In January 2011, the European Medicines Agency (EMA) announced the new revision of EudraLex Volume 4 (GMP) — Annex 11 “Computerised Systems” (1), and the consequential amendment of EudraLex Volume 4 — Chapter 4 “Documentation” (2). These revisions will come into operation on June 30, 2011.
The revisions are a response to the increasing use of electronic documents within the GMP environment. Chapter 4 defines two types of electronic documents: documentation given as “instructions” and “records/reports”. In addition, it states that many documents may exist in so-called hybrid forms (i.e., some elements electronic and others as paper). The definition of raw data was also changed because of the increasing use and types of electronic forms. Today’s IT–GMP world consists of various system types and applications, such as enterprise resource planning (ERP), manufacturing execution systems (MES), process control systems (PCS), laboratory information management systems (LIMS) and document management systems (DMS), along with many types of equipment, applications and electronic tools. The management of electronic documents, such as standard operating procedures (SOPs), electronic batch records, change control, training, complaint processes, certificates of analysis, and “simple” spreadsheet files used for laboratory calculations, necessitated this regulatory update of Annex 11 and a current guidance and interpretation for the industry.
Today’s computerized systems utilise a complex set of solutions and technologies potentially based on cloud computing, server virtualization, thin clients, data matrix technology, Web 2.0, wireless applications, interfaces between different local or global systems and much more. Such complexity presents a challenge for validation and compliance management, but also for defining the right level of regulatory requirements.The new Annex 11 requirements are based in the reality of today’s GMP systems, organisational structures, IT infrastructure and applications. The new regulation is an updated baseline for inspectors and enables innovation and a pragmatic compliance management for the industry in parallel. At the start of Annex 11, the principles section statement states “The application should be validated; IT infrastructure should be qualified.” This significant addition to the revised Annex 11 is a new clause on IT management in general. This perception is very much in line with the ISPE GAMP 5 Guide and related Good Practice Guides, including scalable and risk-based validation approaches and strategies (3–6).
Detailed requirements and expectations covering system suppliers, developers and service providers have been included that also contain identical aspects for internal and external suppliers. For example, the role of the IT department is explicitly stated in section 2: personnel and corresponding quality agreements should be in place.
The new Annex 11 adopts a risk-based approach in several areas and is generally aligned with current industry standards and practices (ICH Q9, ISPE GAMP 5, ITIL, CMMI). Applicable technical and contractual documentation or validation documents of selective criteria and justified decisions based on appropriate risk assessments are required during several steps of a system life cycle.
The following sections contain a detailed analysis and interpretation of Annex 11 that includes the original text in italics followed by our interpretations, remarks and deliverables.
- This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components, which together fulfill certain functionalities.
GMP regulated activities need to be defined. For example, based on Chapter 4 “Documentation”. Deliverable: impact analysis of instructions and records as per “Good Documentation Practice” mapped to related systems and applications.
- The application should be validated; IT infrastructure should be qualified.
Refer to ISPE GAMP software categories, especially Category 1: IT infrastructure (Good Practice Guide).
Deliverable: IT infrastructure qualification plan.
- Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
Quality risk management (process based) – comparing manual and electronic process operation.
Deliverable: process map and risk management procedure.