Updated: Aug 10
There seems to be some work on updating EU GMP Volume 4, Annex 11. I'm looking forward to it!
But even in the current version we can read the following:
'3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.'
Wow! So this has been with us since 2011. Is the last sentence getting dealt with everywhere? Is it obvious that you need to have a quality agreement with your own IT department? Furthermore, who is really here that you as process owner should have an agreement with?
Let's check who should sit around the table.
Process (or data) owner: the person/department responsible for the process that is supported by the computerized system, and the GxP data in it; and the
System owner: the person/department responsible for the IT infrastructure and related IT processes.
And if you read the Annex 11 section again, let's focus on the following words: 'configure', 'validate', 'maintain'. Who does this? Usually neither process owners, nor system owners. We have found the third stakeholder: the administration team. They are the ones who are responsible for user management, master data management, and who knows what else.
So the best way the handle the requirement of Annex 11 is either having a tripartite quality agreement both with IT and the administration team, or having 2 separate quality agreements with them.
Let me also add that to capture the separation of the responsibilities is not only important to fulfill the requirement, but to have a good organizational solution for doing efficient business.