diff --git "a/vec_36_di/storage_nodes/docstore.json" "b/vec_36_di/storage_nodes/docstore.json" new file mode 100644--- /dev/null +++ "b/vec_36_di/storage_nodes/docstore.json" @@ -0,0 +1 @@ +{"docstore/data": {"1737501d-8abe-4c2f-abce-5eeb9b946788": {"__data__": {"id_": "1737501d-8abe-4c2f-abce-5eeb9b946788", "embedding": null, "metadata": {"page_label": "1", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products \u2013 Computerised Systems\n\n**19 September 2022**\nEMA/INS/GMP/781435/2022\nGMP/GDP Inspectors Working Group (GMP/GDP IWG)\nPS/INF 94/2022\n\nAgreed by EMA GMP/GDP IWG and PIC/S | 31 October 2022\n---|---\nStart of public consultation | 16 November 2022\nEnd of consultation (deadline for comments) | 16 January 2023\n\nThe proposed guideline will replace:\n- Eudralex Volume 4: Annex 11 Computerised Systems\n- for PIC/S participating authorities: PE 009-15: Annex 11 \u2013 Computerised Systems\n\nComments should be provided using this template. The completed comments form should be sent to ADM-GMDP@ema.europa.eu\n\n| Keywords |\n|----------|\n| GMP, medicinal product, annex 11 |\n\n----\n\n**Official address**\nDomenico Scarlattilaan 6 \u2022 1083 HS Amsterdam \u2022 The Netherlands\n\n**Address for visits and deliveries**\nRefer to www.ema.europa.eu/how-to-find-us\n\n**Send us a question**\nGo to www.ema.europa.eu/contact\n**Telephone** +31 (0)88 781 6000\n\n\u00a9 European Medicines Agency, 2022. Reproduction is authorised provided the source is acknowledged.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "Aqu\u00ed tienes tres preguntas espec\u00edficas que se pueden responder con el contexto proporcionado, junto con un resumen de nivel superior:\n\n### Resumen de Nivel Superior\nEl documento es un concepto sobre la revisi\u00f3n de la Anexo 11 de las directrices de Buenas Pr\u00e1cticas de Manufactura (GMP) para productos medicinales, espec\u00edficamente en relaci\u00f3n con sistemas computarizados. Se establece un cronograma para la consulta p\u00fablica, que comenz\u00f3 el 16 de noviembre de 2022 y finaliz\u00f3 el 16 de enero de 2023. La nueva gu\u00eda reemplazar\u00e1 la versi\u00f3n anterior de Eudralex y el documento PE 009-15 para las autoridades participantes de PIC/S. Se invita a los interesados a enviar sus comentarios a trav\u00e9s de un formulario espec\u00edfico.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1l es la fecha l\u00edmite para enviar comentarios sobre la revisi\u00f3n de la Anexo 11?**\n - La fecha l\u00edmite para enviar comentarios es el 16 de enero de 2023.\n\n2. **\u00bfQu\u00e9 documentos ser\u00e1n reemplazados por la nueva gu\u00eda propuesta en la revisi\u00f3n de la Anexo 11?**\n - La nueva gu\u00eda propuesta reemplazar\u00e1 Eudralex Volume 4: Annex 11 Computerised Systems y, para las autoridades participantes de PIC/S, el documento PE 009-15: Annex 11 \u2013 Computerised Systems.\n\n3. **\u00bfA qui\u00e9n deben enviarse los comentarios sobre la revisi\u00f3n de la Anexo 11?**\n - Los comentarios deben enviarse utilizando un formulario espec\u00edfico a la direcci\u00f3n de correo electr\u00f3nico ADM-GMDP@ema.europa.eu.", "excerpt_keywords": "Keywords: Good Manufacturing Practice, Annex 11, Computerised Systems, public consultation, medicinal products"}, "excluded_embed_metadata_keys": [], "excluded_llm_metadata_keys": [], "relationships": {"1": {"node_id": "a07b9b3a-793c-4807-a254-47736a3d68b6", "node_type": "4", "metadata": {"page_label": "1", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products \u2013 Computerised Systems\n\n**19 September 2022**\nEMA/INS/GMP/781435/2022\nGMP/GDP Inspectors Working Group (GMP/GDP IWG)\nPS/INF 94/2022\n\nAgreed by EMA GMP/GDP IWG and PIC/S | 31 October 2022\n---|---\nStart of public consultation | 16 November 2022\nEnd of consultation (deadline for comments) | 16 January 2023\n\nThe proposed guideline will replace:\n- Eudralex Volume 4: Annex 11 Computerised Systems\n- for PIC/S participating authorities: PE 009-15: Annex 11 \u2013 Computerised Systems\n\nComments should be provided using this template. The completed comments form should be sent to ADM-GMDP@ema.europa.eu\n\n| Keywords |\n|----------|\n| GMP, medicinal product, annex 11 |\n\n----\n\n**Official address**\nDomenico Scarlattilaan 6 \u2022 1083 HS Amsterdam \u2022 The Netherlands\n\n**Address for visits and deliveries**\nRefer to www.ema.europa.eu/how-to-find-us\n\n**Send us a question**\nGo to www.ema.europa.eu/contact\n**Telephone** +31 (0)88 781 6000\n\n\u00a9 European Medicines Agency, 2022. Reproduction is authorised provided the source is acknowledged.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "82c7f0e83da398b93178efd79fe6071ea26a7b8313407e7efa6dd740b825a5da", "class_name": "RelatedNodeInfo"}}, "metadata_template": "{key}: {value}", "metadata_separator": "\n", "text": "# Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products \u2013 Computerised Systems\n\n**19 September 2022**\nEMA/INS/GMP/781435/2022\nGMP/GDP Inspectors Working Group (GMP/GDP IWG)\nPS/INF 94/2022\n\nAgreed by EMA GMP/GDP IWG and PIC/S | 31 October 2022\n---|---\nStart of public consultation | 16 November 2022\nEnd of consultation (deadline for comments) | 16 January 2023\n\nThe proposed guideline will replace:\n- Eudralex Volume 4: Annex 11 Computerised Systems\n- for PIC/S participating authorities: PE 009-15: Annex 11 \u2013 Computerised Systems\n\nComments should be provided using this template. The completed comments form should be sent to ADM-GMDP@ema.europa.eu\n\n| Keywords |\n|----------|\n| GMP, medicinal product, annex 11 |\n\n----\n\n**Official address**\nDomenico Scarlattilaan 6 \u2022 1083 HS Amsterdam \u2022 The Netherlands\n\n**Address for visits and deliveries**\nRefer to www.ema.europa.eu/how-to-find-us\n\n**Send us a question**\nGo to www.ema.europa.eu/contact\n**Telephone** +31 (0)88 781 6000\n\n\u00a9 European Medicines Agency, 2022. Reproduction is authorised provided the source is acknowledged.", "mimetype": "text/plain", "start_char_idx": 0, "end_char_idx": 1135, "metadata_seperator": "\n", "text_template": "[Excerpt from document]\n{metadata_str}\nExcerpt:\n-----\n{content}\n-----\n", "class_name": "TextNode"}, "__type__": "1"}, "92ee2276-ee69-40a5-bd1d-813badb8665b": {"__data__": {"id_": "92ee2276-ee69-40a5-bd1d-813badb8665b", "embedding": null, "metadata": {"page_label": "2", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# 1. Introduction\n\nThis concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.\n\nReasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:\n\n1. **[New]** The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.\n2. **[New]** With regards to data integrity, Annex 11 will include requirements for \u2018data in motion\u2019 and \u2018data at rest\u2019 (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.\n3. **[New]** An update of the document with regulatory expectations to \u2018digital transformation\u2019 and similar newer concepts will be considered.\n4. **[Principle]** The scope should not only cover where a computerised system \u201creplaces of a manual operation\u201d, but rather, where it replaces \u2018another system or a manual process\u2019.\n5. **[1]** References should be made to ICH Q9.\n6. **[3.1]** The list of services should include to \u2018operate\u2019 a computerised system, e.g. \u2018cloud\u2019 services.\n7. **[3.1]** For critical systems validated and/or operated by service providers (e.g. \u2018cloud\u2019 services), expectations should go beyond that \u201cformal agreements must exist\u201d. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website.\n8. **[3.3]** Despite being mentioned in the Glossary, the term \u201ccommercial off-the-shelf products\u201d (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by \u201ca broad spectrum of users\u201d should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. \u2018cloud\u2019) systems should be clarified.\n9. **[4.1]** The meaning of the term \u2018validation\u2019 (and \u2018qualification\u2019), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.\n10. **[4.1]** Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.\n11. **[4.4]** It is not sufficiently clear what is implied by the sentence saying \u201cUser requirements should be traceable throughout the life-cycle\u201d. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases.\n12. **[4.5]** It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.\n13. **[6]** Guidelines should be included for classification of critical data and critical systems.\n14. **[7.1]** Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "### Resumen del Contexto\n\nEl documento es un concepto de revisi\u00f3n de Annex 11, que se refiere a los sistemas computarizados dentro de las Buenas Pr\u00e1cticas de Manufactura (GMP). Se destaca la necesidad de actualizar este anexo, que fue emitido por \u00faltima vez en 2011, para reflejar los avances tecnol\u00f3gicos y las expectativas regulatorias actuales. Se enumeran varias \u00e1reas que requieren atenci\u00f3n, incluyendo la integridad de los datos, la clasificaci\u00f3n de sistemas cr\u00edticos, y la necesidad de aclarar t\u00e9rminos como \"validaci\u00f3n\" y \"calificaci\u00f3n\". Tambi\u00e9n se menciona la importancia de la trazabilidad de los requisitos del usuario a lo largo del ciclo de vida del sistema y la adaptaci\u00f3n a procesos de desarrollo \u00e1gil.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1les son las expectativas regulatorias espec\u00edficas para la integridad de los datos en movimiento y en reposo seg\u00fan la revisi\u00f3n propuesta de Annex 11?**\n - Esta pregunta busca detalles sobre los nuevos requisitos que se introducir\u00e1n en relaci\u00f3n con la protecci\u00f3n y gesti\u00f3n de datos, que no se encuentran claramente especificados en versiones anteriores.\n\n2. **\u00bfC\u00f3mo se definir\u00e1 y clasificar\u00e1 un \"producto comercial de uso general\" (COTS) en el contexto de la revisi\u00f3n de Annex 11, y qu\u00e9 implicaciones tendr\u00e1 esto para los usuarios regulados?**\n - Esta pregunta se centra en la necesidad de una definici\u00f3n clara y las expectativas de calificaci\u00f3n y validaci\u00f3n de estos productos, que son cruciales para la industria.\n\n3. **\u00bfQu\u00e9 criterios se propondr\u00e1n para la aceptaci\u00f3n de productos desarrollados mediante procesos \u00e1giles, y c\u00f3mo se diferenciar\u00e1n de los m\u00e9todos de documentaci\u00f3n tradicionales?**\n - Esta pregunta aborda la adaptaci\u00f3n de las pr\u00e1cticas de desarrollo de software a las nuevas metodolog\u00edas \u00e1giles y c\u00f3mo esto afectar\u00e1 la documentaci\u00f3n y la validaci\u00f3n en el contexto de GMP.\n\nEstas preguntas est\u00e1n dise\u00f1adas para extraer informaci\u00f3n espec\u00edfica y detallada que puede no estar disponible en otras fuentes, enfoc\u00e1ndose en aspectos cr\u00edticos de la revisi\u00f3n de Annex 11.", "prev_section_summary": "### Resumen de Temas Clave y Entidades\n\n**Tema Principal:**\n- Revisi\u00f3n de la Anexo 11 de las directrices de Buenas Pr\u00e1cticas de Manufactura (GMP) para productos medicinales, enfoc\u00e1ndose en sistemas computarizados.\n\n**Entidades Clave:**\n- **EMA (Agencia Europea de Medicamentos):** Organismo responsable de la regulaci\u00f3n de medicamentos en la Uni\u00f3n Europea.\n- **PIC/S (Pharmaceutical Inspection Co-operation Scheme):** Organizaci\u00f3n que promueve la cooperaci\u00f3n entre las autoridades de inspecci\u00f3n farmac\u00e9utica.\n- **GMP/GDP Inspectors Working Group (GMP/GDP IWG):** Grupo de trabajo que se encarga de las directrices de GMP y GDP.\n\n**Fechas Importantes:**\n- **19 de septiembre de 2022:** Fecha de publicaci\u00f3n del concepto.\n- **31 de octubre de 2022:** Aprobaci\u00f3n del documento por EMA y PIC/S.\n- **16 de noviembre de 2022:** Inicio de la consulta p\u00fablica.\n- **16 de enero de 2023:** Fecha l\u00edmite para enviar comentarios.\n\n**Documentos Reemplazados:**\n- Eudralex Volume 4: Annex 11 Computerised Systems.\n- PE 009-15: Annex 11 \u2013 Computerised Systems (para autoridades participantes de PIC/S).\n\n**Instrucciones para Comentarios:**\n- Los comentarios deben enviarse utilizando un formulario espec\u00edfico a la direcci\u00f3n de correo electr\u00f3nico: ADM-GMDP@ema.europa.eu.\n\n**Palabras Clave:**\n- GMP, producto medicinal, anexo 11. \n\nEste resumen destaca los aspectos m\u00e1s relevantes del documento, incluyendo su prop\u00f3sito, las entidades involucradas, las fechas clave y las instrucciones para la participaci\u00f3n en la consulta p\u00fablica.", "excerpt_keywords": "Keywords: GMP, Annex 11, data integrity, validation, digital transformation"}, "excluded_embed_metadata_keys": [], "excluded_llm_metadata_keys": [], "relationships": {"1": {"node_id": "ddeb8739-4ff3-4549-bedb-b7cce782008e", "node_type": "4", "metadata": {"page_label": "2", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# 1. Introduction\n\nThis concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.\n\nReasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:\n\n1. **[New]** The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.\n2. **[New]** With regards to data integrity, Annex 11 will include requirements for \u2018data in motion\u2019 and \u2018data at rest\u2019 (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.\n3. **[New]** An update of the document with regulatory expectations to \u2018digital transformation\u2019 and similar newer concepts will be considered.\n4. **[Principle]** The scope should not only cover where a computerised system \u201creplaces of a manual operation\u201d, but rather, where it replaces \u2018another system or a manual process\u2019.\n5. **[1]** References should be made to ICH Q9.\n6. **[3.1]** The list of services should include to \u2018operate\u2019 a computerised system, e.g. \u2018cloud\u2019 services.\n7. **[3.1]** For critical systems validated and/or operated by service providers (e.g. \u2018cloud\u2019 services), expectations should go beyond that \u201cformal agreements must exist\u201d. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website.\n8. **[3.3]** Despite being mentioned in the Glossary, the term \u201ccommercial off-the-shelf products\u201d (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by \u201ca broad spectrum of users\u201d should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. \u2018cloud\u2019) systems should be clarified.\n9. **[4.1]** The meaning of the term \u2018validation\u2019 (and \u2018qualification\u2019), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.\n10. **[4.1]** Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.\n11. **[4.4]** It is not sufficiently clear what is implied by the sentence saying \u201cUser requirements should be traceable throughout the life-cycle\u201d. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases.\n12. **[4.5]** It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.\n13. **[6]** Guidelines should be included for classification of critical data and critical systems.\n14. **[7.1]** Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "c12c6cc8d572d7ffe3960d8e48503254c67eb705a06b31e877342af580e371d2", "class_name": "RelatedNodeInfo"}}, "metadata_template": "{key}: {value}", "metadata_separator": "\n", "text": "# 1. Introduction\n\nThis concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.\n\nReasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:\n\n1. **[New]** The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.\n2. **[New]** With regards to data integrity, Annex 11 will include requirements for \u2018data in motion\u2019 and \u2018data at rest\u2019 (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.\n3. **[New]** An update of the document with regulatory expectations to \u2018digital transformation\u2019 and similar newer concepts will be considered.\n4. **[Principle]** The scope should not only cover where a computerised system \u201creplaces of a manual operation\u201d, but rather, where it replaces \u2018another system or a manual process\u2019.\n5. **[1]** References should be made to ICH Q9.\n6. **[3.1]** The list of services should include to \u2018operate\u2019 a computerised system, e.g. \u2018cloud\u2019 services.\n7. **[3.1]** For critical systems validated and/or operated by service providers (e.g. \u2018cloud\u2019 services), expectations should go beyond that \u201cformal agreements must exist\u201d. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website.\n8. **[3.3]** Despite being mentioned in the Glossary, the term \u201ccommercial off-the-shelf products\u201d (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by \u201ca broad spectrum of users\u201d should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. \u2018cloud\u2019) systems should be clarified.\n9. **[4.1]** The meaning of the term \u2018validation\u2019 (and \u2018qualification\u2019), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.\n10. **[4.1]** Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.\n11. **[4.4]** It is not sufficiently clear what is implied by the sentence saying \u201cUser requirements should be traceable throughout the life-cycle\u201d. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases.\n12. **[4.5]** It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.\n13. **[6]** Guidelines should be included for classification of critical data and critical systems.\n14. **[7.1]** Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.", "mimetype": "text/plain", "start_char_idx": 0, "end_char_idx": 4692, "metadata_seperator": "\n", "text_template": "[Excerpt from document]\n{metadata_str}\nExcerpt:\n-----\n{content}\n-----\n", "class_name": "TextNode"}, "__type__": "1"}, "48bc2c89-fda4-46d3-b8e7-be84d9b84e3f": {"__data__": {"id_": "48bc2c89-fda4-46d3-b8e7-be84d9b84e3f", "embedding": null, "metadata": {"page_label": "3", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "Aqu\u00ed tienes tres preguntas que se pueden formular a partir del contexto proporcionado, junto con res\u00famenes de nivel superior que pueden ayudar a generar mejores preguntas:\n\n### Resumen de nivel superior:\nEl documento aborda la importancia de los procesos de respaldo y la funcionalidad de auditor\u00eda en sistemas cr\u00edticos de GMP (Good Manufacturing Practice). Se enfatiza la necesidad de pruebas peri\u00f3dicas para la restauraci\u00f3n de datos, la identificaci\u00f3n positiva de usuarios en auditor\u00edas, y la restricci\u00f3n de edici\u00f3n de datos de auditor\u00eda. Tambi\u00e9n se discuten las expectativas sobre la obtenci\u00f3n de datos en formato electr\u00f3nico y la revisi\u00f3n de auditor\u00edas.\n\n### Preguntas:\n\n1. **\u00bfCu\u00e1les son las expectativas espec\u00edficas que deben cumplirse en los procesos de respaldo seg\u00fan el documento?**\n - Esta pregunta busca respuestas sobre los detalles que deben incluirse en los procesos de respaldo, como el tipo de datos respaldados, la frecuencia de los respaldos y la duraci\u00f3n de la retenci\u00f3n de los mismos.\n\n2. **\u00bfQu\u00e9 caracter\u00edsticas debe tener la funcionalidad de auditor\u00eda en sistemas cr\u00edticos de GMP para ser considerada adecuada?**\n - Esta pregunta se centra en las caracter\u00edsticas que deben estar presentes en la funcionalidad de auditor\u00eda, como la identificaci\u00f3n del usuario, el registro de cambios y la restricci\u00f3n de edici\u00f3n de datos de auditor\u00eda.\n\n3. **\u00bfC\u00f3mo se debe llevar a cabo la revisi\u00f3n de auditor\u00edas y qu\u00e9 frecuencia se recomienda para esta actividad?**\n - Esta pregunta busca informaci\u00f3n sobre el proceso de revisi\u00f3n de auditor\u00edas, incluyendo qu\u00e9 aspectos deben ser verificados y con qu\u00e9 frecuencia se deben realizar estas revisiones, especialmente en relaci\u00f3n con par\u00e1metros cr\u00edticos. \n\nEstas preguntas est\u00e1n dise\u00f1adas para extraer informaci\u00f3n espec\u00edfica que no se puede encontrar f\u00e1cilmente en otros documentos o contextos, bas\u00e1ndose en los detalles proporcionados en el texto.", "prev_section_summary": "### Resumen de Temas Clave y Entidades\n\n1. **Actualizaci\u00f3n de Annex 11**: Se propone una revisi\u00f3n del Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) para reflejar los avances tecnol\u00f3gicos desde su \u00faltima emisi\u00f3n en 2011.\n\n2. **Integridad de los Datos**: Se introducir\u00e1n requisitos espec\u00edficos para la integridad de los datos en movimiento y en reposo, enfatizando la preferencia por soluciones t\u00e9cnicas y automatizaci\u00f3n en lugar de controles manuales.\n\n3. **Transformaci\u00f3n Digital**: Se considerar\u00e1 la inclusi\u00f3n de expectativas regulatorias relacionadas con la transformaci\u00f3n digital y conceptos modernos.\n\n4. **Alcance de los Sistemas Computarizados**: El alcance debe abarcar no solo la sustituci\u00f3n de operaciones manuales, sino tambi\u00e9n la sustituci\u00f3n de otros sistemas.\n\n5. **Referencias a ICH Q9**: Se sugiere que el documento haga referencia a la gu\u00eda ICH Q9 sobre gesti\u00f3n de riesgos.\n\n6. **Servicios en la Nube**: Se debe incluir la operaci\u00f3n de sistemas computarizados como un servicio, especialmente en el contexto de servicios en la nube.\n\n7. **Documentaci\u00f3n para Sistemas Cr\u00edticos**: Los usuarios regulados deben tener acceso a la documentaci\u00f3n completa para la validaci\u00f3n y operaci\u00f3n segura de sistemas cr\u00edticos, especialmente aquellos operados por proveedores de servicios.\n\n8. **Definici\u00f3n de COTS**: Se requiere una definici\u00f3n clara de \"productos comerciales de uso general\" (COTS) y expectativas de calificaci\u00f3n y validaci\u00f3n para estos productos.\n\n9. **Validaci\u00f3n y Calificaci\u00f3n**: Se necesita aclarar el significado de validaci\u00f3n y calificaci\u00f3n, enfatizando que ambas actividades deben verificar la funcionalidad especificada en las especificaciones de requisitos del usuario (URS).\n\n10. **Enfoque Basado en Riesgos**: La calificaci\u00f3n y validaci\u00f3n de sistemas deben centrarse en partes cr\u00edticas que afectan decisiones de GMP, calidad del producto e integridad de los datos.\n\n11. **Trazabilidad de Requisitos del Usuario**: Se debe garantizar que los requisitos del usuario sean trazables a lo largo del ciclo de vida del sistema, con documentaci\u00f3n actualizada y alineada.\n\n12. **Desarrollo \u00c1gil**: Se debe abordar c\u00f3mo los procesos de desarrollo \u00e1gil afectan la aceptaci\u00f3n de productos y la documentaci\u00f3n necesaria.\n\n13. **Clasificaci\u00f3n de Datos y Sistemas Cr\u00edticos**: Se deben incluir directrices para la clasificaci\u00f3n de datos y sistemas cr\u00edticos.\n\n14. **Protecci\u00f3n de la Integridad de los Datos**: Se deben proporcionar ejemplos de medidas para proteger la integridad de los procesos y datos de GMP, tanto f\u00edsicas como electr\u00f3nicas.\n\n### Entidades Clave\n- **Anexo 11**: Parte de las Buenas Pr\u00e1cticas de Manufactura (GMP).\n- **EMA**: Agencia Europea de Medicamentos.\n- **ICH Q9**: Gu\u00eda sobre gesti\u00f3n de riesgos en la industria farmac\u00e9utica.\n- **COTS**: Productos comerciales de uso general.\n- **PIC/S**: Esquema de Cooperaci\u00f3n de Inspecci\u00f3n Farmac\u00e9utica.\n- **Sistemas Cr\u00edticos**: Sistemas que impactan la calidad del producto y la integridad de los datos.", "excerpt_keywords": "Keywords: backup processes, audit trail functionality, data integrity, GMP compliance, electronic data retrieval"}, "excluded_embed_metadata_keys": [], "excluded_llm_metadata_keys": [], "relationships": {"1": {"node_id": "c52c0bdf-e9fd-41bf-9caa-6fb7942b3e2f", "node_type": "4", "metadata": {"page_label": "3", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "8e56d0e421d9ade252536d56a17b116e95fc4005403f53940d1282a89020a7ab", "class_name": "RelatedNodeInfo"}, "3": {"node_id": "e5010aaf-a243-48e4-861f-8bf6fe6702c2", "node_type": "1", "metadata": {}, "hash": "ecb04a34894b73a279e7494a7b7cc097f764e01ed24983246ae2cfca287b4771", "class_name": "RelatedNodeInfo"}}, "metadata_template": "{key}: {value}", "metadata_separator": "\n", "text": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.", "mimetype": "text/plain", "start_char_idx": 0, "end_char_idx": 3823, "metadata_seperator": "\n", "text_template": "[Excerpt from document]\n{metadata_str}\nExcerpt:\n-----\n{content}\n-----\n", "class_name": "TextNode"}, "__type__": "1"}, "e5010aaf-a243-48e4-861f-8bf6fe6702c2": {"__data__": {"id_": "e5010aaf-a243-48e4-861f-8bf6fe6702c2", "embedding": null, "metadata": {"page_label": "3", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "### Resumen del Contexto\nEl documento se centra en la revisi\u00f3n de la Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) de la Uni\u00f3n Europea, espec\u00edficamente en aspectos relacionados con la gesti\u00f3n de datos electr\u00f3nicos y la funcionalidad de auditor\u00eda en sistemas cr\u00edticos de GMP. Se abordan temas como la importancia de las copias de seguridad, la funcionalidad de las auditor\u00edas, la identificaci\u00f3n de usuarios, la revisi\u00f3n de configuraciones y la seguridad de los sistemas inform\u00e1ticos. Se enfatiza la necesidad de controles espec\u00edficos para el acceso a sistemas y la captura detallada de eventos en auditor\u00edas.\n\n### Preguntas Espec\u00edficas\n1. **\u00bfCu\u00e1les son las expectativas clave que deben cumplirse en los procesos de copia de seguridad seg\u00fan el documento?**\n - El documento menciona que las expectativas clave incluyen qu\u00e9 datos se respaldan (solo datos o datos y aplicaciones), el tipo de copias de seguridad realizadas (incrementales o completas), la frecuencia de las copias, el tiempo de retenci\u00f3n, los medios utilizados y la ubicaci\u00f3n f\u00edsica de las copias de seguridad.\n\n2. **\u00bfQu\u00e9 requisitos se establecen para la funcionalidad de auditor\u00eda en sistemas cr\u00edticos de GMP?**\n - Se establece que la funcionalidad de auditor\u00eda debe registrar autom\u00e1ticamente todas las interacciones manuales, identificando positivamente al usuario que realiz\u00f3 un cambio, mostrando los valores antiguos y nuevos, y registrando la fecha y hora del cambio. Adem\u00e1s, se debe capturar el motivo de los cambios, a menos que sea obvio.\n\n3. **\u00bfQu\u00e9 medidas de seguridad se sugieren para restringir el acceso a sistemas inform\u00e1ticos cr\u00edticos?**\n - Se sugiere que se implementen controles f\u00edsicos y l\u00f3gicos espec\u00edficos, como autenticaci\u00f3n multifactor, firewalls, gesti\u00f3n de plataformas, parches de seguridad, escaneo de virus y detecci\u00f3n/preventiva de intrusiones, para restringir el acceso a sistemas inform\u00e1ticos a personas autorizadas.\n\n### Resumen de Nivel Superior\nEl documento enfatiza la importancia de la gesti\u00f3n adecuada de datos electr\u00f3nicos en sistemas cr\u00edticos de GMP, destacando la necesidad de auditor\u00edas rigurosas y copias de seguridad efectivas. Se abordan las expectativas sobre la funcionalidad de auditor\u00eda, la identificaci\u00f3n de usuarios, la revisi\u00f3n de configuraciones y la seguridad de los sistemas, sugiriendo controles espec\u00edficos para garantizar la integridad y disponibilidad de los datos.", "prev_section_summary": "### Resumen de Temas Clave y Entidades\n\n1. **Pruebas de Restauraci\u00f3n de Datos**:\n - Importancia de probar la capacidad de restaurar datos del sistema desde copias de seguridad.\n - No se considera necesario realizar chequeos peri\u00f3dicos si no hay cambios en los procesos de respaldo o restauraci\u00f3n.\n - Los respaldos a largo plazo deben basarse en procedimientos validados.\n\n2. **Expectativas de Procesos de Respaldo**:\n - Se deben definir claramente qu\u00e9 datos se respaldan (solo datos o datos y aplicaciones), tipos de respaldos (incrementales o completos), frecuencia de respaldos, duraci\u00f3n de retenci\u00f3n, medios utilizados y ubicaci\u00f3n f\u00edsica de los respaldos.\n\n3. **Obtenci\u00f3n de Datos en Formato Electr\u00f3nico**:\n - Se espera que los datos, incluyendo el rastro de auditor\u00eda completo, sean accesibles en formato electr\u00f3nico.\n\n4. **Funcionalidad de Auditor\u00eda**:\n - La funcionalidad de auditor\u00eda debe registrar autom\u00e1ticamente todas las interacciones manuales en sistemas cr\u00edticos de GMP.\n - Es obligatorio tener un rastro de auditor\u00eda; no se acepta la falta de esta funcionalidad.\n\n5. **Identificaci\u00f3n Positiva en Auditor\u00edas**:\n - El rastro de auditor\u00eda debe identificar al usuario que realiz\u00f3 un cambio, registrar los valores antiguos y nuevos, y proporcionar la fecha y hora del cambio.\n\n6. **Restricci\u00f3n en la Edici\u00f3n de Datos de Auditor\u00eda**:\n - No debe ser posible editar datos de auditor\u00eda o desactivar la funcionalidad de auditor\u00eda para usuarios normales o privilegiados.\n\n7. **Revisi\u00f3n de Auditor\u00edas**:\n - La revisi\u00f3n del rastro de auditor\u00eda debe centrarse en la integridad de los cambios manuales, verificando razones de cambios y fechas inusuales.\n\n8. **Frecuencia de Revisi\u00f3n de Auditor\u00edas**:\n - Se deben proporcionar pautas sobre la frecuencia aceptable para la revisi\u00f3n de auditor\u00edas, especialmente para par\u00e1metros cr\u00edticos.\n\n9. **Captura de Entradas de Datos en Auditor\u00edas**:\n - Las funcionalidades de auditor\u00eda deben capturar entradas de datos con suficiente detalle y en tiempo real para ofrecer una imagen precisa de los eventos.\n\n### Entidades Clave:\n- **GMP (Good Manufacturing Practice)**: Normativa que regula la producci\u00f3n y control de calidad en la industria farmac\u00e9utica.\n- **Rastro de Auditor\u00eda**: Registro que documenta todas las interacciones y cambios en sistemas cr\u00edticos.\n- **Procedimientos Validados**: M\u00e9todos que han sido comprobados y aprobados para asegurar su eficacia y confiabilidad.\n- **Datos Electr\u00f3nicos**: Informaci\u00f3n que debe ser accesible en formato digital, incluyendo registros de auditor\u00eda.\n- **Usuarios Regulados**: Personas que tienen acceso a sistemas cr\u00edticos y deben ser identificadas de manera confiable.\n\nEste resumen destaca los aspectos m\u00e1s relevantes y las entidades mencionadas en la secci\u00f3n, proporcionando una visi\u00f3n clara de los requisitos y expectativas en relaci\u00f3n con los procesos de respaldo y auditor\u00eda en sistemas cr\u00edticos de GMP.", "excerpt_keywords": "Keywords: auditor\u00eda, copias de seguridad, sistemas cr\u00edticos, autenticaci\u00f3n, integridad de datos"}, "excluded_embed_metadata_keys": [], "excluded_llm_metadata_keys": [], "relationships": {"1": {"node_id": "c52c0bdf-e9fd-41bf-9caa-6fb7942b3e2f", "node_type": "4", "metadata": {"page_label": "3", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "8e56d0e421d9ade252536d56a17b116e95fc4005403f53940d1282a89020a7ab", "class_name": "RelatedNodeInfo"}, "2": {"node_id": "48bc2c89-fda4-46d3-b8e7-be84d9b84e3f", "node_type": "1", "metadata": {"page_label": "3", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "a0de17e4f25aa3e26052b58a3084bfd5ef652443318a0caca521d29aaa30dc91", "class_name": "RelatedNodeInfo"}}, "metadata_template": "{key}: {value}", "metadata_separator": "\n", "text": "22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "mimetype": "text/plain", "start_char_idx": 3007, "end_char_idx": 5678, "metadata_seperator": "\n", "text_template": "[Excerpt from document]\n{metadata_str}\nExcerpt:\n-----\n{content}\n-----\n", "class_name": "TextNode"}, "__type__": "1"}, "0e045b78-fc1e-43b4-b223-e6859f7c8ed8": {"__data__": {"id_": "0e045b78-fc1e-43b4-b223-e6859f7c8ed8", "embedding": null, "metadata": {"page_label": "4", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "29. **[12.1]** Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. 'segregation of duties', that day-to-day users of a system do not have admin rights, and the 'least privilege principle', that users of a system do not have higher access rights than what is necessary for their job function.\n\n30. **[12.3]** The current version says that \"Creation, change, and cancellation of access authorisations should be recorded\". However, it is necessary to go further than just recording who has access to a system. Systems accesses and roles should be continually managed as people assume and leave positions. System accesses and roles should be subject to recurrent reviews in order to ensure that forgotten and undesired accesses are removed.\n\n31. **[17]** As previously mentioned (see 7.2), it is not sufficient to re-actively check archived data for accessibility, readability and integrity (it would be too late to find out if these parameters were not maintained). Instead, archival should rely on a validated process. Depending on the storage media used, it might be necessary to validate that the media can be read after a certain period.\n\n32. **[New]** There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications as industry is already implementing this technology. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather that on the process of selecting, training and optimising the models.\n\n33. **[New]** After this concept paper has been drafted and prepared for approval of the EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation, the FDA has released a draft guidance on Computer Software Assurance for Production and Quality System Software (CSA). This guidance and any implication will be considered with regards to aspects of potential regulatory relevance for GMP Annex 11.\n\n## 2. Discussion\n\nThe current Annex 11 does not give sufficient guidance within a number of areas already covered, and other areas, which are becoming increasingly important to GMP, are not covered at all. The revised text will expand the guidance given in the document and embrace the application of new technologies which have gained momentum since the release of the existing version.\n\nIf possible, the revised document will include guidelines for acceptance of AI/ML algorithms used in critical GMP applications. This is an area where regulatory guidance is highly needed as this is not covered by any existing regulatory guidance in the pharmaceutical industry and as pharma companies are already implementing such algorithms.\n\n## 3. Recommendation\n\nThe EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation jointly recommends that the current version of Annex 11, Computerised Systems, be revised according to this concept paper.\n\n## 4. Proposed timetable\n\n- Preparation of draft concept paper \u2013 from October 2021\n- Approval of draft concept paper by EMA GMP/GDP IWG \u2013 October 2022\n- Release for consultation of draft concept paper (2 months consultation) \u2013 October 2022\n- Deadline for comments on concept paper \u2013 December 2022\n- Discussion in EMA GMP/GDP IWG and PIC/S Committee drafting group \u2013 from March 2023\n- Proposed release for consultation of draft guideline (3 months consultation) \u2013 December 2024\n- Deadline for comments on guideline \u2013 March 2025\n- Adoption by EMA GMP/GDP IWG \u2013 March 2026\n- Publication by European Community \u2013 June 2026\n- Adoption by PIC/S Sub-committee on GMDP Harmonisation \u2013 September 2026", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "### Resumen del Contexto\n\nEl documento se centra en la revisi\u00f3n del Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) de la Uni\u00f3n Europea, que trata sobre sistemas informatizados. Se identifican \u00e1reas donde la gu\u00eda actual es insuficiente, especialmente en relaci\u00f3n con la gesti\u00f3n de accesos a sistemas, la integridad de los datos archivados y la necesidad de orientaci\u00f3n regulatoria sobre el uso de inteligencia artificial (IA) y aprendizaje autom\u00e1tico (ML) en aplicaciones cr\u00edticas de GMP. Se propone un cronograma para la revisi\u00f3n y consulta del documento, destacando la urgencia de actualizar las directrices para adaptarse a las nuevas tecnolog\u00edas.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1les son las implicaciones de no aplicar el principio de 'segregaci\u00f3n de deberes' y el 'principio de menor privilegio' en la gesti\u00f3n de accesos a sistemas inform\u00e1ticos en el contexto de GMP?**\n - Esta pregunta busca explorar las consecuencias espec\u00edficas que podr\u00edan surgir si estas pr\u00e1cticas no se implementan adecuadamente, lo que podr\u00eda no estar claramente documentado en otras fuentes.\n\n2. **\u00bfQu\u00e9 criterios espec\u00edficos se deben considerar para validar los medios de almacenamiento de datos archivados en el contexto de GMP, y c\u00f3mo se relacionan con la integridad de los datos a largo plazo?**\n - Esta pregunta se centra en los detalles t\u00e9cnicos y criterios de validaci\u00f3n que son cruciales para garantizar la integridad de los datos, que pueden no estar ampliamente discutidos en otros documentos.\n\n3. **\u00bfQu\u00e9 aspectos espec\u00edficos de la implementaci\u00f3n de IA y ML en aplicaciones GMP requieren m\u00e1s atenci\u00f3n regulatoria, y c\u00f3mo se pueden abordar en la revisi\u00f3n del Anexo 11?**\n - Esta pregunta busca identificar \u00e1reas concretas donde la regulaci\u00f3n es insuficiente y c\u00f3mo se pueden integrar en el nuevo marco regulatorio, lo que podr\u00eda no estar claramente delineado en otras gu\u00edas existentes.\n\n### Resumen de Nivel Superior\n\nEl documento destaca la necesidad de actualizar el Anexo 11 de GMP para abordar deficiencias en la gu\u00eda actual, especialmente en la gesti\u00f3n de accesos a sistemas, la validaci\u00f3n de datos archivados y la regulaci\u00f3n del uso de IA y ML en la industria farmac\u00e9utica. Se propone un cronograma detallado para la revisi\u00f3n y consulta del documento, enfatizando la urgencia de estas actualizaciones para adaptarse a las tecnolog\u00edas emergentes y garantizar la integridad y seguridad de los sistemas inform\u00e1ticos en el \u00e1mbito de GMP.", "prev_section_summary": "### Temas Clave\n\n1. **Pruebas de Restauraci\u00f3n de Datos**: La importancia de probar la capacidad de restaurar datos del sistema desde copias de seguridad, aunque no se considere necesario realizar chequeos peri\u00f3dicos si no hay cambios en los procesos de respaldo.\n\n2. **Expectativas de Procesos de Copia de Seguridad**: Se deben definir claramente las expectativas sobre qu\u00e9 se respalda (datos y aplicaciones), tipos de copias (incrementales o completas), frecuencia, retenci\u00f3n, medios utilizados y ubicaci\u00f3n f\u00edsica de las copias.\n\n3. **Formato Electr\u00f3nico de Datos**: Se espera que los datos, incluyendo el rastro de auditor\u00eda completo, est\u00e9n disponibles en formato electr\u00f3nico, reconsiderando la necesidad de imprimir datos.\n\n4. **Funcionalidad de Auditor\u00eda**: Se requiere que los sistemas cr\u00edticos de GMP tengan una funcionalidad de auditor\u00eda que registre autom\u00e1ticamente todas las interacciones manuales, identificando al usuario y documentando cambios con detalles completos.\n\n5. **Revisi\u00f3n de Rastro de Auditor\u00eda**: Se deben establecer pautas sobre la frecuencia de revisi\u00f3n del rastro de auditor\u00eda, especialmente para par\u00e1metros cr\u00edticos, y se debe capturar cada entrada de datos con suficiente detalle.\n\n6. **Revisi\u00f3n de Configuraci\u00f3n**: Se propone que la revisi\u00f3n de configuraci\u00f3n se base en comparaciones de l\u00edneas base de hardware y software a lo largo del tiempo, evaluando la necesidad de re-calificaci\u00f3n o validaci\u00f3n.\n\n7. **Seguridad de Sistemas Inform\u00e1ticos**: Se enfatiza la necesidad de controles espec\u00edficos para restringir el acceso a sistemas inform\u00e1ticos, incluyendo autenticaci\u00f3n multifactor y otras medidas de seguridad.\n\n8. **Autenticaci\u00f3n en Sistemas Cr\u00edticos**: La autenticaci\u00f3n debe identificar al usuario regulado con un alto grado de certeza, sugiriendo que el uso de una tarjeta de acceso por s\u00ed sola puede no ser suficiente.\n\n### Entidades Clave\n\n- **Sistemas Cr\u00edticos de GMP**: Sistemas que manejan datos regulados y requieren auditor\u00eda rigurosa.\n- **Rastro de Auditor\u00eda**: Registro de cambios y accesos en sistemas cr\u00edticos.\n- **Copias de Seguridad**: Procesos y procedimientos para asegurar la recuperaci\u00f3n de datos.\n- **Controles de Seguridad**: Medidas implementadas para proteger el acceso a sistemas inform\u00e1ticos.\n- **ISO 27001**: Est\u00e1ndar que gu\u00eda la gesti\u00f3n de la seguridad de la informaci\u00f3n.\n\nEste resumen destaca la importancia de la gesti\u00f3n de datos electr\u00f3nicos y la seguridad en sistemas cr\u00edticos de GMP, enfatizando la necesidad de auditor\u00edas efectivas y controles de acceso robustos.", "excerpt_keywords": "Keywords: GMP, Annex 11, artificial intelligence, system access, regulatory guidance"}, "excluded_embed_metadata_keys": [], "excluded_llm_metadata_keys": [], "relationships": {"1": {"node_id": "89ef6a9b-9cf7-4a3b-ab07-68f9c0609b3a", "node_type": "4", "metadata": {"page_label": "4", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "29. **[12.1]** Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. 'segregation of duties', that day-to-day users of a system do not have admin rights, and the 'least privilege principle', that users of a system do not have higher access rights than what is necessary for their job function.\n\n30. **[12.3]** The current version says that \"Creation, change, and cancellation of access authorisations should be recorded\". However, it is necessary to go further than just recording who has access to a system. Systems accesses and roles should be continually managed as people assume and leave positions. System accesses and roles should be subject to recurrent reviews in order to ensure that forgotten and undesired accesses are removed.\n\n31. **[17]** As previously mentioned (see 7.2), it is not sufficient to re-actively check archived data for accessibility, readability and integrity (it would be too late to find out if these parameters were not maintained). Instead, archival should rely on a validated process. Depending on the storage media used, it might be necessary to validate that the media can be read after a certain period.\n\n32. **[New]** There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications as industry is already implementing this technology. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather that on the process of selecting, training and optimising the models.\n\n33. **[New]** After this concept paper has been drafted and prepared for approval of the EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation, the FDA has released a draft guidance on Computer Software Assurance for Production and Quality System Software (CSA). This guidance and any implication will be considered with regards to aspects of potential regulatory relevance for GMP Annex 11.\n\n## 2. Discussion\n\nThe current Annex 11 does not give sufficient guidance within a number of areas already covered, and other areas, which are becoming increasingly important to GMP, are not covered at all. The revised text will expand the guidance given in the document and embrace the application of new technologies which have gained momentum since the release of the existing version.\n\nIf possible, the revised document will include guidelines for acceptance of AI/ML algorithms used in critical GMP applications. This is an area where regulatory guidance is highly needed as this is not covered by any existing regulatory guidance in the pharmaceutical industry and as pharma companies are already implementing such algorithms.\n\n## 3. Recommendation\n\nThe EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation jointly recommends that the current version of Annex 11, Computerised Systems, be revised according to this concept paper.\n\n## 4. Proposed timetable\n\n- Preparation of draft concept paper \u2013 from October 2021\n- Approval of draft concept paper by EMA GMP/GDP IWG \u2013 October 2022\n- Release for consultation of draft concept paper (2 months consultation) \u2013 October 2022\n- Deadline for comments on concept paper \u2013 December 2022\n- Discussion in EMA GMP/GDP IWG and PIC/S Committee drafting group \u2013 from March 2023\n- Proposed release for consultation of draft guideline (3 months consultation) \u2013 December 2024\n- Deadline for comments on guideline \u2013 March 2025\n- Adoption by EMA GMP/GDP IWG \u2013 March 2026\n- Publication by European Community \u2013 June 2026\n- Adoption by PIC/S Sub-committee on GMDP Harmonisation \u2013 September 2026", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "b1e372198aacb2a5499469d8c7866fc3d99a0b172b51478030741bd867f180ea", "class_name": "RelatedNodeInfo"}}, "metadata_template": "{key}: {value}", "metadata_separator": "\n", "text": "29. **[12.1]** Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. 'segregation of duties', that day-to-day users of a system do not have admin rights, and the 'least privilege principle', that users of a system do not have higher access rights than what is necessary for their job function.\n\n30. **[12.3]** The current version says that \"Creation, change, and cancellation of access authorisations should be recorded\". However, it is necessary to go further than just recording who has access to a system. Systems accesses and roles should be continually managed as people assume and leave positions. System accesses and roles should be subject to recurrent reviews in order to ensure that forgotten and undesired accesses are removed.\n\n31. **[17]** As previously mentioned (see 7.2), it is not sufficient to re-actively check archived data for accessibility, readability and integrity (it would be too late to find out if these parameters were not maintained). Instead, archival should rely on a validated process. Depending on the storage media used, it might be necessary to validate that the media can be read after a certain period.\n\n32. **[New]** There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications as industry is already implementing this technology. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather that on the process of selecting, training and optimising the models.\n\n33. **[New]** After this concept paper has been drafted and prepared for approval of the EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation, the FDA has released a draft guidance on Computer Software Assurance for Production and Quality System Software (CSA). This guidance and any implication will be considered with regards to aspects of potential regulatory relevance for GMP Annex 11.\n\n## 2. Discussion\n\nThe current Annex 11 does not give sufficient guidance within a number of areas already covered, and other areas, which are becoming increasingly important to GMP, are not covered at all. The revised text will expand the guidance given in the document and embrace the application of new technologies which have gained momentum since the release of the existing version.\n\nIf possible, the revised document will include guidelines for acceptance of AI/ML algorithms used in critical GMP applications. This is an area where regulatory guidance is highly needed as this is not covered by any existing regulatory guidance in the pharmaceutical industry and as pharma companies are already implementing such algorithms.\n\n## 3. Recommendation\n\nThe EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation jointly recommends that the current version of Annex 11, Computerised Systems, be revised according to this concept paper.\n\n## 4. Proposed timetable\n\n- Preparation of draft concept paper \u2013 from October 2021\n- Approval of draft concept paper by EMA GMP/GDP IWG \u2013 October 2022\n- Release for consultation of draft concept paper (2 months consultation) \u2013 October 2022\n- Deadline for comments on concept paper \u2013 December 2022\n- Discussion in EMA GMP/GDP IWG and PIC/S Committee drafting group \u2013 from March 2023\n- Proposed release for consultation of draft guideline (3 months consultation) \u2013 December 2024\n- Deadline for comments on guideline \u2013 March 2025\n- Adoption by EMA GMP/GDP IWG \u2013 March 2026\n- Publication by European Community \u2013 June 2026\n- Adoption by PIC/S Sub-committee on GMDP Harmonisation \u2013 September 2026", "mimetype": "text/plain", "start_char_idx": 0, "end_char_idx": 3758, "metadata_seperator": "\n", "text_template": "[Excerpt from document]\n{metadata_str}\nExcerpt:\n-----\n{content}\n-----\n", "class_name": "TextNode"}, "__type__": "1"}, "dab0a6ef-b9f1-4376-a774-4c9b12efa933": {"__data__": {"id_": "dab0a6ef-b9f1-4376-a774-4c9b12efa933", "embedding": null, "metadata": {"page_label": "5", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# 5. Resource requirements for preparation\n\nA drafting group has been established by EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation with a rapporteur and supporting experts from other EU member regulatory authorities and from non-EU PIC/S participating authorities.\n\nIt is expected that most of the work will be completed by email and by teleconference.\n\nThe guideline will be discussed at GMP/GDP IWG and the PIC/S Committee as necessary and at other involved working parties and groups. Further discussions are expected with interested parties.\n\n# 6. Impact assessment (anticipated)\n\nThe updated Annex 11 is intended to benefit both industry and regulators by clarifying expectations to areas already covered, by broadening these to areas not yet covered, and by pushing the adoption of a common approach between EU and non-EU regulatory authorities. Revision of Annex 11 will facilitate a better understanding of expectations to the use of computerised systems within manufacturing of medicinal products, and thereby, enhance the quality and safety of products and the integrity of data.\n\nNo unnecessary adverse impact on industry with respect to either resources or costs is foreseen, although there is always a cost associated with being in compliance (or quality). The revision may require some systems and processes to be modified over a period of time.\n\n# 7. Interested parties\n\n- EMA GMP/GDP Inspectors Working Group\n- PIC/S Committee, Sub-committee on GMDP Harmonisation\n- National competent authorities of EU/EEA member states\n- PIC/S participating authorities\n- Pharmaceutical industry\n- International societies and interest groups within pharmaceutical industry, e.g. ISPE GAMP\n\n# 8. References to literature, guidelines, etc.\n\n- EMA GMP Q&A on Annex 11 and Q&A on Data Integrity, link\n- EMA GCP Guideline on computerised systems and electronic data in clinical trials (draft), EMA/226170/2021, link\n- EMA GCP Q&A no. 8, 9, and Notice to sponsors on validation and qualification of computerised systems used in clinical trials on link\n- EMA GVP Q&A on Level of validation/qualification needed to be performed by a MAH when using an electronic system previously qualified by a provider link", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "Aqu\u00ed tienes tres preguntas espec\u00edficas que se pueden responder con el contexto proporcionado, junto con un resumen de nivel superior:\n\n### Resumen de Nivel Superior\nEl documento trata sobre la revisi\u00f3n del Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) en la Uni\u00f3n Europea, enfoc\u00e1ndose en la preparaci\u00f3n de directrices que clarifiquen las expectativas sobre el uso de sistemas informatizados en la fabricaci\u00f3n de productos medicinales. Se establece un grupo de redacci\u00f3n compuesto por expertos de diversas autoridades regulatorias, tanto de la UE como de pa\u00edses no pertenecientes a la UE. La revisi\u00f3n busca beneficiar a la industria y a los reguladores, promoviendo un enfoque com\u00fan y mejorando la calidad y seguridad de los productos. Se identifican las partes interesadas y se mencionan referencias a literatura y gu\u00edas relevantes.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1l es el objetivo principal de la revisi\u00f3n del Anexo 11 seg\u00fan el documento?**\n - La revisi\u00f3n del Anexo 11 tiene como objetivo beneficiar tanto a la industria como a los reguladores al clarificar las expectativas en \u00e1reas ya cubiertas, ampliar estas expectativas a \u00e1reas no cubiertas y fomentar la adopci\u00f3n de un enfoque com\u00fan entre las autoridades regulatorias de la UE y no UE.\n\n2. **\u00bfQu\u00e9 tipo de impacto se anticipa en la industria como resultado de la revisi\u00f3n del Anexo 11?**\n - Se anticipa que no habr\u00e1 un impacto adverso innecesario en la industria en t\u00e9rminos de recursos o costos, aunque siempre hay un costo asociado con el cumplimiento. Sin embargo, se espera que algunas modificaciones en sistemas y procesos sean necesarias a lo largo del tiempo.\n\n3. **\u00bfQui\u00e9nes son las partes interesadas mencionadas en el documento que participar\u00e1n en la discusi\u00f3n de la revisi\u00f3n del Anexo 11?**\n - Las partes interesadas incluyen el Grupo de Inspectores de GMP/GDP de la EMA, el Comit\u00e9 PIC/S y su Subcomit\u00e9 sobre la Armonizaci\u00f3n de GMDP, las autoridades competentes nacionales de los estados miembros de la UE/EEE, las autoridades participantes de PIC/S, la industria farmac\u00e9utica y sociedades internacionales e grupos de inter\u00e9s dentro de la industria farmac\u00e9utica, como ISPE GAMP.", "prev_section_summary": "### Temas Clave\n\n1. **Gesti\u00f3n de Accesos a Sistemas**:\n - Importancia de la 'segregaci\u00f3n de deberes' y el 'principio de menor privilegio' en la asignaci\u00f3n de accesos a sistemas inform\u00e1ticos.\n - Necesidad de gestionar continuamente los accesos y roles de los usuarios, con revisiones recurrentes para eliminar accesos no deseados.\n\n2. **Integridad de Datos Archivados**:\n - La importancia de validar los procesos de archivo para asegurar la accesibilidad, legibilidad e integridad de los datos a largo plazo.\n - Recomendaci\u00f3n de validar los medios de almacenamiento para garantizar que los datos puedan ser le\u00eddos despu\u00e9s de un per\u00edodo determinado.\n\n3. **Uso de Inteligencia Artificial (IA) y Aprendizaje Autom\u00e1tico (ML)**:\n - Urgente necesidad de orientaci\u00f3n regulatoria sobre el uso de IA y ML en aplicaciones cr\u00edticas de GMP.\n - Enfoque en la relevancia, adecuaci\u00f3n e integridad de los datos utilizados para probar estos modelos, as\u00ed como en los resultados de dichas pruebas.\n\n4. **Revisi\u00f3n del Anexo 11 de GMP**:\n - Reconocimiento de que la versi\u00f3n actual del Anexo 11 no proporciona suficiente gu\u00eda en \u00e1reas cr\u00edticas y que se deben incluir nuevas tecnolog\u00edas.\n - Propuesta de un cronograma para la revisi\u00f3n y consulta del documento, destacando la urgencia de actualizar las directrices.\n\n### Entidades\n\n- **EMA GMP/GDP Inspectors Working Group**: Grupo de trabajo encargado de la revisi\u00f3n de las Buenas Pr\u00e1cticas de Manufactura.\n- **PIC/S Sub-committee on GMDP Harmonisation**: Subcomit\u00e9 que colabora en la armonizaci\u00f3n de las directrices de GMP.\n- **FDA**: Administraci\u00f3n de Alimentos y Medicamentos de EE. UU., que ha emitido una gu\u00eda sobre la garant\u00eda de software para sistemas de producci\u00f3n y calidad.\n- **GMP (Good Manufacturing Practices)**: Buenas Pr\u00e1cticas de Manufactura, regulaciones que aseguran la calidad y seguridad en la producci\u00f3n farmac\u00e9utica.\n\n### Resumen General\n\nEl documento aborda la necesidad de revisar el Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura de la UE, enfatizando la insuficiencia de la gu\u00eda actual en \u00e1reas como la gesti\u00f3n de accesos a sistemas, la integridad de datos archivados y la regulaci\u00f3n del uso de IA y ML en la industria farmac\u00e9utica. Se propone un cronograma detallado para la revisi\u00f3n y consulta del documento, subrayando la urgencia de estas actualizaciones para adaptarse a las tecnolog\u00edas emergentes y garantizar la seguridad de los sistemas inform\u00e1ticos en el \u00e1mbito de GMP.", "excerpt_keywords": "Keywords: Annex 11, GMP, computerized systems, regulatory authorities, impact assessment"}, "excluded_embed_metadata_keys": [], "excluded_llm_metadata_keys": [], "relationships": {"1": {"node_id": "553db23d-99c5-4b91-92ab-a88e07eaa8de", "node_type": "4", "metadata": {"page_label": "5", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# 5. Resource requirements for preparation\n\nA drafting group has been established by EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation with a rapporteur and supporting experts from other EU member regulatory authorities and from non-EU PIC/S participating authorities.\n\nIt is expected that most of the work will be completed by email and by teleconference.\n\nThe guideline will be discussed at GMP/GDP IWG and the PIC/S Committee as necessary and at other involved working parties and groups. Further discussions are expected with interested parties.\n\n# 6. Impact assessment (anticipated)\n\nThe updated Annex 11 is intended to benefit both industry and regulators by clarifying expectations to areas already covered, by broadening these to areas not yet covered, and by pushing the adoption of a common approach between EU and non-EU regulatory authorities. Revision of Annex 11 will facilitate a better understanding of expectations to the use of computerised systems within manufacturing of medicinal products, and thereby, enhance the quality and safety of products and the integrity of data.\n\nNo unnecessary adverse impact on industry with respect to either resources or costs is foreseen, although there is always a cost associated with being in compliance (or quality). The revision may require some systems and processes to be modified over a period of time.\n\n# 7. Interested parties\n\n- EMA GMP/GDP Inspectors Working Group\n- PIC/S Committee, Sub-committee on GMDP Harmonisation\n- National competent authorities of EU/EEA member states\n- PIC/S participating authorities\n- Pharmaceutical industry\n- International societies and interest groups within pharmaceutical industry, e.g. ISPE GAMP\n\n# 8. References to literature, guidelines, etc.\n\n- EMA GMP Q&A on Annex 11 and Q&A on Data Integrity, link\n- EMA GCP Guideline on computerised systems and electronic data in clinical trials (draft), EMA/226170/2021, link\n- EMA GCP Q&A no. 8, 9, and Notice to sponsors on validation and qualification of computerised systems used in clinical trials on link\n- EMA GVP Q&A on Level of validation/qualification needed to be performed by a MAH when using an electronic system previously qualified by a provider link", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP"}, "hash": "a84af9d75d4d536ce142cfc57917c6bf5539096fe956fad1908245b48ae71c85", "class_name": "RelatedNodeInfo"}}, "metadata_template": "{key}: {value}", "metadata_separator": "\n", "text": "# 5. Resource requirements for preparation\n\nA drafting group has been established by EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation with a rapporteur and supporting experts from other EU member regulatory authorities and from non-EU PIC/S participating authorities.\n\nIt is expected that most of the work will be completed by email and by teleconference.\n\nThe guideline will be discussed at GMP/GDP IWG and the PIC/S Committee as necessary and at other involved working parties and groups. Further discussions are expected with interested parties.\n\n# 6. Impact assessment (anticipated)\n\nThe updated Annex 11 is intended to benefit both industry and regulators by clarifying expectations to areas already covered, by broadening these to areas not yet covered, and by pushing the adoption of a common approach between EU and non-EU regulatory authorities. Revision of Annex 11 will facilitate a better understanding of expectations to the use of computerised systems within manufacturing of medicinal products, and thereby, enhance the quality and safety of products and the integrity of data.\n\nNo unnecessary adverse impact on industry with respect to either resources or costs is foreseen, although there is always a cost associated with being in compliance (or quality). The revision may require some systems and processes to be modified over a period of time.\n\n# 7. Interested parties\n\n- EMA GMP/GDP Inspectors Working Group\n- PIC/S Committee, Sub-committee on GMDP Harmonisation\n- National competent authorities of EU/EEA member states\n- PIC/S participating authorities\n- Pharmaceutical industry\n- International societies and interest groups within pharmaceutical industry, e.g. ISPE GAMP\n\n# 8. References to literature, guidelines, etc.\n\n- EMA GMP Q&A on Annex 11 and Q&A on Data Integrity, link\n- EMA GCP Guideline on computerised systems and electronic data in clinical trials (draft), EMA/226170/2021, link\n- EMA GCP Q&A no. 8, 9, and Notice to sponsors on validation and qualification of computerised systems used in clinical trials on link\n- EMA GVP Q&A on Level of validation/qualification needed to be performed by a MAH when using an electronic system previously qualified by a provider link", "mimetype": "text/plain", "start_char_idx": 0, "end_char_idx": 2242, "metadata_seperator": "\n", "text_template": "[Excerpt from document]\n{metadata_str}\nExcerpt:\n-----\n{content}\n-----\n", "class_name": "TextNode"}, "__type__": "1"}}, "docstore/metadata": {"1737501d-8abe-4c2f-abce-5eeb9b946788": {"doc_hash": "312bcb4fdc317c6424f69eaaee44fb0d336040018060225d6440846800ff9f5f", "ref_doc_id": "a07b9b3a-793c-4807-a254-47736a3d68b6"}, "92ee2276-ee69-40a5-bd1d-813badb8665b": {"doc_hash": "c0964a3a4436ab17fdd72b5096e62a0372a524268b688bb5e7fa9d2f865b0947", "ref_doc_id": "ddeb8739-4ff3-4549-bedb-b7cce782008e"}, "48bc2c89-fda4-46d3-b8e7-be84d9b84e3f": {"doc_hash": "7541f842a2843e2011603d2b56e45d7208347569f9c2afc61513d48f39270b85", "ref_doc_id": "c52c0bdf-e9fd-41bf-9caa-6fb7942b3e2f"}, "e5010aaf-a243-48e4-861f-8bf6fe6702c2": {"doc_hash": "99b538f12ef839ee84ab2ba3ab98f143270d3206f3e30b855a202e98ec5fc334", "ref_doc_id": "c52c0bdf-e9fd-41bf-9caa-6fb7942b3e2f"}, "0e045b78-fc1e-43b4-b223-e6859f7c8ed8": {"doc_hash": "2f5cb125c504bdab848a372242b405be957a66e92422b536b6c32c46e3c8cfe5", "ref_doc_id": "89ef6a9b-9cf7-4a3b-ab07-68f9c0609b3a"}, "dab0a6ef-b9f1-4376-a774-4c9b12efa933": {"doc_hash": "77deb199d4d016342f7e091fb2e5cca0d5f7d797642c6c26b1a1e1e864a39e43", "ref_doc_id": "553db23d-99c5-4b91-92ab-a88e07eaa8de"}}, "docstore/ref_doc_info": {"a07b9b3a-793c-4807-a254-47736a3d68b6": {"node_ids": ["1737501d-8abe-4c2f-abce-5eeb9b946788"], "metadata": {"page_label": "1", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products \u2013 Computerised Systems\n\n**19 September 2022**\nEMA/INS/GMP/781435/2022\nGMP/GDP Inspectors Working Group (GMP/GDP IWG)\nPS/INF 94/2022\n\nAgreed by EMA GMP/GDP IWG and PIC/S | 31 October 2022\n---|---\nStart of public consultation | 16 November 2022\nEnd of consultation (deadline for comments) | 16 January 2023\n\nThe proposed guideline will replace:\n- Eudralex Volume 4: Annex 11 Computerised Systems\n- for PIC/S participating authorities: PE 009-15: Annex 11 \u2013 Computerised Systems\n\nComments should be provided using this template. The completed comments form should be sent to ADM-GMDP@ema.europa.eu\n\n| Keywords |\n|----------|\n| GMP, medicinal product, annex 11 |\n\n----\n\n**Official address**\nDomenico Scarlattilaan 6 \u2022 1083 HS Amsterdam \u2022 The Netherlands\n\n**Address for visits and deliveries**\nRefer to www.ema.europa.eu/how-to-find-us\n\n**Send us a question**\nGo to www.ema.europa.eu/contact\n**Telephone** +31 (0)88 781 6000\n\n\u00a9 European Medicines Agency, 2022. Reproduction is authorised provided the source is acknowledged.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "Aqu\u00ed tienes tres preguntas espec\u00edficas que se pueden responder con el contexto proporcionado, junto con un resumen de nivel superior:\n\n### Resumen de Nivel Superior\nEl documento es un concepto sobre la revisi\u00f3n de la Anexo 11 de las directrices de Buenas Pr\u00e1cticas de Manufactura (GMP) para productos medicinales, espec\u00edficamente en relaci\u00f3n con sistemas computarizados. Se establece un cronograma para la consulta p\u00fablica, que comenz\u00f3 el 16 de noviembre de 2022 y finaliz\u00f3 el 16 de enero de 2023. La nueva gu\u00eda reemplazar\u00e1 la versi\u00f3n anterior de Eudralex y el documento PE 009-15 para las autoridades participantes de PIC/S. Se invita a los interesados a enviar sus comentarios a trav\u00e9s de un formulario espec\u00edfico.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1l es la fecha l\u00edmite para enviar comentarios sobre la revisi\u00f3n de la Anexo 11?**\n - La fecha l\u00edmite para enviar comentarios es el 16 de enero de 2023.\n\n2. **\u00bfQu\u00e9 documentos ser\u00e1n reemplazados por la nueva gu\u00eda propuesta en la revisi\u00f3n de la Anexo 11?**\n - La nueva gu\u00eda propuesta reemplazar\u00e1 Eudralex Volume 4: Annex 11 Computerised Systems y, para las autoridades participantes de PIC/S, el documento PE 009-15: Annex 11 \u2013 Computerised Systems.\n\n3. **\u00bfA qui\u00e9n deben enviarse los comentarios sobre la revisi\u00f3n de la Anexo 11?**\n - Los comentarios deben enviarse utilizando un formulario espec\u00edfico a la direcci\u00f3n de correo electr\u00f3nico ADM-GMDP@ema.europa.eu.", "excerpt_keywords": "Keywords: Good Manufacturing Practice, Annex 11, Computerised Systems, public consultation, medicinal products"}}, "ddeb8739-4ff3-4549-bedb-b7cce782008e": {"node_ids": ["92ee2276-ee69-40a5-bd1d-813badb8665b"], "metadata": {"page_label": "2", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# 1. Introduction\n\nThis concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.\n\nReasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:\n\n1. **[New]** The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.\n2. **[New]** With regards to data integrity, Annex 11 will include requirements for \u2018data in motion\u2019 and \u2018data at rest\u2019 (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.\n3. **[New]** An update of the document with regulatory expectations to \u2018digital transformation\u2019 and similar newer concepts will be considered.\n4. **[Principle]** The scope should not only cover where a computerised system \u201creplaces of a manual operation\u201d, but rather, where it replaces \u2018another system or a manual process\u2019.\n5. **[1]** References should be made to ICH Q9.\n6. **[3.1]** The list of services should include to \u2018operate\u2019 a computerised system, e.g. \u2018cloud\u2019 services.\n7. **[3.1]** For critical systems validated and/or operated by service providers (e.g. \u2018cloud\u2019 services), expectations should go beyond that \u201cformal agreements must exist\u201d. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website.\n8. **[3.3]** Despite being mentioned in the Glossary, the term \u201ccommercial off-the-shelf products\u201d (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by \u201ca broad spectrum of users\u201d should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. \u2018cloud\u2019) systems should be clarified.\n9. **[4.1]** The meaning of the term \u2018validation\u2019 (and \u2018qualification\u2019), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.\n10. **[4.1]** Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.\n11. **[4.4]** It is not sufficiently clear what is implied by the sentence saying \u201cUser requirements should be traceable throughout the life-cycle\u201d. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases.\n12. **[4.5]** It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.\n13. **[6]** Guidelines should be included for classification of critical data and critical systems.\n14. **[7.1]** Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "### Resumen del Contexto\n\nEl documento es un concepto de revisi\u00f3n de Annex 11, que se refiere a los sistemas computarizados dentro de las Buenas Pr\u00e1cticas de Manufactura (GMP). Se destaca la necesidad de actualizar este anexo, que fue emitido por \u00faltima vez en 2011, para reflejar los avances tecnol\u00f3gicos y las expectativas regulatorias actuales. Se enumeran varias \u00e1reas que requieren atenci\u00f3n, incluyendo la integridad de los datos, la clasificaci\u00f3n de sistemas cr\u00edticos, y la necesidad de aclarar t\u00e9rminos como \"validaci\u00f3n\" y \"calificaci\u00f3n\". Tambi\u00e9n se menciona la importancia de la trazabilidad de los requisitos del usuario a lo largo del ciclo de vida del sistema y la adaptaci\u00f3n a procesos de desarrollo \u00e1gil.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1les son las expectativas regulatorias espec\u00edficas para la integridad de los datos en movimiento y en reposo seg\u00fan la revisi\u00f3n propuesta de Annex 11?**\n - Esta pregunta busca detalles sobre los nuevos requisitos que se introducir\u00e1n en relaci\u00f3n con la protecci\u00f3n y gesti\u00f3n de datos, que no se encuentran claramente especificados en versiones anteriores.\n\n2. **\u00bfC\u00f3mo se definir\u00e1 y clasificar\u00e1 un \"producto comercial de uso general\" (COTS) en el contexto de la revisi\u00f3n de Annex 11, y qu\u00e9 implicaciones tendr\u00e1 esto para los usuarios regulados?**\n - Esta pregunta se centra en la necesidad de una definici\u00f3n clara y las expectativas de calificaci\u00f3n y validaci\u00f3n de estos productos, que son cruciales para la industria.\n\n3. **\u00bfQu\u00e9 criterios se propondr\u00e1n para la aceptaci\u00f3n de productos desarrollados mediante procesos \u00e1giles, y c\u00f3mo se diferenciar\u00e1n de los m\u00e9todos de documentaci\u00f3n tradicionales?**\n - Esta pregunta aborda la adaptaci\u00f3n de las pr\u00e1cticas de desarrollo de software a las nuevas metodolog\u00edas \u00e1giles y c\u00f3mo esto afectar\u00e1 la documentaci\u00f3n y la validaci\u00f3n en el contexto de GMP.\n\nEstas preguntas est\u00e1n dise\u00f1adas para extraer informaci\u00f3n espec\u00edfica y detallada que puede no estar disponible en otras fuentes, enfoc\u00e1ndose en aspectos cr\u00edticos de la revisi\u00f3n de Annex 11.", "prev_section_summary": "### Resumen de Temas Clave y Entidades\n\n**Tema Principal:**\n- Revisi\u00f3n de la Anexo 11 de las directrices de Buenas Pr\u00e1cticas de Manufactura (GMP) para productos medicinales, enfoc\u00e1ndose en sistemas computarizados.\n\n**Entidades Clave:**\n- **EMA (Agencia Europea de Medicamentos):** Organismo responsable de la regulaci\u00f3n de medicamentos en la Uni\u00f3n Europea.\n- **PIC/S (Pharmaceutical Inspection Co-operation Scheme):** Organizaci\u00f3n que promueve la cooperaci\u00f3n entre las autoridades de inspecci\u00f3n farmac\u00e9utica.\n- **GMP/GDP Inspectors Working Group (GMP/GDP IWG):** Grupo de trabajo que se encarga de las directrices de GMP y GDP.\n\n**Fechas Importantes:**\n- **19 de septiembre de 2022:** Fecha de publicaci\u00f3n del concepto.\n- **31 de octubre de 2022:** Aprobaci\u00f3n del documento por EMA y PIC/S.\n- **16 de noviembre de 2022:** Inicio de la consulta p\u00fablica.\n- **16 de enero de 2023:** Fecha l\u00edmite para enviar comentarios.\n\n**Documentos Reemplazados:**\n- Eudralex Volume 4: Annex 11 Computerised Systems.\n- PE 009-15: Annex 11 \u2013 Computerised Systems (para autoridades participantes de PIC/S).\n\n**Instrucciones para Comentarios:**\n- Los comentarios deben enviarse utilizando un formulario espec\u00edfico a la direcci\u00f3n de correo electr\u00f3nico: ADM-GMDP@ema.europa.eu.\n\n**Palabras Clave:**\n- GMP, producto medicinal, anexo 11. \n\nEste resumen destaca los aspectos m\u00e1s relevantes del documento, incluyendo su prop\u00f3sito, las entidades involucradas, las fechas clave y las instrucciones para la participaci\u00f3n en la consulta p\u00fablica.", "excerpt_keywords": "Keywords: GMP, Annex 11, data integrity, validation, digital transformation"}}, "c52c0bdf-e9fd-41bf-9caa-6fb7942b3e2f": {"node_ids": ["48bc2c89-fda4-46d3-b8e7-be84d9b84e3f", "e5010aaf-a243-48e4-861f-8bf6fe6702c2"], "metadata": {"page_label": "3", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "15. **[7.2] Testing of the ability to restore system data**\nTesting the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through 'accelerated testing'). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.\n\n16. **[7.2] Important expectations to backup processes**\nImportant expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).\n\n17. **[8] Expectation to obtain data in electronic format**\nThe section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.\n\n18. **[9] Audit trail functionality**\nAn audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just 'considered based on a risk assessment'. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.\n\n19. **[9] Positive identification in audit trails**\nThe audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field for where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.\n\n20. **[9] Restriction on editing audit trail data**\nIt should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see 'segregation of duties').\n\n21. **[9] Purpose of audit trail review**\nThe concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.\n\n22. **[9] Guidelines for audit trail review frequency**\nGuidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.\n\n23. **[9] Capturing data entries in audit trails**\nAudit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.\n\n24. **[9] Sorting alarms and events**\nIt should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.\n\n25. **[11] Configuration review**\nThe concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.\n\n26. **[12.1] Current section focus**\nThe current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.\n\n27. **[12.1] Restricting access to computerised systems**\nThe current version says that \"Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons\". However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.\n\n28. **[12.1] Authentication on critical systems**\nIt should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a 'pass card' might not be sufficient, as it could have been dropped and later found by anyone.", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "Aqu\u00ed tienes tres preguntas que se pueden formular a partir del contexto proporcionado, junto con res\u00famenes de nivel superior que pueden ayudar a generar mejores preguntas:\n\n### Resumen de nivel superior:\nEl documento aborda la importancia de los procesos de respaldo y la funcionalidad de auditor\u00eda en sistemas cr\u00edticos de GMP (Good Manufacturing Practice). Se enfatiza la necesidad de pruebas peri\u00f3dicas para la restauraci\u00f3n de datos, la identificaci\u00f3n positiva de usuarios en auditor\u00edas, y la restricci\u00f3n de edici\u00f3n de datos de auditor\u00eda. Tambi\u00e9n se discuten las expectativas sobre la obtenci\u00f3n de datos en formato electr\u00f3nico y la revisi\u00f3n de auditor\u00edas.\n\n### Preguntas:\n\n1. **\u00bfCu\u00e1les son las expectativas espec\u00edficas que deben cumplirse en los procesos de respaldo seg\u00fan el documento?**\n - Esta pregunta busca respuestas sobre los detalles que deben incluirse en los procesos de respaldo, como el tipo de datos respaldados, la frecuencia de los respaldos y la duraci\u00f3n de la retenci\u00f3n de los mismos.\n\n2. **\u00bfQu\u00e9 caracter\u00edsticas debe tener la funcionalidad de auditor\u00eda en sistemas cr\u00edticos de GMP para ser considerada adecuada?**\n - Esta pregunta se centra en las caracter\u00edsticas que deben estar presentes en la funcionalidad de auditor\u00eda, como la identificaci\u00f3n del usuario, el registro de cambios y la restricci\u00f3n de edici\u00f3n de datos de auditor\u00eda.\n\n3. **\u00bfC\u00f3mo se debe llevar a cabo la revisi\u00f3n de auditor\u00edas y qu\u00e9 frecuencia se recomienda para esta actividad?**\n - Esta pregunta busca informaci\u00f3n sobre el proceso de revisi\u00f3n de auditor\u00edas, incluyendo qu\u00e9 aspectos deben ser verificados y con qu\u00e9 frecuencia se deben realizar estas revisiones, especialmente en relaci\u00f3n con par\u00e1metros cr\u00edticos. \n\nEstas preguntas est\u00e1n dise\u00f1adas para extraer informaci\u00f3n espec\u00edfica que no se puede encontrar f\u00e1cilmente en otros documentos o contextos, bas\u00e1ndose en los detalles proporcionados en el texto.", "prev_section_summary": "### Resumen de Temas Clave y Entidades\n\n1. **Actualizaci\u00f3n de Annex 11**: Se propone una revisi\u00f3n del Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) para reflejar los avances tecnol\u00f3gicos desde su \u00faltima emisi\u00f3n en 2011.\n\n2. **Integridad de los Datos**: Se introducir\u00e1n requisitos espec\u00edficos para la integridad de los datos en movimiento y en reposo, enfatizando la preferencia por soluciones t\u00e9cnicas y automatizaci\u00f3n en lugar de controles manuales.\n\n3. **Transformaci\u00f3n Digital**: Se considerar\u00e1 la inclusi\u00f3n de expectativas regulatorias relacionadas con la transformaci\u00f3n digital y conceptos modernos.\n\n4. **Alcance de los Sistemas Computarizados**: El alcance debe abarcar no solo la sustituci\u00f3n de operaciones manuales, sino tambi\u00e9n la sustituci\u00f3n de otros sistemas.\n\n5. **Referencias a ICH Q9**: Se sugiere que el documento haga referencia a la gu\u00eda ICH Q9 sobre gesti\u00f3n de riesgos.\n\n6. **Servicios en la Nube**: Se debe incluir la operaci\u00f3n de sistemas computarizados como un servicio, especialmente en el contexto de servicios en la nube.\n\n7. **Documentaci\u00f3n para Sistemas Cr\u00edticos**: Los usuarios regulados deben tener acceso a la documentaci\u00f3n completa para la validaci\u00f3n y operaci\u00f3n segura de sistemas cr\u00edticos, especialmente aquellos operados por proveedores de servicios.\n\n8. **Definici\u00f3n de COTS**: Se requiere una definici\u00f3n clara de \"productos comerciales de uso general\" (COTS) y expectativas de calificaci\u00f3n y validaci\u00f3n para estos productos.\n\n9. **Validaci\u00f3n y Calificaci\u00f3n**: Se necesita aclarar el significado de validaci\u00f3n y calificaci\u00f3n, enfatizando que ambas actividades deben verificar la funcionalidad especificada en las especificaciones de requisitos del usuario (URS).\n\n10. **Enfoque Basado en Riesgos**: La calificaci\u00f3n y validaci\u00f3n de sistemas deben centrarse en partes cr\u00edticas que afectan decisiones de GMP, calidad del producto e integridad de los datos.\n\n11. **Trazabilidad de Requisitos del Usuario**: Se debe garantizar que los requisitos del usuario sean trazables a lo largo del ciclo de vida del sistema, con documentaci\u00f3n actualizada y alineada.\n\n12. **Desarrollo \u00c1gil**: Se debe abordar c\u00f3mo los procesos de desarrollo \u00e1gil afectan la aceptaci\u00f3n de productos y la documentaci\u00f3n necesaria.\n\n13. **Clasificaci\u00f3n de Datos y Sistemas Cr\u00edticos**: Se deben incluir directrices para la clasificaci\u00f3n de datos y sistemas cr\u00edticos.\n\n14. **Protecci\u00f3n de la Integridad de los Datos**: Se deben proporcionar ejemplos de medidas para proteger la integridad de los procesos y datos de GMP, tanto f\u00edsicas como electr\u00f3nicas.\n\n### Entidades Clave\n- **Anexo 11**: Parte de las Buenas Pr\u00e1cticas de Manufactura (GMP).\n- **EMA**: Agencia Europea de Medicamentos.\n- **ICH Q9**: Gu\u00eda sobre gesti\u00f3n de riesgos en la industria farmac\u00e9utica.\n- **COTS**: Productos comerciales de uso general.\n- **PIC/S**: Esquema de Cooperaci\u00f3n de Inspecci\u00f3n Farmac\u00e9utica.\n- **Sistemas Cr\u00edticos**: Sistemas que impactan la calidad del producto y la integridad de los datos.", "excerpt_keywords": "Keywords: backup processes, audit trail functionality, data integrity, GMP compliance, electronic data retrieval"}}, "89ef6a9b-9cf7-4a3b-ab07-68f9c0609b3a": {"node_ids": ["0e045b78-fc1e-43b4-b223-e6859f7c8ed8"], "metadata": {"page_label": "4", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "29. **[12.1]** Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. 'segregation of duties', that day-to-day users of a system do not have admin rights, and the 'least privilege principle', that users of a system do not have higher access rights than what is necessary for their job function.\n\n30. **[12.3]** The current version says that \"Creation, change, and cancellation of access authorisations should be recorded\". However, it is necessary to go further than just recording who has access to a system. Systems accesses and roles should be continually managed as people assume and leave positions. System accesses and roles should be subject to recurrent reviews in order to ensure that forgotten and undesired accesses are removed.\n\n31. **[17]** As previously mentioned (see 7.2), it is not sufficient to re-actively check archived data for accessibility, readability and integrity (it would be too late to find out if these parameters were not maintained). Instead, archival should rely on a validated process. Depending on the storage media used, it might be necessary to validate that the media can be read after a certain period.\n\n32. **[New]** There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications as industry is already implementing this technology. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather that on the process of selecting, training and optimising the models.\n\n33. **[New]** After this concept paper has been drafted and prepared for approval of the EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation, the FDA has released a draft guidance on Computer Software Assurance for Production and Quality System Software (CSA). This guidance and any implication will be considered with regards to aspects of potential regulatory relevance for GMP Annex 11.\n\n## 2. Discussion\n\nThe current Annex 11 does not give sufficient guidance within a number of areas already covered, and other areas, which are becoming increasingly important to GMP, are not covered at all. The revised text will expand the guidance given in the document and embrace the application of new technologies which have gained momentum since the release of the existing version.\n\nIf possible, the revised document will include guidelines for acceptance of AI/ML algorithms used in critical GMP applications. This is an area where regulatory guidance is highly needed as this is not covered by any existing regulatory guidance in the pharmaceutical industry and as pharma companies are already implementing such algorithms.\n\n## 3. Recommendation\n\nThe EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation jointly recommends that the current version of Annex 11, Computerised Systems, be revised according to this concept paper.\n\n## 4. Proposed timetable\n\n- Preparation of draft concept paper \u2013 from October 2021\n- Approval of draft concept paper by EMA GMP/GDP IWG \u2013 October 2022\n- Release for consultation of draft concept paper (2 months consultation) \u2013 October 2022\n- Deadline for comments on concept paper \u2013 December 2022\n- Discussion in EMA GMP/GDP IWG and PIC/S Committee drafting group \u2013 from March 2023\n- Proposed release for consultation of draft guideline (3 months consultation) \u2013 December 2024\n- Deadline for comments on guideline \u2013 March 2025\n- Adoption by EMA GMP/GDP IWG \u2013 March 2026\n- Publication by European Community \u2013 June 2026\n- Adoption by PIC/S Sub-committee on GMDP Harmonisation \u2013 September 2026", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "### Resumen del Contexto\n\nEl documento se centra en la revisi\u00f3n del Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) de la Uni\u00f3n Europea, que trata sobre sistemas informatizados. Se identifican \u00e1reas donde la gu\u00eda actual es insuficiente, especialmente en relaci\u00f3n con la gesti\u00f3n de accesos a sistemas, la integridad de los datos archivados y la necesidad de orientaci\u00f3n regulatoria sobre el uso de inteligencia artificial (IA) y aprendizaje autom\u00e1tico (ML) en aplicaciones cr\u00edticas de GMP. Se propone un cronograma para la revisi\u00f3n y consulta del documento, destacando la urgencia de actualizar las directrices para adaptarse a las nuevas tecnolog\u00edas.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1les son las implicaciones de no aplicar el principio de 'segregaci\u00f3n de deberes' y el 'principio de menor privilegio' en la gesti\u00f3n de accesos a sistemas inform\u00e1ticos en el contexto de GMP?**\n - Esta pregunta busca explorar las consecuencias espec\u00edficas que podr\u00edan surgir si estas pr\u00e1cticas no se implementan adecuadamente, lo que podr\u00eda no estar claramente documentado en otras fuentes.\n\n2. **\u00bfQu\u00e9 criterios espec\u00edficos se deben considerar para validar los medios de almacenamiento de datos archivados en el contexto de GMP, y c\u00f3mo se relacionan con la integridad de los datos a largo plazo?**\n - Esta pregunta se centra en los detalles t\u00e9cnicos y criterios de validaci\u00f3n que son cruciales para garantizar la integridad de los datos, que pueden no estar ampliamente discutidos en otros documentos.\n\n3. **\u00bfQu\u00e9 aspectos espec\u00edficos de la implementaci\u00f3n de IA y ML en aplicaciones GMP requieren m\u00e1s atenci\u00f3n regulatoria, y c\u00f3mo se pueden abordar en la revisi\u00f3n del Anexo 11?**\n - Esta pregunta busca identificar \u00e1reas concretas donde la regulaci\u00f3n es insuficiente y c\u00f3mo se pueden integrar en el nuevo marco regulatorio, lo que podr\u00eda no estar claramente delineado en otras gu\u00edas existentes.\n\n### Resumen de Nivel Superior\n\nEl documento destaca la necesidad de actualizar el Anexo 11 de GMP para abordar deficiencias en la gu\u00eda actual, especialmente en la gesti\u00f3n de accesos a sistemas, la validaci\u00f3n de datos archivados y la regulaci\u00f3n del uso de IA y ML en la industria farmac\u00e9utica. Se propone un cronograma detallado para la revisi\u00f3n y consulta del documento, enfatizando la urgencia de estas actualizaciones para adaptarse a las tecnolog\u00edas emergentes y garantizar la integridad y seguridad de los sistemas inform\u00e1ticos en el \u00e1mbito de GMP.", "prev_section_summary": "### Temas Clave\n\n1. **Pruebas de Restauraci\u00f3n de Datos**: La importancia de probar la capacidad de restaurar datos del sistema desde copias de seguridad, aunque no se considere necesario realizar chequeos peri\u00f3dicos si no hay cambios en los procesos de respaldo.\n\n2. **Expectativas de Procesos de Copia de Seguridad**: Se deben definir claramente las expectativas sobre qu\u00e9 se respalda (datos y aplicaciones), tipos de copias (incrementales o completas), frecuencia, retenci\u00f3n, medios utilizados y ubicaci\u00f3n f\u00edsica de las copias.\n\n3. **Formato Electr\u00f3nico de Datos**: Se espera que los datos, incluyendo el rastro de auditor\u00eda completo, est\u00e9n disponibles en formato electr\u00f3nico, reconsiderando la necesidad de imprimir datos.\n\n4. **Funcionalidad de Auditor\u00eda**: Se requiere que los sistemas cr\u00edticos de GMP tengan una funcionalidad de auditor\u00eda que registre autom\u00e1ticamente todas las interacciones manuales, identificando al usuario y documentando cambios con detalles completos.\n\n5. **Revisi\u00f3n de Rastro de Auditor\u00eda**: Se deben establecer pautas sobre la frecuencia de revisi\u00f3n del rastro de auditor\u00eda, especialmente para par\u00e1metros cr\u00edticos, y se debe capturar cada entrada de datos con suficiente detalle.\n\n6. **Revisi\u00f3n de Configuraci\u00f3n**: Se propone que la revisi\u00f3n de configuraci\u00f3n se base en comparaciones de l\u00edneas base de hardware y software a lo largo del tiempo, evaluando la necesidad de re-calificaci\u00f3n o validaci\u00f3n.\n\n7. **Seguridad de Sistemas Inform\u00e1ticos**: Se enfatiza la necesidad de controles espec\u00edficos para restringir el acceso a sistemas inform\u00e1ticos, incluyendo autenticaci\u00f3n multifactor y otras medidas de seguridad.\n\n8. **Autenticaci\u00f3n en Sistemas Cr\u00edticos**: La autenticaci\u00f3n debe identificar al usuario regulado con un alto grado de certeza, sugiriendo que el uso de una tarjeta de acceso por s\u00ed sola puede no ser suficiente.\n\n### Entidades Clave\n\n- **Sistemas Cr\u00edticos de GMP**: Sistemas que manejan datos regulados y requieren auditor\u00eda rigurosa.\n- **Rastro de Auditor\u00eda**: Registro de cambios y accesos en sistemas cr\u00edticos.\n- **Copias de Seguridad**: Procesos y procedimientos para asegurar la recuperaci\u00f3n de datos.\n- **Controles de Seguridad**: Medidas implementadas para proteger el acceso a sistemas inform\u00e1ticos.\n- **ISO 27001**: Est\u00e1ndar que gu\u00eda la gesti\u00f3n de la seguridad de la informaci\u00f3n.\n\nEste resumen destaca la importancia de la gesti\u00f3n de datos electr\u00f3nicos y la seguridad en sistemas cr\u00edticos de GMP, enfatizando la necesidad de auditor\u00edas efectivas y controles de acceso robustos.", "excerpt_keywords": "Keywords: GMP, Annex 11, artificial intelligence, system access, regulatory guidance"}}, "553db23d-99c5-4b91-92ab-a88e07eaa8de": {"node_ids": ["dab0a6ef-b9f1-4376-a774-4c9b12efa933"], "metadata": {"page_label": "5", "file_name": "[36] PIC Revision of Annex 11 EU GMP.pdf", "file_path": "raw_data/[36] PIC Revision of Annex 11 EU GMP.pdf", "image_path": "", "parsed_text_markdown": "# 5. Resource requirements for preparation\n\nA drafting group has been established by EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation with a rapporteur and supporting experts from other EU member regulatory authorities and from non-EU PIC/S participating authorities.\n\nIt is expected that most of the work will be completed by email and by teleconference.\n\nThe guideline will be discussed at GMP/GDP IWG and the PIC/S Committee as necessary and at other involved working parties and groups. Further discussions are expected with interested parties.\n\n# 6. Impact assessment (anticipated)\n\nThe updated Annex 11 is intended to benefit both industry and regulators by clarifying expectations to areas already covered, by broadening these to areas not yet covered, and by pushing the adoption of a common approach between EU and non-EU regulatory authorities. Revision of Annex 11 will facilitate a better understanding of expectations to the use of computerised systems within manufacturing of medicinal products, and thereby, enhance the quality and safety of products and the integrity of data.\n\nNo unnecessary adverse impact on industry with respect to either resources or costs is foreseen, although there is always a cost associated with being in compliance (or quality). The revision may require some systems and processes to be modified over a period of time.\n\n# 7. Interested parties\n\n- EMA GMP/GDP Inspectors Working Group\n- PIC/S Committee, Sub-committee on GMDP Harmonisation\n- National competent authorities of EU/EEA member states\n- PIC/S participating authorities\n- Pharmaceutical industry\n- International societies and interest groups within pharmaceutical industry, e.g. ISPE GAMP\n\n# 8. References to literature, guidelines, etc.\n\n- EMA GMP Q&A on Annex 11 and Q&A on Data Integrity, link\n- EMA GCP Guideline on computerised systems and electronic data in clinical trials (draft), EMA/226170/2021, link\n- EMA GCP Q&A no. 8, 9, and Notice to sponsors on validation and qualification of computerised systems used in clinical trials on link\n- EMA GVP Q&A on Level of validation/qualification needed to be performed by a MAH when using an electronic system previously qualified by a provider link", "parsed_text": "", "document_title": "PIC/S Revision of Annex 11 EU GMP", "questions_this_excerpt_can_answer": "Aqu\u00ed tienes tres preguntas espec\u00edficas que se pueden responder con el contexto proporcionado, junto con un resumen de nivel superior:\n\n### Resumen de Nivel Superior\nEl documento trata sobre la revisi\u00f3n del Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura (GMP) en la Uni\u00f3n Europea, enfoc\u00e1ndose en la preparaci\u00f3n de directrices que clarifiquen las expectativas sobre el uso de sistemas informatizados en la fabricaci\u00f3n de productos medicinales. Se establece un grupo de redacci\u00f3n compuesto por expertos de diversas autoridades regulatorias, tanto de la UE como de pa\u00edses no pertenecientes a la UE. La revisi\u00f3n busca beneficiar a la industria y a los reguladores, promoviendo un enfoque com\u00fan y mejorando la calidad y seguridad de los productos. Se identifican las partes interesadas y se mencionan referencias a literatura y gu\u00edas relevantes.\n\n### Preguntas Espec\u00edficas\n\n1. **\u00bfCu\u00e1l es el objetivo principal de la revisi\u00f3n del Anexo 11 seg\u00fan el documento?**\n - La revisi\u00f3n del Anexo 11 tiene como objetivo beneficiar tanto a la industria como a los reguladores al clarificar las expectativas en \u00e1reas ya cubiertas, ampliar estas expectativas a \u00e1reas no cubiertas y fomentar la adopci\u00f3n de un enfoque com\u00fan entre las autoridades regulatorias de la UE y no UE.\n\n2. **\u00bfQu\u00e9 tipo de impacto se anticipa en la industria como resultado de la revisi\u00f3n del Anexo 11?**\n - Se anticipa que no habr\u00e1 un impacto adverso innecesario en la industria en t\u00e9rminos de recursos o costos, aunque siempre hay un costo asociado con el cumplimiento. Sin embargo, se espera que algunas modificaciones en sistemas y procesos sean necesarias a lo largo del tiempo.\n\n3. **\u00bfQui\u00e9nes son las partes interesadas mencionadas en el documento que participar\u00e1n en la discusi\u00f3n de la revisi\u00f3n del Anexo 11?**\n - Las partes interesadas incluyen el Grupo de Inspectores de GMP/GDP de la EMA, el Comit\u00e9 PIC/S y su Subcomit\u00e9 sobre la Armonizaci\u00f3n de GMDP, las autoridades competentes nacionales de los estados miembros de la UE/EEE, las autoridades participantes de PIC/S, la industria farmac\u00e9utica y sociedades internacionales e grupos de inter\u00e9s dentro de la industria farmac\u00e9utica, como ISPE GAMP.", "prev_section_summary": "### Temas Clave\n\n1. **Gesti\u00f3n de Accesos a Sistemas**:\n - Importancia de la 'segregaci\u00f3n de deberes' y el 'principio de menor privilegio' en la asignaci\u00f3n de accesos a sistemas inform\u00e1ticos.\n - Necesidad de gestionar continuamente los accesos y roles de los usuarios, con revisiones recurrentes para eliminar accesos no deseados.\n\n2. **Integridad de Datos Archivados**:\n - La importancia de validar los procesos de archivo para asegurar la accesibilidad, legibilidad e integridad de los datos a largo plazo.\n - Recomendaci\u00f3n de validar los medios de almacenamiento para garantizar que los datos puedan ser le\u00eddos despu\u00e9s de un per\u00edodo determinado.\n\n3. **Uso de Inteligencia Artificial (IA) y Aprendizaje Autom\u00e1tico (ML)**:\n - Urgente necesidad de orientaci\u00f3n regulatoria sobre el uso de IA y ML en aplicaciones cr\u00edticas de GMP.\n - Enfoque en la relevancia, adecuaci\u00f3n e integridad de los datos utilizados para probar estos modelos, as\u00ed como en los resultados de dichas pruebas.\n\n4. **Revisi\u00f3n del Anexo 11 de GMP**:\n - Reconocimiento de que la versi\u00f3n actual del Anexo 11 no proporciona suficiente gu\u00eda en \u00e1reas cr\u00edticas y que se deben incluir nuevas tecnolog\u00edas.\n - Propuesta de un cronograma para la revisi\u00f3n y consulta del documento, destacando la urgencia de actualizar las directrices.\n\n### Entidades\n\n- **EMA GMP/GDP Inspectors Working Group**: Grupo de trabajo encargado de la revisi\u00f3n de las Buenas Pr\u00e1cticas de Manufactura.\n- **PIC/S Sub-committee on GMDP Harmonisation**: Subcomit\u00e9 que colabora en la armonizaci\u00f3n de las directrices de GMP.\n- **FDA**: Administraci\u00f3n de Alimentos y Medicamentos de EE. UU., que ha emitido una gu\u00eda sobre la garant\u00eda de software para sistemas de producci\u00f3n y calidad.\n- **GMP (Good Manufacturing Practices)**: Buenas Pr\u00e1cticas de Manufactura, regulaciones que aseguran la calidad y seguridad en la producci\u00f3n farmac\u00e9utica.\n\n### Resumen General\n\nEl documento aborda la necesidad de revisar el Anexo 11 de las Buenas Pr\u00e1cticas de Manufactura de la UE, enfatizando la insuficiencia de la gu\u00eda actual en \u00e1reas como la gesti\u00f3n de accesos a sistemas, la integridad de datos archivados y la regulaci\u00f3n del uso de IA y ML en la industria farmac\u00e9utica. Se propone un cronograma detallado para la revisi\u00f3n y consulta del documento, subrayando la urgencia de estas actualizaciones para adaptarse a las tecnolog\u00edas emergentes y garantizar la seguridad de los sistemas inform\u00e1ticos en el \u00e1mbito de GMP.", "excerpt_keywords": "Keywords: Annex 11, GMP, computerized systems, regulatory authorities, impact assessment"}}}} \ No newline at end of file