Annex 11 in Europe and 21 CFR part 11 in the US, those regulationsfor computerized systems such as EMS (Environmental Monitoring System).
Some time ago, I talked to you in an article about Annex 1.
Another document that is extremely important for any GMP activity is Annex 11. Annex 11 deals with computerized systems such as environmental monitoring systems (AKA EMS).
Enough chit-chat, I'll leave it to Lucas, our intern, who will tell you a little more about this Annex 11 when he finishes his coffee.
Annex 11 is a document, which like Annex 1, is part of the Good Manufacturing Practice guidelines, which are issued and published by the European Commission.
In short, when a computerized system replaces a manual operation, it should not result in a decrease in product quality, process control or quality assurance.
Annex 11 is often compared to the FDA's 21 CFR Part 11, but be aware that Annex 11 is much broader in scope than the American Part 11.
Annex 11 is about more than just electronic records, it takes into account the entire life cycle of the computerized system.
It focuses on risk assessment as a tool to ensure product safety and effectiveness.
As you can imagine, when a computer system (our Mirrhia software, for example) replaces manual activities, this system can in no way cause a loss of quality or risk. If you've ever heard of data integrity... Well, we're in the middle of it.
It defines the criteria by which electronic records and electronic signatures can be considered equivalent to paper documents.
In concrete terms, the electronic signature makes it possible to identify the author of an electronic document with certainty, to guarantee the integrity of the document's content and to ensure that the author cannot deny having signed the document. These safeguards are essential to ensure the safety and quality of manufactured pharmaceutical products.
To comply with EU Annex 11, the electronic signature must be performed using a valid electronic certificate and a secure means of authentication (Like a password).
Mirrhia Labs and Mirrhia Facility allow you to manage the electronic signature.
For some tasks/changes, electronic signature is requested.
That is, Mirrhia asks for identification when performing the action even though the user is already logged into the system.
This signature replaces the handwritten signature of a person and allows to authenticate the author of a document or an action in an accurate way and to guarantee the non-repudiation.
The electronic signature present in Mirrhia Labs and Mirrhia Facility software respects the 5 fundamental rules for a reliable electronic signature:
Once signed, the document cannot be modified and is automatically archived.
Electronic records are important elements in the implementation of Good Manufacturing Practices (GMP) for pharmaceutical products. EU Annex 11 sets out the requirements for the management of electronic records in the context of pharmaceutical manufacturing.
The ALOCA+ principle is there to ensure the quality and reliability of these electronic records.
ALCOA is a concept that first appeared in an FDA document. This acronym came straight out of the brain of Stan Woollen of the FDA and lists principles concerning the collection and management of data. In fact, ALCOA was born to answer a crucial problem of voluntary or involuntary negligence or bad habits that can cause the alteration of data or even its loss.
And what does ALCOA mean? Well, we say that the data must be Attributable to someone (hence the electronic signature described in the point just above), Readable (traceable and permanent), Contemporaneous (issued at a specific time and date), Original (without subsequent modification) and Accurate. ALCOA+ also specifies that the data must be Complete, Concordant, Durable and Available on a secure server.
As you can see, ensuring data integrity in drug production activities is a major issue. Following the ALACO principles helps manufacturers to comply with current standards.
Mirrhia has designed all of its solutions to strictly adhere to the Annex 11 guidelines.
With regard to electronic records, let's see point by point, concretely, how Mirrhia applies these rules.
Each user who uses one of our solutions has a password-protected account.
This user has a specific role, this role defines what actions the user can perform on the system.
The administrator can restrict or increase the possible actions of each user.
All actions performed on the system are recorded in an audit trail.
In this audit, the following information can be found:
Which actions have been performed
As you can see, each modification can be attributed to a person.
The recorded data and alarms can be consulted in real time or later.
Our solutions allow to extract a series of reports in several types of formats.
We provide the ability to generate reports on every data entered in the system as well as every modification made on the system.
Mirrhia even allows you to automatically extract the EBR (Eletronic Batch Record) related to the environmental data for a given batch.
Time stamping (the fact that an event is associated with a date and time) is fully integrated into our solutions.
Whether in our reports or in audits, each event will always be accompanied by the date and time it occurred.
To do so, each data and event is automatically recorded at the time of the action with a precise time stamp.
Mirrhia certifies that the data recorded in its solutions are from the first recording.
In accordance with Annex 11, all data entered in the system cannot be deleted or modified in any way.
Mirrhia formally assures that all data entered into the system is accurate and processed correctly.
In accordance with Annex 11 and data integrity, no data can be modified or deleted.
In order to keep a totally accurate measurement, a calibration adjustment system is available in our Mirrhia Labs and Mirrhia Facility solutions. This adjustment is based on a certificate established according to the current standards.
Annex 11 applies to pharmaceutical companies and drug manufacturers operating in the European Union. It also applies to companies that import medicines into the EU. Companies must comply with it in order to market their products in the European Union.
Annex 11 is composed of 3 major phases that are divided into 17 separate controls, these three phases are :
We will go through these three phases describing the directives that make them up.
The first three controls form the "general" part, they are considered a prelude to guide compliance with Annex 11.
The three guidelines in question:
After the general phase comes the project phase also known as "Validation" phase. In Annex 11, validation is considered as a continuous activity.
That is, it takes place throughout the life cycle of a system, from implementation to retirement, including change control as updates are made to the system.
Annex 11 states that the manufacturer must be able to justify their standards, protocols, acceptance criteria, procedures and records, based on their risk assessment.
After laying the groundwork for compliance of computerized systems with validation, Annex 11 moves on to the operational phase which is detailed by 13 controls.
The first two controls focus on the data entering the system:
An accuracy check: When data is entered manually, an additional check is required to verify the accuracy of the data.This additional check can be done by a second operator or by validated electronic means.
Three controls focus on data access and protections that ensure data integrity.
Data storage: It is necessary that the data be protected from damage, while remaining accessible, readable and accurate throughout the retention period.It is recommended to make regular backups of relevant data, and the integrity and accuracy of the backed up data must be verified during the validation phase.
Printouts: It must be possible to obtain clear printouts of electronically stored data.For data required for batch release, it must be possible to generate printouts indicating whether any of the data has changed since it was originally entered.
System security is also a central point addressed in Annex 11 :
In short, physical and/or logical means must be put in place to restrict access to computerized systems to authorized personnel only.Various appropriate methods can be implemented such as the use of keys, badges, personal codes associated with passwords, biometrics etc...
In short, the extent of security controls depends on the criticality of the computerized system.The modification, cancellation and creation of access authorizations must be recorded.
In this section are the controls that ensure that a system has known support for continued operation in a validated and controlled state.
So we talked above about Annex 11 and 21 CFR part 11.
You should know that the Japanese authorities have also published a guide (Guideline on Management of Computerized Systems for Marketing Authorization). China has done the same with a version quite similar to our European version (China FDA GMP Annex - Computerised systems).
It should be noted that there is a will to harmonize all this.
Let's talk for a moment about the PIC/S (Pharmaceutical Inspection Co-operation Scheme) which is an international organization bringing together pharmaceutical regulatory authorities from all over the world to harmonize inspection and regulatory standards in the pharmaceutical industry. PIC/S members cooperate to establish high standards of drug quality, safety and efficacy, and to promote the consistent application of these standards among regulatory authorities. PIC/S activities include standards development, inspector training, information exchange and technical cooperation among members.
Another example is GAMP 5 (Good Automated Manufacturing Practice), which is a set of international (non-regulatory) guidelines for the validation of computerized systems used in the pharmaceutical and life sciences industry. It provides a framework for quality assurance and risk management of automated systems used in pharmaceutical manufacturing. GAMP 5 is published by the International Society for Pharmaceutical Engineering (ISPE) and incorporates all the requirements of PIC/S.
If you want to to know more about the Annex 1, read our article on the new version of the Annex 1. And if you are curious, I also invite you to read Annex 1 for Dummies, if you want to have a first overview of what this document is and why it exists.
If you want to chat with us about our Mirrhia solutions, contact us and we will be happy to discuss about your projects.