GMP Compliance Adviser Update No 6/2023

Focuses of this update are: deviation management, facility control systems, as well as GxP relevant data in the cloud


The following overview lists the topics covered with this Update:


Ask our Experts

GMP in Practice

Chapter 1 Quality Management Systems

  • 1.E Deviation management

Chapter 4 Facilities and Equipment

  • 4.D System controllers and process control systems

Chapter 9 Computerised Systems

  • 9.H GXP relevant data in the cloud

GMP Regulations

Chapter C EU Directives and Guidelines

  • C.19 Questions and answers for marketing authorisation holders/applicants on the CHMP Opinion for the Article5(3) of Regulation (EC) No726/2004 referral on nitrosamine impurities in human medicinal products

The following overview lists the topics covered with this Update:

GMP in Practice

Chapter 1 Quality Management Systems

1.E Deviation management

There is no universal definition for the term "deviation". Each company must therefore determine for itself what is meant by deviations. Usually, this includes at least violations of limits in processes of manufacturing and testing as well as other systems and procedures. The organisational forms and responsibilities within deviation management are also defined on a company-specific basis.

Deviations must be recorded and investigated. During the investigation, the root causes must be analysed in order to define meaningful and effective CAPA actions. The actions are documented in the failure investigation report.

The systematic handling of deviations is subject to a scheme that can be divided into different phases. In principle, care must be taken to ensure that the data and correlations determined are documented in as structured and detailed a manner as possible. This enables the evaluations and the underlying considerations to be traced even after a longer period.

The particular challenge when dealing with deviations is not to be satisfied with hasty explanations (e.g. "human error"), but to investigate the real root causes. This may touch on sensitive areas such as quality awareness and error culture of the individual, but also of the organisation. This can certainly lead to conflicts.

Deviation management is an important part of the pharmaceutical quality system, for whose existence and effectiveness the management is ultimately responsible. The responsible persons in the pharmaceutical company, e.g. the Head of Production and Quality Control as well as the Qualified Person (QP), play an important role in this. Frequently, deviation management is administered via quality assurance as the system owner.

Batch certification and release is one of the special challenges in dealing with deviations. For the evaluation by the Qualified Person, the deviations must be completed and meet certain requirements. The scope for decision-making when certifying/releasing a batch with a deviation is defined in Annex 16 and takes specific criteria into account.

Deviation management has a direct link to the risk management system and leads to a repeated review of the established risk assessments. Deviation management also interfaces with other elements of quality management such as CAPA, PQR or management review.

The processing of a deviation, the implementation of a root cause analysis and the creation of a failure investigation report are explained in detail using case studies.
(Christian Gausepohl, PhD)


Chapter 4 Facililties and Equipment

4.D System controllers and process control systems

Facility control systems are used to automate recurring processes. Depending on the purpose and complexity of the system, different methods of system control are used. Today, systems with microprocessor controls and programmable logic controllers (PLCs) are commonly used.

In order to be able to control a process, quality-related process parameters must be measured using calibrated sensors. Checks are carried out as part of the operational qualification to ensure that parameters are kept within their limits by automatic control loops. As soon as microprocessors or PLCs are used, the scope of computer validation must be considered and evaluated for relevance.

PLCs normally fall under GAMP® 5 Category 4 and must undergo qualification. The hardware/software functional requirements are described in the URS (user requirements specification). A thorough and efficient formulation of the URS/FS simplifies the actual qualification that follows. The scope of testing is determined by the operator during a risk analysis. The life cycle of a PLC is subject to the same requirements as the associated facility.

PLC qualification can be carried out during qualification of the facility.

Process control systems are used to monitor and control the production process across facility components. A distinction can be made between system-specific and mostly PLC-based hardware, which have different advantages and disadvantages. The challenge faced when introducing a PLC is the number of interfaces that must be integrated, which must be taken into account during project imple-mentation, qualification and documentation.
(Hannes Dittinger, Rainer Röcker, Anton Steurer, Steffen Wöllner)


9 Computerised Systems

9.H GXP relevant data in the cloud

Cloud applications are flexible, fast and cost-effective. The spectrum of possible cloud applications is broad due to different deployment and service models. The cloud is therefore also becoming increasingly popular in trade and industry. However, from the perspective of a GxP regulated company, many questions arise regarding data security, data availability and data integrity.

A prerequisite for successful cloud use in the GxP environment is therefore a clear understanding of the requirements and the potential opportunities and risks.

For detailed information there is current and detailed literature which is freely available, e.g. the guidance documents of the German Federal Office for Information Security (BSI) as well as the guidance of the Cloud Security Alliance (CSA).

Concrete requirements for handling data in the cloud are not (yet) included in the GxP relevant regulations. However, requirements can be derived indirectly, e.g. for the retention of documentation (data storage and data backup), the outsourcing of activities (cloud service provider) and data integrity.

Before selecting a cloud service provider, it is important to develop a well thought-out cloud strategy. The use of cloud-based services does not constitute one hundred percent protection against security risks – especially against loss of data. Long-term economic viability is also not always a given. This should be checked in advance and as part of selecting the service provider. Suitable cloud providers have recognized certifications on the topics of QM and IT security and are ideally familiar with the requirements of the GxP regulated industry.

A service agreement should address all aspects of scope of services, security, and communication to maintain regulatory compliance during the lifecycle.

A suitable validation strategy can be laid out, for example, according to the principles of GAMP® 5. The specification of the service model used, and the dynamic nature of cloud technology must be taken into account. For the operational business, the communication of change processes and the handling of deviations must be regulated in particular.

A cloud strategy should also include provisions for a possible exit from the cloud or a change of cloud provider to ensure business continuity and the maintenance of compli-ant operations, as necessary.

GMP inspections often focus on processes associated with cloud use, such as qualification, validation, change and deviation management.
(Peter Schober, PhD)


GMP Regulations

Chapter C EU Directives and Guidelines

C.19 Questions and answers for marketing authorisation holders/applicants on the CHMP Opinion for the Article 5(3) of Regulation (EC) No 726/2004 referral on nitrosamine impurities in human medicinal products

The Revision 19 update of 12 October 2023 amends Q&A 10 to allow referral to other sources for CPCA categorisation, to change reference from ICH M7(R1) to ICH M7(R2) guideline and the removal of information in Annexes 2 and 3 to Appendices 2 and 3, respectively.