Annex 11: Computerized Systems (What You Need to Know)

EU Annex 11 outlines requirements for using computerized systems in the Life Science industries operating within the European Union.

It is a guidance document for interpreting the principles of good manufacturing practice (GMP) for medicinal products.

In this article, we will cover the basics of EU Annex 11, who needs to comply with it, its parts, the requirements, and the differences between 21 CFR Part 11 and Annex 11. We will also discuss how the SimplerQMS eQMS software solution helps ensure compliance with EU Annex 11.

EU Annex 11 was introduced in 2011 as an addition to EudraLex Volume 4 GMP guidelines due to the increased use and complexity of computerized systems employed in GMP-regulated processes.

To help improve compliance with stringent GMP requirements and streamline their quality processes, Life Science companies are progressively adopting electronic Quality Management Systems (eQMS).

SimplerQMS offers EU GMP Annex 11-compliant eQMS software tailored to the needs of Life Science companies. You can schedule a demo to explore how SimplerQMS can benefit your company’s compliance and quality management efforts.

We will discuss the following topics in this article:

• What Is EU Annex 11?
• Who Should Comply With EU Annex 11?
• What Are the Different Parts of EU Annex 11?
• Requirements of EU Annex 11
• What Is the Difference Between 21 CFR Part 11 and Annex 11?
• How Does SimplerQMS Comply With EU Annex 11 Requirements?

What Is EU Annex 11?

EU Annex 11 is a European Union (EU) guideline that outlines the requirements for computerized systems used to manufacture human and veterinary medicinal products.

It is part of the EudraLex Volume 4 GMP guidelines, which set out the requirements that manufacturers of medicinal products can follow to ensure the quality of their products.

The purpose of EU Annex 11 is to establish clear guidelines for using computerized systems in GMP-regulated activities, ensuring the reliability and security of electronic systems.

A computerized system is a combination of hardware and software components working together to accomplish a specific task, according to EU Annex 11.

It applies to all computerized systems used in GMP-regulated activities, including but not limited to:

• Computerized systems used in production, testing, and quality control.
• Computerized systems used to manage documentation and data.

EU Annex 11 requires all computerized systems to be validated and IT infrastructure to be qualified. This means verifying that a computerized system fulfills its intended purpose and operates as expected while ensuring that the IT infrastructure is capable of supporting the system’s intended functions.

The current version of EU Annex 11 was published in 2011. A revision of EU Annex 11 is currently underway and is expected to include updates to reflect the latest technological developments and address new challenges in the area of computerized systems.

Updating the guideline to match current technologies benefits the companies that need to comply with EU Annex 11 since it ensures they use the most up-to-date and secure systems.

Who Should Comply With EU Annex 11?

Companies utilizing computerized systems as part of GMP-regulated activities that operate within the European Union should comply with EU Annex 11.

EU Annex 11 applies to a wide range of companies involved in the pharmaceutical and Life Science industries. Below are some company types that must be compliant since they utilize computerized systems for GMP-regulated activities:

• Pharmaceutical companies: Any company manufacturing medicinal products.
• Contract manufacturing organizations (CMOs): CMOs that manufacture medicinal products on behalf of pharmaceutical companies.
• Clinical research organizations (CROs): CROs must comply with EU Annex 11 if they use computerized systems to manage clinical trials.
• Vendors of computerized systems: Vendors of computerized systems used in manufacturing medicinal products must ensure that their systems meet the requirements of EU Annex 11.

EU Annex 11, while being an important document for the pharmaceutical and Life Science industries, is not a legal requirement. It is a guideline rather than a legally binding regulation.

However, regulatory authorities can consider compliance with EU Annex 11 as a sign of data integrity and quality control. So, compliance with EU Annex 11 is regarded as a best practice within the industries that helps ensure product and process quality, safety, and integrity.

Quality management software can be a valuable tool for helping companies comply with EU Annex 11. By automating and streamlining processes, QMS software helps reduce the risk of errors, maintain data integrity, and ensure regulatory compliance while working more efficiently.

SimplerQMS offers an eQMS solution designed specifically for the Life Sciences industry. Our software is tailored to meet the requirements outlined in different parts of EU Annex 11 and support many other Life Science requirements.

What Are the Different Parts of EU Annex 11?

The different parts of EU Annex 11 provide a structured approach and specific guidance for different stages of computerized system implementation and operation.

EU Annex 11 is divided into three main parts, which are further defined below:

• General Requirements: Provide general guidance on using computerized systems in GMP-regulated activities. It covers risk management, personnel, suppliers, and service providers.
• Project Phase: Focuses on the activities and considerations during implementing and validating computerized systems. It covers topics such as system validation, user requirements specifications, and performance assessment, among others.
• Operational Phase: Addresses the ongoing use and maintenance of computerized systems in GMP-regulated processes. It includes requirements related to data storage, printouts, audit trails, change management, security, electronic signatures, and more.

Requirements of EU Annex 11

EU Annex 11 outlines several requirements for the use of computerized systems in GMP-regulated processes.

Here we will discuss a more detailed breakdown of the different requirements of EU Annex 11.

General Requirements

Risk Management

Risk management should be applied throughout the computerized system’s lifecycle, considering patient safety, data integrity, and product quality. Decisions regarding validation and data integrity controls should be based on a well-documented risk assessment.

Personnel

Close cooperation should exist among relevant personnel, including Process Owner, System Owner, Qualified Persons, and IT. All personnel should possess appropriate qualifications, access authorization, and clearly defined responsibilities to perform their assigned tasks.

Suppliers and Service Providers

Formal agreements between the manufacturer and third parties must be in place when utilizing suppliers for computerized system activities. These agreements should include well-defined responsibilities.

The requirements also apply to IT departments, which should be considered analogous to third parties. Meaning that companies also need to have a clear agreement outlining IT responsibilities.

Project phase

Validation

EU Annex 11 emphasizes the need for manufacturers to validate their systems throughout their lifecycle, ensuring that they meet their intended use and performance.

Computerized system validation includes the following requirements:

• Documentation and reports should cover lifecycle steps, justifying standards, protocols, criteria, procedures, and records based on risk assessment.
• Validation documentation must include change control records and reports on deviations observed.
• An up-to-date inventory of systems and their GMP functionality should be available, with system descriptions for critical systems.
• User requirements specifications should describe system functions throughout the product lifecycle and be based on risk assessment and GMP impact.
• Regulated users must ensure that computerized system development aligns with quality management. Suppliers should be assessed appropriately.
• Validation for customized systems must include formal assessment and reporting of quality and performance measures.
• Evidence of appropriate test methods should be demonstrated considering system parameters, data limits, and error handling.
• Validation needs to ensure data integrity during transfer to another format or system.

Operational phase

Data

Computerized systems should have built-in checks to ensure the correct and secure entry and processing of electronically exchanged data. These checks reduce risks associated with loss of data integrity.

Accuracy Checks

An additional check must be performed for critical manually entered data to verify accuracy. This can be done by a second operator or through validated electronic means. Risk management should consider the criticality and potential consequences of inaccurate data.

Data Storage

Data need to be protected against damage through physical and electronic means. Stored data should be regularly checked for accessibility, readability, and accuracy. Access to data should be maintained throughout the retention period.

Printouts

The system should allow for clear printed copies of electronically stored data. Printouts should indicate if any data has been changed since the original entry for records supporting the batch release.

Audit Trails

Based on a risk assessment, systems should generate an audit trail to record all GMP-relevant changes and deletions. The reason for changing or deleting GMP-relevant data should be documented. Audit trails should be available, easily comprehensible, and regularly reviewed.

Change and Configuration Management

Any changes to a computerized system, including system configurations, must follow a defined procedure and be made in a controlled manner. This ensures that changes are appropriately managed and documented.

Periodic evaluation

Computerized systems should undergo periodic evaluations to remain valid and compliant with EU GMP requirements. These evaluations should cover functionality, deviation records, incidents, problems, upgrades, performance, reliability, security, and validation status.

Security

Controls, whether physical or logical, must restrict access only to authorized personnel. Methods like keys, tokens, identification codes, passwords, and biometrics can prevent unauthorized entry.

The level of security depends on system criticality. Access authorizations should be recorded, and management systems should track users’ actions.

Incident Management

All incidents, including system failures and data errors, need to be reported and assessed. Critical incidents should be investigated to identify root causes and implement corrective and preventive actions (CAPA), if necessary.

Electronic Signature

Electronic signatures should be equivalent to handwritten ones when used to sign electronic records.

Signatures need to be permanently linked to their respective records and include the time and date of signing.

Batch release

A computerized system must limit access for certifying and releasing batches to only Qualified Persons. The system should identify and record the person responsible for the release or certification using an electronic signature.

Business Continuity

Procedures should be in place to ensure the continuity of critical processes during system breakdown. This may involve alternative or manual operation systems.

The time required to switch to alternative arrangements must be based on risk and appropriate for the system and business process. These arrangements should be documented and tested.

Archiving

Data can be archived and needs to be regularly checked for accessibility, readability, and integrity. If any changes are made to the system, such as computer equipment or programs, the ability to retrieve archived data should be ensured and tested.

Archived data must undergo periodic checks to ensure accessibility, readability, and integrity. If any changes are made to the system, such as modifications to computer equipment or programs, the ability to retrieve data must be ensured and tested.

What Is the Difference Between 21 CFR Part 11 and Annex 11?

The difference between 21 CFR Part 11 and EU Annex 11 lies in their regulatory statuses and use in different jurisdictions.

Here are some key differences between EU Annex 11 and FDA 21 CFR Part 11.

• EU Annex 11:
  • It applies to companies operating in the European Union market.
  • Guideline enforced by European Medicines Agency (EMA).
  • Outlines requirements for computerized data systems.
  • Applies to companies performing GMP-regulated activities for the manufacture of medicinal products.
• 21 CFR Part 11:
  • It applies to companies operating in the United States market.
  • Regulation enforced by Food and Drug Administration (FDA).
  • Specifies requirements for electronic records and signatures.
  • Applies to all FDA-regulated industries using electronic records and signatures.

For a more detailed comparison between FDA 21 CFR Part 11 and EU GMP Annex 11, you can refer to our dedicated article.

However, 21 CFR Part 11 and EU Annex 11 share several similarities. For instance, both frameworks require system validation, generation of audit trails, appropriate personnel training, secure data storage, records retrieval, and security measures.

They also emphasize using electronic signatures equivalent to handwritten signatures, linked to records, and accompanied by a time and date stamp.

How Does SimplerQMS Comply With EU Annex 11 Requirements?

SimplerQMS is an eQMS software solution that helps Life Science companies comply with several regulations, including EU Annex 11.

We offer several features that help organizations meet the requirements of EU Annex 11, some of which are described below.

System Validation

SimplerQMS is fully validated according to the risk-based approach of ISPE GAMP5 for computerized systems.

The software remains in a validated state, undergoing revalidation when new versions or standard updates are introduced. This eliminates the need for our clients to invest any additional time and resources in validation activities.

Audit Trails

The system automatically generates time-stamped audit trails, capturing all user actions, including the responsible person, date, and time.

These audit trails preserve previously recorded information and cannot be modified by users, ensuring data integrity.

Personnel Training

SimplerQMS offers our clients personalized system training to ensure users have the necessary knowledge to utilize the QMS software effectively.

Additionally, the system includes training management capabilities, allowing the management of employee training.

Suppliers Management

We provide supplier management capabilities, enabling companies to create and manage supplier-related activities such as qualification, maintaining an approved supplier list (ASL), managing supplier certificates, and much more.

Change Management

SimplerQMS provides a comprehensive change control management solution. It enables the creation, documentation, and management of all changes within the company.

Assignments can be created and delegated, electronically signed upon approval, and notifications and reminders can be set up to ensure the timely completion of change-related processes.

Electronic Signatures

Our eQMS offers EU Annex 11 and 21 CFR part 11 compliant electronic signatures.

Users must authenticate their identity with a unique username and password before signing a document, preventing unauthorized use of signatures.

After signing, the signer’s printed name, date, time, and meaning of the signature are displayed at the bottom of the document. SimplerQMS system automatically links signatures to the respective electronic record, safeguarding against falsification.

Controlled Prints

We offer a controlled printing capability that allows companies to track printouts effectively.

By selecting the print type, the system differentiates between controlled and uncontrolled printouts, adding a unique footer to each printout page.

Security Measures

SimplerQMS integrates with Microsoft Entra ID (previously known as Microsoft Azure Active Directory), offering a cloud-based solution for managing identity and user access.

The system provides features like single sign-on, multifactor authentication, and conditional access. It allows easy management of unique identification codes and passwords and enables periodic updates to prevent password aging.

In addition to the features mentioned above, SimplerQMS provides all QMS modules to streamline quality management processes. These modules include document management, risk management, nonconformance, CAPA, customer complaints, audit management, and more.

The software is designed to address Life Science requirements, helping companies to achieve compliance with EU Annex 11, 21 CFR Part 11, 210, 211, and 820, ISO 13485:2016, ISO 9001:2015, MDR and IVDR, EU volume 4 GMP, ICH Q10, and more.

Explore the advantages of implementing an eQMS in your company by downloading our eQMS Business Case template.

This valuable resource will help you assess the benefits of an eQMS and provide the essential material for effectively presenting your findings to management.

Final Thoughts

EU Annex 11 outlines guidelines for computerized systems used in GMP-regulated activities in the European Union, ensuring they meet specific requirements for their intended use.

By complying with EU Annex 11 requirements, companies improve the reliability and security of their computerized systems, safeguarding product quality and process control.

Many Life Science companies are adopting electronic Quality Management Systems (eQMS) designed to streamline quality processes and support achieving compliance.

SimplerQMS provides a Life Science eQMS solution that helps streamline quality management processes, allows for more efficient work, and helps comply with EU Annex 11 and other Life Science-related requirements.

Learn more about how SimplerQMS can support your company QMS. Book a personalized demo with our quality experts today and see how SimplerQMS can help your company.