EU Annex 11 and its comparison with FDA 21 CFR Part 11

Follow this link to read the full article:?https://zamann-pharma.com/2024/05/02/eu-annex-11-essential-guide-to-computerised-system-validation/

What Is EU Annex 11?

EU Annex 11 is essential for pharmaceutical and life science industries, serving as a guideline rather than a legally binding document. Compliance demonstrates a commitment to data integrity and quality control, although it's not mandatory. Regulatory authorities may consider compliance with Annex 11 as indicative of adherence to quality standards. It is part of the EudraLex Volume 4 GMP guidelines, which ensure product quality in manufacturing.?The purpose of EU Annex 11 is to provide clear guidelines for using computerized systems in GMP-regulated activities, ensuring their reliability and security.

According to Annex 11, a computerized system comprises hardware and software components working together to achieve specific tasks. It applies to systems used in production, testing, quality control, and documentation management in GMP-regulated activities.

EU Annex 11 mandates that all computerized systems undergo validation, and IT infrastructure must be qualified to support their functions. Validation confirms that a system fulfills its intended purpose and operates as expected.

Who Should Comply With EU Annex 11?

EU Annex 11 applies to companies operating within the European Union that utilize computerized systems as part of GMP-regulated activities. This includes pharmaceutical companies, contract manufacturing organizations (CMOs), clinical research organizations (CROs) managing clinical trials with computerized systems, and vendors of computerized systems used in manufacturing medicinal products. Compliance with EU Annex 11 is mandatory for these entities.Pharmaceutical companies:?Any company manufacturing medicinal products.

• Contract manufacturing organizations (CMOs):?CMOs that manufacture medicinal products on behalf of pharmaceutical companies.
• Clinical research organizations (CROs):?CROs must comply with EU Annex 11 if they use computerized systems to manage clinical trials.
• Vendors of computerized systems:?Vendors of computerized systems used in manufacturing medicinal products must ensure that their systems meet the requirements of EU Annex 11.

What Are the Different Parts of EU Annex 11?

EU Annex 11 outlines a structured approach and specific guidance for various stages of implementing and operating computerized systems. It comprises three main parts:

• General Requirements: This section offers overarching guidance on utilizing computerized systems in GMP-regulated activities. It encompasses aspects like risk management, personnel considerations, dealing with suppliers and service providers, etc.
• Project Phase: This part focuses on activities and considerations during the implementation and validation of computerized systems. It includes topics such as system validation, user requirements specifications, performance assessment, and other relevant factors critical to the successful deployment of the system.
• Operational Phase: Here, the Annex addresses the ongoing use and maintenance of computerized systems in GMP-regulated processes. It covers requirements pertaining to data storage, printouts, audit trails, change management, security protocols, electronic signatures, and more, ensuring the continued compliance and effectiveness of the system during its operational lifespan.

Requirements of EU Annex 11

EU Annex 11 outlines several requirements for the use of computerized systems in GMP-regulated processes.Here we will discuss a more detailed breakdown of the different requirements of EU Annex 11.

A.?? General Requirements

• ?Risk Management

When you implement new software, your team will create a risk assessment of the computerised system. The risk assessment should account for patient safety, data integrity, and product quality. Risk management should be applied throughout the computerized system’s lifecycle,

Ask your software vendor if they can help you create a risk assessment and update your Standard Operating Procedures. Although responsibility for risk management ultimately lies with sites and sponsors, many vendors ?are happy to help with the process.

Decisions regarding validation and data integrity controls should be based on a well-documented risk assessment.

• Personnel

There should be close cooperation between all relevant personnel such as Process Owner,System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned tasks.

• Suppliers and Service Providers

Formal agreements between the manufacturer and third parties must be in place When third parties (e.g. suppliers, service providers) are used to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerized system or related service or for data processing, these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.

This point help us to understand the importance of supplier competence, reliability, and documentation review in selecting products or services. A risk assessment should determine the need for audits. Users of commercial off-the-shelf products should ensure user requirements are met through documentation review. Quality system and audit information should be accessible to inspectors upon request for software and implemented systems.

B.??? Project phase

Validation : EU Annex 11 emphasizes the need for manufacturers to validate their systems throughout their lifecycle, ensuring that they meet their intended use and consistently producing results that meet predetermined criteria. Computerized system validation includes the following requirements:

• Manufacturers should justify their standards, protocols, acceptance criteria, procedures, and records based on risk assessment, covering relevant steps of the life cycle
• Validation documentation should include change control records and reports on deviations observed during the process
• An up-to-date listing of relevant systems and their GMP functionality should be available, with detailed descriptions for critical systems
• User Requirements Specifications should be based on documented risk assessment and GMP impact, traceable throughout the life cycle
• The regulated user should ensure that the system is developed in accordance with an appropriate quality management system, and the supplier should be assessed appropriately
• For bespoke or customized systems, there should be a process for formal assessment and reporting of quality and performance measures throughout the life cycle
• Appropriate test methods and scenarios, including system parameter limits, data limits, and error handling, should be demonstrated, with documented assessments for testing tools and environments
• Validation should include checks to ensure data integrity during data transfer or migration to another format or system.

C.??? Operational phase: These principles aim to ensure the reliability, security, and compliance of computerized systems handling data in regulated environments.

• Data Integrity and Security: Emphasis is placed on built-in checks to ensure correct and secure entry and processing of electronically exchanged data to reduce risks.
• Accuracy Checks: Critical manually entered data should undergo additional verification to ensure accuracy, considering the potential consequences of inaccuracies.
• Data Storage: Measures should be taken to protect stored data against physical and electronic damage, and regular checks for accessibility, readability, and accuracy are necessary.
• Printouts: Systems should allow for clear printed copies of electronically stored data, indicating any changes made since the original entry.
• Audit Trails: Systems should generate audit trails recording GMP-relevant changes and deletions, with documentation of reasons for such actions.
• Change and Configuration Management: Changes to computerized systems must follow defined procedures to ensure proper management and documentation.
• Periodic Evaluation: Regular evaluations of computerized systems are necessary to maintain validity and compliance with regulations.
• Security: Access controls should restrict system access to authorized personnel only, with various methods like passwords and biometrics employed based on system criticality.
• Incident Management: All incidents, including system failures and data errors, need to be reported, assessed, and investigated, with appropriate corrective and preventive actions taken.
• Electronic Signature: Electronic signatures should be equivalent to handwritten signatures, with clear linkage to respective records and time/date information.
• Batch Release: Access for certifying and releasing batches should be limited to Qualified Persons, with electronic signatures used to record responsible individuals.
• Business Continuity: Procedures should ensure the continuity of critical processes during system breakdown, with documented and tested alternative arrangements.
• Archiving: Data archiving procedures should ensure accessibility, readability, and integrity, with provisions for retrieval after system changes and periodic testing of retrieval capabilities.

What Are the Key Differences Between 21 CFR Part 11 and Annex 11?

21 CFR Part 11 and EU Annex 11 have different scopes and requirements. However, they both are important frameworks for ensuring the quality and integrity of data in electronic records. It is essential to understand the differences between the two frameworks to comply with the requirements that apply to your specific needs. Overall, 21 CFR Part 11 is more specific and detailed in its requirements than EU Annex 11.

When comparing these frameworks, several aspects are considered. These encompass the following elements.

However, 21 CFR Part 11 and EU Annex 11 share several similarities. For instance, both frameworks require system validation, generation of audit trails, appropriate personnel training, secure data storage, records retrieval, and security measures.

They also emphasize using electronic signatures equivalent to handwritten signatures, linked to records, and accompanied by a time and date stamp.

Conclusion:

The European Union's Annex 11 offers guidelines for computerized systems used in GMP-regulated activities, ensuring they meet specific requirements for their intended use. Compliance with these guidelines enhances the reliability and security of computerized systems, thereby safeguarding product quality and process control.

It's important to note that while EU Annex 11 focuses on GMP-regulated activities for medicinal products in the EU, 21 CFR Part 11 is a US regulation governing electronic records and signatures in all FDA-regulated activities. Thus, they differ in scope, applicability, and requirements.

============================================

FAQ

Q: When do I need to validate my systems? A: Validation is required when your system (computer system, equipment, process, or method) is used in a GxP process or used to make decisions about the quality of the product. In addition, if the system is used to generate information for submissions to regulatory bodies like the FDA, the system needs to be validated.

Q: How does validation add value to my system? Validation adds value to systems by demonstrating that the system will perform as expected. Validation also removes the risk of regulatory non-compliance.

Q: Do I need to validate my computer system? A: Computer system validation is required for systems used to store electronic records, according to FDA 21 CFR Part 11.10(a) and Annex 11 Paragraph 4.

Q: Where do I find the rules for validating pharmaceutical manufacturing processes and equipment? A: Guidelines for validation for pharmaceutical manufacturing are in FDA 21 CFR 211.

Q: What federal rules are in place regulating Quality Systems? A: Quality System regulation is located in FDA 21 CFR 820.

Q: Am I allowed to change a validated system? A: Changing validated systems requires Change Control to ensure that there are no unexpected or unrecorded changes to the system.

Q: Can you tell me if my systems need to be validated? A: Yes. Zamann performs compliance assessments, or we can train your staff to do your own gap analysis.

?