In January 2011, the European Medicines Agency (EMA) announced the new revision of EudraLex Volume 4 (GMP) — Annex 11 “Computerised
Systems” (1), and the consequential amendment of EudraLex Volume 4 — Chapter 4 “Documentation” (2). These revisions will come
into operation on June 30, 2011.
The revisions are a response to the increasing use of electronic documents within the GMP environment. Chapter 4 defines two
types of electronic documents: documentation given as “instructions” and “records/reports”. In addition, it states that many
documents may exist in so-called hybrid forms (i.e., some elements electronic and others as paper). The definition of raw
data was also changed because of the increasing use and types of electronic forms. Today’s IT–GMP world consists of various
system types and applications, such as enterprise resource planning (ERP), manufacturing execution systems (MES), process
control systems (PCS), laboratory information management systems (LIMS) and document management systems (DMS), along with
many types of equipment, applications and electronic tools. The management of electronic documents, such as standard operating
procedures (SOPs), electronic batch records, change control, training, complaint processes, certificates of analysis, and
“simple” spreadsheet files used for laboratory calculations, necessitated this regulatory update of Annex 11 and a current
guidance and interpretation for the industry.
Today’s computerized systems utilise a complex set of solutions and technologies potentially based on cloud computing, server
virtualization, thin clients, data matrix technology, Web 2.0, wireless applications, interfaces between different local or
global systems and much more. Such complexity presents a challenge for validation and compliance management, but also for
defining the right level of regulatory requirements.
The new Annex 11 requirements are based in the reality of today’s GMP systems, organisational structures, IT infrastructure
and applications. The new regulation is an updated baseline for inspectors and enables innovation and a pragmatic compliance
management for the industry in parallel. At the start of Annex 11, the principles section statement states “The application
should be validated; IT infrastructure should be qualified.” This significant addition to the revised Annex 11 is a new clause
on IT management in general. This perception is very much in line with the ISPE GAMP 5 Guide and related Good Practice Guides,
including scalable and risk-based validation approaches and strategies (3–6).
Detailed requirements and expectations covering system suppliers, developers and service providers have been included that
also contain identical aspects for internal and external suppliers. For example, the role of the IT department is explicitly
stated in section 2: personnel and corresponding quality agreements should be in place.
The new Annex 11 adopts a risk-based approach in several areas and is generally aligned with current industry standards and
practices (ICH Q9, ISPE GAMP 5, ITIL, CMMI). Applicable technical and contractual documentation or validation documents of
selective criteria and justified decisions based on appropriate risk assessments are required during several steps of a system
The following sections contain a detailed analysis and interpretation of Annex 11 that includes the original text in italics
followed by our interpretations, remarks and deliverables.
- This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system
is a set of software and hardware components, which together fulfill certain functionalities.
GMP regulated activities need to be defined. For example, based on Chapter 4 “Documentation”.
Deliverable: impact analysis of instructions and records as per “Good Documentation Practice” mapped to related systems and
- The application should be validated; IT infrastructure should be qualified.
Refer to ISPE GAMP software categories, especially Category 1: IT infrastructure (Good Practice Guide).
Deliverable: IT infrastructure qualification plan.
- Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process
control or quality assurance. There should be no increase in the overall risk of the process.
Quality risk management (process based) – comparing manual and electronic process operation.
Deliverable: process map and risk management procedure.