A crucial process during computer system development is configuration management, which establishes and maintains consistency
of a system or product's performance and functional/physical attributes throughout its lifetime within its requirements, design,
and operational information.
Establishing intended use and proper performance of the computer system is another key concept for validation. At the beginning
of a life cycle it is essential to establish the computer system’s intended use, which is one of the factors to account for
when determining the granular level of application validation. For commercially available software that has been qualified
by the vendor/supplier, this does not require the same level of testing. Proper performance relates to the general principle
of validation (20). Planned and expected performance is based upon predetermined design specifications and, consequently,
All computer systems used to automate any regulated function must be validated for intended use. This also applies to any
software used to automate design, testing, component acceptance for medical devices, manufacturing, labeling, packaging, distribution,
complaint handling, or to automate any other aspect of the quality system.
In addition, computer systems used to create, modify and maintain electronic records, and used to manage electronic signatures
are also subject to the validation requirements. Such computer systems must be validated to ensure accuracy, reliability,
consistent intended performance, and the ability to discern invalid or altered records.
Software for the above applications may be developed in-house or under contract. However, software is frequently purchased
off-the-shelf for a particular intended use. All production and/or quality system software, even if purchased off-the-shelf,
should have documented requirements that fully define its intended use, as well as information against which test results
and other evidence can be compared, to show that the software is validated for its intended use.
Appropriate installation and operational qualifications should demonstrate the suitability of computer hardware and software
to perform assigned tasks.
Other Aspects of Annex 11
In addition to the Annex' increased scope, the revisions also affect the following areas:
- Suppliers and service providers
- Periodic review
- Incident management
- Electronic signatures
- Batch release
- Business Continuity
The above areas are not discussed in this paper.
Annex 11 was revised in response to the increased use and complexity of computer systems. It defines EU requirements and applies
to all forms of computer systems used as part of GMP regulated activities. The new Annex 11 remains concise yet offers more
practical and precise specifications that can be used to ensure that computer systems will be produced under a quality system.
Consistent with current industry practices, risk management (assessment, mitigation and evaluation) applicable to computer
systems performing regulated operations takes center stage in Annex 11 and impacts all sections.
The relevance of requirements management’s role in successfully managing a computer system implementation or maintenance project
is stressed by integrating an SLC traceability management process into the risk management process.
To ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records, electronic
records management is also emphasized in the EU regulatory specification.
The validation process as a route to authenticate the quality of the computer system during the SLC is another key element
of Annex 11.
Notes and references
1. Segalstad, S. H., “Pharmaceutical Computer Systems Validation: A Practical Approach for Validating LIMS and Other Manufacturing
Systems,” European Pharmaceutical Review, November 1997.
2. Application - Software installed on a defined platform/hardware providing specific functionality. Annex 11
3. Annex 11 Volume 4 of the Rules Governing Medicinal Products in the European Community, Computerized Systems.
4. Computer System - a system including the input of data, electronic processing and the output of information to be used
either for reporting or automatic control. Eudralex Volume IV, Glossary
5. Note that a CPG, as described in 21 CFR 10.85, is considered an advisory opinion directed to FDA inspectors. These guide
are the mechanisms the FDA utilizes to spread policy statements within the Agency and to the public.
6. The equivalence of software and records in this CPG has been superseded by the approach taken in the Guidance on Part 11
Scope and Application. The equivalence of equipment and computer systems still stands. In the next revision of 21 CFR Part
11, this CPG may get formally withdrawn. The predicate regulations contained imply requirements for computers.
7. Must, or the terms "required" or "shall", mean that the definition is an absolute requirement of the specification.