
Synopsis.

This manuscript examines the new final version of Annex 11 and provides my recommendations for implementing it. There are many other ways to implement the same requirements. To give the reader additional information, it relates Annex 11 to other regulations and guidelines that overlap the issue under discussion. The purpose of this article is not to find gaps between Annex 11 and the referenced regulations. Some descriptions are based on the listed guidelines, with judicious editing where necessary to fit the context of this manuscript.

Biography.

Orlando has held several technical and management eCompliance positions in different pharmaceutical and medical device companies. He has thorough knowledge of erecs integrity regulations and guidelines (21 CFR Part 11, Annex 11, MHRA, WHO, PIC/S, CFDA, USFDA, EU OMLC) and experience evaluating, designing/redesigning business rules, processes, definitions, and quality expectations to ensure erecs integrity in a scalable and efficient manner. He has spoken on the topic of erecs integrity at several industry conferences and published in the ISPE's Pharma Engineering, Pharma Technology and GXP Journal magazines. He recently published a book about erecs integrity best practices and is a member of the IVT DI Working Group. His special interest is the GMP compliance issues applicable to computer systems.

Orlando is the author of 25+ publications, including the Encyclopedia of Pharmaceutical Science
and Technology, 4th Edition (CSV) and 8 computer compliance related books -
amazon.com/author/orlandolopez/

He can be contacted by e-mail at olopez6102@gmail.com.

Acknowledgement.

I would like to express my gratitude to Ludwig Huber, Siegfried Schmitt, David Stokes and Sion
Wyn who provided recommendations to improve this article.

Disclaimers.

The information contained in this article is provided in good faith and reflects the personal views of
the author. These views do not necessarily reflect the perspective of the publisher of this article. No
liability can be accepted in any way. The information provided does not constitute legal advice.

Dedication.

This article is dedicated to my grandson Mikhail López…the Jr.

Select quotations.

Page  Quotation

1     The revised Annex 11 adopts a risk based approach, and is mostly aligned with current industry good practice.
3     It is interesting to note the difference between the GAMP and the EU regulations on an issue as simple as the meaning of a computer system.
4     It is the author’s opinion that Paragraph 4.5 of this annex should be an element of the main principles.
8     Section 11-4.4 establishes the expectation of the EU regulator regarding how to manage requirements.
9     At least, all data on which quality decisions are based should be defined as raw data.
11    Regulated user companies have a choice as to whether to use electronic records instead of paper based records or e-signatures exercised to the applicable to e-records
16    The highpoints of Annex 11 are the Risk Management, Requirements Management, E-records Management, and Validation.

Annex 11 – Changes to Computer Systems Guidelines in the EU

Introduction.

As in the Food and Drug Administration (FDA) in the United States (US), the European Union
(EU) sets requirements applicable to the Good Manufacturing Practices (GMP) for medicinal
products for human use, investigational medicinal products for human use, and veterinary medicinal
products.

These requirements are established in the Commission Directives 91/356/EEC, as amended by Directive 2003/94/EC.

In 1991, the Commission of the European Communities adopted 2 directives laying down principles
and guidelines for good manufacturing practice for medicinal products.

Eudralex Volume 4, Annex 11 (Annex 11[1], http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf), which refers specifically to computer systems[2], provides guidance for the interpretation of the GMP for all EU members. Annex 11 is found in Volume 4 of “The rules governing medicinal products in the European Union.” Volume 4 covers the interpretation of the principles and guidelines of GMP regulated activities.

The origins of Annex 11 date from 1991[3]. The Pharmaceutical Inspection Co-operation (PIC) created a document defining their requirements for computer systems. This document was given the name Annex 5 to the PIC GMP. In 1992, Annex 5 was incorporated as Annex 11 to the EU GMP. It later became a part of the GLP and GCP requirements in Europe.

After 1992, computer systems and applications[4] increased in complexity to such an extent that, although the main principles of Annex 11 are still valid, the scope and content of the present annex are considered no longer suitable to meet the needs of either the pharmaceutical industry or inspectors.

The new version of Annex 11 was released by the European Commission (EC) in January 2011
along with a revision of Chapter 4 of its GMPs on documentation. It comes into effect in June
2011.

The EU also updated its GMP expectations for documentation, in Chapter 4 of its GMPs.

The Annex 11 and Chapter 4 revisions are part of the EU effort to modernize its GMPs in
accordance with ICH Q8-10 concepts, to reflect the actualities of electronic record keeping, and
current quality management expectations.

1 Annex 11 to Volume 4 of the Rules Governing Medicinal Products in the European Community, Computerized Systems.
2 Computer System - a system including the input of data, electronic processing and the output of information to be used either for reporting or automatic control. Eudralex Volume IV, Glossary.
3 Segalstad, S. H., “Pharmaceutical Computer Systems Validation: A Practical Approach for Validating LIMS and Other Manufacturing Systems,” European Pharmaceutical Review, November 1997.
4 Application - Software installed on a defined platform/hardware providing specific functionality. Annex 11.

The worldwide importance of Annex 11 is noticeable. For example, Australia’s Therapeutic Goods Administration (TGA) adopted in January 2009 the PIC/S GMP Guide for Medicines as a Manufacturing Principle and the majority of the EU Annexes, including Annex 11.

The revised Annex 11 adopts a risk based approach, and is mostly aligned with current industry
computer systems good practices.

Another example of the worldwide relevance of Annex 11 is the PIC/S organization. PIC/S is the abbreviation used to describe both the Pharmaceutical Inspection Convention (PIC) and the Pharmaceutical Inspection Co-operation Scheme (PIC Scheme). PIC/S provides an active and constructive co-operation in the field of Good Manufacturing Practice. The purpose of PIC/S is to facilitate the networking between participating authorities and the maintenance of mutual confidence, the exchange of information and experience in the field of GMP and related areas, and the mutual training of GMP inspectors. PIC/S PI 011-3[5] is the guideline used by the GMP inspectors to audit computer systems. PIC/S PI 011-3 is based on Annex 11. At this moment PIC/S has not yet rewritten PIC/S PI-011 to reflect the new requirements in Annex 11.

The major changes in Annex 11 include:

• Formalization of risk management in both computer validation and change control.
• Requirements traceability throughout a life cycle moves from a regulatory expectation to a regulatory requirement for the first time.
• New requirements for the need to keep and manage all electronic records.
• Validation phase has been extensively expanded to include the complete life cycle.

This manuscript examines the released final version of Annex 11 and provides my recommendations to implement Annex 11. There are many other ways to implement the same requirements. To give the reader additional information, relevant regulations and guidelines are referenced. The purpose of this article is not to find gaps between Annex 11 and the referenced regulations. Some descriptions are based on the listed guidelines, with judicious editing where necessary to fit the context of this manuscript.

The recommendations to implement Annex 11, as described in this article, are purely from the
standpoint and opinion of the author, and should serve as a suggestion only. They are not intended
to serve as the regulators’ official implementation process.

Two (2) additional analyses can be found at http://www.ispe.org/analysisrevisioneuannex11 and at http://www.gmp-compliance.com/daten/download/Annex11_Chapter4_Jan2011.pdf. The first one, “Analysis: Revision of EU Annex 11 and Chapter 4”, was written by Sion Wyn. The second one, “The New GMP Annex 11 and Chapter 4 is Europe’s Answer to Part 11”, was written by R.D. McDowall.

EU GMP Applicability on Computers.

Before getting into the Annex 11 it is necessary to review the reference points outside of the Annex
11 that provide the EU framework to regulate computer systems.

5 Pharmaceutical Inspection Co-operation Scheme. Good Practices for Computerised Systems in Regulated “GxP” Environments, Pharmaceutical Inspection Convention, PI 011-3, 2007.

The EU authority to regulate the use of computers in the manufacturing of medicinal products for human use, investigational medicinal products for human use, and veterinary medicinal products is derived from Article 6 of EC Directive 2003/94.

Computer systems performing regulated operations in the manufacturing of medicinal products for human use, investigational medicinal products for human use, and veterinary medicinal products are regarded as equipment. Every time the expression “equipment” is used in the EU GMP, it is also applicable to computer systems.

By connecting the hardware and equipment, the EU GMP principles applicable to computer systems are:

Premises and equipment.


1. Premises and manufacturing equipment shall be located, designed, constructed, adapted and maintained to suit the
intended operations.
2. Premises and manufacturing equipment shall be laid out, designed and operated in such a way as to minimize the
risk of error and to permit effective cleaning and maintenance in order to avoid contamination, cross contamination
and, in general, any adverse effect on the quality of the product.
3. Premises and equipment to be used for manufacturing operations, which are critical to the quality of the products,
shall be subjected to appropriate qualification and validation.

Suggested Implementation.

Computer hardware must[8] be properly specified to meet the requirements for its intended use and the amount of data it must handle. The environmental controls, electrical requirements, electromagnetic "noise" control, and other requirements should[9] be considered when determining a location for the computer hardware. The location of the hardware must allow access for maintenance, as required. There must be a program detailing the maintenance of the computer system (i.e. hardware maintenance manual). The maintenance of the computer, including periodic scheduled maintenance and breakdown maintenance, must be documented. There must be a system to control changes to the hardware. Changes must only be made by authorized individuals following an appropriate review and approval of the change.

A set of design documentation, including as-built drawings, should be maintained for computers, infrastructure[10], and instrumentation. There must be documented verification of the inputs and outputs (I/Os) for accuracy, and the computer infrastructure must be qualified[11]. In addition to the verification of I/Os during the qualification of computer hardware, I/Os must be verified periodically, covering the data/control/monitoring interface(s) between the system and equipment, to ensure correct I/O transmissions.

References.

11-5.
21 CFR 58.61 and .63.
21 CFR 111.27(a)(1)(v) and .30.
21 CFR 211.63 and .68.
21 CFR 820.70(g).
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.

8 Statements using “must”, “required”, or “shall” mean that the definition is an absolute requirement of the specification.
9 Statements using “should” are intended to give guidance and provide acceptable methods for complying, but other methods may be used if it can be demonstrated that they are equivalent.
10 Infrastructure - the hardware and software such as networking software and operation systems, which makes it possible for the application to function. Annex 11.
11 Qualification - action of proving that any equipment works correctly and actually leads to the expected results. Eudralex Volume IV, Glossary.

Main principles of the Annex 11
The structure of the released Annex 11 document has a Principle and 17 clauses. The following are
the 3 principles.
This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A
computerised system is a set of software and hardware components which together fulfill certain functionalities.
Suggested Implementation.

Computer systems can be used to perform operations covered by the GMP regulation.

Even though computer systems can be used to perform operations covered by the GMP regulation, there is no requirement to maintain electronic copies of records in preference to other media such as microfiche or paper.

References.

21 CFR 211.68.
21 CFR 820.70(i).
EU Directive 2003/94/EC.
21 CFR 11.2(b).

Note of the author: It is interesting to note the difference between the Good Automated
Manufacturing Practices (GAMP)[12] and the EU regulations on the meaning of a computer system.
For the GAMP, a computer system includes people, all software (applications, system level software,
and documentation), hardware, operating procedures, and peripheral equipment being operated by
the computer performing specific, defined roles within a given environment. For the EU, a
computer system is a set of software and hardware components which together fulfill certain
functionalities.
The application should be validated; IT infrastructure should be qualified.
Suggested Implementation.

Computer systems require a written validation[14] process. The depth and scope of validation depends on the diversity, complexity, and criticality of the computerized application.

Validation is associated with processes and qualification is associated with equipment.

Refer to 11-4.

References.

Eudralex Volume IV, Glossary.
PIC/S PI 011-3[15].
21 CFR 211.68.
21 CFR 820.70(i).
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
21 CFR 11.10(a).

Where a computerised system replaces a manual operation, there should be no resultant decrease in product
quality, process control or quality assurance. There should be no increase in the overall risk of the process.
Suggested Implementation.

Prior to converting a process from manual to automated control or the introduction of a new automated operation, it is important that project staff consider any quality assurance and safety issues as part of an impact assessment of risks.

The use of a computer system does not reduce the requirements that would be expected for a manual system of data control and security.

Risk reduction measures may need to be incorporated into the systems design and operation. Additional risks to the quality of the related products/materials should not be introduced as a result of reducing the manual involvement in the process.

As part of the process risk assessment, the manual process should be addressed and, if applicable, improvement should be introduced. The automation must make the process easier and shorten the process execution time.

References.

PIC/S PI 011-3.
11-1.

12 GAMP Guide for Validation of Automated Systems in Pharmaceutical Manufacture, Version V5.0, Good Automated Manufacturing Practice (GAMP) Forum, International Society for Pharmaceutical Engineering, Tampa FL, 2008.
14 Validation - action of proving, in accordance with the principles of Good Manufacturing Practice, that any procedure, process, equipment, material, activity or system actually leads to the expected results. Eudralex Volume IV, Glossary.
15 Pharmaceutical Inspection Co-operation Scheme. Good Practices for Computerised Systems in Regulated “GxP” Environments, Pharmaceutical Inspection Convention, PI 011-3, 2007.

After the above 3 main principles, Annex 11 continues on with 17 recommendations for computer
operations.
General
1. Risk Management
Risk management should be applied throughout the lifecycle of the computerised system taking into account
patient safety, data integrity and product quality. As part of a risk management system, decisions on the
extent of validation and data integrity controls should be based on a justified and documented risk assessment
of the computerised system.
Suggested Implementation.

This is a new section in the Annex 11. It establishes the expectations for computer systems through the system life cycle. Risk management is addressed as a tool that should be applied throughout the life cycle of the computer system, taking into account factors such as patient safety, data integrity and product quality. The following is one of many techniques to implement a Risk Management process.

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.

Risk Assessment.

Risk assessment is the method to assess and characterize the critical parameters in the functionality of an equipment or process[17].

A detailed Risk Assessment should be performed, building on the initial Risk Assessment performed at the concept phase. The Risk Assessment process assesses risks associated with processes and functions defined in the Requirements Specification and Functional Specification deliverables. The activities are:

• Identify processes/functions/transactions (as appropriate)
• Assess risk by analyzing:
  - Risk scenarios
  - Effects for each event
  - Likelihood of events
  - Severity of impact
  - Likelihood of detection
• Plan for reduction or elimination of those risks, based on the analysis.

After performing that assessment, determine the degree of validation necessary based on the identified risks, and then develop the test plan and test cases accordingly.

Risk Mitigation.

Strategies for mitigation of the identified risks may[18] include modifying the process or system design, modification of project approach or structure, or modifying the validation and testing approach.

Risk Evaluation.

• Assess processes, systems, and/or function, considering:
  - Possible hazards.
  - How potential harm arising from these hazards may be controlled or mitigated.
• For some processes, systems, and/or functions a detailed assessment should be performed.

To get the most benefit from Risk Management, the system life cycle (SLC) management and risk management activities should be integrated. Based on the intended use and the safety risk associated with the software to be developed, the software developer should determine the specific approach, the combination of techniques to be used, and the level of effort to be applied.

EU Annex 20 provides an approach to Quality Risk Management pertinent to computer systems and computer controlled equipment. According to Annex 20, risk management should be applied to:

• select the design of computer hardware and software (e.g., modular, structured, fault tolerance)
• determine the extent of validation, e.g.,
  - identification of critical performance parameters
  - selection of the requirements and design
  - code review
  - the extent of testing and test methods
  - reliability of electronic records and signatures

References.

ICH Harmonized Tripartite Guideline, Quality Risk Management, Q9.
NIST, Risk Management Guide for Information Technology Systems, Special Publication 800-30.
GHTF, Implementation of risk management principles and activities within a Quality Management System.
GAMP Forum, Risk Assessment for Use of Automated Systems Supporting Manufacturing Process -- Risk to Record, Pharmaceutical Engineering, Nov/Dec 2002.
GAMP/ISPE, Risk Assessment for Use of Automated Systems Supporting Manufacturing Process -- Functional Risk, Pharmaceutical Engineering, May/Jun 2003.
Pressman, Roger S., Software Engineering – A Practitioner’s Approach, McGraw Hill.
EU Annex 20, Quality Risk Management, February 2008.

17 EU Annex 15 – Validation and Qualification, July 2001.

2. Personnel
There should be close cooperation between all relevant personnel such as Process Owner, System Owner,
Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined
responsibilities to carry out their assigned duties.
Suggested Implementation.

There should be an adequate number of personnel qualified by appropriate education, training, and/or experience to operate and supervise the computer related work.

The responsibilities of all personnel engaged with computer systems must be specified in writing.

Training should be regularly conducted by qualified individuals and should cover, at a minimum, the particular operations that the employee performs and GMP as it relates to the employee's functions. Records of training should be maintained. Training should be periodically assessed.

Management must identify and provide the appropriate software development environment and resources.

References.

21 CFR 110(c).
21 CFR 211 Sub Part B.
21 CFR 606.160(b)(5)(v).
21 CFR 820.20(b)(1) and (2).
21 CFR 11.10(i).

18 MAY - This word, or the adjective "OPTIONAL", means that an item is truly optional.

3. Suppliers and Service Providers


3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure,
integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related
service or for data processing, formal agreements must exist between the manufacturer and any third
parties, and these agreements should include clear statements of the responsibilities of the third party. IT-
departments should be considered analogous.
3.2 The competence and reliability of a supplier are key factors when selecting a product or service
provider. The need for an audit should be based on a risk assessment.
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users[19]
to check that user requirements are fulfilled.
3.4 Quality system and audit information relating to suppliers or developers of software and implemented
systems should be made available to inspectors on request.
Suggested Implementation.

Consultants advising on computer systems development/operations should have sufficient education, training, and experience, or any combination thereof, to advise on the subject for which they are retained.

Records should be maintained stating the name, address, qualifications, and type of service provided by these consultants.

References.

21 CFR 211 Sub Part B.
21 CFR 211.34.
21 CFR 820.20(b)(1) and (2).
21 CFR 110(c).
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.

Project Phase

4. Validation
4.1 The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers
should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their
risk assessment.
4.2 Validation documentation should include change control records (if applicable) and reports on any
deviations observed during the validation process.
4.3 An up to date listing of all relevant systems and their GMP functionality (inventory) should be available.
For critical systems an up to date system description detailing the physical and logical arrangements, data
flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security
measures should be available.

19 The regulated Good Practice entity that is responsible for the operation of a computerized system and the applications, files and data held thereon. PIC/S PI 011-3.

4.4 User Requirements Specifications should describe the required functions of the computerised system and be
based on documented risk assessment and GMP impact. User requirements should be traceable throughout
the life-cycle.
4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in
accordance with an appropriate quality management system. The supplier should be assessed appropriately.
4.6 For the validation of bespoke or customised computerised systems there should be a process in place that
ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of
the system.
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system
(process) parameter limits, data limits and error handling should be considered. Automated testing tools and
test environments should have documented assessments for their adequacy.
4.8 If data are transferred to another data format or system, validation should include checks that data are
not altered in value and/or meaning during this migration process.
Suggested Implementation.

Computer systems validation is the formal assessment and reporting of quality and performance measures for all the life-cycle stages of software and system development, its implementation, qualification and acceptance, operation, modification, re-qualification, maintenance and retirement, such that the user has a high level of confidence in the integrity of both the processes executed within the controlling computer system(s) and in those processes controlled by and/or linked to the computer system(s), within the prescribed operating environment(s)[20].

SOPs for validation activities must be developed.

Appropriate installation and operational qualifications should demonstrate the suitability of computer hardware and software to perform assigned tasks.

Critical and/or complex validation projects should define the documentation requirements in a Validation Plan or must follow the applicable system lifecycle documentation procedural control.

Configuration management should be followed during the development of the computer system.

Commercially available software that has been qualified does not require the same level of testing.

E-records migration must be verified. There must be an additional check on the accuracy of the entry.

Section 4.4 is one of the most important sections regarding management of a project. It also establishes the expectation of the EU regulator regarding how to manage requirements. Section 4.4 establishes[21] the tracing of operational and non-operational computer systems functions required by the users, applicable regulation(s), company standards, product, process, and safety. These operational and non-operational functions must be accomplished by a risk management process and be traceable during the SLC.

A key concept in the validation process is to establish the intended use and proper performance of the computer system. It is essential to establish, at the beginning of a computer system’s life cycle, the intended use of the computer system. The intended use is one of the factors to take into account when determining the granular level of the application validation.

The phrase “proper performance” relates to the general principle of validation[22]. Planned and expected performance is based upon predetermined design specifications and, consequently, “intended use”.

All computer systems used to automate any regulated function must be validated for their intended use. This requirement applies to any software used to automate design, testing, component acceptance for medical devices, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system.

In addition, computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements. Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Software for the above applications may be developed in-house or under contract. However, software is frequently purchased off-the-shelf for a particular intended use. All production and/or quality system software, even if purchased off-the-shelf, should have documented requirements that fully define its intended use, and information against which testing results and other evidence can be compared, to show that the software is validated for its intended use.

References.

Article 9 Section 2, Commission Directives 2003/94/EC.
Medicines and Healthcare products Regulatory Agency (MHRA) (UK).
IEEE.
PIC/S PI 011-3.
21 CFR 211.68.
21 CFR 211.100(a), (b).
21 CFR 606.160(b)(5)(ii).
21 CFR 820.30(g).
21 CFR 820.70(i).
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
11-1.
21 CFR 11.10(a).

20 PIC/S PI 011-3
21 Establish means define, document (in writing or electronically), and implement.
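
Clause 4.8 and the recommendation that e-records migration must be verified can be exercised with a record-by-record comparison of source and target. The following is an added example, not part of the original article; the record layout, field names, the permitted g-to-mg conversion and the sample data are assumptions constructed for illustration.

```python
"""Post-migration check that e-records kept their value and meaning (clause 4.8).
Record layout, field names, conversion rule and sample data are constructed."""
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Unit conversions the (hypothetical) migration specification permits.
ALLOWED_CONVERSIONS = {("g", "mg"): Decimal("1000")}

# Constructed legacy export: every field is text, dates are DD/MM/YYYY.
LEGACY = [
    {"sample_id": "S-001", "assay": "99.50", "unit": "%", "tested": "03/04/2010"},
    {"sample_id": "S-002", "assay": "0.250", "unit": "g", "tested": "12/01/2010"},
    {"sample_id": "S-003", "assay": "12.345678", "unit": "mg", "tested": "01/02/2010"},
    {"sample_id": "S-004", "assay": "0.250", "unit": "g", "tested": "25/12/2009"},
    {"sample_id": "S-005", "assay": "101.2", "unit": "%", "tested": "07/08/2010"},
    {"sample_id": "S-006", "assay": "98.7", "unit": "%", "tested": "15/09/2010"},
]

# Constructed extract from the target system after migration: ISO dates.
MIGRATED = [
    {"sample_id": "S-001", "assay": "99.5", "unit": "%", "tested": "2010-04-03"},
    {"sample_id": "S-002", "assay": "250", "unit": "mg", "tested": "2010-01-12"},
    {"sample_id": "S-003", "assay": "12.3457", "unit": "mg", "tested": "2010-02-01"},
    {"sample_id": "S-004", "assay": "0.250", "unit": "mg", "tested": "2009-12-25"},
    {"sample_id": "S-005", "assay": "101.2", "unit": "%", "tested": "2010-07-08"},
    {"sample_id": "S-900", "assay": "50.0", "unit": "%", "tested": "2010-10-01"},
]


def canonical(rec, date_format):
    """Parse one record into comparable types; raises if a field is unparseable."""
    return {
        "assay": Decimal(rec["assay"]),
        "unit": rec["unit"].strip(),
        "tested": datetime.strptime(rec["tested"], date_format).date(),
    }


def compare_record(src, tgt):
    """Return the findings for one source/target pair (empty list = unaltered)."""
    findings = []
    expected = src["assay"]
    if src["unit"] != tgt["unit"]:
        factor = ALLOWED_CONVERSIONS.get((src["unit"], tgt["unit"]))
        if factor is None:
            findings.append(f"unit changed {src['unit']} -> {tgt['unit']} (not permitted)")
            expected = None
        else:
            # A relabelled unit only keeps its meaning if the value was scaled too.
            expected = src["assay"] * factor
    if expected is not None and expected != tgt["assay"]:
        findings.append(
            f"value altered: expected {expected} {tgt['unit']}, found {tgt['assay']} {tgt['unit']}"
        )
    if src["tested"] != tgt["tested"]:
        findings.append(f"date altered: {src['tested']} became {tgt['tested']}")
    return findings


def verify_migration(legacy, migrated):
    """Return {sample_id: [findings]} for each record that is missing, extra or altered."""
    source = {r["sample_id"]: r for r in legacy}
    target = {r["sample_id"]: r for r in migrated}
    report = {}
    for sid in sorted(source.keys() | target.keys()):
        if sid not in target:
            report[sid] = ["missing from target system"]
        elif sid not in source:
            report[sid] = ["present in target but not in source"]
        else:
            try:
                findings = compare_record(
                    canonical(source[sid], "%d/%m/%Y"),
                    canonical(target[sid], "%Y-%m-%d"),
                )
            except (InvalidOperation, ValueError, KeyError) as exc:
                findings = [f"record could not be parsed: {exc!r}"]
            if findings:
                report[sid] = findings
    return report


if __name__ == "__main__":
    for sid, findings in verify_migration(LEGACY, MIGRATED).items():
        print(sid, "; ".join(findings))
```

S-004 is the case a plain field-by-field equality test would pass: the number is unchanged, but the unit label moved from g to mg without scaling, so the meaning changed.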

Note of the author: It is the author’s opinion that Paragraph 4.5 of this annex should be an element
of the main principles. Specifically Paragraph 4.5 refers to the need to ensure that the software has
been produced under a quality system which incorporates a system development life cycle model.

Operational Phase
5. Data
Computerised systems exchanging data electronically with other systems should include appropriate built-in
checks for the correct and secure entry and processing of data, in order to minimize the risks.
Suggested Implementation.

Based on the complexity and reliability of computer systems there must be procedural controls and technologies to ensure the accuracy and security of computer systems I/Os and electronic records.

The US FDA Compliance Policy Guide (CPG) 425.400 (formerly 7132a.07), “I/O Checking,” establishes that computer inputs and outputs (I/Os) are to be tested for data accuracy as part of the computer system qualification and, after the qualification, as part of the computer system’s on-going performance evaluation procedure. The use of input edits[25] is allowed to mitigate the need for extensive I/O checks.

The objective of the I/O checks is to develop a method to prevent inaccurate data inputs and outputs. I/Os should be monitored to ensure the process remains within the established parameters. When monitoring of data on quality characteristics reveals negative tendencies, the cause should be investigated, corrective action taken and revalidation considered.

Edits can also be used to make up information and give the erroneous impression that a process is under control. These error over-rides must be documented during the design.

For electronic records, regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data.[26]

References.

US FDA 425.400.
21 CFR 211.68.
EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines, Part I - Basic Requirements for Medicinal Products, Chapter 4 – Documentation.
21 CFR 11.10(a); 11.10(b); 11.10(e); 11.10(f); 11.10(g); 11.10(h).

22 Center for Drug Evaluation and Research, Center for Biologics Evaluation and Research, and Center for Devices and Radiological Health Food and Drug Administration, “Guideline on General Principles of Process Validation,” U.S. FDA, Rockville, MD, May 1987.
25 Edits -- software may be written in such a manner as to reject or alter certain input or output information, which does not conform to some pre-determined criterion or otherwise fall within certain pre-established limits. Edits can be a

6. Accuracy Checks
For critical data entered manually, there should be an additional check on the accuracy of the data. This
check may be done by a second operator or by validated electronic means. The criticality and the potential
consequences of erroneous or incorrectly entered data to a system should be covered by risk management.

Suggested Implementation. References

For electronic records, regulated users should define which data are to be The APV Guideline “Computerized
used as raw data. At least, all data on which quality decisions are based Systems” based on Annex 11 of the
should be defined as raw data. EU-GMP Guideline.
Where applicable, there should be special procedures for critical data entry EudraLex - Volume 4 Good
requiring a second check, for example the data entry and check for a manufacturing practice (GMP)
manufacturing formula or the keying in of laboratory data and results from Guidelines, Part I - Basic
paper records. Requirements for Medicinal Products,
Chapter 4 – Documentation.
A second authorized person with logged name and identification, with time
PIC/S PI 011-3.
and date, may verify data entry via the keyboard.
21 CFR 211.68(c).
The inclusion and use of an audit trail to capture the diversity of changes
11-1.
possibly impacting the data may facilitate this check.
For computer systems featuring direct data capture linked to other
databases and intelligent peripherals, the verification by a second individual
may not be necessary when automated equipment is used as described
under Section 211.68. As an example, firms may omit the second person
component in weight check operations if scales are connected to a
computer system performing checks on component quality control release
status and proper identification of containers. The computer system must
be validated, registering the raw materials identification, lot number and
expiry date and integrated with the recorded accurate weight data.

7. Data Storage
7.1 Data should be secured by both physical and electronic means against damage. Stored data should be
checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention
period.

useful way of minimizing errors and/or to reject erroneous entries. Edits can also be used to falsify information and
give the erroneous impression that a process is under control.
26 Definition of raw data applicable to Annex 11.

10
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of back-up data and the
ability to restore the data should be checked during validation and monitored periodically.
Suggested Implementation.

Computer system electronic records must be controlled, including records retention, backup, and
security.

Computer systems must have adequate controls to prevent unauthorized access or changes to
e-records, inadvertent erasures, or loss.

The validated back-up procedure, including storage facilities and media, should assure integrity and
availability of e-records and audit trail records. The frequency of back-up is dependent on the
computer system functions and the risk assessment of a loss of e-records.

A procedure for regular testing, including a test plan, for back-up and disaster recovery procedures
should be in place.

A log of back-up testing including date of testing and results should be kept. A record of
rectification of any errors should be kept.

The physical security of the system should also be adequate to minimize the possibility of
unauthorized access, willful or accidental damage by personnel or loss of e-records.

Regular training in all security/backup relevant procedures to the personnel providing security and
performing backups is key and critical.

Before hardware and/or software is exchanged, a change control mechanism should be used to check
that the e-records concerned can also be printed in the new configuration.

Should an inevitable change in the hardware and/or software mean that the stored e-records cannot
be printed in the new configuration, then one of the following procedures should be applied:
• the e-records in the format concerned should be converted into a format that can be printed in
the new configuration
• the components of the old hardware and/or software configuration required for printing should be
retained. In this case it should be guaranteed that a suitable alternative system is available in
case the retained system fails.
• the e-record is transferred to another medium.

The electronically stored e-records should be checked regularly for availability and integrity.

Appropriate controls for electronic documents such as templates, forms, and master documents should
be implemented. Appropriate controls should be in place to ensure the integrity of the record
throughout the retention period.

References.

Article 9 Section 2, Commission Directives 2003/94/EC.
PIC/S PI 011-3.
EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines, Part I - Basic Requirements for
Medicinal Products, Chapter 4 – Documentation.
21 CFR 211.68.
21 CFR Part 11.10(c); 11.10(d); 11.10(e); 11.10(g); 11.10(h); 11.30.
Specific records retention requirements are found in applicable predicate rule. For example 21 CFR
211.180(c), (d), 108.25(g), and 108.35(h).
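
The restore check and test log described for section 7, as an added example that is not part of the original article: it checks a restored copy for accessibility, readability and accuracy against SHA-256 digests taken at back-up time and returns a dated log entry. The function names, the manifest format and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large records are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _dirs, files in os.walk(root) for f in files)


def build_manifest(root):
    """Digest of every file at back-up time; store it apart from the back-up."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in list_files(root)}


def verify_restore(manifest, restored_root, tested_on=None):
    """Compare a restored copy with the manifest and return a test-log entry."""
    missing, unreadable, altered = [], [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)        # accessibility failure
            continue
        try:
            actual = sha256_file(path)
        except OSError:
            unreadable.append(rel)     # readability failure
            continue
        if actual != expected:
            altered.append(rel)        # accuracy failure
    unexpected = [r for r in list_files(restored_root) if r not in manifest]
    failed = missing or unreadable or altered or unexpected
    return {
        "tested_on": (tested_on or datetime.now(timezone.utc)).isoformat(),
        "files_checked": len(manifest),
        "missing": missing, "unreadable": unreadable,
        "altered": altered, "unexpected": unexpected,
        "result": "FAIL" if failed else "PASS",
    }


def run_restore_test():
    """Constructed demo: restore two sample records, then damage the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = os.path.join(tmp, "src"), os.path.join(tmp, "restored")
        os.makedirs(os.path.join(source, "batch"))
        with open(os.path.join(source, "batch", "B001.csv"), "w") as fh:
            fh.write("lot,weight_kg\nL-1,25.00\n")      # constructed record
        with open(os.path.join(source, "audit.log"), "w") as fh:
            fh.write("constructed audit trail line\n")
        manifest = build_manifest(source)
        shutil.copytree(source, restored)
        clean = verify_restore(manifest, restored)
        with open(os.path.join(restored, "batch", "B001.csv"), "a") as fh:
            fh.write("L-2,99.99\n")                      # silent alteration
        os.remove(os.path.join(restored, "audit.log"))   # lost file
        damaged = verify_restore(manifest, restored)
    return clean, damaged
```

Each returned entry can be appended to the back-up test log; a FAIL entry names the affected files so that the rectification can be recorded against them.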

8. Printouts
8.1 It should be possible to obtain clear printed copies of electronically stored e-records.
8.2 For records supporting batch release it should be possible to generate printouts
indicating if any of the e-record has been changed since the original entry.

Suggested Implementation.

Regulated user companies have a choice as to whether to use electronic records instead of paper
based records or e-signatures exercised to the applicable to e-records.

Paper printouts can be used instead of e-records, if all the requirements of the applicable
predicate rules are met and persons rely on the paper records to perform their regulated activities.

In the case of electronic filing, details of the format in which the e-records were stored should
also be filed along with the e-records themselves. In order to generate reliable printouts, an
operational print program should be available for every format in the electronic filing system.

References.

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a
Community framework for electronic signatures.
PIC/S PI 011-3.
FDA, Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and
Application, August 2003.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.

9. Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a record
of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of
GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a
generally intelligible form and regularly reviewed.
Suggested Implementation.

Audit trails are control mechanisms generated by the computer systems that allow all data entered
and further processed by the system to be traced back to the original e-record.

If the e-record needs to be changed, a second person should approve these changes along with the
reasons.

The audit trail records should be reviewed regularly.

Audit trails can be part of the record which has been modified or a stand-alone record linked to the
modified record.

The date and time of the audit trail must be synchronized to a trusted date and time service.

One of the key controls for audit trails is the linking of the electronic record with the audit
trail. It must not be possible to modify audit trails. The access rights for audit trail information
must be limited to print and/or read only. The combination of authentication, digital certificates,
encryption, and ACLs provides the technical mechanisms needed to control the access to audit trail
files.

References.

1978 US CGMP rev. Comment paragraph 186.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
PIC/S PI 011-3.
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
21 CFR 11.10(e); 11.10(k)(2)
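
One way to link an e-record to its audit trail and make any later modification of the trail detectable, as an added example that is not part of the original article or of any regulation it cites. Hash chaining is a technique chosen here (the article itself names authentication, digital certificates, encryption and ACLs); the class, field names and sample values are constructed, and the host clock is assumed to be synchronized to a trusted time service.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first entry


def _digest(entry):
    """SHA-256 over a canonical JSON form of the entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedRecord:
    """An e-record whose every change appends a hash-chained audit-trail entry."""

    def __init__(self, record_id, fields):
        self.record_id = record_id
        self.fields = dict(fields)
        self.trail = []  # append-only by design; verify() detects violations

    def change(self, field, new_value, user, approver, reason, when=None):
        if not reason or not reason.strip():
            raise ValueError("a reason is required for a GMP-relevant change")
        if approver == user:
            raise PermissionError("approval must come from a second person")
        entry = {
            "record_id": self.record_id,      # links the entry to its record
            "seq": len(self.trail),
            "field": field,
            "old": self.fields.get(field),    # previous entry stays visible
            "new": new_value,
            "user": user,
            "approver": approver,
            "reason": reason,
            # assumption: host clock is synchronized to a trusted time service
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self.trail[-1]["entry_hash"] if self.trail else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.trail.append(entry)
        self.fields[field] = new_value
        return entry

    def verify(self):
        """Return the seq of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.trail):
            if (e["seq"] != i or e["record_id"] != self.record_id
                    or e["prev_hash"] != prev or e["entry_hash"] != _digest(e)):
                return i
            prev = e["entry_hash"]
        return None


def demo():
    """Constructed sample: two approved changes, then an out-of-band edit."""
    rec = AuditedRecord("BATCH-0001", {"assay_pct": 98.2})
    rec.change("assay_pct", 99.1, "analyst1", "qa1", "transcription error")
    rec.change("assay_pct", 99.0, "analyst1", "qa2", "re-integrated peak")
    intact = rec.verify()
    rec.trail[0]["new"] = 101.0   # modification that bypasses change()
    return intact, rec.verify()
```

The chain detects edits only while the latest entry_hash is also held somewhere the system's users cannot write; access controls on the trail itself are still needed to prevent modification.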

10. Change and Configuration Management


Any changes to a computerised system including system configurations should only be made in a controlled
manner in accordance with a defined procedure.
Suggested Implementation.

There must be a system to control changes to the computer hardware and software, including
documentation.

The formal change control procedure should outline the necessary information and records for the
following areas:
• Records of details of proposed change(s) with reasoning.
• System status and controls impact prior to implementing change(s).
• Review and change authorization methods (also see 12.5).
• Records of change reviews and sentencing (approval or rejection).
• Method of indicating ‘change’ status of documentation.
• Method(s) of assessing the full impact of change(s), including regression analysis and regression
testing, as appropriate.
• Interface of change control procedure with configuration management system.

A configuration plan describing the following items should be created:
• Nomenclature for the version numbering of the system components and documentation.
• All system components and documents with the respective version numbers and periods of use.
• The tools and procedures to be used to integrate these system components in the desired versions
for an operational computer system.

References.

21 CFR 211.68.
21 CFR 820.30(i).
21 CFR 820.70(i).
21 CFR 11.10(d); 11.10(e)
PIC/S PI 011-3.
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
Pressman, Roger S., Software Engineering – A Practitioner’s Approach, McGraw Hill.

11. Periodic evaluation


Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are
compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality,
deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status
reports.
Explanation.

There must be a written program detailing the maintenance of the computer system, including an
on-going performance evaluation and periodic reviews.

The objective of periodically monitoring the performance of the system is to determine if changes
to the system, infrastructure, etc., indicate process drifts and the need for change.

References.

21 CFR 211.68
21 CFR 11.10(k)

12. Security
12.1 Physical and/or logical controls should be in place to restrict access to computerised system to authorised
persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass
cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage
areas.
12.2 The extent of security controls depends on the criticality of the computerised system.
12.3 Creation, change, and cancellation of access authorisations should be recorded.

12.4 Management systems for data and for documents should be designed to record the identity of operators
entering, changing, confirming or deleting data including date and time.
Suggested Implementation.

Computer systems must have adequate controls to prevent unauthorized access or changes to
e-records, inadvertent erasures, or loss.

Procedures should be available for the following:
• Access rights for all operators are clearly defined and controlled, including physical and
logical access.
• Basic rules exist and are documented to ensure security related to personal passwords or pass
cards and related system/e-records security requirements are not reduced or negated.
• Correct authority and responsibilities are assigned to the correct organizational level.
• Procedures are in place to ensure that identification code and password issuance are
periodically checked, recalled or revised.
• Loss management procedures exist to electronically invalidate lost, stolen or potentially
compromised passwords. The system should be capable of enforcing regular changes of passwords.
• It may be necessary to regard proposed changes to infrastructure as a special case and define a
set of stakeholders.
• Procedures identify prohibited passwords.
• An audit log of breaches of password security should be kept and measures should be in place to
address breaches of password security.
• The system should enforce revoking of access after a specified number of unsuccessful logon
attempts.
• Measures are needed to ensure the validated recovery of original information and e-records
following back up, media transfer, transcription, archiving, or system failure.
• Attempted breaches of security safeguards should be recorded and investigated.
• Some equipment, such as standalone computer systems and dedicated operator equipment interfaces
and instruments, may lack logical (password etc.) capabilities. These should be listed, justified
and subjected to procedural controls.

References.

21 CFR 211.68
21 CFR 11.10(d); 11.10(e); 11.10(g).
PIC/S PI 011-3.

13. Incident Management
All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a
critical incident should be identified and should form the basis of corrective and preventive actions.
Suggested Implementation.

Incidents related to computer systems that could affect the quality of the product, the reliability
of records, or test results should be recorded and investigated.

References.

21 CFR 820.100
Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.

14. Electronic Signature


Electronic records may be signed electronically. Electronic signatures are expected to:
a. have the same impact as hand-written signatures within the boundaries of the company,
b. be permanently linked to their respective record,
c. include the time and date that they were applied.
Suggested Implementation.

Regulated user companies have a choice as to whether to use electronic records instead of paper
based records or e-signatures exercised to the applicable to e-records.

If electronic signatures are used on documents, they should be authenticated and secure.

When regulated users elect to use electronic records for GxP [27] applications [28] then it will be
necessary for the companies to identify the particular regulations being applied and whether they
are to be considered legally binding and equivalent to their paper-based counterparts. Regulations
applicable to particular GxP disciplines may impose specific rules e.g. when electronic records and
electronic signatures are used as a primary source of data, records and/or evidence.

References.

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a
Community framework for electronic signatures.
Q7A GMP for API.
21 CFR 11.50; .70, .100, .200.

15. Batch release


When a computerised system is used for recording certification and batch release, the system should allow only
Qualified Persons to certify the release of the batches and it should clearly identify and record the person
releasing or certifying the batches. This should be performed using an electronic signature.
Explanation.

EC Directive 2001/83, as amended by Directive 2004/24/EC, requires a Qualified Person to “certify”
in a ‘register’ that batches for release meet the required condition.

Computer systems must have adequate controls to prevent unauthorized access or changes to data,
inadvertent erasures, or loss.

Where approval of batches for distribution is to be automated, the computer system should be able
to recognize that only specified persons are authorized to release batches. The required
authorization for batch release should be granted with one of the following procedures:
• a combination of a physical key (e.g. chipcard, "real" key) and a software key (personal code or
another method to guarantee unique identification)
• an identification step using a software key which must be entered every time a batch is
released, in addition to the standard access restrictions

All methods used for identification purposes must be defined, especially regulations for stand-ins.

Following batch release, only the persons granting release and a second named person should be able
to make changes to the stored data. In case of modification to the approved batch record, there
should be a record of any data change made, the previous entry, who made the change, and when the
change was made.

References.

21 CFR 211.68
The APV Guideline “Computerized Systems” based on Annex 11 of the EU-GMP Guideline.
11-9; 11-14
EC Directive 2001/83
21 CFR 11.70; Sub Part C

[27] GxP – the underlying international life science requirements such as those set forth in the US
FD&C Act, US PHS Act, FDA regulations, EU Directives, Japanese MHLW regulations, Australia TGA, or
other applicable national legislation or regulations under which a company operates. GAMP Good
Practice Guide, IT Infrastructure Control and Compliance, ISPE 2005.
[28] GxP applications – Software entities which have a specific user defined business purpose that
must meet the requirements of a GxP regulation. GAMP Good Practice Guide, IT Infrastructure Control
and Compliance, ISPE 2005.

16. Business Continuity


For the availability of computerised systems supporting critical processes, provisions should be made to ensure
continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative
system). The time required to bring the alternative arrangements into use should be based on risk and
appropriate for a particular system and the business process it supports. These arrangements should be
adequately documented and tested.
Explanation.

The Business Continuity Plan enables a system emergency to be responded to and includes:
application and data criticality analysis; Data back-up plan; Disaster Recovery Plan; plan for the
emergency operating mode; testing and revision procedures.

The effectiveness of this plan should be tested periodically, including the recovery procedures.

References.

PIC/S PI 011-3.

17. Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant
changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the
data should be ensured and tested.
Explanation.

The archived records need to be trustworthy and reliable as well as accessible, no matter where
they are stored. The party having primary responsibility for record retention under the predicate
regulations would be the party we would hold responsible for adequacy of archiving.

References.

DOD 5015.2-STD, Design Criteria Standard for E-records Management Software Applications.
21 CFR 11.10(c)

Additional References.
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data. http://www.veetle.com/index.php/channel/view#4d1b88b3276fc
• Commission Directive 91/412/EEC of 23 July 1991 laying down the principles and guidelines
of good manufacturing practice for veterinary medicinal products.
• EU Data protection page - http://ec.europa.eu/justice/policies/privacy/index_en.htm
• EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good
Manufacturing Practice Medicinal Products for Human and Veterinary Use, Annex 11:
Computerised Systems, http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf.

Conclusion.

Annex 11 was revised in response to the increased use of computer systems and the increased
complexity of these systems. It defines EU requirements for computer systems, and applies to all
forms of computer systems used as part of GMP regulated activities.

Compared to the older version, Annex 11 has more details. Compared with other similar regulatory
guideline documents, Annex 11 is a concise but, at the same time, practical and precise specification
that can be used to ensure, if properly implemented, that the computer system will be developed and
maintained under a quality assurance system. Annex 11 can be used in a different regulated
environment, such as the US, as a regulatory guideline to look at the regulatory requirements
applicable to computer systems supporting GxP applications.

The high points of Annex 11 are Risk Management, Requirements Management, E-records
Management, and Validation.

Consistent with current industry practices, Risk Management (risk assessment, risk mitigation,
and evaluation and assessment) applicable to computer systems performing regulated operations
takes center stage in Annex 11. It impacts all sections in this Annex.

The relevance of Requirements Management to successfully managing a computer system
implementation/maintenance project is stressed by establishing a system lifecycle (SLC)
traceability management process integrated with a risk management process and traceable during the
SLC.

To ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or
altered records, electronic records management is also emphasized in the EU regulatory
specification.

The validation process takes center stage as a path to authenticate the quality of the computer
system during the SLC.

The implementation of the principles, guidance, reporting and life cycle documentation best
practices, outlined in this manuscript, will enable regulated users of computer systems in the EU to
establish quality assurance systems and records capable of demonstrating compliance with current
GxP requirements and related guidance.