Revision of the EU GMP Guide Annex 11 "Computerised Systems" - Presentation of Concept Paper
Recommendation
11-13 December 2024
The current EU GMP Guidance Annex 11 "Computerised Systems" has been in force since 2011. It has been discussed for a long time to revise this annex in order to meet current technological and regulatory developments. On 16 November 2022, the EMA (European Medicines Agency) published a 5-page "Concept-Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products - Computerised Systems". Comments on this concept paper can be submitted until 16 January 2023.
Cooperation with other organisations
The previous Annex 11 was already adopted with identical content by the PIC/S (Pharmaceutical Co-Operation Scheme) with its more than 50 members distributed worldwide as PE 009-15: Annex 11 - Computerised Systems. This cooperation will also be continued in the revision of Annex 11.
Proposed timetable until the publication of the new EU GMP Annex 11
- Deadline for comments on the concept paper: 16 November 2023.
- Publication and commenting of a draft of the new Annex 11: March 2025.
- Approval and publication by the European Commission: summer 2026.
Where is there a need for change and adaptation?
In 33 points, based on the structure and chapters of the existing Annex 11, new points to be included and topics to be updated are presented. Which topics should be included in the new Annex 11?
- The EMA questionnaire on Annex 11 and data integrity is to be replaced.
- Requirements for 'data in motion' and 'data at rest'.
- Regulatory requirements on current topics such as 'digital transformation'.
- Regulatory requirements for AI (artificial intelligence) and machine learning with a special focus on the data used in these models.
- Comparison with the FDA Computer Software Assurance Guidance for Industry (CSA).
Where is there a need for adaptation in which Annex 11 chapters? (selection)
- (3) Suppliers and Service Providers: Here, the topic of cloud service providers should be addressed in particular. The regulated user should have access to the validation documentation and the documentation for the secure operation of the system and also be able to show these during inspections.
- (4) Validation: The topic of "agile methods" should be integrated here with regard to deviations from previous classic development documents.
- (9) Audit trails: Most of the new topics are mentioned here. What has been a very short chapter so far, topic should be described much more comprehensively in the new Annex 11. The points to be tackled include:
- Audit trails must not be editable
- Audit trails must not be able to be switched off for the "normal user" of a system.
- Statements should be made about the frequency of audit trail reviews.
- Audit trail data as GMP requirements are often created together with log data. It should be possible to sort this data. - (12) (Security): This topic should also be integrated more strongly under the aspect of external threats. ISO 27001 (Information technology
- Security techniques - Information security management systems - Requirements) is specifically mentioned here. So far, Annex 11 requires "Physical and/or logical controls...". The controls are to be described in more detail here.
Evaluation
It is clear that the current Annex 11 is partly outdated by technological and regulatory developments and that there is a corresponding need for adaptation. It remains to be seen how detailed the implementation will ultimately be in a first draft. The more detailed and more detailed the requirements, the less flexible the implementation will be.