Diagram of Computerized Systems

3. Definition of Management Responsibility Departments

Unclear responsibilities and shifting blame can lead to reduced work efficiency and increase management costs. Therefore, in promoting the management of computerized systems in pharmaceutical companies, it is necessary to clarify the main management responsibility departments for computerized systems. Based on the actual situation of domestic pharmaceutical companies, computerized systems can be divided into three categories, each managed by a different department as the primary responsible department:

a. The IT department manages purely software systems or systems that are primarily software-based, such as ERP, LIMS, and QMS;

b. The engineering department manages systems integrated with equipment, commonly seen in PLCs;

c. The quality department manages systems related to laboratory instruments, such as chromatographic data workstations.

The management principles and content for these three categories of computerized systems are detailed in specific GAMP5 guidance documents:

a. IT department-managed pure IT systems, refer to GAMP: A Risk-Based Approach to Compliant GxP Computerized Systems.

b. Engineering department-managed engineering IT systems, refer to GAMP GPG: A Risk-Based Approach to GxP Process Control Systems.

c. QA-managed laboratory IT systems, refer to GAMP GPG: A Risk-Based Approach to GxP Compliant Laboratory Computerized Systems.

4. Classification of Computerized Systems

According to the definition of computerized systems, their application in pharmaceutical companies is extensive【3】, covering everything from conductivity meters and pH meters to electronic regulatory code systems and enterprise resource planning systems (ERP). Due to the large number and variety of systems, they need to be classified to focus management on complex systems while simplifying management for simpler systems, avoiding unnecessary management costs and achieving lean production.

Category 1: Embedded Computer Systems. These computerized systems are characterized by having no user interface, generating raw data and test results without storage or processing; software programs are embedded in the system’s internal memory; they can input and store operating parameters but cannot modify or configure the software.

Examples:

a. Smart sensors and display instruments installed on-site (embedded computers) for temperature, pressure, flow, wind speed, rotational speed, pH, conductivity, etc.

b. Smart instrument automatic control systems installed on-site (embedded computers) such as temperature control instruments, pressure controllers, and smart instruments with adjustment signals and alarm signals.

c. Electronic scales, digital inspection and testing instruments, testing tools, offline instruments, etc.

Category 2: Industrial Process Control Computer Systems. These computerized systems are characterized by having a single user interface, configurable parameters that can be stored and reused, but the software cannot be configured; they generate, store, and process raw data and test results, and have display and control functions.

Examples:

a. HMI+PLC control systems for production process equipment (reactors, mixing tanks, washing and drying filling lines, sterilizers [only controlled by PLC], grinders, granulators, mixers, tablet presses, capsule filling machines, bottle washing machines, filling machines, etc.); purified water systems, injection water systems, pure steam systems, etc.

b. IPC industrial computer control systems consisting of computers + IO interfaces (industrial control bus) + input and output signals.

Category 3: Single Interface Data Analysis Processing Computer Systems. These computerized systems are characterized by having a single user interface, configurable parameters that can be stored and reused, but the software cannot be configured; they generate, store, and process raw data and test results, and have display, control, software data processing, and storage functions.

Examples:

a. Laboratory equipment computer control/data acquisition processing analysis systems such as HPLC (liquid phase), GC (gas phase), IR (infrared spectroscopy), UV (ultraviolet), CDS chromatographic workstations, etc.

b. DCS systems, which are distributed control systems for factory-level process automation control, consisting of computers + system networks + computers + industrial buses + field controllers + IO interfaces + input and output signals.

Examples: Sterilizers with computer control and data analysis systems.

c. SCADA systems, which are distributed data acquisition and monitoring systems that combine the field measurement and control capabilities of PLC systems with the networking communication capabilities of DCS systems, offering high cost-effectiveness, mainly used for large systems and remote data acquisition and monitoring.

Examples: Clean area environmental monitoring control systems.

Category 4: Multi-Interface Management Computerized Systems. These computerized systems are characterized by having multiple user interfaces, configurable parameters that can be stored and reused; they generate, store, and process raw data and test results, and have display, control, software data processing, and storage functions.

Examples: LIMS systems (Laboratory Information Management Systems); warehouse material management systems; GMP quality management systems; ERP enterprise resource planning management systems; electronic regulatory code systems, etc.

5. Management of Computerized System Inventory

To facilitate internal management of computerized systems, it is essential to establish a timely updated inventory of computerized systems. The inventory should meet the following requirements:

5.1. The inventory should include all computerized systems involved in the drug production quality management process, which can be managed using GMP document management mode numbering.

5.2. The content of the computerized system inventory should at least include: system name, installation location, hardware name, software name, functions related to drug quality management, category, etc. The category should be determined based on the classification principles mentioned above.

5.3. The computerized system inventory should be updated promptly when new systems are added, systems are decommissioned, installation locations change, software is upgraded, or functions change.

6. Management of Computerized System Suppliers

Pharmaceutical companies have established management procedures for raw material suppliers according to GMP regulations, and the management procedures for computerized system suppliers can be referenced accordingly. The management of computerized system suppliers should pay attention to:

6.1. Pharmaceutical companies should establish supplier profiles based on risk levels and categories of computerized systems. For systems that play a crucial role in production quality control and management, particularly categories 2, 3, and 4, comprehensive supplier profiles must be established, including supplier contact information, introductions, qualifications, audit records, approval reports, quality assurance agreements, etc.

6.2. Supplier audits for computerized systems should also be conducted based on risk levels and categories. The audit team should include technical personnel from the user department, equipment management department, IT department, and quality management department. Audit methods can include three approaches:

a. Historical experience (judgment based on available information), which is preferable for experienced companies or groups, as audit results from one subsidiary can be shared within the group;

b. Survey questionnaires for postal audits;

c. On-site audits, which are more costly but necessary for high-risk and complex computerized system suppliers. Supplier audits should primarily focus on the supplier’s quality system, software development project management, software development methods, testing, configuration management, manufacturing, project implementation management, on-site change management, GMP implementation experience, documentation management, security management, training management, and after-sales support.

7. Validation of Computerized Systems

The scope and extent of validation for computerized systems should be based on scientific risk assessments, fully considering the usage scope and purpose of the computerized systems. In principle, computerized systems of categories 1 and 2, which have display and control functions without independent application software operating systems, should focus on confirming the accuracy of their display and control functions, along with equipment operation confirmation. For categories 3 and 4, which have display, control, software data processing, and storage functions with independent application software operating systems, validation should include hardware confirmation and software validation【4】. The overall framework for confirming computerized systems is similar to that of ordinary equipment confirmation, including Design Qualification (DQ), Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ). However, the characteristic of computerized system confirmation is that, in addition to confirming the system hardware, it should also emphasize confirming the software, including display, control, data acquisition and storage, data processing, storage, alarm, security control, power failure/recovery, disaster recovery, etc. Specific validation content has been detailed by Liang Yi【4】 and Xue Shishuai【5】.

8. Security Management of Computerized Systems

The security of computerized systems and data is crucial in GxP management. Backup storage devices or media and backup programs must ensure data integrity. The SOP for backup operations should describe the frequency of backups, the retention period for backup copies, methods and responsibilities for regular backups, and the management of backup copies【6】.

Both small and complex computerized systems require clear definitions of security management responsibilities and must meet the following requirements:

a. Clearly define and set access permissions for all personnel to computerized systems, including physical and logical access, controlled through user passwords, passes, and relevant regulations. After several unsuccessful login attempts, such as incorrect password entries, measures should be in place to prohibit further access attempts.

b. At least two superusers should manage each computer system, and they should not be on business trips or vacations simultaneously. If necessary, temporary authorization should be granted, and it should be revoked immediately after the trip or vacation.

c. Regular checks of identification codes and passwords should be conducted, with verification procedures in place. Identification codes and passwords should be changed regularly.

d. If someone leaves their position or resigns, a security evaluation and change should be conducted for the computerized systems they used.

e. If a computerized system is no longer in use, at least one instrument must be able to access the original data within five years.

9. Maintenance of Computerized Systems

Pharmaceutical companies should establish management systems (SOPs) for the daily use and maintenance of computerized systems and maintain logs for hardware and software. Regular inspections and maintenance of computerized systems should be conducted. The maintenance content varies depending on the computerized system, such as data organization, backups, etc., and should be documented. The SOP for computerized system use and maintenance should specify emergency plans and procedures for handling system failures or damages, and if necessary, relevant content of the operating methods and procedures should be validated. Issues and resolutions should be documented, including at least: problem description, date of occurrence, actions taken, executor, date of actions taken, and related change control management documents. The problem handling process must refer to deviation control management procedures to determine the potential impact of the problem.

10. Changes to Computerized Systems

Changes may occur during the design, installation, operation, and use of computerized systems based on actual conditions, including changes in installation locations, hardware modifications, software upgrades, changes in key parameters, and functional changes. When changes occur, they should be recorded according to GMP requirements and the company’s change control procedures, analyzing the impact of the changes on system status and control, reviewing the content of the changes, and documenting the review process. A comprehensive evaluation of the change plan should include assessing its technical value, potential side effects, comprehensive impact on other configuration objects and system functions, and GMP risks. Any changes to validated computerized systems must be approved by system users and QA personnel. Confirmation and documentation should be completed after changes.

11. Management of Electronic Records

According to the US FDA 21 CFR Part 11, electronic records refer to any collection of information in digital form generated, modified, maintained, archived, retrieved, and distributed by a computerized system. The management of electronic records must meet GMP requirements for records, namely authenticity, timeliness, and compliance. With the widespread application of computerized systems in the pharmaceutical industry, some excellent software designers have designed electronic records to comply with GMP requirements. Pharmaceutical companies need to establish management procedures for electronic records, standardizing their management. In cases where electronic data and printed documents coexist, it should be clearly defined whether electronic data or printed documents are the primary data. When electronic data is the primary data, the following requirements should be met【1】:

11.1. To meet quality audit purposes, stored electronic data should be printable into clear and understandable documents.

11.2. Physical or electronic methods must be used to ensure data security to prevent intentional or accidental tampering or damage. During routine operations and when system changes occur (such as computer equipment or its programs), the accessibility and integrity of stored data should be checked.

11.3. Data backup and recovery operating procedures should be established, with regular data backups to protect stored data for future retrieval. Backup data should be stored in a separate, secure location, and the retention period should at least meet the requirements for document and record retention specified in this regulation.

12. Management of Electronic Signatures

Electronic signatures refer to any symbol or string of symbols that is edited by a computer and used, acknowledged, or authorized by someone, having the same legal status as a handwritten signature. The management of electronic signatures must comply with the relevant requirements of the Electronic Signature Law of the People’s Republic of China: electronic signatures must meet several conditions, including that the electronic signature production data is proprietary to the electronic signer, that the electronic signature production data is controlled solely by the electronic signer at the time of signing, that any changes to the electronic signature can be detected, and that any changes to the content and form of the data message can be detected. The forms of electronic signatures can include handwritten signatures, electronic versions of seals, secret codes, passwords, fingerprints, voice, retinal structures, etc.【6】. Additionally, the design of permission settings and review processes for electronic signatures should consider the characteristics of the pharmaceutical industry, ensuring security. In pharmaceutical companies, using electronic versions of seals and handwritten signatures is more appropriate, with signatures set in fixed modules within the software. The computerized system should have programs to identify unauthorized use of electronic signatures and ID passwords, and when accessing the system with electronic signatures, there should be reminders that the activities performed correspond to the responsibilities associated with that electronic signature. Companies should establish standardized management systems for electronic signatures to prevent forgery of records and signatures.

13. Retirement of Computerized Systems

When the current functions of a computerized system are no longer applicable, or when a new system is implemented to replace the existing system’s functions, the system is retired from actual use.

13.1. Retired systems should have a process plan to determine the steps for retirement, identify the new system that will replace the original system, and establish the timeline and responsibilities for the retirement process. It should be determined whether the original system’s data should be archived in a specific format. If the original system is replaced by another system, the archived data should be loaded into the replacement system, and confirmation of successful data transfer is part of the new system’s validation.

During the retirement of the system, all affected users should be notified, and the following tasks should be completed:

a. Revoke special procedures for the system.

b. Cut off system access.

c. Organize all logical values, symbols, and menu references of the system.

d. Delete all software and archived electronic records in the working environment.

13.2. System retirement reports

System retirement reports summarize the actual execution results of the entire system retirement work, confirming whether the retirement activities were implemented correctly as required.

14. Conclusion

The application of “computerized systems” in GMP management is an inevitable trend in the future of drug production and quality management. Currently, China is in the initial stage. The release of the “Good Manufacturing Practice for Drug Production (2010 Revision)” Appendix “Computerized Systems” provides pharmaceutical companies with a legal basis for standardizing the management of computerized systems. However, how to combine the characteristics of pharmaceutical companies and conduct comprehensive management of computerized systems in a more detailed manner requires further research on their current status and implementation details. A comprehensive and detailed management system for computerized systems should be established to enable China’s pharmaceutical companies to catch up with developed countries’ levels quickly, enhance corporate competitiveness, and accelerate the internationalization of China’s pharmaceutical industry.

References:

[1] Announcement by the National Medical Products Administration on the Release of the “Good Manufacturing Practice for Drug Production (2010 Revision)” Appendices on Computerized Systems and Validation (2015 No. 54)

[2] Wang Yan, Liang Yi. Application of Computerized Systems in GMP Management [J]. Pharmaceutical Industry Design, 2009, 30(5): 30-33.

[3] Yang Xianmei, Li Jing. Application of Computerized Systems in the Pharmaceutical Industry [J]. China New Technology and Products, 2013, 20(10): 27.

[4] Liang Yi, Zhang Yuqian, Wang Yan. Discussion on the Validation of Computerized Systems in Pharmaceutical Production Enterprises [J]. Electromechanical Information, 2013, 389(35): 9-13.

[5] Xue Shishuai, Xiao Yuliang, Tang Honggang. Conducting Validation of Computerized Systems to Improve Quality Management Levels [J]. Open University of China Science and Technology, 2011, 248(3): 51-53.

[6] Yang Ruiqing. Management of Computerized Systems in the Pharmaceutical Industry [J]. Pharmaceutical Industry Design, 2006, 27(6): 22-25.

Leave a Comment