In 1991, the Pharmaceutical Inspection Co-operation (PIC) created a document defining their requirements for computer systems.
This document was given the name Annex 5 in the PIC GMP. In 1992, Annex 5 was incorporated as Annex 11 in the EU GMP, and
has later become part of the GLP and GCP requirements in Europe (1). Since 1992, computer systems and applications have increased
in complexity to such an extent that, although the main principles of the Annex 11 are still valid, the scope and content
of the present annex are considered no longer suitable to meet the needs of either the pharmaceutical industry or inspectors
Eudralex Volume 4, Annex 11, which refers specifically to computer systems, provides guidance for the interpretation of the
principles of GMP for all EU members (3, 4). Annex 11 is found in Volume 4 of “The rules governing medicinal products in the
European Union.” Volume 4 covers the interpretation of the principles and guidelines of GMP regulated activities.
In January 2011, a new version of Annex 11 was released by the European Commission along with a revision of Chapter 4 of its
GMP on documentation to reflect the actualities of electronic record keeping, all of which come into full effect in June 2011.
The revised Annex 11 adopts a risk-based approach, and is mostly aligned with current industry computer system good practices.
The structure of the released Annex 11 document has a main principle and 17 clauses.
Major changes in Annex 11 are:
- Formalization of risk management in both computer validation and change control.
- Traceability throughout a life cycle moves from a regulatory expectation to a regulatory requirement for the first time.
- New requirements for the need to keep and manage all electronic records.
- Extensive expansion of the life cycle validation phase.
This paper examines the Annex 11 main directive, principle and four main clauses: risk management, requirements management,
e-records management, and validation. It provides recommendations to implement these paragraphs. Some descriptions are based
on listed guidelines with judicious editing where necessary to fit the context of this paper.
Main Directive and Principles
Similar to the US FDA Compliance Policy Guide (CPG) 7132a.11, computer systems performing regulated operations in the manufacturing
of medicinal products for human use are regarded as equipment (5). Every time the expression “equipment” is used in the GMP,
it is also a requirement for the associated computer systems (6).
Premises and equipment
Computer hardware must be properly specified to meet the requirements for its intended use, and the amount of data it must
handle (7). The environmental controls, electrical requirements, electromagnetic "noise" control, and others should be considered
when determining a location for computer hardware. The location of the hardware must allow access for maintenance, as required.
There must be a program detailing the maintenance of the computer system (i.e., hardware maintenance manual). The maintenance
of the computer, including periodic scheduled maintenance and breakdown maintenance, must be documented. There must be a system
to control changes to the hardware. Changes must only be made by authorized individuals following an appropriate review and
approval of the change.
Design documentation, including as-built drawings, should be maintained for computers, infrastructure and instrumentation
(8, 9). There must be documented verification of the inputs and outputs (I/Os) for accuracy and the computer infrastructure
must be qualified (10). In addition to the verification of I/Os checks during the qualification of computer hardware, I/Os
checks must be verified periodically covering the data/control/monitoring interfaces between the system and equipment.
Annex 11 is ruled by three main principles. The first principle is:
“This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system
is a set of software and hardware components, which together fulfill certain functionalities.”
It is interesting to note how this differs to the Good Automated Manufacturing Practices (GAMP) definition of a computer system,
which includes people, all software (applications, system level software and documentation), hardware, operating procedures,
and peripheral equipment being operated by the computer performing specific, defined roles within a given environment (11).
The second principle in Annex 11 is:
“The application should be validated; IT infrastructure should be qualified.”
Computer systems require a written validation process; the depth and scope of this validation depends on the complexity and
criticality of the computer application (12, 13, 15). The principle is stating that validation is associated with processes
and that qualification is associated with equipment. The scope of validation is further discussed in Annex 11- 4.