Revision of Annex 11
The revision of Annex 11 "Computerised Systems" of the EU GMP guidelines published in April 2008 represents the response of the Inspectors Working Group to the growing use and the varying forms of integration of computerized systems in regulated environments.
The regulatory requirements needed updating so that the authorities could keep pace with the growing complexity and continuing development of computerized systems. The latest draft of Annex 11 takes into account the developments of recent years and draws in particular on PIC/S PI011-1 "Good practices for computerised systems in GxP regulated environments", ISO 17799 "A code of practice for information security management" and ISPE GAMP 5.
With the aim of describing in detail the updated requirements arising from regulatory and technological developments, the revised version of Annex 11 is structured as follows:
- Risk Management
- Personnel
- Validation
- System
- Software
- Data
- User testing and the system’s fitness for purpose
- Security
- Accuracy Checks
- Audit Trails
- Signature
- Change control and configuration management
- Printouts
- Data Storage
- Backup; Migration; Archiving; Retrieval
- Business Continuity
- Incident Management
- Suppliers
- Batch Release
The new version includes all the content from the previous versions of Annex 11, but some areas have been significantly extended and covered in more detail.
The key areas of the revised version of Annex 11 are as follows:
- System-specific risk management relating to product quality and safety and data security and integrity (section 1).
- A more comprehensive version of the "Validation" section as a result of an increase in the specific requirements (section 3).
- A direct reference to keeping an inventory of all computerized systems (sections 3.1 and 4.1); use of the term "controls" (as in an integrated control system).
- A direct reference to customizing software systems and related controls (section 3.2).
- Developing and maintaining a process to ensure the traceability of design documents is now essential (section 3.3). This is part of the specific references to the required documentation.
- A specific reference to testing and the type of tests (section 3.5).
- A clear specification for carrying out periodic reviews (section 3.6).
- Specific requirements for existing functionality and the related validation processes (section 3.7).
- References to managing spreadsheets in a separate paragraph (section 3.8).
The sections after section 5 are new or have a new detailed structure. They consist of a description of a computerized system and place a major emphasis on the subject of security:
- The term "Commercial Off-The-Shelf" (COTS) is used directly to describe standard software products (section 5.2). Section 5.3 is new.
- Technical user accounts with shared passwords are disallowed (section 6.1).
- Access not only to applications and their data, but also to folders and files, must be controlled and documented in an information security management system (ISMS) (section 8.2).
- Suitable methods, depending on the criticality of the data, should be in place to prevent unauthorised access to or modification of data (including time-limited logging, encryption and re-entry of unique identifiers) (section 8.3).
- Human-readable audit trails must be available (section 10.1).
- The "Signatures" section is new and corresponds to 21 CFR Part 11.
- The "Printouts" section is new (section 13).
- Backups of all relevant data must be made (section 15.1). Restoration procedures must demonstrably produce the required results (section 15.3).
- There is a specific consideration of the subject of archiving (section 15.2).
- Business continuity processes must be adequately documented and tested (section 16.1).
- Supplier audits based on a risk assessment are now mandatory (section 18.2).
In summary, all the additions referred to make the use of familiar state-of-the-art methods (such as traceability and periodic reviews) a requirement within Europe.
The revised version recognizes the importance of risk management, which involves identifying, evaluating and tracking risks throughout the entire life cycle of the system. In addition, a risk classification process for systems must be introduced in the form of the required inventory of all computerized systems. The data and system integrity of IT systems is regarded as a risk factor for product quality in relation to IT infrastructure qualification and must be maintained by the use of appropriate change control and configuration management processes.
The subject of validation is covered in more detail and specific references are made to spreadsheets, database systems and the traceability of design documents. The importance of security is highlighted, as demonstrated by the requirement for a comprehensive ISMS. In addition, the frequent use of the term "control" indicates a move towards integrated control systems. The very frequent use of the term "manufacturing authorisation holders" in the context of responsibilities emphasizes who is responsible for ensuring that the regulatory requirements are met.
The revision of Annex 11 describes the requirements for computerized systems more comprehensively and in greater detail, without representing a rigid and inflexible structure. As in the previous version, the revised annex also allows for different interpretations and latitude in the individual implementation strategy. The use of current procedures regarded as being state-of-the-art becomes mandatory under the new regulations. System development methods are considered from a more professional perspective and umbrella functions, such as risk management and inventories, provide support for the more effective validation of computerized systems.
