Annex 11: The EU's New Expectations for Regulated Computerized Systems

Note: The views expressed in this article are those of the author and do not necessarily represent those of his/her employer, GxP Lifeline, its editor or MasterControl, Inc.

In 2011, the European Union (EU) revised its guidance for the life cycle of computerized systems to reflect the increased use and complexity of automated systems in the pharmaceutical industry. The guidance, called Annex 11, also was revised in response to an alarming number of problems detected in computerized systems.

In plain English, Annex 11 wants to ensure the computerized systems you use to manufacture medicinal products have no adverse impact on product quality, product efficacy, or patient safety. In addition, when a computerized system replaces a manual operation, Annex 11 wants to ensure there are no increased risks.

Scope of Annex 11

Annex 11 is one of several guidance documents that supplement the EU's GMP rules (EUDRALEX Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice). It applies to all human and veterinary medicinal products made or sold in the EU.

Here's how the EU summarizes the overall purpose of Annex 11 (boldface added for emphasis):

"...the introduction of computerized systems into systems of manufacturing—including storage, distribution and quality control—does not alter the need to observe the relevant principles given elsewhere in the [GMP] Guide. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality or quality assurance."

In plain English, Annex 11 wants to ensure the computerized systems you use to manufacture medicinal products have no adverse impact on product quality, product efficacy, or patient safety. In addition, when a computerized system replaces a manual operation, Annex 11 wants to ensure there are no increased risks.

Specifically, Annex 11 says computerized systems involved in GMP-regulated activities should be validated. Such activities include, but aren't limited to:

  • Material supply
  • Production
  • Process controls
  • Laboratory testing
  • Product release, storage and distribution
  • Clinical trials
  • Quality systems
  • Records and documentation

Annex 11 Compared to Part 11

If all this sounds similar to the requirements of the FDA's 21 CFR Part 11 rules for electronic records and electronic signatures, it should. Both documents share the mutual goal of safe, validated computer systems for drug manufacturing and—in the case of the FDA—medical device manufacturing as well.

However, the two documents approach this goal differently. Annex 11 is "how to" in tone while Part 11 is "thou shalt". Part 11 is a U.S. government regulation that establishes fully enforceable requirements under federal law. It emphasizes identity verification, accountability of actions by authorized individuals, and the reporting of obligations.

In contrast, Annex 11 is not a legal requirement but a guideline, though a strongly recommended one. It provides a more practical approach and goes well beyond Part 11 in setting heightened expectations in three key areas:

  1. Supplier and service provider audits
  2. IT infrastructure qualification
  3. Risk management

This last item especially has attracted the attention and concern of the regulated community. Annex 11 says your compliance activities start—and to a large extent, continually encompass—risk assessment. The guidance takes a risk-based approach to determine which of your systems are the most critical, then recommends a systems-based approach to periodic evaluation of those risks.

In comparison, Part 11 doesn't require risk management (and risk assessment isn't even included in FDA's pharmaceutical GMPs), although risk is addressed in FDA's overall guidance for computerized systems. Part 11 differentiates security risks for open vs. closed systems, requiring extra security measures for open systems, but makes no reference to overall system risk or criticality.

Impact of Annex 11 on Medical Device Companies

Strictly speaking, Annex 11 applies only to medicinal products and not to medical devices. However, forward-thinking device companies may want to align their activities with the guidance. Now that the Global Harmonization Task Force is being dissolved, the EU will take a more centralized approach and eventually apply its guidance more broadly to all regulated areas. Annex 11 represents the clearest thinking yet from the EU on the use of electronic record keeping and electronic signatures in a regulated environment. Complying now with Annex 11 will help medical device manufacturers go a long way toward meeting future European medical device expectations (especially from a Notified Body auditor's viewpoint).

Role of Annex 11 in Inspection Readiness

GMP site inspections by EU member states or FDA routinely include an assessment of the computerized systems used for GMP regulated activities. With Annex 11 now in effect, look for even more scrutiny.

Most inspectors will consider computerized systems equally as important as other critical equipment and processes such as filling machines and laboratory test methods.

Using Annex 11 and Part 11 as frameworks, questions and information requests from inspectors may cover computerized system development, procurement, life cycle and validation activities, suppliers, security, control of data and records, and management policies and responsibilities, to name just a few. In addition, inspectors are likely to review your computer system inventory and examine the risk assessments you've done to 1) identify critical systems and 2) prioritize the extent and sequence of validation activities. Be prepared to justify your risk assessment decisions to the inspector.

Each of your sites should have company experts and easily-accessible information to answer those kinds of questions about your computerized systems. In addition, each site should have a plan and checklist to ensure it has properly addressed regulatory requirements. Examples of such checklists can be found in the PIC/S guidance document "Good Practices for Computerised Systems in a Regulated GXP Environment".

Side-by-Side Comparison Available

With the regulatory expectations clearly established in Annex 11 and Part 11, companies that fail to show adequate control of their computerized systems are now subject to the same sanctions they face for any other significant GMP deficiency. But companies can't say they haven't been given a roadmap. Together, these two documents form a relatively thorough and usable guide to lead your company to world-wide compliance.

If you would like more details on how Part 11 compares with Annex 11, email EduQuest ( for a free side-by-side visual comparison.

Martin Browning is the President and Co-Founder of EduQuest, a global team of FDA compliance experts based near Washington, D.C. He spent 22 years with the FDA as a local, national and international expert investigator and then served as special assistant to the Associate Commissioner for Regulatory Affairs. He also was vice chair of the agency's Electronic Records and Signatures Working Group, which drafted the 21 CFR Part 11 regulations. Martin served as the chair of the U.S. government's ISO 9000 committee; on the Global Harmonization Task Force, and on the committee that developed the Good Manufacturing Practice regulations for medical devices, otherwise known as the Quality System Regulation (QSR). He is the program chairman for many of EduQuest's popular training courses, including "FDA Auditing of Computerized Systems and Part 11/Annex 11", next scheduled March 26-28, 2012, near Rockville, Maryland, and available for on-site, on-demand delivery at client sites. Details are available at