The current EU GMP Guidance Annex 11 “Computerised Systems” was issued in 2011 and does not give sufficient guidance in several areas. There has been discussion for some time about revising this annex to meet current technological and regulatory developments. On 16 November 2022, the EMA (European Medicines Agency) published a “Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products – Computerised Systems” that addresses the need to update Annex 11.
Proposed timetable until the publication of the new EU GMP Annex 11
- Deadline for comments on the concept paper: 16 November 2023.
- Publication and commenting of a draft of the new Annex 11: March 2025.
- Approval and publication by the European Commission: June 2026.
Reasons for the revision of Annex 11
Where is there a need for change and adaptation?
The concept paper presents, in 33 points following the structure and chapters of the current Annex 11, the new points to be included and the topics to be updated.
Which topics should be included in the new Annex 11?
- The EMA questionnaire on Annex 11 and data integrity is to be replaced.
- Requirements for “data in motion” and “data at rest” (backup, archive and disposal).
- Regulatory requirements on current topics such as “digital transformation”.
- Regulatory requirements for AI (artificial intelligence) and machine learning with a special focus on the data used in these models.
- Comparison with the FDA Computer Software Assurance Guidance for Industry (CSA).
The following is an excerpt from the Concept Paper of some chapters in Annex 11 that have been identified as needing adaptation:
- Suppliers and Service Providers
The topic of cloud service providers should be addressed in particular:
- [3.1] “For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider.”
- [4.1] The meaning of the terms ‘validation’ (and ‘qualification’) needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.
- [4.1] Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity, and parts which have been specifically designed or customised.
The topic of “agile methods” should be integrated here regarding deviations from previous classic development documents.
- [4.5] It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.
- Audit Trails
Most of the new topics are mentioned here. What has so far been a very short chapter should be described much more comprehensively in the new Annex 11. The points to be addressed include:
- Audit trails must not be editable
- Audit trails must not be able to be switched off for the “normal user” of a system.
- Statements should be made about the frequency of audit trail reviews.
- Audit trail data required under GMP are often generated together with ordinary log data; it should be possible to sort and separate these data.
The security chapter should also address external threats more strongly.
- [12.1] The current section focuses only on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.
Security techniques, information security management systems and requirements are specifically mentioned here.
- [12.1] The current version says that “Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons”. However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.
- [12.1] It should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a ‘pass card’ might not be sufficient, as it could have been dropped and later found by anyone.
- [12.1] Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. ‘segregation of duties’, that day-to-day users of a system do not have admin rights, and the ‘least privilege principle’, that users of a system do not have higher access rights than what is necessary for their job function.
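The audit trail expectations above (not editable, not switchable off by a normal user, separable from ordinary log data) and the ‘segregation of duties’ / ‘least privilege’ expectations can be illustrated in code. The following is an added example written for this article, not text or code from the concept paper: a hash-chained, append-only audit trail with a constructed role model in which the day-to-day operator role has no admin rights. The role names, permissions and sample actions are assumptions.

```python
import hashlib
import json

# Constructed role model: day-to-day users ("operator") hold only what their
# job needs (least privilege); only "admin" may disable recording, and the
# two roles are never held by the same account (segregation of duties).
ROLE_PERMISSIONS = {
    "operator": {"record", "review"},
    "admin": {"record", "review", "disable_audit"},
}

def can(role, permission):
    """Return True if the role is allowed the permission."""
    return permission in ROLE_PERMISSIONS.get(role, set())

class AuditTrail:
    """Append-only trail: each entry carries the SHA-256 of the previous one,
    so editing or deleting any entry breaks the chain and is detectable."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.enabled = True

    def record(self, role, user, action, kind="audit"):
        if not can(role, "record"):
            raise PermissionError(f"role {role!r} may not record")
        if not self.enabled:
            raise RuntimeError("audit trail is disabled")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "user": user, "action": action,
                 "kind": kind, "prev": prev}   # kind: "audit" (GMP) or "log"
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def disable(self, role):
        """Only an admin may switch the trail off; a normal user cannot."""
        if not can(role, "disable_audit"):
            raise PermissionError(f"role {role!r} may not disable the trail")
        self.enabled = False

    def verify(self):
        """Re-hash every entry and check the chain; False if anything was edited."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["seq"] != i or e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def select(self, kind="audit"):
        """Separate GMP audit records from ordinary log records."""
        return [e for e in self.entries if e["kind"] == kind]
```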
In summary, the current Annex 11 has been partly overtaken by technological and regulatory developments, and there is a corresponding need for adaptation.