Are you in control of your Computer Systems Inventory?

What is a computer systems inventory and how do you establish one? What are the regulations that govern it? What’s the best way to manage it? Senior QA Specialist of Compliant Cloud Nicola Brady answers these questions and more.  

What is a Computer Systems Inventory?  

A computer systems inventory is an essential resource containing information related to computer systems owned and / or operated by an organisation. For GxP regulated companies, however it is not only an essential resource, but a regulatory requirement.  

What do the regulations say?  

EudraLex – Volume 4 Good manufacturing practice (GMP) Guidelines Annex 11 for computerised systems includes the following requirement for a regulated company: an up to date listing of all relevant systems and their GMP functionality (inventory) should be available” [1] 

There is also a Japanese regulatory requirement set forth in PMDA Guideline on Management of Computerized Systems for Marketing Authorization Holders and Manufacturers of Drugs and Quasi-drugs which requires “preparation and maintenance of system inventory” as a fundamental policy for development, validation, and operations management for computerized systems. [2] 

The FDA have not prescribed specific regulations in 21 CFR part 11 in relation to a system inventory, although an up-to-date systems inventory is often one of the first things requested by an FDA inspector.   

In addition to regulations requiring it and inspectors expecting it, the PIC/S Good Practices for Computerised Systems in Regulated GxP” Environments guidance [3] and WHO Guidelines on Validation – Appendix 5 Validation of Computerised Systems [4] also point to an inventory list of GxP systems as an expectation.   

How do I establish my Computer Systems Inventory?  

For GxP regulated companies the Computer Systems Inventory must capture all GxP Computerised Systems. But what exactly does this mean? A GxP computerised system can be considered as any system that has a direct or indirect impact on an GxP activity. Examples may include but are not limited to the following: 

  • Systems controlling or managing manufacturing processes 
  • Systems controlling or managing laboratory instruments 
  • Systems controlling or management GxP data or records 
  • Systems controlling or managing utilities e.g. HVAC, WFI 

The GxP regulated company should define and document the scope GMP Computerised Systems to be included within the computer system inventory.   

Annex 11 [1] calls for the minimum requirements as the list of the computer systems and details of the functions of the computerised systemhowever it also states that “for critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available”.  

PMDA [2] call specifically for “the name of each system, registration number, whether it is a subject of validation or not (i.e. category of the software), and the names of the persons in charge of the system, etc”. The PIC/S Guidance [3] calls for additional details including “ownership, supplier/developer, functionality, links and validation status” and also expects computerised systems to be “classified as to their use, criticality and validation status”.  

So, based on these requirements and expectations, the following information should be captured on the Computer Systems Inventory:   

  • Unique System Identifier 
  • System Name
  • System Impact / System Classification (e.g. Direct / Indirect) 
  • Description of the use of the system 
  • Details of the system Boundary 
  • Software / Hardware Category (e.g. GAMP Category) 
  • Validation Status 
  • Business Process Owner 
  • System Owner  
  • Periodic Review Schedule 
  • Supplier / Integrator Details 

What is the best way to manage my Computer Systems Inventory? 

The system inventory should be easily searchable and filterable to allow for easy interrogation and use. This is often managed by GxP regulated companies utilising a hybrid system where electronic spreadsheets are maintained and updated in real time and periodically approved and formalised via the applicable document management system.  

This, of course, can have its challenges. What happens when the auditors arrive on site? The master record will be that which was approved via the applicable document management system, but this might not be reflective of the working copy spreadsheet? How do you know that the “working copy” spreadsheet is current and correct? How frequently should the formal approval be documented, and so on.  

A more efficient and effective way of managing your computer systems inventory is to move to a fully integrated electronic computer systems inventory. An electronic solution would, of course, require validation, but the potential additional capabilities such as centralised user access management and user access review could add significant business value.  

References 

[1] https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf 

[2] https://www.pmda.go.jp/files/000153231.pdf 

[3] PIC/S_recommendation_on_computerised_systems.pdf 

[4] WHO Guideline_Validation_Computerized_Systems-Appendix5_QAS16-667. 

Nicola Brady

Nicola Brady

Nicola Brady is a Senior Quality Assurance Specialist with Odyssey VC and Compliant Cloud. She specialises in articles about Quality and Data.

Share on

Share on twitter
Share on linkedin
Share on facebook
avatar
  Subscribe  
newest oldest
Notify of
AffiliateLabz
Guest

Great content! Super high-quality! Keep it up! 🙂