Mastering Computerised System Validation: An In-Depth Review of EU GMP Annex 11

by @PQE Group

Introduction 

Annex 11 provides guidelines for good manufacturing practice (GMP) for medical products. The current version was approved in 2011 and it will be updated in order to add detailed principles for more relevant areas still uncovered, since there have been not only an increased use of computerised systems but also an important progress in the use of new technologies (i.e. Artificial Intelligence & Machine Learning algorithms within GxP software). The draft version of the Concept Paper on the revision of Annex 11 has already been released in Dec 2022. Computerised System Validation is an essential part of the pharmaceutical industry: it ensures that products are safe, effective and meet the required quality standards.  

The regulatory requirements commonly defined in a risk-based approach validation are the provisions set forth by the 21 CFR Part 11 & EU cGMP Annex 11 rules, so that the next version of Annex 11 is expected to affect the validation strategy, related deliverables, and testing acceptance criteria.  

The aim of this article is to describe the improvements introduced by the Annex 11 review (see Concept Paper on the revision of Annex 11 of the guidelines on GMP for medical products – Computerised Systems) and the possible implications related to a risk-based approach validation in order to ensure the system compliance for the following topics: 

  • User Requirements Specifications (see section 4.4, Annex 11) 
  • Accuracy Checks (see section 6, Annex 11) 
  • Audit Trail (see section 9, Annex 11) 
  • Data Security (see section 12, Annex11) 
Mastering CSV_Annex 11_Banner

User Requirement Specifications  

The new version will describe more clearly the required functions of the system (based on a Risk Assessment and GxP impact) to be included in the URS document (or similar document): the requirements should detail and reflect the business and/or production processes being supported by the system, including the GMP critical functionalities. User requirements specifications should be not only traceable throughout the system life-cycle but also maintained or updated in case of system modifications (e.g. via change control management and impact assessment). 

Moreover, the traceability between user requirements, functional specifications and testing activities should be documented and kept updated. 

The above-mentioned updates for User Requirement Specification might affect the following validation deliverables: 

  • User Requirements Specifications (e.g. update of the integrity requirements such as those related to section 4.4 of Annex 11). 
  • System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements). 
  • Traceability Matrix (e.g. addition of the traceability between user requirement specification and functional, configuration and design specifications). 

 

Accuracy Checks  

Accuracy check consists of additional (manual and/or automatic) verification performed by a second operator/supervisor or validated device/system for manually entered data considered as critical for the GMP process (e.g. instrumental, method or recipe parameters). The next version will include useful guidelines in order to better classify the criticality of data and systems.  

The above-mentioned updates for Accuracy Check might affect the following validation deliverables: 

  • User Requirements Specifications (e.g. update of the integrity requirements such as those related to section 6 of Annex 11). 
  • System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements). 
  • IQ/OQ Test Scripts (e.g. update of the Accuracy Check verification and addition of a criticality evaluation of the system data / parameters based on a risk assessment). 

 

Audit Trail  

The reviewed version will describe more adequately what a system Audit Trail should trace and how to review it. Moreover, Audit trail should be always enabled and locked and there should not be the possibility to deactivate the functionality, nor delete or modify (with no trace) the relevant information. In case deactivation and/or edition options are available, only system administrators (not involved in the GMP process) should have access. New detailed guidelines about Audit Trail review frequency will be added according to the following principle: the higher the criticality of the system, more frequently the audit trails should be reviewed. 

The above-mentioned updates for Audit Trail might affect the following validation deliverables: 

  • User Requirements Specifications (e.g. update of the traceability requirements such as those related to section 9 of Annex 11). 
  • System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements). 
  • IQ/OQ Test Scripts (e.g. inclusion of additional checks for Audit Trail functionality and traceability verification for all relevant  testing steps related to creation/modification of electronic records, user accounts, groups and/or privileges). 

 

Data Security  

The updated version will be more detailed about the security (i.e. physical and logical) controls to be implemented (e.g. additional security measures such as multi-factor authentication, platform management, etc.) in order to guarantee system access only to authorized users. In particular, the only use of “pass cards” will not be accepted because they might be lost or shared by different users. In such cases, depending on the system criticality, it should be recommended the use of a multi-factor authentication method. 

When designing and configuring the system user groups and related privileges the “segregation of duties” and “least privilege” principles should be considered. Furthermore, creation, change and cancellation of access authorizations should be not only recorded (e.g. within access log) but also frequently reviewed given that people may assume or change their roles within the company or quit their job. 

The above-mentioned updates for Data Security might affect the following validation deliverables: 

  • Configuration & Design Specifications (or similar document) (e.g. addition of new security parameters such as password complexity & history and multi-factor authentication features). 
  • User Requirements Specifications (e.g. update of the security requirements such as those related to sections 12.1 and 12.3 of Annex 11). 
  • System Risk Assessment (e.g. addition of new risk scenarios/potential failures related to the affected user requirements). 
  • IQ/OQ Test Scripts (e.g. update of the Password policy, User profile and privileges and Access Control verifications, including traceability verification related to modification of password settings). 

 

Conclusions 

The last time Annex 11 was updated to include new guidelines on computerized systems validation, it implied a significant impact on validation approach and relevant deliverables. 

The revision of Annex 11 will be crucial and will implement many feedbacks received from regulated users and suppliers in order to better clarify the current applicable regulations. The guidelines is expected to introduce more “tools” and recommendations to be used for ensuring the system compliance to quality, security, integrity, traceability and accountability requirements from a validation perspective. Finally, considering that it’s been (relatively) many years since the Annex 11 was updated, the impact on system validation approach and related deliverables is expected to be important depending on the improvements and details that will be provided within the new guidelines. 

Are you compliant ?

PQE Group can support your business in reaching the compliance for your products as well as in implementing new procedures, tools and software.

To get more information or support, check our Data Integrity dedicated page or get in touch with us to find the most suitable solution for your company.