Annex 11 and Computerized Systems

Some time ago, I talked to you in an article about Annex 1.

Another document that is extremely important for any GMP activity is Annex 11. Annex 11 deals with computerized systems such as environmental monitoring systems (AKA EMS).

Enough chit-chat, I’ll leave it to Lucas who will tell you a little more about this Annex 11 when he finishes his coffee.

What is the Annex 11?

Annex 11 is a document, which like Annex 1, is part of the Good Manufacturing Practice guidelines, which are issued and published by the European Commission.

In short, when a computerized system replaces a manual operation, it should not result in a decrease in product quality, process control or quality assurance.

The equivalent of Annex 11 on the US side?

Annex 11 is often compared to the FDA’s 21 CFR Part 11, but be aware that Annex 11 is much broader in scope than the American Part 11.

Annex 11 is about more than just electronic records, it takes into account the entire life cycle of the computerized system.

It focuses on risk assessment as a tool to ensure product safety and effectiveness.

Annex 11 – What are the objectives?

As you can imagine, when a computer system (our Mirrhia software, for example) replaces manual activities, this system can in no way cause a loss of quality or risk. If you’ve ever heard of data integrity… Well, we’re in the middle of it.

It defines the criteria by which electronic records and electronic signatures can be considered equivalent to paper documents.

The Annex 11 & Electronic Signature

In concrete terms, the electronic signature makes it possible to identify the author of an electronic document with certainty, to guarantee the integrity of the document’s content and to ensure that the author cannot deny having signed the document. These safeguards are essential to ensure the safety and quality of manufactured pharmaceutical products.

To comply with EU Annex 11, the electronic signature must be performed using a valid electronic certificate and a secure means of authentication (Like a password).

Mirrhia Labs and Mirrhia Facility allow you to manage the electronic signature.

For some tasks/changes, electronic signature is requested.

That is, Mirrhia asks for identification when performing the action even though the user is already logged into the system.

This signature replaces the handwritten signature of a person and allows to authenticate the author of a document or an action in an accurate way and to guarantee the non-repudiation.

The electronic signature present in Mirrhia Labs and Mirrhia Facility software respects the 5 fundamental rules for a reliable electronic signature:

• The author is easily identifiable
• The signatory cannot dispute the signature
• The signer cannot impersonate another person
• The signature cannot be used on another document

Once signed, the document cannot be modified and is automatically archived.

The Annex 11 & Electronic Records

Electronic records are important elements in the implementation of Good Manufacturing Practices (GMP) for pharmaceutical products. EU Annex 11 sets out the requirements for the management of electronic records in the context of pharmaceutical manufacturing.

The ALCOA + principle

The ALOCA+ principle is there to ensure the quality and reliability of these electronic records.

ALCOA is a concept that first appeared in an FDA document. This acronym came straight out of the brain of Stan Woollen of the FDA and lists principles concerning the collection and management of data. In fact, ALCOA was born to answer a crucial problem of voluntary or involuntary negligence or bad habits that can cause the alteration of data or even its loss.

And what does ALCOA mean? Well, we say that the data must be Attributable to someone (hence the electronic signature described in the point just above), Readable (traceable and permanent), Contemporaneous (issued at a specific time and date), Original (without subsequent modification) and Accurate. ALCOA+ also specifies that the data must be Complete, Concordant, Durable and Available on a secure server.

As you can see, ensuring data integrity in drug production activities is a major issue. Following the ALACO principles helps manufacturers to comply with current standards.

Mirrhia has designed all of its solutions to strictly adhere to the Annex 11 guidelines.

With regard to electronic records, let’s see point by point, concretely, how Mirrhia applies these rules.

Attributable

Each user who uses one of our solutions has a password-protected account.

This user has a specific role, this role defines what actions the user can perform on the system.

The administrator can restrict or increase the possible actions of each user.

All actions performed on the system are recorded in an audit trail.

In this audit, the following information can be found:

Which actions have been performed

• On which factor
• By which user
• For what reason the action was performed
• When the action was performed (date and time)
• Value before and after the modification

As you can see, each modification can be attributed to a person.

Legible 

The recorded data and alarms can be consulted in real time or later.

Our solutions allow to extract a series of reports in several types of formats.

We provide the ability to generate reports on every data entered in the system as well as every modification made on the system.

Mirrhia even allows you to automatically extract the EBR (Eletronic Batch Record) related to the environmental data for a given batch.

Contemporaneous

Time stamping (the fact that an event is associated with a date and time) is fully integrated into our solutions.

Whether in our reports or in audits, each event will always be accompanied by the date and time it occurred.

To do so, each data and event is automatically recorded at the time of the action with a precise time stamp.

Original

Mirrhia certifies that the data recorded in its solutions are from the first recording.

In accordance with Annex 11, all data entered in the system cannot be deleted or modified in any way.

Accurate

Mirrhia formally assures that all data entered into the system is accurate and processed correctly.

In accordance with Annex 11 and data integrity, no data can be modified or deleted.

In order to keep a totally accurate measurement, a calibration adjustment system is available in our Mirrhia Labs and Mirrhia Facility solutions. This adjustment is based on a certificate established according to the current standards.

Who does Annex 11 apply to?

Annex 11 applies to pharmaceutical companies and drug manufacturers operating in the European Union. It also applies to companies that import medicines into the EU. Companies must comply with it in order to market their products in the European Union.

Understanding how Annex 11 is organized

Annex 11 is composed of 3 major phases that are divided into 17 separate controls, these three phases are :

• General
• The Project phase
• The operational phase

We will go through these three phases describing the directives that make them up.

The general phase

The first three controls form the “general” part, they are considered a prelude to guide compliance with Annex 11.

The three guidelines in question:

• Risk Management : Risk management must be applied throughout the life cycle of the IT system.It takes into account patient safety, data integrity, and product quality.
• Close cooperation between all personnel involved. All personnel must be appropriately qualified and their levels of access and responsibilities must be clearly defined
• Management of suppliers and service providers.The competence and reliability of a supplier are essential factors to be taken into account when selecting a product

The project phase

After the general phase comes the project phase also known as “Validation” phase. In Annex 11, validation is considered as a continuous activity.

That is, it takes place throughout the life cycle of a system, from implementation to retirement, including change control as updates are made to the system.

Annex 11 states that the manufacturer must be able to justify their standards, protocols, acceptance criteria, procedures and records, based on their risk assessment.

The operational phase

After laying the groundwork for compliance of computerized systems with validation, Annex 11 moves on to the operational phase which is detailed by 13 controls.

The first two controls focus on the data entering the system:

• Built-in Controls: When data is exchanged with other systems, built-in controls are required to ensure data accuracy and secure transfer
• An accuracy check: When data is entered manually, an additional check is required to verify the accuracy of the data.This additional check can be done by a second operator or by validated electronic means.

The most sensitive point in Annex 11: Data Integrity

Three controls focus on data access and protections that ensure data integrity.

• Data storage: It is necessary that the data be protected from damage, while remaining accessible, readable and accurate throughout the retention period.It is recommended to make regular backups of relevant data, and the integrity and accuracy of the backed up data must be verified during the validation phase.
• Printouts: It must be possible to obtain clear printouts of electronically stored data.For data required for batch release, it must be possible to generate printouts indicating whether any of the data has changed since it was originally entered.
• Traceability of changes: Based on a risk analysis, all changes to data/systems must be documented. The audit trail must be available, convertible into an understandable format and reviewed at regular intervals

System security

System security is also a central point addressed in Annex 11 :

In short, physical and/or logical means must be put in place to restrict access to computerized systems to authorized personnel only.Various appropriate methods can be implemented such as the use of keys, badges, personal codes associated with passwords, biometrics etc…

In short, the extent of security controls depends on the criticality of the computerized system.The modification, cancellation and creation of access authorizations must be recorded.

Annex 11 & Quality Management Control.

In this section are the controls that ensure that a system has known support for continued operation in a validated and controlled state.

• Change and configuration control: any change to a computerized system, including configuration changes, can only be made in a controlled manner and in accordance with a defined procedure.
• Periodic evaluation: Computerized systems must be periodically evaluated to ensure that they remain in a validated and GMP compliant state. Annex 11 states that these evaluations must include the current range of functionality, records of deviations, incidents, historical problems of updates, and performance, reliability, security and validation reports.
• Incident management: All incidents, not just those related to system failures and data errors, must be reportable and assessable.The origin of a critical incident must be identified in order to form the basis for corrective and preventive actions.
• Operational continuity: Arrangements must be made to ensure that critical processes continue to function properly even in the event of a breakdown.These alternative arrangements must be properly documented and tested.

An international consensus is approaching

So we talked above about Annex 11 and 21 CFR part 11.

You should know that the Japanese authorities have also published a guide (Guideline on Management of Computerized Systems for Marketing Authorization). China has done the same with a version quite similar to our European version (China FDA GMP Annex – Computerised systems).

It should be noted that there is a will to harmonize all this.

Let’s talk for a moment about the PIC/S (Pharmaceutical Inspection Co-operation Scheme) which is an international organization bringing together pharmaceutical regulatory authorities from all over the world to harmonize inspection and regulatory standards in the pharmaceutical industry. PIC/S members cooperate to establish high standards of drug quality, safety and efficacy, and to promote the consistent application of these standards among regulatory authorities. PIC/S activities include standards development, inspector training, information exchange and technical cooperation among members.

Another example is GAMP 5 (Good Automated Manufacturing Practice), which is a set of international (non-regulatory) guidelines for the validation of computerized systems used in the pharmaceutical and life sciences industry. It provides a framework for quality assurance and risk management of automated systems used in pharmaceutical manufacturing. GAMP 5 is published by the International Society for Pharmaceutical Engineering (ISPE) and incorporates all the requirements of PIC/S.

If you want to to know more about the Annex 1, Read our article on the new version of the Annex 1. And if you are curious, I also invite you to read Annex 1 for Dummies, if you want to have a first overview of what this document is and why it exists.

Want talk about it with our team?

If you want to chat with us about our Mirrhia solutions, Contact Us and we will be happy to discuss about your projects.

A Minute With Marie

Want to see the series “A Minute with Marie” on Annex 11?