Annex 11

Annex 11 establishes the EU’s requirement regarding the use of computerized systems as part of the good manufacturing practice of medicinal products. It provides information and explanation regarding the GMP directive 2003/94/EC and 91/412/EEC. This annex is part of the EudraLex that governs medicinal products within the EU.

As the dependency on digital media for operations grew, the EU introduced Annex 11 in 2011 to standardize the process. Annex 11 lays the basis of good manufacturing practices expected from organizations regarding their computerized systems.

Which products does the Annex 11 apply to?

Strictly speaking, Annex 11 does not apply to the devices themselves but to their computerized parts. It also applies to all medicinal products and their manufacturing process. This means that Annex 11 is not specific to a single product or product. Rather, it applies to all computerized systems that are involved in the medicinal product itself or the making of the products.

The computerized system is defined as a combination of software and hardware. A computerized system includes but is not limited to all digital processes involved in design, production, manufacture, and digital data recordings, maintenance, and analysis. As such, any digital system used while developing and testing a medicinal product falls within the Annex 11 territory. For example, the digital compliance and sorting of clinical data for clinical trials must be in accordance with the Annex 11 requirements. The same applies to any data transfer or storage.

The purpose of Annex 11 is to have safe and reliable computerized systems. It is further established by its principles.

One of the principles of the Annex states that the application should be validated, and the IT infrastructure should be qualified. This means that the computerized system every component of it will have to go through a validation process (to prove their usefulness, efficiency for assessment, etc).

Annex 11 reinforces the importance of system quality by stating in its third principle that when a computerized system is used instead of a manual process, the product quality, process control, risk, or quality assurance should remain the same. 

What are the Annex 11 requirements?

Annex 11 has 17 requirements in total, which are subdivided into three phases: general, project phase, and operational phase.

1-3 is the general phase, 4 is the project phase, and 5-17 belong to the operational phase.

1. Risk Management: Computerized systems used in healthcare industries should have risk management systems allotted to, applied, documented, and maintained throughout their lifetime. Potential risks to data integrity and safety should be identified and dealt with.
2. Personnel: All personnel involved in handling the computerized system should have appropriate training, qualifications, and access and should collaborate.
3. Suppliers and service providers: Companies often use third parties to provide them with computerized services. In that case, all third-party providers need to be audited to confirm their quality of service.
4. Validation: Records of validation are kept to justify each step of the manufacturing process. This justification requirement applies to any change to the system as well. The validation process itself should also be checked and standardized.
5. Data: Data exchange should be monitored with built-in checks to reduce risks.
6. Accuracy Checks: Manually entered “critical data” should be rechecked manually, or the system should have automated accuracy checks.
7. Data Storage: All data should be backed up both physically and digitally.
8. Printout: Stored data should be available for printing.
9. Audit Trails: If the device is in a higher-risk category, the system should record all GMP-related changes and deletions.
10. Change and Configuration Management: Changes to the system should be done according to a defined procedure.
11. Periodic Evaluation: Computerized systems should be periodically evaluated to ensure GMP compliance.
12. Security: Depending on the system's importance, both physical and digital security should be implemented, maintained, and updated regularly. All changes should be recorded.
13. Incident Management: All incidents should be recorded and assessed.
14. Electronic Signatures: Can be allowed.
15. Batch Release: Batch releases should only be done by trained personnel after careful assessment and record keeping.
16. Business Continuity: To ensure smooth operation in case of computerized system breakdowns, backup systems should be available at all times. The backup system can be manual or digital, provided all backups are tested.
17. Archiving: Data can be archived as long as it can be retrieved later without alteration.

Is Annex 11 legally binding?

Unlike the EU MDR and FDA, technically, Annex 11 is not legally binding. This is more similar to a guidance document. However, treating the annex as simply a guidance document is not right either. It is strongly advised that you follow the requirements unless there is a clear indication of not doing so. Whether you are legally bound to follow the annex or not, many regulatory authorities will check your compliance with annex 11, often simply because it is a good way to check whether your computerized system is competent or not.