Annex 11: Progress in EU Computer Systems Guidelines - Pharmaceutical Technology

Annex 11: Progress in EU Computer Systems Guidelines

Pharmaceutical Technology Europe
Volume 23, Issue 6

The third principle in Annex 11 is:

“Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”

This third principle relates to the regulator's expectations regarding the implementation of computer systems. Prior to converting a process from manual to automated control, or introducing a new automated operation, it is important that project staff consider any quality assurance and safety issues as part of an impact assessment of the risks associated with the process. Risk reduction measures may need to be incorporated into the system's design and operation. Additional risks to the quality of the related products/materials should not be introduced as a result of reducing the manual involvement in the process. As part of the process risk assessment, the manual process should be addressed and, if applicable, improvements to the process should be introduced. The automation must make the process easier and reduce execution time. The use of a computer system does not reduce any requirements that would be expected for a manual system in terms of data control and security.

Quality System for Computer Systems

Paragraph 4.5 in Annex 11 is a decisive principle and probably the most important:

“4.5. The regulated user should take all reasonable steps to ensure that the system has been developed in accordance with an appropriate quality management system.”

It refers to the need to ensure that computer systems are produced under a quality system that incorporates the applicable system development life cycle model. The common goals in a quality system are understanding and meeting customers’ needs and ensuring that adequate quality standards are maintained. The components of the quality system for computer systems are the controlled process, computer system, operating procedures, and documentation.

Analysis of Main Clauses

In addition to the principles described above, Annex 11 contains a total of 17 clauses. The four main clauses are risk management, requirements management, e-records management, and validation.

Risk Management

“Risk management should be applied throughout the life-cycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.”

Many techniques are used to implement a risk management process, but they generally include risk assessment, risk mitigation, and evaluation and assessment; here I outline one such method.

A detailed risk assessment should be performed, building on the initial risk assessment from the concept phase of the computer system. This risk assessment process weighs risks associated with processes and functions defined in the draft requirements specification (RS) (15). Risks found during the assessment may add requirements that need to be part of the RS. Risk assessment activities to consider are: identification of the processes/functions/transactions (as appropriate); analysis of risk scenarios, effects for each event, likelihood of events, severity of impact, and likelihood of detection; and a plan for the reduction or elimination of those risks. Reduction or elimination of those risks is performed during the system development life cycle (SDLC). Based on the risks identified, planning of the design validation, design verification, and qualification testing should begin. The test plan and test cases should be developed accordingly.

Strategies for mitigation of the identified risks may include modifying the process or system design, modification of the project approach or structure, or modification of the validation and testing approach.

During the risk evaluation, processes, systems, and/or functions should be assessed considering how possible hazards and potential harms arising from these hazards may be controlled or mitigated. For some processes, systems, and/or functions a detailed assessment should be performed.

To gain the most benefit from risk management, system life cycle (SLC) management and risk management activities should be integrated. Based on the intended use and the risk associated with the computer system to be implemented, the computer system developer/integrator should determine the specific approach, the combination of techniques to be used, and the level of effort to be applied.

EU Annex 20 on risk management provides an approach to risk management for computer systems and computer-controlled equipment. According to Annex 20, risk management should be applied to select the design of computer hardware and software (e.g., modular, structured, fault tolerance) and to determine the extent of validation (e.g., identification of critical performance parameters, selection of the requirements and design, code review, the extent of testing and test methods, reliability of electronic records and signatures).

Requirements Management

Requirements management is only one paragraph in Annex 11, yet it is a very critical recommendation, and several processes are required to fulfill it.

“4.4. User Requirements Specifications should describe the required functions of the computerised system and be based on documented risk assessment and GMP impact. User requirements should be traceable throughout the life-cycle.”

This clause establishes the EU regulator's expectation on how to manage, and trace through the SLC, the operational and non-operational computer system functions required by the users, applicable regulations, company standards, product, process, and safety (16). These operational and non-operational functions must be managed based on a risk assessment.

