Annex 11 and 21 CFR Part 11: Comparisons for International Compliance
by Orlando Lopez, Independent Consultant
Jan 31, 2012
The two essential resources available to regulated life-science professionals regarding the validation of computer systems are the Food and Drug Administration's (FDA) rule on Electronic Records; Electronic Signatures (21 CFR Part 11, aka Part 11) and the European Medicines Agency's (EMA, formerly EMEA) EU Guidelines to Good Manufacturing Practice (GMP), Annex 11, Computerised Systems (aka EU Annex 11).
Part 11 establishes the technical and procedural controls that a regulated user must meet if it chooses to maintain regulated records electronically. Part 11 was published in March 1997. It applies in the United States to all FDA program areas, and it also applies to manufacturers outside the United States and its territories who wish to gain FDA market approval. Part 11 covers records in electronic form that are created, modified, maintained, archived, retrieved or transmitted under any records requirement set forth in agency regulations. This analysis also takes into account the 2003 Part 11 guidance (Scope and Application), which is the document the FDA uses to interpret and enforce the requirements established in the Part 11 regulation. (See Analysis of Part 11.)
European Union (EU) Annex 11 covers the interpretation of the principles and guidelines of GMP for GMP-regulated activities carried out on computerised systems. The first edition of EU Annex 11 dates back to 1992; the current, updated version was published in January 2011. EU Annex 11 is applicable only in the EU, although U.S. manufacturers who wish to obtain EU market approval need to take it into account as an applicable requirement. It applies to GMP for medicinal products for human use, investigational medicinal products for human use and veterinary medicinal products. (See Analysis of EU Annex 11.)
This article discusses how the updated Annex 11 compares with Part 11. A matrix containing a comprehensive comparison of Annex 11, Part 11 and other regulations/guidelines can be downloaded for free at www.computer-systems-validation.com.
Comparing the 11s
There are two primary common areas between the EU's Annex 11 and the FDA's Part 11. The first is the electronic signature (e-sig) elements within the two documents. The second is the elements covered in Part 11.10, Controls for Closed Systems.
Speaking strictly about e-sigs, Part 11 goes beyond Annex 11. Back in the early 1990s, the main reason for initiating Part 11 was to allow the electronic approval of batch records.
E-sigs in EU Annex 11 are covered under Annex 11-14. The use of e-sigs to sign electronic records (e-recs) is permitted. E-sigs are expected to:
- have the same impact as handwritten signatures within the boundaries of the company (Part 11.100(a) and (b); 11.200(a)(2));
- be permanently linked to their respective record(s) (Part 11.70); and
- include the time and date of signature (Part 11.50(a)(2)).
The corresponding Part 11 section for each Annex 11 e-sig expectation is given in parentheses above.
In addition, Part 11 includes the following e-sig requirements not covered in the EU Annex 11:
11.50(a)(1) and (3); 11.50(b)
Section 11.50 requires signature manifestations to contain information associated with the signing of e-recs. This information must include the printed name of the signer, and the meaning (such as review, approval, responsibility, and authorship) associated with the signature. In addition, this information is subject to the same controls as e-recs and must be included in any human readable forms of the e-rec (such as electronic display or printout).
11.100(c)(1) and (2)
Under the general requirements for e-sigs, at Sec. 11.100, before an organization establishes, assigns, certifies, or otherwise sanctions an individual's e-sig, the organization shall verify the identity of the individual.
11.200(a)(1)(i) and (ii); 11.200(a)(3); 11.200(b)
Section 11.200 provides that e-sigs not based on biometrics must employ at least two distinct identification components such as an identification code and password. In addition, when an individual executes a series of signings during a single period of controlled system access, the first signing must be executed using all electronic signature components and the subsequent signings must be executed using at least one component designed to be used only by that individual. When an individual executes one or more signings not performed during a single period of controlled system access, each signing must be executed using all of the electronic signature components.
E-sigs not based on biometrics are also required to be administered and executed to ensure that attempted use of an individual's e-sig by anyone else requires the collaboration of two or more individuals. This would make it more difficult for anyone to forge an electronic signature. E-sigs based upon biometrics must be designed to ensure that such signatures cannot be used by anyone other than the genuine owners.
Under Sec. 11.300, e-sigs based upon use of identification codes in combination with passwords must employ controls to ensure security and integrity. The controls must include the following provisions: (1) The uniqueness of each combined identification code and password must be maintained in such a way that no two individuals have the same combination of identification code and password; (2) persons using identification codes and/or passwords must ensure that they are periodically recalled or revised; (3) loss management procedures must be followed to deauthorize lost, stolen, missing or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification codes or password information; (4) transaction safeguards must be used to prevent unauthorized use of passwords and/or identification codes, and to detect and report any attempt to misuse such codes; (5) devices that bear or generate identification codes or password information, such as tokens or cards, must be tested initially and periodically to ensure that they function properly and have not been altered in an unauthorized manner.
The above Part 11 e-sig descriptions were directly obtained from the Part 11 regulation preamble.
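As an added illustration, not code from the article or from any regulator, the following Python sketch models the signing rules just described: identity verification before an e-sig is issued (11.100(b)), an ID code plus password as the two components, the first-versus-subsequent signing rule within one period of controlled access (11.200(a)(1)), both components for every signing outside a session (11.200(a)(2)), a manifestation carrying printed name, date/time and meaning (11.50), and a keyed link that fails verification if the record is altered after signing (11.70). The system key, the PBKDF2 password hashing, the three-failure lockout, the session token scheme and the batch record are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


class SigningError(Exception):
    """Raised when a signing attempt violates one of the modelled controls."""


class ESignatureService:
    """Toy model of the Part 11 e-sig controls (added example; key, hashing and lockout are assumptions)."""

    MAX_FAILURES = 3  # assumed lockout threshold for the 11.300(d) transaction safeguards

    def __init__(self, link_key):
        self._link_key = link_key  # assumed system-held key binding a signature to its record (11.70)
        self._users = {}           # user_id -> {salt, pw_hash, name, failures, locked}
        self._sessions = {}        # token -> {user_id, signed}: one period of controlled system access
        self.misuse_log = []       # 11.300(d): detected attempts to misuse an ID code or password

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user_id, printed_name, password, identity_verified):
        if not identity_verified:        # 11.100(b): verify identity before sanctioning the e-sig
            raise SigningError("identity must be verified before an e-sig is issued")
        if user_id in self._users:       # 11.100(a), 11.300(a): an ID code belongs to one person only
            raise SigningError("identification code already assigned")
        salt = secrets.token_bytes(16)
        self._users[user_id] = {"salt": salt, "pw_hash": self._hash_pw(password, salt),
                                "name": printed_name, "failures": 0, "locked": False}

    def _authenticate(self, user_id, password):
        user = self._users.get(user_id)
        if user is None or user["locked"]:
            self.misuse_log.append((user_id, "unknown or deauthorized identification code"))
            raise SigningError("authentication failed")
        if not hmac.compare_digest(user["pw_hash"], self._hash_pw(password, user["salt"])):
            user["failures"] += 1
            self.misuse_log.append((user_id, "wrong password"))
            if user["failures"] >= self.MAX_FAILURES:
                user["locked"] = True    # 11.300(c): deauthorize a potentially compromised credential
            raise SigningError("authentication failed")
        user["failures"] = 0

    def login(self, user_id, password):
        """Open a single period of controlled system access; returns the session token."""
        self._authenticate(user_id, password)
        token = secrets.token_hex(16)
        self._sessions[token] = {"user_id": user_id, "signed": False}
        return token

    def sign(self, record, meaning, *, session=None, user_id=None, password=None):
        """Apply an e-sig to `record` and return its 11.50 manifestation. In a session the first
        signing needs both components and later ones at least the password (11.200(a)(1));
        outside a session every signing needs both components (11.200(a)(2))."""
        if session is not None:
            sess = self._sessions.get(session)
            if sess is None:
                raise SigningError("no period of controlled system access")
            if password is None or (not sess["signed"] and user_id != sess["user_id"]):
                raise SigningError("first signing needs ID code and password; later ones need the password")
            self._authenticate(sess["user_id"], password)
            sess["signed"] = True
            signer = sess["user_id"]
        else:
            if user_id is None or password is None:
                raise SigningError("signing outside a session requires ID code and password")
            self._authenticate(user_id, password)
            signer = user_id
        manifestation = {"signer": signer,                            # 11.50(a): printed name,
                         "printed_name": self._users[signer]["name"],  # date/time and meaning
                         "signed_at": datetime.now(timezone.utc).isoformat(),
                         "meaning": meaning}
        manifestation["link"] = self._link(record, manifestation)   # 11.70: bound to this record
        return manifestation

    def _link(self, record, manifestation):
        body = {k: v for k, v in manifestation.items() if k != "link"}
        payload = json.dumps([record, body], sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._link_key, payload, hashlib.sha256).hexdigest()

    def verify(self, record, manifestation):
        """True only while the record content matches what was signed."""
        return hmac.compare_digest(manifestation["link"], self._link(record, manifestation))


def demo():
    """Walk-through on a constructed batch record; returns (signatures valid, still valid after edit)."""
    svc = ESignatureService(link_key=b"constructed-demo-key")
    svc.enroll("jdoe", "Jane Doe", "correct horse battery", identity_verified=True)
    batch = {"batch": "B-0001", "step": "dispensing", "qty_kg": 12.5}   # constructed record
    token = svc.login("jdoe", "correct horse battery")
    reviewed = svc.sign(batch, "reviewed", session=token, user_id="jdoe", password="correct horse battery")
    approved = svc.sign(batch, "approved", session=token, password="correct horse battery")
    both_valid = svc.verify(batch, reviewed) and svc.verify(batch, approved)
    batch["qty_kg"] = 13.0                          # alter the record after it was signed
    return both_valid, svc.verify(batch, reviewed)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The link is a MAC rather than a digital signature, so it proves only that the record has not changed since the system applied the manifestation; it does not give non-repudiation against the system operator, which is why the 11.10 controls on the system itself still matter.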
Controls for Closed Systems
Section 11.10 describes the controls that must be designed by the regulated user to ensure the integrity of the computer system operations and the information stored in the closed system.
On the controls framework, the Part 11 regulation considers computer systems in two groupings: closed and open. Closed and open systems are defined in Part 11.3. The access in closed systems is controlled by persons responsible for the content of electronic records on that system. An open system is an environment in which system access is not controlled by persons who are responsible for the content of electronic records on the system. Annex 11 does not make this distinction. Implicitly, Annex 11 covers these security related controls in 11-12.
Speaking strictly about the integrity of system operations and information stored in the system, Annex 11 goes beyond Part 11. The requirements covered by Part 11 on the controls for closed systems are: validation, copy and protection of e-recs, audit trails, system documentation, computer system access, and experience of people developing/maintaining/using the computer system.
Validation (11.10(a))
Validation is the "formal assessment and reporting of quality and performance measures for all the lifecycle stages of software and system development, its implementation, qualification and acceptance, operation, modification, re-qualification, maintenance and retirement. This should enable both the regulated user, and competent authority to have a high level of confidence in the integrity of both the processes executed within the controlling computer system(s) and in those processes controlled by and/or linked to the computer system(s), within the prescribed operating environment(s)." (PIC/S PI 011-3.) The FDA has maintained the requirement for validation because the agency believes that software must be validated to the extent possible to adequately ensure performance.
A properly implemented computer system validation program "ensures accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records" (11.10(a)).
In EU Annex 11, validation of computer systems is an element of the project phase and takes center stage. The validation section has been extensively expanded in the updated Annex 11 to cover the complete computer system life cycle. One of the main principles of the Annex states: "The application should be validated; IT infrastructure should be qualified."
A significant and essential activity at the beginning of a computer system's life cycle is to establish its intended use and proper performance. Intended use is one of the factors that determines how deep the validation of a computer system needs to go.
The phrase "proper performance" relates to the general principle of validation: planned and expected performance is based on predetermined design specifications, that is, on the intended use.
All computer systems automating any regulated function must be validated for their intended use. This applies to any computer system that automates design, testing, raw material or component acceptance, manufacturing, labeling, packaging, distribution, complaint handling or any other aspect of the quality system.
In addition, computer systems creating, modifying and maintaining electronic records and managing electronic signatures are subject to the validation requirement. Such systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Software for the above applications may be developed in-house or under contract, but it is frequently purchased off-the-shelf for a particular intended use. All production and/or quality system software, even if purchased off-the-shelf, should have documented requirements that fully define its intended use, together with information against which test results and other evidence can be compared, to show that the software is validated for its intended use.
Appropriate installation and operational qualifications should demonstrate the suitability of computer hardware and software to perform their assigned tasks.
The ability to generate accurate, complete copies of records (11.10(b))
According to this requirement, which also appears in Annex 11-8 (Printouts), it must be possible to obtain clear printed copies of electronically stored e-recs. When an electronic copy of an electronic record is generated, any file conversion involved must be qualified.
Protection of records (11.10(c) and (d))
Electronic records held in computer systems must be controlled, including their retention, backup and security.
The data collected in a computer system should be secured by both physical and electronic means against damage, and access to the data should be ensured throughout the retention period (Annex 11-7.1).
One of the many activities supporting this requirement is backup. Backups are electronic copies of the electronic records, stored separately from the primary records. The objective of a backup is to guarantee the availability of the stored data and, in case of data loss, to allow all GMP-relevant documentation to be reconstructed.
Annex 11-7.2 requires regular backups of all relevant data; the integrity and accuracy of the backup data and the ability to restore the data should be checked during validation and monitored periodically. The frequency and extent of backup should be based on the effort involved in recreating the data, and should be defined in the backup procedure.
Measures must be taken to ensure that backup data are exact and complete and that they are secure from alteration, inadvertent erasure and loss.
Security is an issue covered in all the regulations. The basic principle in Annex 11 is that computer systems must have adequate controls to prevent unauthorized access to, or changes to, data, as well as inadvertent erasure or loss (Annex 11-7.1 and 11-12).
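The backup checks above (exact and complete copies, integrity verified periodically, and a demonstrated ability to restore) are shown below in a small Python example added here; it is not code from the article and does not describe any particular product. It copies a directory tree into a backup location with a per-file SHA-256 manifest, verifies the backup against that manifest, and performs the restore check by restoring into a scratch directory and verifying the restored tree. The manifest file name, directory layout and sample files are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name of the hash list kept inside the backup


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir):
    """Copy every file under source_dir into backup_dir and record a SHA-256 per
    file so the copy can later be checked without reference to the live system."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(source_dir).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)  # hash the copy that was actually written
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(backup_dir):
    """Return (ok, problems). Altered, missing and unexpected files are all reported,
    so an incomplete backup is caught as well as a corrupted one."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    present.discard(MANIFEST)
    problems = []
    for rel, digest in sorted(manifest.items()):
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(backup_dir / rel) != digest:
            problems.append(f"altered: {rel}")
    problems += [f"unexpected: {rel}" for rel in sorted(present - set(manifest))]
    return not problems, problems


def restore_and_check(backup_dir):
    """The 'ability to restore' check: restore into a scratch directory and verify the
    restored tree, rather than only hashing the backup where it sits."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(backup_dir, restored)
        return verify_backup(restored)


def demo():
    """Walk-through on constructed files; returns (clean backup verified and restorable,
    problems reported after the backup copy has been damaged)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "batch").mkdir(parents=True)
        (live / "batch" / "B-0001.json").write_text('{"batch": "B-0001", "qty_kg": 12.5}')
        (live / "audit.log").write_text("2012-01-31T10:00:00Z jdoe create B-0001\n")
        make_backup(live, backup)
        clean = verify_backup(backup)[0] and restore_and_check(backup)[0]
        (backup / "audit.log").write_text("tampered\n")   # corruption in the backup copy
        (backup / "batch" / "B-0001.json").unlink()       # and a file lost from it
        return clean, verify_backup(backup)[1]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest would be kept separately from the backup medium as well (otherwise whoever can alter a backup file can also rewrite its hash), and the periodic check would be scheduled and its result recorded, since Annex 11-7.2 asks for the restore capability to be monitored, not just established once.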
Use of computer-generated, time-stamped audit trails (11.10(e), (k)(2) and associated requirements in 11.30)
One of the first references to audit trails in FDA guidance is in the 1978 current good manufacturing practice (cGMP) preamble. The comment on paragraph 186 states: "If a computer system has the capability, however, to verify its output, such as with audit trails, this could be considered as a check for accuracy."
As in Annex 11-9, the system-generated audit trail referenced in 11.10(e), or other physical, logical or procedural security measures, must be in place to ensure the trustworthiness and reliability of the records. The appropriate measures should be selected based on a risk assessment. For any change or deletion of GMP-relevant data, the reason should be documented.
This is one requirement for which, since 2003, the FDA has exercised enforcement discretion. Regulated firms must still comply with all applicable predicate rule requirements related to documentation of the date, time or sequencing of events, as well as any requirement that changes to records do not obscure previous entries.
Audit trails are appropriate where the regulated user is expected to create, modify or delete regulated records during normal operation.
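To make the audit trail expectations above concrete, here is an added Python example (not from the article): a record store whose trail is generated by the system rather than the operator, time-stamped, keeps the previous value of every changed field so that no prior entry is obscured, demands a documented reason for changes and deletions (Annex 11-9), and chains entries by hash so that an edited or removed trail entry is detectable. The record layout, the sample lot data and the SHA-256 chaining are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditError(Exception):
    """Raised when an operation would violate the modelled audit-trail controls."""


class AuditedRecordStore:
    """Record store with a system-generated, time-stamped, hash-chained audit trail (added example)."""

    GENESIS = "0" * 64  # assumed chain anchor for the first entry

    def __init__(self, clock=None):
        self._records = {}  # record_id -> current field dict, or None once deleted
        self.trail = []     # append-only audit entries, oldest first
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

    def _append(self, user, action, record_id, field, old, new, reason):
        # The system, not the operator, supplies the sequence number and timestamp.
        entry = {"seq": len(self.trail), "ts": self._clock().isoformat(), "user": user,
                 "action": action, "record": record_id, "field": field,
                 "old": old, "new": new, "reason": reason,
                 "prev": self.trail[-1]["hash"] if self.trail else self.GENESIS}
        entry["hash"] = self._digest(entry)
        self.trail.append(entry)

    def create(self, user, record_id, data):
        if record_id in self._records:
            raise AuditError("record identifier already used")
        self._records[record_id] = dict(data)
        for field, value in sorted(data.items()):
            self._append(user, "create", record_id, field, None, value, None)

    def modify(self, user, record_id, field, new, reason):
        if not reason:
            raise AuditError("a reason is required for changes to GMP-relevant data")
        rec = self._records.get(record_id)
        if rec is None:
            raise AuditError("record does not exist or was deleted")
        old = rec.get(field)
        if old == new:
            return  # nothing changed, nothing to record
        rec[field] = new  # the previous value survives in the trail entry below
        self._append(user, "modify", record_id, field, old, new, reason)

    def delete(self, user, record_id, reason):
        if not reason:
            raise AuditError("a reason is required for deletions of GMP-relevant data")
        rec = self._records.get(record_id)
        if rec is None:
            raise AuditError("record does not exist or was deleted")
        self._records[record_id] = None
        self._append(user, "delete", record_id, None, rec, None, reason)  # full snapshot kept

    def get(self, record_id):
        rec = self._records.get(record_id)
        return None if rec is None else dict(rec)

    def as_of(self, record_id, seq):
        """Rebuild the record as it stood after trail entry `seq` by replaying the trail,
        which is possible only because previous values are never overwritten."""
        state = None
        for e in self.trail[: seq + 1]:
            if e["record"] != record_id:
                continue
            if e["action"] in ("create", "modify"):
                state = dict(state or {})
                state[e["field"]] = e["new"]
            elif e["action"] == "delete":
                state = None
        return state

    def verify_trail(self):
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev = self.GENESIS
        for i, e in enumerate(self.trail):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, None


def demo():
    """Walk-through on constructed lot data; returns (state after creation, chain intact, result after tampering)."""
    store = AuditedRecordStore()
    store.create("jdoe", "LOT-042", {"assay_pct": 98.2, "status": "in-test"})
    store.modify("asmith", "LOT-042", "assay_pct", 99.1, reason="transcription error, see DR-17")
    store.modify("asmith", "LOT-042", "status", "released", reason="QA disposition")
    original = store.as_of("LOT-042", 1)   # state after the two create entries
    intact, _ = store.verify_trail()
    store.trail[2]["new"] = 97.0           # someone edits the trail itself
    return original, intact, store.verify_trail()


if __name__ == "__main__":
    print(demo())  # ({'assay_pct': 98.2, 'status': 'in-test'}, True, (False, 2))
```

The hash chain only detects tampering by someone without write access to the whole trail; an administrator who can rewrite every entry can rechain it. That is why the trail should be written to storage the application users cannot modify, and why the 11.10(d) and (g) access controls apply to the trail as much as to the records.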
Use of appropriate controls over systems documentation (11.10(k))
Computer system documentation means the records that relate to system operation and maintenance, from high-level design documents to end-user manuals. All regulatory provisions applicable to software are also applicable to its documentation.
Computer system documents are generated during the implementation project and updated during maintenance. They may be either printed material or electronic records, such as computer files, storage media or film. Storing a large number of documents increases the cost of document management, because it becomes harder to keep the documents consistent with the computer system. Computer system documents must be available for review when needed, and obsolete information must be archived or destroyed in accordance with a written record retention plan.
Although Annex 11 provides guidance on documentation, it gives no explicit guidance on controls over computer system documentation. The applicable controls can be found in the new version of Chapter 4 ("Documentation") of the EU Guidelines to GMP, which can be used as guidance for implementing 11.10(k).
System access limited to authorized individuals (11.10(d), (g) and (h))
Security is a key issue in computer systems, including the use of authority checks (21 CFR 11.10(g)) to ensure that only authorized individuals can use the system and alter records.
The Part 11 security requirements in 11.10(d), (g) and (h) are covered in Annex 11-7.1 and 11-12. In addition, Annex 11-4.3 calls for "an up to date listing of all relevant systems and their GMP functionality (inventory)" to be available and, for critical systems, an up-to-date system description that includes the security measures in place.
A determination that persons who develop, maintain or use electronic records and signature systems have the education, training and experience to perform their assigned tasks (11.10(i))
Annex 11-2 (Personnel) covers this Part 11 requirement.
The revised Annex 11 covers the 11.10 requirements comprehensively.
In terms of content, the main difference between Part 11 and Annex 11 is that Part 11 is a regulation. The nature of a regulation restricts the granularity of the guidance a regulator can provide, so the regulated user gets less guidance from Part 11 than from Annex 11. The regulator's guidance on Part 11 is found in the preamble of the regulation and in the 2003 guidance document.
Annex 11 has a much broader scope than Part 11. Speaking strictly about e-recs and e-sigs, Part 11 goes beyond Annex 11, but the two work well together. Annex 11 can be used in other regulated environments, such as the United States, as a guideline for complying with the regulatory requirements applicable to computer systems supporting GxP applications.
Part 11, despite its narrow scope, is what first made the regulated industry aware of e-recs and e-sigs. The updated EU Annex 11 has raised the standard for regulated users and systems, and gives specific guidance in areas that the Part 11 regulation does not cover.
Notes
- Regulated user: the Good Practice regulated entity responsible for the operation of a computerised system and the applications, files and data held on it (PIC/S PI 011-3).
- FDA, 21 CFR Part 11, "Electronic Records; Electronic Signatures; Final Rule," Federal Register Vol. 62, No. 54, 13429, March 20, 1997.
- The European Medicines Agency is an agency of the European Union, responsible for the scientific evaluation of medicines developed by pharmaceutical companies for use in the European Union.
- Annex 11 to Volume 4 of the Rules Governing Medicinal Products in the European Community, Computerised Systems.
- FDA, Part 11, Electronic Records; Electronic Signatures - Scope and Application, 2003.
- Preamble: the analysis preceding a proposed or final rule that clarifies the intention of the rulemaking and any ambiguities regarding the rule. Responses to comments on a proposed rule are published in the preamble preceding the final rule. Preambles are published only in the Federal Register and have no binding effect.
- Pharmaceutical Inspection Co-operation Scheme, "Good Practices for Computerized Systems in GxP Regulated Environments," PIC/S PI 011-3, September 2007.
- Center for Drug Evaluation and Research, Center for Biologics Evaluation and Research, and Center for Devices and Radiological Health, Food and Drug Administration, "Guideline on General Principles of Process Validation," U.S. FDA, Rockville, MD, May 1987.
- Audit trail: an electronic means of auditing the interactions with records within an electronic system so that any access to the system can be documented as it occurs, for identifying unauthorized actions in relation to the records, e.g. modification, deletion or addition (DOD 5015.2-STD).
Orlando Lopez is an independent consultant with more than 20 years of information technology experience and more than a decade in QA and compliance. He has managed a complete validation project at a medical device manufacturing facility, covering the facility, utilities, process equipment, R&D/QA laboratories and processes (formulation and fabrication).
He established the computer validation compliance initiative for multiple Johnson & Johnson companies, such as McNeil and ITCS.
Recognized globally for expertise in computer system compliance, he was a member of the PDA Part 11 Core Team and of the GAMP Infrastructure Special Interest Group. As part of the GAMP4 Guide, he led the development of Operation Appendix O6, "Guidelines for Record Retention, Archiving and Retrieval." He has lectured globally and chaired several computer validation conferences.
He is the author of two books: "21 CFR Part 11 - A Complete Guide to International Compliance," published by Sue Horwood Publishing Limited (www.suehorwoodpubltd.com), and "Computer Infrastructure Qualification for FDA Regulatory Industries," published by Davis Healthcare International Publishing.