This manuscript examines the new final version of Annex 11 and provides my recommendations for
implementing it. There are many other ways to implement the same requirements. To give the reader
additional information, it refers to other regulations/guidelines that overlap the issue under
discussion. The purpose of this article is not to find gaps between Annex 11 and the referenced
regulations. Some descriptions are based on the listed guidelines, with judicious editing where
necessary to fit the context of this manuscript.
Biography.
Orlando has held several technical and management eCompliance positions in different
pharmaceutical and medical device companies. He has a thorough knowledge of e-records integrity
regulations and guidelines (21 CFR Part 11, Annex 11, MHRA, WHO, PIC/S, CFDA, USFDA, EU OMLC) and
experience evaluating, designing/redesigning business rules, processes, definitions, and quality
expectations to ensure e-records integrity in a scalable and efficient manner. He has spoken on the
topic of e-records integrity at several industry conferences and published in the ISPE's Pharma
Engineering, Pharma Technology and GXP Journal magazines. He recently published a book about
e-records integrity best practices and is a member of the IVT DI Working Group. His special interest
is the GMP compliance issues applicable to computer systems.
Orlando is the author of 25+ publications, including the Encyclopedia of Pharmaceutical Science
and Technology, 4th Edition (CSV) and 8 computer compliance related books -
amazon.com/author/orlandolopez/
Acknowledgement.
I would like to express my gratitude to Ludwig Huber, Siegfried Schmitt, David Stokes and Sion
Wayne who provided recommendations to improve this article.
Disclaimers.
The information contained in this article is provided in good faith and reflects the personal views of
the author. These views do not necessarily reflect the perspective of the publisher of this article. No
liability can be accepted in any way. The information provided does not constitute legal advice.
Dedication.
Select quotations.
Page  Quotation
1     The revised Annex 11 adopts a risk based approach, and is mostly aligned with current
      industry good practice.
3     It is interesting the difference between the GAMP and the EU regulations on a simple issue
      as the meaning of a computer system.
4     It is the author’s opinion that Paragraph 4.5 of this annex should be an element of the
      main principles.
8     Section 11-4.4 establishes the expectation of the EU regulator regarding how to manage
      requirements.
9     At least, all data on which quality decisions are based should be defined as raw data.
11    Regulated user companies have a choice as to whether to use electronic records instead of
      paper based records or e-signatures exercised to the applicable to e-records
16    The highpoints of Annex 11 are the Risk Management, Requirements Management, E-records
      Management, and Validation.
Annex 11 – Changes to Computer Systems Guidelines in the EU
Introduction.
Like the Food and Drug Administration (FDA) in the United States (US), the European Union
(EU) sets requirements applicable to the Good Manufacturing Practices (GMP) for medicinal
products for human use, investigational medicinal products for human use, and veterinary medicinal
products.
In 1991, the Commission of the European Communities adopted 2 directives laying down principles
and guidelines for good manufacturing practice for medicinal products.
The origins of Annex 11 date from 1991 [3]. The Pharmaceutical Inspection Co-operation (PIC)
created a document defining their requirements for computer systems. This document was given the
name Annex 5 to the PIC GMP. In 1992, Annex 5 was incorporated as Annex 11 to the EU GMP.
It later became a part of the GLP and GCP requirements in Europe.
After 1992, computer systems and applications [4] have increased in complexity to such an extent
that, although the main principles of the Annex 11 are still valid, the scope and content of the
present annex are considered no longer suitable to meet the needs of either the pharmaceutical
industry or inspectors.
The new version of Annex 11 was released by the European Commission (EC) in January 2011
along with a revision of Chapter 4 of its GMPs on documentation. It comes into effect in June
2011.
The EU also updated Chapter 4 of its GMPs, which sets out its expectations for documentation.
The Annex 11 and Chapter 4 revisions are part of the EU effort to modernize its GMPs in
accordance with ICH Q8-10 concepts, to reflect the actualities of electronic record keeping, and
current quality management expectations.
[1] Annex 11 to Volume 4 of the Rules Governing Medicinal Products in the European Community,
Computerized Systems.
[2] Computer System - a system including the input of data, electronic processing and the output of
information to be used either for reporting or automatic control. Eudralex Volume IV, Glossary
[3] Segalstad, S. H., “Pharmaceutical Computer Systems Validation: A Practical Approach for Validating LIMS and Other
The worldwide importance of Annex 11 is noticeable. For example, in January 2009 Australia’s
Therapeutic Goods Administration (TGA) adopted the PIC/S GMP Guide for Medicines as a
Manufacturing Principle, together with the majority of the EU Annexes, including Annex 11.
The revised Annex 11 adopts a risk based approach, and is mostly aligned with current industry
computer systems good practices.
Another example of the worldwide relevance of Annex 11 is the PIC/S organization. PIC/S is
the abbreviation used to describe both the Pharmaceutical Inspection Convention (PIC) and the
Pharmaceutical Inspection Co-operation Scheme (PIC Scheme). PIC/S provides an active and
constructive co-operation in the field of Good Manufacturing Practice. The purpose of PIC/S is to
facilitate the networking between participating authorities and the maintenance of mutual
confidence, the exchange of information and experience in the field of GMP and related areas, and
the mutual training of GMP inspectors. PIC/S PI 011-3 [5] is the guideline used by the GMP
inspectors to audit computer systems. PIC/S PI 011-3 is based on Annex 11. At this moment PIC/S
hasn't yet rewritten PIC/S PI-011 to reflect the new requirements in Annex 11.
This manuscript examines the released final version of Annex 11 and provides my recommendations
to implement Annex 11. There are many other ways to implement the same requirements. To give the
reader additional information, relevant regulations/guidelines are referenced. The purpose of this
article is not to find gaps between Annex 11 and the referenced regulations. Some descriptions are
based on the listed guidelines, with judicious editing where necessary to fit the context of this
manuscript.
The recommendations to implement Annex 11, as described in this article, are purely from the
standpoint and opinion of the author, and should serve as a suggestion only. They are not intended
to serve as the regulators’ official implementation process.
Before getting into the Annex 11 it is necessary to review the reference points outside of the Annex
11 that provide the EU framework to regulate computer systems.
[5] Pharmaceutical Inspection Co-operation Scheme. Good Practices for Computerised Systems in
Regulated “GxP” Environments, Pharmaceutical Inspection Convention, PI 011-3, 2007.
The EU authority to regulate the use of computers in the manufacturing of medicinal products for
human use, investigational medicinal products for human use, and veterinary medicinal products
is derived from Article 6 of the EC Directive 2003/94.
Computer systems performing regulated operations in the manufacturing of medicinal products for
human use, investigational medicinal products for human use, and veterinary medicinal products are
regarded as equipment. Every time the expression “equipment” is used in the EU GMP, this is also
applicable to computer systems.
By connecting the hardware and equipment, the EU GMP principles applicable to computer
systems are:
[8] Statements using “must”, “required”, or “shall” mean that the definition is an absolute
requirement of the specification.
[9] Statements using “should” are intended to give guidance and provide acceptable methods for complying, but other
Main principles of the Annex 11
The structure of the released Annex 11 document has a Principle and 17 clauses. The following are
the 3 principles.
This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A
computerised system is a set of software and hardware components which together fulfill certain functionalities.
Suggested Implementation.
Computer systems can be used to perform operations covered by the GMP regulation.
Even though computer systems can be used to perform operations covered by the GMP regulation,
there is no requirement to maintain electronic copies of records in preference to other media such
as microfiche or paper.
References.
21 CFR 211.68.
21 CFR 820.70(i).
EU Directive 2003/94/EC.
21 CFR 11.2(b).
Note of the author: It is interesting to note the difference between the Good Automated
Manufacturing Practices (GAMP) [12] and the EU regulations on the meaning of a computer system.
For the GAMP, a computer system includes people, all software (applications, system level software,
and documentation), hardware, operating procedures, and peripheral equipment being operated by
the computer performing specific, defined roles within a given environment. For the EU, a
computer system is a set of software and hardware components which together fulfill certain
functionalities.
The application should be validated; IT infrastructure should be qualified.
Suggested Implementation.
Computer systems require a written validation [14] process. The depth and scope of validation
depends on the diversity, complexity, and criticality of the computerized application.
Validation is associated with processes and qualification is associated with equipment.
Refer to 11-4.
References.
Eudralex Volume IV, Glossary.
PIC/S PI 011-3 [15].
21 CFR 211.68.
21 CFR 820.70(i).
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
21 CFR 11.10(a).
Where a computerised system replaces a manual operation, there should be no resultant decrease in product
quality, process control or quality assurance. There should be no increase in the overall risk of the process.
Suggested Implementation.
Prior to converting a process from manual to automated control or the introduction of a new
automated operation, it is important that project staff consider any quality assurance and safety
issues as part of an impact assessment of risks.
The use of a computer system does not reduce either the requirements that
References.
PIC/S PI 011-3
11-1
[12] GAMP Guide for Validation of Automated Systems in Pharmaceutical Manufacture, Version V5.0,
Good Automated Manufacturing Practice (GAMP) Forum, International Society for Pharmaceutical
Engineering, Tampa FL, 2008.
[14] Validation - action of proving, in accordance with the principles of Good Manufacturing
Practice, that any procedure, process, equipment, material, activity or system actually leads to
the expected results. Eudralex Volume IV, Glossary.
[15] Pharmaceutical Inspection Co-operation Scheme. Good Practices for Computerised Systems in Regulated, “GxP”
After the above 3 main principles, Annex 11 continues on with 17 recommendations for computer
operations.
General
1. Risk Management
Risk management should be applied throughout the lifecycle of the computerised system taking into account
patient safety, data integrity and product quality. As part of a risk management system, decisions on the
extent of validation and data integrity controls should be based on a justified and documented risk assessment
of the computerised system.
Suggested Implementation.
This is a new section in the Annex 11. It establishes the expectations for computer systems
through the system life cycle. Risk management is addressed as a tool that should be applied
throughout the life cycle of the computer system, taking into account factors such as patient
safety, data integrity and product quality. The following is one of many techniques to implement a
Risk Management process.
Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and
assessment.
Risk Assessment.
Risk assessment is the method to assess and characterize the critical parameters in the
functionality of an equipment or process [17].
A detailed Risk Assessment should be performed, building on the initial Risk Assessment performed
at the concept phase. The Risk Assessment process assesses risks associated with processes and
functions defined in the Requirements Specification and Functional Specification deliverables.
The activities are:
Identify processes/functions/transactions (as appropriate)
Assess risk by analyzing:
- Risk scenarios
- Effects for each event
- Likelihood of events
- Severity of impact
- Likelihood of detection
Plan for reduction or elimination of those risks, based on the analysis.
References.
ICH Harmonized Tripartite Guideline, Quality Risk Management, Q9.
NIST, Risk Management Guide for Information Technology Systems, Special Publication 800-30.
GHTF, Implementation of risk management principles and activities within a Quality Management
System.
GAMP Forum, Risk Assessment for Use of Automated Systems Supporting Manufacturing Process --
Risk to Record, Pharmaceutical Engineering, Nov/Dec 2002.
GAMP/ISPE, Risk Assessment for Use of Automated Systems Supporting Manufacturing Process --
Functional Risk, Pharmaceutical Engineering, May/Jun 2003.
Pressman, Roger S., Software Engineering – A Practitioner’s Approach, McGraw Hill
[17] EU Annex 15 – Validation and Qualification, July 2001
2. Personnel
There should be close cooperation between all relevant personnel such as Process Owner, System Owner,
Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined
responsibilities to carry out their assigned duties.
Suggested Implementation. References
[18] MAY - This word, or the adjective "OPTIONAL", means that an item is truly optional.
cover, at a minimum, the particular operations that the employee performs
and GMP as it relates to the employee's functions. Records of training
should be maintained. Training should be periodically assessed.
Management must identify and provide the appropriate software
development environment and resources.
Project Phase
4. Validation
4.1 The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers
should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their
risk assessment.
4.2 Validation documentation should include change control records (if applicable) and reports on any
deviations observed during the validation process.
4.3 An up to date listing of all relevant systems and their GMP functionality (inventory) should be available.
For critical systems an up to date system description detailing the physical and logical arrangements, data
flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security
measures should be available.
[19] The regulated Good Practice entity that is responsible for the operation of a computerized
system and the applications, files and data held thereon. PIC/S PI 011-3
4.4 User Requirements Specifications should describe the required functions of the computerised system and be
based on documented risk assessment and GMP impact. User requirements should be traceable throughout
the life-cycle.
4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in
accordance with an appropriate quality management system. The supplier should be assessed appropriately.
4.6 For the validation of bespoke or customised computerised systems there should be a process in place that
ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of
the system.
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system
(process) parameter limits, data limits and error handling should be considered. Automated testing tools and
test environments should have documented assessments for their adequacy.
4.8 If data are transferred to another data format or system, validation should include checks that data are
not altered in value and/or meaning during this migration process.
Suggested Implementation.
Commercially available software that has been qualified does not require the same level of testing.
E-records migration must be verified. There must be an additional check on the accuracy of the
entry.
Section 4.4 is one of the most important sections regarding management of a project. It also
establishes the expectation of the EU regulator regarding how to manage requirements. Section 4.4
establishes [21] tracing operational and non-operational computer systems functions required by the
users, applicable regulation(s), company standards, product, process, and safety. These
operational and non-operational functions must be accomplished by a risk management process and
traceable during the SLC.
A key concept in the validation process is to establish the intended use and proper performance of
the computer system. It is essential to establish, in
References.
21 CFR 820.70(i).
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
11-1
21 CFR 11.10(a).
[20] PIC/S PI 011-3
[21] Establish means define, document (in writing or electronically), and implement.
Note of the author: It is the author’s opinion that Paragraph 4.5 of this annex should be an element
of the main principles. Specifically Paragraph 4.5 refers to the need to ensure that the software has
been produced under a quality system which incorporates a system development life cycle model.
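The check required by clause 4.8, and the statement above that e-records migration must be verified, can be automated. The following is an added example, not part of the original article or of Annex 11: it compares migrated records with their source by typed value, so that a rounded result or a day/month swap is reported as an alteration. The record layout, field names, date formats and sample values are constructed for illustration.

```python
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Assumed field types for a constructed batch-record layout (not from the article).
FIELD_TYPES = {"assay_pct": "number", "expiry": "date", "unit": "text"}

# Constructed sample data: the legacy system stores dates as DD/MM/YYYY.
SOURCE = [
    {"lot": "A100", "assay_pct": "98.20", "expiry": "03/04/2012", "unit": "%"},
    {"lot": "A101", "assay_pct": "99.15", "expiry": "15/11/2012", "unit": "%"},
    {"lot": "A102", "assay_pct": "97.80", "expiry": "01/01/2013", "unit": "%"},
]
# Constructed migration output (ISO dates) with three defects planted:
# A100 day and month swapped, A101 result rounded, A102 dropped.
TARGET = [
    {"lot": "A100", "assay_pct": 98.2, "expiry": "2012-03-04", "unit": "%"},
    {"lot": "A101", "assay_pct": 99.2, "expiry": "2012-11-15", "unit": "%"},
]


def canonical(kind, raw, date_format):
    """Reduce a stored value to a form that can be compared across systems."""
    if raw is None:
        raise ValueError("field missing")
    text = str(raw).strip()
    if kind == "number":
        return Decimal(text)  # exact decimal, so rounding shows up
    if kind == "date":
        return datetime.strptime(text, date_format).date()
    return text  # free text must match character for character


def verify_migration(source, target, key, source_dates, target_dates):
    """Compare migrated records with their originals.

    Returns a list of findings, each a tuple of
    (record key, field or None, issue, source value, target value).
    An empty list means no alteration in value or meaning was found.
    """
    findings = []
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    for k in sorted(src.keys() - tgt.keys()):
        findings.append((k, None, "missing in target", None, None))
    for k in sorted(tgt.keys() - src.keys()):
        findings.append((k, None, "not in source", None, None))
    for k in sorted(src.keys() & tgt.keys()):
        for field, kind in FIELD_TYPES.items():
            s_raw, t_raw = src[k].get(field), tgt[k].get(field)
            try:
                s_val = canonical(kind, s_raw, source_dates)
                t_val = canonical(kind, t_raw, target_dates)
            except (InvalidOperation, ValueError):
                findings.append((k, field, "unparseable", s_raw, t_raw))
                continue
            if s_val != t_val:
                findings.append((k, field, "altered", s_raw, t_raw))
    return findings


if __name__ == "__main__":
    for finding in verify_migration(SOURCE, TARGET, "lot", "%d/%m/%Y", "%Y-%m-%d"):
        print(finding)
```

The list of findings, including an empty one, is the evidence to attach to the validation record for the migration.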
Operational Phase
5. Data
Computerised systems exchanging data electronically with other systems should include appropriate built-in
checks for the correct and secure entry and processing of data, in order to minimize the risks.
Suggested Implementation.
Based on the complexity and reliability of computer systems there must be procedural controls and
technologies to ensure the accuracy and security of computer systems I/Os and electronic records.
The US FDA Compliance Policy Guide (CPG) 425.400 (formerly 7132a.07), “I/O Checking,” establishes
that computers inputs and outputs (I/Os) are to be tested for data accuracy as part of the
computer system qualification and, after the qualification, as part of the computer system’s
on-going performance evaluation procedure. The use of inputs edits [25] is allowed to mitigate the
need for extensive I/O checks.
References.
US FDA 425.400.
21 CFR 211.68.
EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines, Part I - Basic Requirements for
Medicinal Products, Chapter 4 – Documentation.
21 CFR 11.10(a); 11.10(b); 11.10(e);
[22] Center for Drug Evaluation and Research, Center for Biologics Evaluation and Research, and
Center for Devices and Radiological Health Food and Drug Administration, “Guideline on General
Principles of Process Validation,” U.S. FDA, Rockville, MD, May 1987
[25] Edits -- software may be written in such a manner as to reject or alter certain input or
output information, which does not conform to some pre-determined criterion or otherwise fall
within certain pre-established limits. Edits can be a
Suggested Implementation.
The objective of the I/O checks is to develop a method to prevent inaccurate data inputs and
outputs. I/Os should be monitored to ensure the process remains within the established parameters.
When monitoring data on quality characteristics that reveals negative tendencies, the cause should
be investigated, corrective action be taken and revalidation considered.
Edits can also be used to make up information and give the erroneous impression that a process is
under control. These error over-rides must be documented during the design.
For electronic records regulated users should define which data are to be used as raw data. At
least, all data on which quality decisions are based should be defined as raw data. [26]
References.
21 CFR 11.10(f); 11.10(g); 11.10(h).
6. Accuracy Checks
For critical data entered manually, there should be an additional check on the accuracy of the data. This
check may be done by a second operator or by validated electronic means. The criticality and the potential
consequences of erroneous or incorrectly entered data to a system should be covered by risk management.
Suggested Implementation.
For electronic records, regulated users should define which data are to be used as raw data. At
least, all data on which quality decisions are based should be defined as raw data.
Where applicable, there should be special procedures for critical data entry requiring a second
check, for example the data entry and check for a manufacturing formula or the keying in of
laboratory data and results from paper records.
A second authorized person with logged name and identification, with time and date, may verify
data entry via the keyboard.
The inclusion and use of an audit trail to capture the diversity of changes possibly impacting the
data may facilitate this check.
For computer systems featuring direct data capture linked to other databases and intelligent
peripherals, the verification by a second individual may not be necessary when automated equipment
is used as described under Section 211.68. As an example, firms may omit the second person
component in weight check operations if scales are connected to a computer system performing
checks on component quality control release status and proper identification of containers. The
computer system must be validated, registering the raw materials identification, lot number and
expiry date and integrated with the recorded accurate weight data.
References.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines, Part I - Basic Requirements for
Medicinal Products, Chapter 4 – Documentation.
PIC/S PI 011-3.
21 CFR 211.68(c).
11-1.
7. Data Storage
7.1 Data should be secured by both physical and electronic means against damage. Stored data should be
checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention
period.
useful way of minimizing errors and/or to reject erroneous entries. Edits can also be used to falsify information and
give the erroneous impression that a process is under control.
[26] Definition of raw data applicable to Annex 11.
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of back-up data and the
ability to restore the data should be checked during validation and monitored periodically.
Suggested Implementation.
Computer systems electronic records must be controlled including records retention, backup, and
security.
Computer systems must have adequate controls to prevent unauthorized access or changes to
e-records, inadvertent erasures, or loss.
The validated back-up procedure including storage facilities and media should assure integrity and
availability of e-records and audit trail records. The frequency of back up is dependent on the
computer system functions and the risk assessment of a loss of e-records.
Procedure for regular testing, including a test plan, for back-up and disaster recovery procedures
should be in place.
A log of back up testing including date of testing and results should be kept. A record of
rectification of any errors should be kept.
The physical security of the system should also be adequate to minimize the possibility of
unauthorized access, willful or accidental damage by personnel or loss of e-records.
Regular training in all security/backup relevant procedures to the personnel providing security
and performing backups is key and critical.
Before hardware and/or software is exchanged, a change control mechanism should be used to check
that the e-records concerned can also be printed in the new configuration.
Should an inevitable change in the hardware and/or software mean that the stored e-records cannot
be printed in the new configuration, then one of the following procedures should be applied:
- the e-records in the format concerned should be converted into a format that can be printed in
  the new configuration
- the components of the old hardware and/or software configuration required for printing should be
  retained. In this case it should be guaranteed that a suitable alternative system is available
  in case the retained system fails.
- the e-record is transferred to another medium.
The electronically stored e-records should be checked regularly for availability and integrity.
Appropriate controls for electronic documents such as templates, forms, and master documents
should be implemented. Appropriate controls should be in place to ensure the integrity of the
record throughout the retention period.
References.
Article 9 Section 2, Commission Directives 2003/94/EC.
PIC/S PI 011-3.
EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines, Part I - Basic Requirements for
Medicinal Products, Chapter 4 – Documentation.
21 CFR 211.68.
21 CFR Part 11.10(c); 11.10(d); 11.10(e); 11.10(g); 11.10(h); 11.30.
Specific records retention requirements are found in applicable predicate rule. For example 21 CFR
211.180(c), (d), 108.25(g), and 108.35(h).
8. Printouts
8.1 It should be possible to obtain clear printed copies of electronically stored e-records.
8.2 For records supporting batch release it should be possible to generate printouts
indicating if any of the e-record has been changed since the original entry.
Suggested Implementation.
Regulated user companies have a choice as to whether to use electronic records instead of paper
based records or e-signatures exercised to the applicable to e-records.
Paper printouts can be used instead of e-record, if all the requirements of the applicable
predicate rules and persons rely on the paper records to perform their regulated activities.
In the case of electronic filing, details of the format in which the e-records were stored should
also be filed along with the e-records themselves. In order to generate reliable printouts, an
operational print program should be available for every format in the electronic filing system.
References.
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a
Community framework for electronic signatures.
PIC/S PI 011-3.
FDA, Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and
Application, August 2003.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
9. Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a record
of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of
GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a
generally intelligible form and regularly reviewed.
Suggested Implementation.
Audit trails are control mechanisms generated by the computer systems that allow all data entered
and further processed by the system to be traced back to the original e-record.
If the e-record needs to be changed, a second person should approve these changes along with the
reasons.
The audit trail records should be reviewed regularly.
Audit trails can be part of the record which has been modified or a stand-alone record linked to
the modified record.
The date and time of the audit trail must be synchronized to a trusted date and time service.
One of the key controls for audit trails is the linking of the electronic record with the audit
trail. It must not be possible to modify audit trails. The access rights for audit trail
information must be limited to print and/or read only. The combination of authentication, digital
certificates, encryption, and ACLs provides the technical mechanisms needed to control the access
to audit trail files.
References.
1978 US CGMP rev. Comment paragraph 186.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
PIC/S PI 011-3.
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
21 CFR 11.10(e); 11.10(k)(2)
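The audit trail controls listed above (a documented reason, approval by a second person, a trusted timestamp, linkage to the record, and no modification of existing entries) are sketched below as an added example that is not part of the original article. The hash chain used to detect altered entries is this example's own choice of mechanism, the injectable clock stands in for a trusted date and time service, and the record identifiers and values are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value used by the first entry


def entry_digest(entry):
    """SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail of GMP-relevant changes, linked to records by id."""

    def __init__(self, clock=None):
        # Assumption: in production the clock is a trusted time service.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = []

    def record_change(self, record_id, field, old, new, user, reason, approver):
        """Append one change; new=None records a deletion."""
        if not reason or not reason.strip():
            raise ValueError("a reason is required for every change or deletion")
        if not approver or approver == user:
            raise ValueError("a second person must approve the change")
        entry = {
            "seq": len(self._entries) + 1,
            "record_id": record_id,  # link between the trail and the e-record
            "field": field,
            "old": old,
            "new": new,
            "user": user,
            "approver": approver,
            "reason": reason.strip(),
            "timestamp": self._clock().isoformat(),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = entry_digest(entry)
        self._entries.append(entry)
        return dict(entry)

    def entries(self):
        """Read-only view: callers receive copies, never the stored entries."""
        return [dict(e) for e in self._entries]


def verify(entries):
    """Return the sequence numbers of entries that fail the chain check."""
    bad, prev = [], GENESIS
    for e in entries:
        if e["prev_hash"] != prev or entry_digest(e) != e["hash"]:
            bad.append(e["seq"])
        prev = e["hash"]
    return bad


def render(entries):
    """Convert entries to a generally intelligible form for periodic review."""
    lines = []
    for e in entries:
        if e["new"] is None:
            action = f"deleted (was {e['old']!r})"
        else:
            action = f"changed {e['old']!r} -> {e['new']!r}"
        lines.append(
            f"{e['timestamp']} {e['record_id']}.{e['field']} {action} "
            f"by {e['user']}, approved by {e['approver']}: {e['reason']}"
        )
    return lines


if __name__ == "__main__":
    trail = AuditTrail()
    trail.record_change("BATCH-0042", "assay_pct", "98.2", "99.1",
                        "analyst1", "transcription error", "qa_lead")
    print("\n".join(render(trail.entries())))
    print("entries failing verification:", verify(trail.entries()))
```

Chaining detects modification after the fact; it does not replace the read-only access rights described above.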
Suggested Implementation.
There must be a system to control changes to the computer hardware and software, including
documentation.
The formal change control procedure should outline the necessary information and records for the
following areas:
- Records of details of proposed change(s) with reasoning.
- System status and controls impact prior to implementing change(s).
- Review and change authorization methods (also see 12.5).
- Records of change reviews and sentencing (approval or rejection).
- Method of indicating ‘change’ status of documentation.
References.
21 CFR 211.68.
21 CFR 820.30(i).
21 CFR 820.70(i).
21 CFR 11.10(d); 11.10(e)
PIC/S PI 011-3.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
Pressman, Roger S., Software Engineering – A Practitioner’s Approach, McGraw Hill.
Suggested Implementation.
There must be a written program detailing the maintenance of the computer system, including an
on-going performance evaluation and periodic reviews.
The objective of periodically monitoring the performance of the system is to determine if changes
to the system, infrastructure, etc., indicate process drifts and the need for change.
References.
21 CFR 211.68
21 CFR 11.10(k)
12. Security
12.1 Physical and/or logical controls should be in place to restrict access to computerised system to authorised
persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass
cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage
areas.
12.2 The extent of security controls depends on the criticality of the computerised system.
12.3 Creation, change, and cancellation of access authorisations should be recorded.
12.4 Management systems for data and for documents should be designed to record the identity of operators
entering, changing, confirming or deleting data including date and time.
Suggested Implementation.
Computer systems must have adequate controls to prevent unauthorized access or changes to e-records,
inadvertent erasures, or loss.
Procedures should be available for the following:
- Access rights for all operators are clearly defined and controlled, including physical and logical access.
- Basic rules exist and are documented to ensure security related to personal passwords or pass cards and
  related system/e-records security requirements are not reduced or negated.
- Correct authority and responsibilities are assigned to the correct organizational level.
- Procedures are in place to ensure that identification code and password issuance are periodically
  checked, recalled or revised.
- Loss management procedures exist to electronically invalidate lost, stolen or potentially compromised
  passwords. The system should be capable of enforcing regular changes of passwords.
- It may be necessary to regard proposed changes to infrastructure as a special case and define a set of
  stakeholders.
- Procedures identify prohibited passwords.
- An audit log of breaches of password security should be kept and measures should be in place to address
  breaches of password security.
- The system should enforce revoking of access after a specified number of unsuccessful logon attempts.
- Measures are needed to ensure the validated recovery of original information and e-records following
  back up, media transfer, transcription, archiving, or system failure.
- Attempted breaches of security safeguards should be recorded and investigated.
- Some equipment, such as standalone computer systems and dedicated operator equipment interfaces and
  instruments, may lack logical (password etc.) capabilities. These should be listed, justified and
  subjected to procedural controls.
References.
21 CFR 211.68
21 CFR 11.10(d); 11.10(e); 11.10(g).
PIC/S PI 011-3.
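The logical controls listed above (recorded creation and cancellation of access, prohibited passwords, revocation after repeated failed logons, a log of attempted breaches) can be sketched as follows. This is an added example, not code from Annex 11 or from the author; the class name, the threshold of three attempts and the sample password list are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILED_LOGONS = 3                                        # assumed policy value
PROHIBITED_PASSWORDS = {"password", "12345678", "changeme"}  # constructed sample list


def _digest(password, salt):
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessRegister:
    """Hypothetical access register with an append-only audit log."""

    def __init__(self):
        self.accounts = {}    # user_id -> {"salt", "hash", "failed", "active"}
        self.audit_log = []   # each entry: when, who, action, subject, detail

    def _record(self, who, action, subject, detail=""):
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(),
                               "who": who, "action": action,
                               "subject": subject, "detail": detail})

    def grant(self, admin, user_id, password):
        if password.lower() in PROHIBITED_PASSWORDS:
            self._record(admin, "GRANT_REJECTED", user_id, "prohibited password")
            return False
        salt = os.urandom(16)
        self.accounts[user_id] = {"salt": salt, "hash": _digest(password, salt),
                                  "failed": 0, "active": True}
        self._record(admin, "ACCESS_CREATED", user_id)
        return True

    def cancel(self, who, user_id, reason):
        self.accounts[user_id]["active"] = False
        self._record(who, "ACCESS_CANCELLED", user_id, reason)

    def logon(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None or not acct["active"]:
            self._record(user_id, "LOGON_DENIED", user_id, "no active authorisation")
            return False
        if hmac.compare_digest(_digest(password, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            self._record(user_id, "LOGON_OK", user_id)
            return True
        acct["failed"] += 1
        self._record(user_id, "LOGON_FAILED", user_id, f"attempt {acct['failed']}")
        if acct["failed"] >= MAX_FAILED_LOGONS:   # revoke access after the limit
            self.cancel("system", user_id, "too many unsuccessful logon attempts")
        return False
```

A revoked account stays locked even when the correct password is presented afterwards; re-enabling it is a new, recorded authorisation.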
13. Incident Management
All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a
critical incident should be identified and should form the basis of corrective and preventive actions.
Suggested Implementation.
Incidents related to computer systems that could affect the quality of the product, the reliability of
records, or test results should be recorded and investigated.
References.
21 CFR 820.100
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
Regulated user companies have a choice as to whether to use electronic records instead of paper based
records or e-signatures exercised to the applicable to e-records.
If electronic signatures are used on documents, they should be authenticated and secure.
When regulated users elect to use electronic records for GxP[27] applications[28] then it will be necessary
for the companies to identify the particular regulations being applied and whether they are to be
considered legally binding and equivalent to their paper-based counterparts.
Regulations applicable to particular GxP disciplines may impose specific rules e.g. when electronic records
and electronic signatures are used as a primary source of data, records and/or evidence.
References.
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community
framework for electronic signatures.
Q7A GMP for API.
21 CFR 11.50; .70, .100, .200.
27 GxP – the underlying international life science requirements such as those set forth in the US FD&C Act, US PHS
Act, FDA regulations, EU Directives, Japanese MHLW regulations, Australia TGA, or other applicable national
legislation or regulations under which a company operates. GAMP Good Practice Guide, IT Infrastructure Control and
Compliance, ISPE 2005.
28 GxP applications – Software entities which have a specific user defined business purpose that must meet the
requirements of a GxP regulation. GAMP Good Practice Guide, IT Infrastructure Control and Compliance, ISPE 2005.
Explanation.
Computer systems must have adequate controls to prevent unauthorized access or changes to data, inadvertent
erasures, or loss.
Where approval of batches for distribution is to be automated, the computer system should be able to
recognize that only specified persons are authorized to release batches. The required authorization for
batch release should be granted with one of the following procedures:
- a combination of a physical key (e.g. chipcard, "real" key) and a software key (personal code or another
  method to guarantee unique identification)
- an identification step using a software key which must be entered every time a batch is released, in
  addition to the standard access restrictions
All methods used for identification purposes must be defined, especially regulations for stand-ins.
Following batch release, only the persons granting release and a second named person should be able to make
changes to the stored data. In case of modification to the approved batch record, there should be a record
of any data change made, the previous entry, who made the change, and when the change was made.
References.
EU-GMP Guideline.
11-9; 11-14
EC Directive 2001/83
21 CFR 11.70; Sub Part C
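The batch release rules above (physical key plus software key, changes after release limited to the releaser and a second named person, every change recorded with the previous entry, who and when) can be modelled as below. This is an added example, not taken from the cited guidelines; the class, field names, user ids and the injected `verify_code` callable standing in for the site's authentication service are assumptions.

```python
from datetime import datetime, timezone


class BatchRecord:
    """Constructed model of a batch record with release and change control."""

    def __init__(self, batch_id, data, releasers, verify_code):
        self.batch_id = batch_id
        self.data = dict(data)
        self.releasers = releasers      # user_id -> serial of the issued physical key
        self.verify_code = verify_code  # callable(user_id, code) -> bool (assumed auth service)
        self.released_by = None
        self.second_person = None
        self.changes = []               # append-only change record

    def _log(self, who, action, field=None, previous=None, new=None, reason=""):
        entry = {"when": datetime.now(timezone.utc).isoformat(), "who": who,
                 "action": action, "field": field, "previous": previous,
                 "new": new, "reason": reason}
        self.changes.append(entry)
        return entry

    def release(self, user_id, token_serial, code, second_person):
        """Both the physical key and the personal code are required on every release."""
        if self.released_by is not None:
            raise PermissionError("batch already released")
        if user_id not in self.releasers or self.releasers[user_id] != token_serial:
            raise PermissionError("not an authorised releaser or wrong physical key")
        if not self.verify_code(user_id, code):
            raise PermissionError("personal code rejected")
        self.released_by, self.second_person = user_id, second_person
        return self._log(user_id, "RELEASE")

    def amend(self, user_id, field, new_value, reason):
        """After release only the releaser and the second named person may change data.

        Editing rights before release are outside the scope of this sketch.
        """
        if self.released_by and user_id not in (self.released_by, self.second_person):
            raise PermissionError(f"{user_id} may not change a released batch record")
        previous = self.data.get(field)   # keep the previous entry for the record
        self.data[field] = new_value
        return self._log(user_id, "CHANGE", field, previous, new_value, reason)
```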
The Business Continuity Plan enables a system emergency to be responded to and includes: application and
data criticality analysis; Data back-up plan; Disaster Recovery Plan; plan for the emergency operating
mode; testing and revision procedures.
The effectiveness of this plan should be tested periodically, including the recovery procedures.
References.
PIC/S PI 011-3.
17. Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant
changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the
data should be ensured and tested.
Explanation.
The archived records need to be trustworthy and reliable as well as accessible, no matter where they are
stored. The party having primary responsibility for record retention under the predicate regulations would
be the party we would hold responsible for adequacy of archiving.
References.
DOD 5015.2-STD, Design Criteria Standard for E-records Management Software Applications.
21 CFR 11.10(c)
Additional References.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data. http://www.veetle.com/index.php/channel/view#4d1b88b3276fc
Commission Directive 91/412/EEC of 23 July 1991 laying down the principles and guidelines
of good manufacturing practice for veterinary medicinal products.
EU Data protection page - http://ec.europa.eu/justice/policies/privacy/index_en.htm
EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good
Manufacturing Practice Medicinal Products for Human and Veterinary Use, Annex 11:
Computerised Systems, http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf.
Conclusion.
Annex 11 was revised in response to the increased use of computer systems and the increased
complexity of these systems. It defines EU requirements for computer systems, and applies to all
forms of computer systems used as part of GMP regulated activities.
Compared to the older version, Annex 11 has more detail. Compared with other similar regulatory
guideline documents, Annex 11 is a concise but at the same time practical and precise specification
that can be used to ensure, if properly implemented, that the computer system will be developed and
maintained under a quality assurance system. Annex 11 can be used in a different regulated
environment, such as the US, as a regulatory guideline to look at the regulatory requirements applicable
to computer systems supporting GxP applications.
The high points of Annex 11 are Risk Management, Requirements Management, E-records
Management, and Validation.
Consistent with current industry practices, Risk Management (risk assessment, risk mitigation,
and evaluation and assessment) applicable to computer systems performing regulated operations
takes center stage in Annex 11. It impacts all sections in this Annex.
To ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or
altered records, electronic records management is also emphasized in the EU regulatory
specification.
The validation process takes center stage as a path to authenticate the quality of the computer
system during the SLC.
The implementation of the principles, guidance, reporting and life cycle documentation best
practices outlined in this manuscript will enable regulated users of computer systems in the EU to
establish quality assurance systems and records capable of demonstrating compliance with current
GxP requirements and related guidance.