What is the current version of EudraLex Volume 4 Annex 11?
The current version of EudraLex Volume 4 Annex 11, as of the January 2011 revision, has been deemed inadequate in providing sufficient guidance in various areas, particularly regarding the use of new technologies such as Artificial Intelligence (AI) and Machine Learning (ML).
However, a revised draft version of Annex 11 was recently published on November 16, 2022, which can be found here.
The draft version of Annex 11 introduces several updates, including a section dedicated to clinical trial data management, guidance on the utilization of emerging technologies such as artificial intelligence and machine learning, as well as guidelines for validating software and IT systems.
It is crucial to emphasize that Annex 11 serves as a reference guide, and pharmaceutical companies and medical device manufacturers must adhere to the specific requirements mandated by their respective countries or regions.
EudraLex Volume 4 Annex 11: what is the new revision all about?
Below we will summarize the main content from what is newly proposed in the planned revision of annex 11.
The revised document will include guidelines for acceptance of AI/ML algorithms used in critical GMP applications. This is an area where regulatory guidance is highly needed as this is not covered by any existing regulatory guidance in the pharmaceutical industry and as pharma companies are already implementing such algorithms.
Regarding data integrity, Annex 11 will include requirements for “data in motion” and “data at rest” (backup, archiving, and deletion). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are in lieu of manual controls.
An update of the document with regulatory expectations towards “ digital transformation” and similar more recent concepts will be considered.
The list of services for “operating” should include a computerized system, e.g., “cloud” services.
For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider.
Despite being mentioned in the Glossary, the term “commercial off-the-shelf products”(COTS) is not adequately defined and may easily be understood too broadly.
Critical COTS products, even those used by “a broad spectrum of users” should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection.
The use of the term and the expectation for qualification, validation, and safe operation of such (e.g. ‘cloud’) systems should be clarified.
It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents.
An audit trail functionality that automatically logs all manual interactions on GMP critical systems, where users, data, or settings can be manually changed, should be regarded as mandatory; not just ‘considered based on a risk assessment’.
Controlling processes or capturing, holding, or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.
The concept and purpose of audit trail review are inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours, and by unusual users. ( Source)
It should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgments, and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these. ( Source)
The current section has only focused on restricting system access to authorized individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity, and availability. ( Source)
Proposed timetable new version EudraLex Vol. 4 Annex 11
The below figure gives the high-level timeline for the revision of the new version of EudraLex Volume 4 Annex 11.
| Date | Milestone |
|---|---|
| October 2021 | Preparation of draft concept paper |
| October 2022 | Approval of draft concept paper by EMA GMP/GDP IWG |
| October 2022 | Release for consultation of draft concept paper |
| December 2022 | Deadline for comments on concept paper |
| March 2023 | Discussion in EMA GMP/GDP IWG and PIC/S Committee drafting group |
| December 2024 | Proposed release for consultation of draft guideline |
| March 2025 | Deadline for comments on guideline |
| March 2026 | Adoption by EMA GMP/GDP IWG |
| June 2026 | Publication by European Community |
| September 2026 | Adoption by PIC/S Sub-committee on GMDP Harmonisation |
Compliance questionnaire to EudraLex Annex 11
The following questionnaire is intended to assess whether the computer system complies with Annex 11 of EudraLex – Volume 4 – Good Manufacturing Practice (GMP) guidelines.
Free checklist
EudraLex Vol. 4 Annex 11: compliance questionnaire
Subscribe to the latest updates in life science
Expert perspectives delivered to your inbox — pick your interests.
No spam, ever. Unsubscribe anytime.