Annex 11: Progress in EU Computer Systems Guidelines

May 31, 2011

In 1991, the Pharmaceutical Inspection Co-operation (PIC) created a document defining their requirements for computer systems. This document was given the name Annex 5 in the PIC GMP. In 1992, Annex 5 was incorporated as Annex 11 in the EU GMP, and it later became part of the GLP and GCP requirements in Europe (1). Since 1992, computer systems and applications have increased in complexity to such an extent that, although the main principles of Annex 11 are still valid, the scope and content of the present annex are considered no longer suitable to meet the needs of either the pharmaceutical industry or inspectors (2).

Eudralex Volume 4, Annex 11, which refers specifically to computer systems, provides guidance for the interpretation of the principles of GMP for all EU members (3, 4). Annex 11 is found in Volume 4 of “The rules governing medicinal products in the European Union.” Volume 4 covers the interpretation of the principles and guidelines of GMP regulated activities.

In January 2011, a new version of Annex 11 was released by the European Commission along with a revision of Chapter 4 of its GMP on documentation to reflect the actualities of electronic record keeping, all of which come into full effect in June 2011. The revised Annex 11 adopts a risk-based approach, and is mostly aligned with current industry computer system good practices. The structure of the released Annex 11 document has a main principle and 17 clauses.

Major changes in Annex 11 are:
  • Formalization of risk management in both computer validation and change control.
  • Traceability throughout a life cycle moves from a regulatory expectation to a regulatory requirement for the first time.
  • New requirements for the need to keep and manage all electronic records.
  • Extensive expansion of the life cycle validation phase.

This paper examines the Annex 11 main directive, principle and four main clauses: risk management, requirements management, e-records management, and validation. It provides recommendations to implement these paragraphs. Some descriptions are based on listed guidelines with judicious editing where necessary to fit the context of this paper.

Main Directive and Principles

Similar to the US FDA Compliance Policy Guide (CPG) 7132a.11, computer systems performing regulated operations in the manufacturing of medicinal products for human use are regarded as equipment (5). Every time the expression “equipment” is used in the GMP, it is also a requirement for the associated computer systems (6).

Premises and equipment

Computer hardware must be properly specified to meet the requirements for its intended use, and the amount of data it must handle (7). The environmental controls, electrical requirements, electromagnetic "noise" control, and others should be considered when determining a location for computer hardware. The location of the hardware must allow access for maintenance, as required. There must be a program detailing the maintenance of the computer system (i.e., hardware maintenance manual). The maintenance of the computer, including periodic scheduled maintenance and breakdown maintenance, must be documented. There must be a system to control changes to the hardware. Changes must only be made by authorized individuals following an appropriate review and approval of the change.

Design documentation, including as-built drawings, should be maintained for computers, infrastructure and instrumentation (8, 9). There must be documented verification of the inputs and outputs (I/Os) for accuracy, and the computer infrastructure must be qualified (10). In addition to the verification of I/O checks during the qualification of computer hardware, I/O checks must be verified periodically, covering the data, control and monitoring interfaces between the system and equipment.

Annex 11 is ruled by three main principles. The first principle is:

“This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components, which together fulfill certain functionalities.”

It is interesting to note how this differs from the Good Automated Manufacturing Practices (GAMP) definition of a computer system, which includes people, all software (applications, system level software and documentation), hardware, operating procedures, and peripheral equipment being operated by the computer performing specific, defined roles within a given environment (11).

The second principle in Annex 11 is:

“The application should be validated; IT infrastructure should be qualified.”

Computer systems require a written validation process; the depth and scope of this validation depend on the complexity and criticality of the computer application (12, 13, 15). The principle states that validation is associated with processes and that qualification is associated with equipment. The scope of validation is further discussed in Annex 11-4.