What is EudraLex Volume 4 Annex 11?
EudraLex Annex 11 serves as a reference document within the European Union’s pharmaceutical industry. It provides guidance for interpreting the principles and guidelines of good manufacturing practice (GMP) specifically in relation to computerized systems used in GMP-regulated activities. These computerized systems consist of software and hardware components that collectively perform certain functions. It is essential for the application to undergo validation, while the IT infrastructure should be qualified.
Annex 11 forms a crucial component of the European Union’s “Good Manufacturing Practice” (GMP) regulations for pharmaceuticals. Its purpose is to ensure that information technology (IT) systems utilized in the production and quality control of medicines meet the necessary regulatory standards.
With each update to Annex 11, modifications are made to regulatory requirements and guidance to accommodate technological advancements and address emerging industry challenges. This article examines the latest revision of EudraLex Volume 4 Annex 11 and offers a compliance checklist.
The revised document will include guidelines for acceptance of AI/ML algorithms used in critical GMP applications. This is an area where regulatory guidance is highly needed as this is not covered by any existing regulatory guidance in the pharmaceutical industry and as pharma companies are already implementing such algorithms.
Regarding data integrity, Annex 11 will include requirements for “data in motion” and “data at rest” (backup, archiving, and deletion). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are used in lieu of manual controls.
An update of the document with regulatory expectations towards “digital transformation” and similar more recent concepts will be considered.
The list of services should include “operating” a computerized system, e.g., “cloud” services.
For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider.
Despite being mentioned in the Glossary, the term “commercial off-the-shelf products” (COTS) is not adequately defined and may easily be understood too broadly.
Critical COTS products, even those used by “a broad spectrum of users” should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection.
The use of the term and the expectation for qualification, validation, and safe operation of such (e.g. ‘cloud’) systems should be clarified.
It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents.
An audit trail functionality that automatically logs all manual interactions on GMP critical systems, where users, data, or settings can be manually changed, should be regarded as mandatory; not just ‘considered based on a risk assessment’.
Controlling processes or capturing, holding, or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.
The concept and purpose of audit trail review are inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours, and by unusual users.
It should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgments, and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to sort these.
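The audit trail review described above can be sketched as code. This is an added example, not part of Annex 11 or the concept paper: it first sets alarms and events aside, then flags manual changes with a missing reason, an unusual date or hour, or an unusual user. The record fields, the working-hours window and the user names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records; field names and values are assumptions for this example.
LOG = [
    {"id": 1, "ts": "2024-03-04T09:15:00", "kind": "audit", "user": "qa_lead",
     "action": "change setpoint", "reason": "Deviation DEV-EXAMPLE-1"},
    {"id": 2, "ts": "2024-03-04T09:16:10", "kind": "alarm", "user": None,
     "action": "temperature high", "reason": None},
    {"id": 3, "ts": "2024-03-09T23:40:00", "kind": "audit", "user": "operator7",
     "action": "edit result", "reason": ""},
    {"id": 4, "ts": "2024-03-05T14:02:00", "kind": "event", "user": None,
     "action": "batch step complete", "reason": None},
    {"id": 5, "ts": "2024-03-06T10:30:00", "kind": "audit", "user": "svc_backup",
     "action": "delete record", "reason": "cleanup"},
]

def split_log(entries):
    """Separate manual-interaction audit trail entries from alarms and events."""
    audit = [e for e in entries if e["kind"] == "audit"]
    other = [e for e in entries if e["kind"] != "audit"]
    return audit, other

def review_audit_trail(audit, expected_users, work_hours=(7, 19)):
    """Return {entry id: [findings]} for manual changes that need follow-up."""
    findings = {}
    for e in audit:
        ts = datetime.fromisoformat(e["ts"])
        flags = []
        if not (e.get("reason") or "").strip():
            flags.append("missing reason")
        if ts.weekday() >= 5:  # Saturday or Sunday
            flags.append("unusual date (weekend)")
        if not work_hours[0] <= ts.hour < work_hours[1]:
            flags.append("unusual hour")
        if e["user"] not in expected_users:
            flags.append("unusual user")
        if flags:
            findings[e["id"]] = flags
    return findings

if __name__ == "__main__":
    audit, other = split_log(LOG)
    print(len(audit), "audit trail entries;", len(other), "alarms/events set aside")
    for entry_id, flags in review_audit_trail(audit, {"qa_lead", "operator7"}).items():
        print(entry_id, flags)
```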
The current section has only focused on restricting system access to authorized individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity, and availability.
| Date | Milestone |
|---|---|
| October 2021 | Preparation of draft concept paper |
| October 2022 | Approval of draft concept paper by EMA GMP/GDP IWG |
| October 2022 | Release for consultation of draft concept paper |
| December 2022 | Deadline for comments on concept paper |
| March 2023 | Discussion in EMA GMP/GDP IWG and PIC/S Committee drafting group |
| December 2024 | Proposed release for consultation of draft guideline |
| March 2025 | Deadline for comments on guideline |
| March 2026 | Adoption by EMA GMP/GDP IWG |
| June 2026 | Publication by European Community |
| September 2026 | Adoption by PIC/S Sub-committee on GMDP Harmonisation |