encryption Archives - European Industrial Pharmacists Group (EIPG)

Approval of the Data Governance Act, and EMA’s consultation on the protection of personal data in the CTIS


by Giuliana Miglierini The Data Governance Act (DGA) was approved and adopted in May 2022 by the European Council, following the positive position of the EU Parliament; the new legislation will entry into force after being signed by the presidents Read more

The transition towards EMA's new Digital Application Dataset Integration (DADI) user interface


by Giuliana Miglierini The Digital Application Dataset Integration (DADI) network project is aimed to replace the current PDF-based electronic applications forms (eAFs) used for regulatory submissions with new web-forms accessible through the DADI user interface. The European Medicines Agency (EMA) has Read more

IVD regulation in force: new MDCG guidelines and criticalities for innovation in diagnostics


by Giuliana Miglierini The new regulation on in vitro diagnostic medical devices (IVDR, Regulation (EU) 2017/746) entered into force on 26 May 2022. The new rules define a completely renewed framework for the development, validation and use of these important Read more

EMA’s consultation on draft Q&As on remote certification of batches by QP

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The last two years saw the implementation of a high degree of regulatory flexibility as a mean to respond to the many challenges posed by the travel bans consequent to the pandemic. After this “experimental” phase, regulatory authorities are now considering the possibility to allow the routine implementation of some remote procedures in the field of pharmaceutical production.

It is the case of the remote certification/confirmation of batches by the Qualified Person (QP): after the publication of a draft guideline in the form of Q&As (EMA/INS/169000/2022), the European Medicines Agency (EMA) has launched a short public consultation which will remain open up to 13 June 2022. Comments may be sent by email.

The guideline offers EMA’s point of view on the requirements for the physical attendance at the authorised manufacturing site applying to QPs in order to routinely run the remote certification of batches, outside emergency situations. The document has been drafted by the GMDP Inspectors Working Group; it is composed of four questions and their relative answers and it addresses some considerations arising from the experience gained on the application of the guidelines for human and veterinary medicines issued during the pandemic. These last ones were elaborated in cooperation between the European Commission, the Coordination group for Mutual recognition and Decentralised procedures – human (“CMDh”), the Inspectors Working Group, the Coordination group for Mutual recognition and Decentralised procedures – veterinary (“CMDv”) and EMA.

The Agency also warns that the contents proposed by new Q&As’ guideline may be subject to any other interpretation by the European Court of Justice, which is the ultimate responsible for the interpretation of the EU legislation.

The contents of the Q&As

The routine remote certification or confirmation of batches may in future apply to the activities carried out by the QPs within the EU and European Economic Area (EEA), with reference to manufactured or imported human and veterinary medicinal products and investigational medicinal products.

The first answer clarifies that it could be possible for the QP to routinely run remote batch certification or confirmation only if this type of practice is accepted by the relevant national competent authority (NCA) of the member state where the authorised site is located. To this instance, it should be noted that some NCAs may request some specific requirements to authorise the routine remote certification procedure, for example with reference to the location of the QPs.

Should the remote certification be allowed on a routine basis, specific requirements should be met in order to validate this practice, starting from its full compliance to the EU legislation and EU GMP guidelines.

The answer to question 2 specifies that all activities should take place in an EU/EEA country, and that the time spent by the QP at the authorised site should be commensurate with the risks related to the processes” hereby taking place. To this instance, it is of paramount importance the ability to demonstrate that the QP acting from remote has maintained full knowledge of the products, manufacturing processes and pharmaceutical quality system (PQS) involved in the remote certification/confirmation of batches. That also means that the QP should be highly reliant on the PQS of the authorised site, and this would be only possible by spending an adequate time on-site to verify the adequacy of the PQS with respect to the processes of interest. The pharmaceutical quality system should also include details of all the procedures used for the routine remote certification/confirmation of batches. The possible use of this type of remote procedure by the QP should be also clearly mentioned in the technical agreement governing the relationship between the authorisation holder and the QP, which should also specify all cases requiring the presence on-site of the QP. A robust IT infrastructure should be in place to guarantee the remote access of the QP to all the relevant documentation in the electronic format needed to achieve bath certification/confirmation, according to the provisions described in Annex 16 to the GMPs (Certification by a Qualified Person and Batch Release). To this instance, presence on-site should be always considered to solve issues that cannot properly be addressed from remote. The demonstration of the presence on-site of the QP falls under the responsibility of the Manufacturing/Importers Authorisation (MIA) holders.

These are also responsible to make available to the QPs all the hardware and software needed to guarantee the remote access to the relevant documentation (e.g. manufacturing executions systems, electronic batch records system, laboratory information systems etc.) as well as batch registers. All IT systems used for remote batch release should comply with the requirements of Annex 11 to the GMP (Computerised Systems).

On the same basis, it should be possible for NCAs to contemporaneously access for inspection all documentation and batch registers involved in routine remote certification/confirmation at the authorised site of batch release. MIA holders should also guarantee the QP is the only allowed person to access the batch certification/confirmation function and batch register, that the transferred data are complete and unchanged, and that an adequate system for electronic signatures is in place.

Question 3 simply clarifies that some members states may have some specific requirements about the country of residence of the QP, for example it should be the same where the authorised site involved in the remote certification procedure is located.

The last question discusses technical requirements linked to IT-security and data integrity for remote access, a type of procedure presenting a higher intrinsic risk in comparison to the same activities carried on-site. Here again, the main reference is Annex 11; all equipment and software used for remote certification of batches should always reflect the current technological developments.

Among the suggestions made by the Q&A draft guideline is the precise identification of all hardware transferred off-site to the QP, that should be inventoried and kept updated. Hard disks should be encrypted, and ports not required disabled.

Attention should be also paid to the configuration of any virtual private network (VPN) used by the QP to improve the security of the connection to the IT infrastructure of the authorised site and to prevent unauthorised accesses. Authentication should be based on recognised industry standards (e.g. two-factor or multifactor authentication, with automatic date of expiry). The transfer of data should be secured by strong transport encryption protocols; assignment of individual privileges and technical controls falls under the responsibility of the MIA holder