Is GMP Annex 11 Europe's Answer to 21 CFR 11?

January 2011 saw the publication of the new revision of European Union (EU) GMP Annex 11 on computerized systems and Chapter 4 on documentation. What will the impact be of these two revised regulations on computerized spectrometry systems operating in regulated GMP laboratories?

Regulations and guidance for the pharmaceutical industry have been changing at an increasing rate over the past 10 years. The latest of these was from the European Medicines Agency (EMA) in January 2011 and was the long awaited revision of Annex 11 on computerized systems together with consequential changes in Chapter 4 on documentation (1,2). These two updates become effective on June 30, 2011. This column looks at the major changes in the two revisions and explores their impact on any regulated GMP laboratory that has to comply with these regulations. This will be a selective look and readers are encouraged to look at the EMA web site to read the documents in their entirety (3). The question posed by the title addresses whether or not Annex 11 is Europe's answer to 21 CFR 11 on electronic records and electronic signatures (4). We will explore this question as we analyze the new regulations.

Background

At first glance EU GMP (5) is structured very differently from the United States GMP for pharmaceuticals: European GMP is split into three parts plus 20 annexes. Part 1 is concerned with finished pharmaceutical products and Part 2 with active pharmaceutical ingredients (this is ICH Q7 (6) adapted into European law). Part 3 deals with the site master file (SMF). The annexes are regulations on specific topics applicable to both Parts 1 and 2 with Annex 11 focussed on computerized systems.

Annex 11 has been part of EU regulations since 1992 and has remained unchanged until now. Since it was published there have been many technology changes but also organizational changes such as outsourcing and software as a service (SaaS). In 2008, a proposed draft of Annex 11 was published for industry comment and over 1400 replies were received by the EMA. In January's version, many of the more wacky proposals in the 2008 draft have been removed or toned down, however the new version is an expansion of the current regulation and there are new requirements that laboratories must consider when working under these regulations or exporting medicines to Europe.

EU GMP Annex 11: Major Changes

I will give an overview of the changes that will be effective to the end of June 2011 in this section. Owing to space availability this will not be a comprehensive discussion of all changes so please read the whole document yourself (1). The various sections and topics of Annex 11 are presented in Table I.

Table I: The structure and content of the revised EU GMP Annex 11

Increased Scope of Annex 11

The first section to discuss is the principle that covers the scope and application of the new regulation. The key elements of the principle are as follows:

• Annex 11 applies to all forms of computerized systems used as part of GMP regulated activities. This is a wide scope statement and includes all laboratory computerized systems plus the spreadsheets and databases developed in your laboratories, as well as statistical analysis software programs.

• The application should be validated; IT infrastructure should be qualified.

This is the major item: the 10 words that mean so much — validate applications and qualify infrastructure. Validate applications — OK, this has been a given for the last 25 years although we tend to consider systems which include infrastructure in them. However, for the first time in any regulation there is a specific and explicit requirement for IT infrastructure qualification. Many regulated organizations do qualify infrastructure but there is now a regulatory requirement to do so; however, for the companies that have not done so this becomes a major retrospective qualification exercise.

• When a computerized system replaces a manual process there should be no resultant decrease in product quality, process control, or quality assurance. In a carryover from the current version of Annex 11 with the additional requirement of process control systems, which may be relevant when a spectrometer is used in a process analytical technology (PAT) project. In essence, it requires that as a minimum the quality of a computerized system should be as good as the manual system it replaces. In reality, the computerized system should be much better as the human factor (that is, the liveware that makes most of the mistakes), is usually taken out of the process.

Risk Management Throughout the Life Cycle

Annex 11 has always had risk management but it was buried in the section on validation of systems: "the amount of validation work required was dependent on the nature of the software and if novel elements (i.e., custom software) were incorporated." Now we have a new section requiring risk management to be applied throughout the life cycle of a computerized system to ensure patient safety, data integrity, and product quality. The work done should be based on a "justified and documented risk assessment." Hmm, I wonder where this wording came from? That's right, the Europeans have stolen the phrase from the FDA's Part 11 scope and application guidance (7)! The good side of this is that we are getting harmonization of regulations, which can only be a positive thing. There is a further and specific mention of risk management under the new section on change control and configuration management.

New Roles and Responsibilities

In section 2 on personnel there still remains the requirement for close cooperation between all involved with the system, including IT from the original version of the regulation. However, we have two new roles mentioned in the text and defined in the glossary:

• Process owner: the person responsible for the business process. The individual in this case would typically be a senior manager as a business process may impact more than one department.

• System owner: the person responsible for the availability and maintenance of a computerized system and the security of the data residing on that system (such as a senior spectroscopist or laboratory manager). Typically this is the person who goes to jail if the system validation is wrong or had not been done.

Suppliers and Service Providers

This area is a major expansion of Annex 11 that moves from a single sentence into four clauses in an attempt to catch up with technology and organizational changes that have occurred since the original version was issued. When third parties are used to carry out any work (supply of product or service) on a computerized system there needs to be a formal agreement (contract or service level agreement). Clause 3.1 notes that there should be "clear statements of the responsibilities of the third party." Then there is a short sentence stating, "IT departments should be considered analogous," which means that even if an organization's own IT department is used to support a validated computerized system, there needs to be a contract or service level agreement (SLA) in place with the regulated laboratory. There is also the requirement for audits of a service supplier, the decision for each audit should be based on a risk assessment, which, of course, will be documented and approved. The issue of cloud computing, if used by a regulated laboratory, may be partially addressed through service contracts but how will the requirement for IT infrastructure to be qualified be met? An interesting issue that may prevent take up by conservative pharmaceutical companies.

When an audit of a supplier or service provider is performed, the new regulation requires that the "quality system and audit information" is available to inspectors on request. This is a major departure from current practices, typically an audit report is seen as an internal quality assurance document by many companies and only the evidence that an audit took place will be a certificate given to an inspector. However, currently there is major regulatory concern with the quality of the whole pharmaceutical supply chain which includes software and services. The European regulators are taking a hard line and want to read the supplier and service provider audit reports to satisfy themselves that the service of product for critical operations has the quality built into it.

Gazing at my crystal ball, I think that an implicit requirement in this new regulation will be the emergence of vendor management (8), where pharmaceutical companies will monitor suppliers to ensure that corrective actions following audits of quality management systems, products, and services have been implemented effectively. For supplier and service providers where lip service is paid to quality it will also mean an increased number of audits by the same customer to ensure corrective actions have been completed (for example, follow-up audits over perhaps a number of years). For further information about managing the risks associated with the software supply chain, I would suggest reading a report, published in December 2010, from the Software Engineering Institute (SEI) at Carnegie Mellon University (9). Some of the main conclusions of this report are

• Product development is completed in advance of an acquirer's product and supplier assessment.

• There is no guarantee that current supplier development practices were used for a specific product.

• For custom system acquisitions, acquirers can and should actively monitor both contractor and product supply chain risks during development.

• This report suggests contractor and acquirer activities that support the management of software supply chain risks.

Finally in this section, any documentation supplied for commercial off the shelf products needs to be reviewed to see that user requirements are fulfilled (this is not the user manuals by the way). I suggest you read an earlier "Focus on Quality" column about my views on material supplied by vendors in this area (10) as it can often be quicker to write your own user requirements.

Validation

The validation section has been expanded from one to eight clauses in the new version. The key changes are that a life cycle should be used to validate a system and that manufacturers should be able to justify their approaches based on risk assessment. The Annex 11 update does not mandate any validation approach, but whichever one is selected for a specific system it needs to be justified and documented to withstand regulatory scrutiny. Some administrative requirements for validation are an inventory for computerized systems although this would have been useful to link with the validation master plan (11) in Annex 15 (12) and/or the earlier PIC/S source document (13). For critical systems there needs to be a current system description. In effect, the new requirement for an inventory formalizes what is usually required for an inspection and the system description is limited now to critical, rather than all systems as required by the old version of the regulation.

For each computerized system validation there needs to be a user requirement specification to describe the required functions of the system based on risk assessment and GMP impact. Furthermore, there is now the need for requirements traceability throughout the life cycle, again the first time in a regulation that a traceability matrix (14,15) is required. The test methods and scenarios need to be documented and applies and testing should include the overall process with consideration of data limits, parameter limits, and error handling. The latter is particularly important to know before a system becomes operational than when discussing this with an inspector. Annex 11 also allows the use of automated test tools and test environments providing that they have documented assessments for their adequacy for the task. Before you all rush off and spend money on automated test tools bear in mind an assessment by Frewster and Graham (16) that you need to be able to operate a test tool between eight and 11 times before you break even on your investment. There will be very few laboratory systems that will require automated testing.

Controls for Ensuring Data Integrity

Sections 5, 6, 8, 9, and 12 cover the main elements of data integrity (data, accuracy, audit trails, and security) in the new Annex 11. In summary, these sections are looking for checks for correct and secure entry (both manually entered and automatically captured data) and the subsequent data processing to minimize the risks of a wrong decision based on wrong results. The identities and access privileges of authorized individuals carrying out work needs to be maintained for each validated system. Further controls are required to secure data by both physical and electronic means against damage and that stored data need to be checked for accessibility, readability, and accuracy and this applies to both paper and electronic records.

Audit trails are not mandatory for all computerized systems but their implementation should be based on a documented risk assessment. Personally, I think that if you are working electronically, then an audit trail is essential for ensuring data integrity. Mirroring some of the recent FDA warning letters, the new Annex 11 requires audit trails to be "available and convertible to a generally intelligible form and be regularly reviewed." The problem is that many audit trails implemented for commercial laboratory systems are simply depositories of unintelligible rubbish; moreover, how will a vendor implement a function in their system to meet the requirements that an audit trail has been reviewed? In addition, the audit trail needs to include the date and time stamps of record entries, changes, and deletions that brings the EU regulation close to the US Part 11 requirements on the same subject.

Printouts both of electronically stored data and any records used to support batch release need to be available. There is also a further and specific requirement for any print out supporting batch release to indicate if any data has been changed since the original entry, so that the qualified person (under EU GMP a batch can only be released by a suitably trained individual called a qualified person or QP) can check what changes have occurred. However, most vendors will point to the audit trail search function as the means to fulfill this requirement (17). This is inadequate. What is required is that when the result is printed out, there is an annotation or equivalent to indicate if the result has been changed or not. Chromatography data systems have this for baseline fits: unchanged baseline fits are in capital letters and manually changed ones are in lower case.

In addition, there are requirements for data migration (section 4.8) and archiving (section 17) to ensure that electronic records acquired in one version of software can be read in a new version as well as allowing data to be archived. In the latter case, however, the data should be assessed for "accessibility, readability, and integrity" especially after changes made to the backup software or system.

Electronic Signatures

The new version of Annex 11 also sees the formalization of electronic signatures in EU GMP. Many laboratories have implemented electronic signatures based on 21 CFR 11 (4), but Annex 11 does not appear as stringent or as overly bureaucratic as the US regulation. The European requirements for electronic signatures simply state that electronic signatures are to have the same impact as hand written signatures within the boundaries of the company, be permanently linked to the respective record, and include the time and date that a signature was applied. There is not the heavy bureaucracy and formality of 21 CFR 11 to send letters to the FDA, nor is there the need to have training in nonrepudiation of an electronic signature or description of the three different types of signature. However, many of the same requirements are implicit as the European legislation simply states that electronic signatures have the same impact as handwritten signatures and hence all of the nonrepudiation requirements apply immediately. The advantage of the European legislation is that practicing inspectors have drafted the regulation rather than lawyers. Perhaps if the FDA ever gets around to reissuing Part 11, could it look and read like Annex 11? Now that is an interesting thought.

IT Support of Validated Computer Systems

The current Annex 11 IT requirements of backup, security, incident management, and business continuity has been carried over to the new version and expanded. Backups (section 7.2) need to be performed regularly but the new version has expanded requirements for checks for the integrity and accuracy of backup data (which, of course, will be documented) and the ability to restore data that is checked during a system validation and also periodically thereafter (you guessed it — which is also documented). This is intended to ensure that backup media can still be read throughout the record retention period. The security section also includes the network as well as individual applications so the extent of controls depends on the criticality of the application, but also if you are accessing it from inside or outside an organization.

Incident management has changed from a simple statement of "any failures and remedial action should be recorded" to "all incidents, not only system failures and data errors, should be reported and assessed." So the scope has been widened greatly. However, the new version goes further, "The root cause of a critical incident should be identified and should form the basis of corrective and preventative actions." So implied within this process should be a means to assess and classify errors and then for the critical ones only undertake a root cause analysis and then formulate both corrective and preventative action plans. It is this portion of the new regulation that will impact many incident management processes and have the IT department scrabbling to understand root cause analysis.

Again, business continuity was covered in clauses 15 and 16 in the old regulation which have been consolidated into clause 16 in the new version. Requirements include having plans available to ensure continuity of support for critical processes as well as knowing the time required to bring alternatives into operation based on risk assessments. However, the new regulation specifically requires that these arrangements need to be documented and tested adequately before use. There is no use having a business continuity plan that fails as the last set of backup tapes are corrupted and that your alternative computer site is not available when you need it or perhaps the plan was written and has not been updated to account for the latest technology.

Maintaining Validation

A brand new Annex 11 requirement comes in the shape of a formal periodic evaluation, otherwise known as a periodic review, to ensure that computerized systems remain in a validated state. This formalizes what a number of companies already do and should cover the last full validation, any changes made since then versus current functionality, deviations and incidents, procedures and training, upgrades, and security that will be documented in a report. A future "Focus on Quality" column will discuss a periodic review in more detail.

Change control has been an original part of Annex 11, and it remains in the new version with an extension that includes configuration management. Controlling changes is the most important part of maintaining the validation status of a computerized system and a procedure needs to be defined and earlier under the validation section should involve risk assessment (clause 1) and be documented (clause 4.2). The problem with clause 10 is that it mentions configuration management but this is not defined in the glossary nor mentioned in the text. Another fine (regulatory) mess! What is required? We do not know if configuration management is meant in the context of management of modules of software code, components of the computerized system (configuration items), or both.

What Has Been Omitted in the New Annex 11?

There are two major items from the current version that have not been carried through into the new version of Annex 11:

• Retrospective validation: the old version had the ability for a company to validate a computerized system retrospectively. This is omitted from the new version. What is the reason for this? Remember in 1992 computerized system validation was relatively new and many operational systems would not have been formally validated, therefore this was an opportunity to get an existing system under control. However, as Annex 11 has been effective for nearly 20 years and you have not yet validated your computerized systems, what hope is there for you?

• Running a manual process and a new computerized system in parallel was part of an overall validation under the old version of Annex 11, it has been dropped from the new version of the regulation. This is a good move as virtually nobody bothered to do this as it is a waste of resources and effort which should be focused on validating the new system. Moreover, if there was a difference between the two ways of working which one was correct?

Therefore, there have been some changes in the new version of Annex 11 the omission of parallel testing is good and reflects current validation practice. Omitting the ability to validate systems retrospectively may catch slow companies or start-up companies moving from R&D into manufacturing for the first time.

Is GMP Annex 11 Europe's Answer to 21 CFR 11?

So back to the title of this column: Reading through the requirements there are some similarities with data integrity controls and the ability to use electronic signatures. However, the answer to the question is no — because there is no mention of electronic records in Annex 11 only controls for validation and control of computerized systems, data integrity, migration of data, and archiving. So why, you may ask, did I pose the question? If you remember at the start we are also going to discuss the impact of Chapter 4 on documentation and we come closer to answering the title question as yes.

EU GMP Chapter 4: Major Changes

The new version of Chapter 4 on Documentation (2) of the EU Guideline to GMP also was published at the same time as Annex 11 and also will become effective on June 30, 2011. The clue to its impact comes in the reason for change of the sections on generation and control of documentation and retention of documents sections "in light of the increasing use of electronic documents within the GMP environment." Furthermore, in the principle section, it states that "Documentation may exist in a variety of forms, including paper based, electronic or photographic media." This is close to the definition of electronic record in 21 CFR 11 (4), except in Europe for electronic record read documentation.

Principle: Define Raw Data

The European regulators have defined the expected GMP document types in far more detail, as shown in Table II, than their U.S. counterparts, thus making it far easier to understand and implement required GMP documentation in practice.

Table II: Types of required EU GMP documents

Of particular interest in our discussion are records, which are defined as

• "Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution."

This means that if you follow a procedure or an analytical method, there needs to be evidence that the procedure or instruction was followed each time it was followed. Traditionally, this is by printing data or results, but as you remember the reason for the update of Chapter 4 was the increased use of electronic documentation, so the next section states

• "Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data."

Now we come to one of the major impacts of Chapter 4, the requirement to define the raw data in GMP regulated activities, including paper, hybrid, and electronic records. Therefore electronic records that are used to make quality decisions should be defined as raw data. Moreover, if you convert the raw data to generate other records such as a dissolution profile using, say a spreadsheet program, these additional records and the printout are raw data and should also be defined. You will, of course, realize that when a regulation says "should" it really means "must."

Generation and Control of Documentation

Clause 4.1 states that all types of documents should be defined and adhered to and they apply to all media types. This clause discusses hybrid and homogeneous documents as follows:

"Many documents (instructions and/or records) may exist in hybrid forms, i.e. some elements as electronic and others as paper based. Relationships and control measures for master documents, official copies, data handling, and records need to be stated for both hybrid and homogenous systems. Appropriate controls for electronic documents such as templates, forms, and master documents should be implemented. Appropriate controls should be in place to ensure the integrity of the record throughout the retention period."

Let us dissect this section in a little more detail. Regardless of the fact that a document (including a record, such as an analytical result) is homogeneous (either all paper or fully electronic) or hybrid (electronic with a paper printout), the control mechanisms for these records need to be defined, documented, and implemented. One key requirement that both the FDA and Europeans agree on is record or data integrity: what controls are needed to ensure the record is a true and accurate one? The typical response from the regulator is "appropriate" — more critical records need more stringent controls than noncritical records. This has been discussed in some detail in the GAMP Good Practice Guide on Part 11 Electronic Records and Signatures compliance (18) and is outside of the scope of this column.

Dead as a Dodo: My Raw Data Are Paper

However, the major change that this section, combined with the principle, brings is the nail in the coffin of the "my raw data are paper" argument. During audits of laboratories, I can discuss with managers and QA that spectrometry systems that have a computer attached and instrument-controlling software must include the electronic files from which the paper records are generated. Both the Europeans and Americans have equivalent regulations that recognize the de facto situation of hybrid systems that are common in the majority of laboratories. Therefore, the impact of the new Chapter 4 regulation is to ensure that both the signed paper printout and the underlying electronic records that generated it are defined as raw data and the electronic records maintained and protected.

Retention of Documents

The section on record retention has been extensively updated in the new version of Chapter 4 and this brings us two main changes with major ramifications.

4.10: "It should be clearly defined which record is related to each manufacturing activity and where this record is located. Secure controls must be in place to ensure the integrity of the record throughout the retention period and validated where appropriate."

Not only do you have to define what the raw data are, you also have to state where they are stored. For paper this will be relatively easy — no, not on the shelves in your office, but in a secure location. However, for hybrid systems you will have the problem of two locations, one for the signed paper records and one for the corresponding electronic records. Please do not use USB sticks or CDs for this task — keep the electronic records on the network with IT backing them up, as security of the storage location is essential. When electronic records are stored, regardless of source (hybrid or electronic), then validation of the security and integrity data repository is required.

4.12: "For other types of documentation, the retention period will depend on the business activity which the documentation supports. Critical documentation, including raw data (for example relating to validation or stability), which supports information in the Marketing Authorization should be retained whilst the authorization remains in force. It may be considered acceptable to retire certain documentation (e.g. raw data supporting validation reports or stability reports) where the data has been superseded by a full set of new data. Justification for this should be documented and should take into account the requirements for retention of batch documentation; for example, in the case of process validation data, the accompanying raw data should be retained for a period at least as long as the records for all batches whose release has been supported on the basis of that validation exercise."

This clause splits the record retention, including raw data, requirements into two main areas: records supporting release of a batch of material and records supporting the marketing authorization (the European equivalent of a new Drug Application or NDA in the U.S.). Batch-related material must be stored for at least a year past the expiry date of the batch or for at least five years after certification of the batch by the QP, whichever is the longer. In 4.12, however, there is the need to retain material for the time it supports the marketing authorization — for example, stability reports and the associated raw data should be retained as long as the authorization is valid. As aspirin has been on the market for over 100 years, I hope you have enough disk space for this.

Is GMP Annex 11 and Chapter 4 Europe's Answer to 21 CFR 11?

So, back to the original question, but modified slightly: are Annex 11 and Chapter 4 Europe's answer to Part 11? Yes. Although, looking on the bright side, Annex 11 and Chapter 4 are certainly not as bureaucratic as 21 CFR 11, and there is less detail about the controls required for electronic records and electronic signatures. However, there are many implicit requirements contained in the simple wording of many of the clauses, as we have seen with the short discussion of electronic signatures. To get the full impact of the new regulations, it is imperative to read Annex 11 in conjunction with Chapter 4 in their entirety.

References

(1) European Union GMP Annex 11 Computerised Systems, effective June 30, 2011.

(2) European Union GMP Chapter 4 Documentation, effective June 30, 2011.

(3) EudraLex web site: http://ec.europa.eu/health/documents/eudralex/vol-4/index_en.htm.

(4) 21 CFR 11: Electronic Records; Electronic Signature final rule, 1997.

(5) European Union, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, 2007 (available for download from reference 3).

(6) International Conference on Harmonization (ICH) Q7, Basic Requirements for Active Substances used as Starting Materials, 2000

(7) FDA Guidance for Industry, Part 11 Scope and Application, 2003.

(8) R.D. McDowall, Validation of Chromatography Data Systems, Meeting Business and Regulatory Requirements, Chapter 10, Royal Society of Chemistry, Cambridge, 2005.

(9) R. Ellison, C. Alberts, R. Creel, A. Dorofee, and C. Woody, Software Supply Chain Risk Management: From Products to Systems of Systems, Technical Note CMU/SEI-2010-TN-026, Software Engineering Institute, Carnegie Mellon University, December 2010.

(10) R.D. McDowall, Spectroscopy 25(9), 22 (2010).

(11) R.D. McDowall, Spectroscopy 23(7) (2008).

(12) European Union GMP, Annex 15, Qualification and validation, 2001.

(13) Pharmaceutical Inspection Convention (PIC/S), Recommendations on Validation Master Plan, Installation and Operational Qualification, Non-Sterile Process Validation and Cleaning Validation (PI-006), 2001.

(14) R.D. McDowall, Spectroscopy 23(11), (2008).

(15) R.D. McDowall, Spectroscopy 23(12), (2008).

(16) M. Frewster and D. Graham, Automated Software Testing (Addison Wesley, 1999).

(17) R.D. McDowall, Spectroscopy 22(4), (2007).

(18) GAMP Good Practice Guide, Part 11 Compliant Records and Signatures, ISPE, Tampa, Florida, 2005.

R.D. McDowall R.D. McDowall is principal of McDowall Consulting and director of R.D. McDowall Limited, and the editor of the "Questions of Quality" column for LCGC Europe, Spectroscopy's sister magazine. Address correspondence to him at 73 Murray Avenue, Bromley, Kent, BR1 3DJ, UK.