EU Annex 11 is the section of the European Medicines Agency (EMA)’s Good Manufacturing Practice (GMP/GxP) for “all forms of computerised systems used as part of GMP regulated activities”. It is applicable to all the member states of the European Union, the European Economic Area (EEA) and the 52 regulatory authorities who are members of the Pharmaceutical Inspection Co-operation Scheme (PIC/S) and so has a significant remit, relevance and importance across the pharma, biopharma and medical device industries.
In September 2022, the EMA published a concept paper for the update of EU Annex 11 to start the collection of inputs for a new guidance that is suitable for deploying effective and safe GxP computer systems in today’s current world and technology environment.
Striking initial notes in the concept paper are that “technical solutions and automation are preferable instead of manual controls”, and that “regulatory expectations to ‘digital transformation’… will be considered”. To industry outsiders this may seem self-apparent! However, until now pharma regulators have been cautious on strong statements on the need for technology adoption to replace less robust manual paper based approaches.
Disclaimer:
This article is based on a concept paper and prior to any output from the EMA’s drafting process. It contains interpretation and extracts of the concept and references (in italics), using Factorytalk’s opinion from practical domain experience.
Time to align with emerging technologies and modern methods
As a target, we see the following key objectives for the Annex 11 update;
- Guidance that supports and encourages Digital Transformation / 4.0 / IoT initiatives that are occurring across the industry
- Contribute to a framework for flexible yet controlled GxP software usage and development
- Clarify regulatory expectations for new technologies and methods
- Resolve common misunderstandings that lead to inspection failings
Why an update is needed?
Annex 11 was last revised in 2011, technology has been changing at a rapid and continuous pace, but pharma has generally been slow to adopt and exploit areas of new IT capability. The regulators clearly do not want to hold the industry back, several statements support this view including in May 2023 in the Machine Learning and Artificial Intelligence discussion paper published from the US FDA; “FDA is committed to ensuring that drugs are safe and effective while facilitating innovations in their development”. As regulators are encouraging technology based opportunities for the industry to advance, then it is essential for Annex 11 to be modernised as the basis for the industry to move forwards in confidence without risk of non-compliance or confusion.
The concept paper proposes a strong focus on science based and risk-based decision making “References should be made to ICH Q9”, in the deployment of GxP computer systems that impact product quality and patient safety. This is a direct link into the recent movements made in Computer Systems Validation (CSV) and Computer Software Assurance (CSA) to increase the value of software compliance activities before and during GxP usage.
Considering the speed of advancement in IT tools and improvements in qualification/verification approaches in the industry, then it is time for Annex 11 to be revised. The common themes from the concept paper are:
- There is a large appetite for a significant rewriting of Annex 11, not only to provide more clarity but to reduce perceptions that have led to issues observed in regulatory audits. It is our view that industry should not be struggling with misunderstanding the requirements, when the real target is to improve processes and products through the use of data.
- A strong need to align with the PIC/s guide for computerised systems (PI011). PIC/s is more detailed in comparison to Annex 11, as a document to explain to inspectors what the expectations are, it has been useful for industry and updated with relevant GMP, standards (ICH Q9 QRM, Part 11, ISO) and bodies of knowledge such as ISPE (GAMP5SE). Industry expects more alignment so there are less regulatory variances to know of and manage, for example in the area of required technical controls on electronic records and signatures very specific regulations exist alongside high level expectations that could be harmonized.
- Starting from ICHQ9 and GAMP5, along with the more recent publications of the US FDA’s guidance on CSA and the Second Edition of GAMP 5 (GAMP5SE), Quality Risk Management is an established instrument to scope the IT systems verification. It is evident that the risk-based approach, and a move away from “documentation centric” compliance is the current way of thinking. The CSA guidance provides an initial roadmap and sets a clear intention to make a paradigm shift in thinking to more value added CSV activities. GAMP5SE has responded to this demand with a large and wide update to the overall best practices and Annex 11 must consider this in the updated version.
Key changes to be expected
Use of innovative technologies
Cloud: there have been advancements in the availability of digital tools that support actual GxP data records and processes across logistics, manufacturing, quality control, laboratory, and operational base functions such as engineering and quality management. Partly the increased adoption is due to cloud deployment which has simplified efforts, costs and moved configuration ability to the process owners away from customization by suppliers. For a controlled digital environment, both the application and infrastructure components must be secure, qualified and well managed, and so the overall assurance from suppliers and third parties providing applications becomes more important. We expect the Annex 11 update will result in guidance for cloud GxP applications and deployment models such as Software as a Service, following the statements: “critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), should go beyond that “formal agreements must exist” and related to this: “should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection”. Other aspects that the concept paper raises:
Data Security and Privacy:
Stored data in the cloud must be secured and available only to authorized users “authentication on critical systems should identify the regulated user with a high degree of certainty”. Therefore, Annex 11 will need to consider agreements for the usage and access to cloud-based services, and assessments of the security, quality related responsibilities, data integrity and business continuity risksData Ownership and Intellectual Property:
What company policies, local laws apply to the data stored in an externally provided cloud? What are the applicable constraints in cases of litigation? What GxP constraints apply on the data stored in an external cloud? These are questions that Annex 11 is not expected to resolve directly but the update is recommended to point to best practices that are already published and referenceable (ISO, CAIQ etc)
AI/ML: With the goal of analytical based decision making, Artificial Intelligence and Machine Learning offers a great opportunity in Pharma to be able to systemize tasks that are done manually today, and gain insights that are out of our current ability due to having to understand models and patterns from huge amounts of data. AI/ML raises various challenges to the current industry approach to IT compliance, as inherently the outputs and reliability are difficult to prove upfront and may add further reliance on non-transparent third party tools, IP and infrastructure. From the concept paper: “There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models”. A useful analogy is that if 3 batch validation method is static, upfront and one time- then as a comparison AI/ML is continuous process verification and requires a move to a QbD philosophy. GAMP5SE has made progress and new guidance on the concerns with new technologies such as ML/AI and Blockchain and the Annex 11 update will need to cover fundamental expectations for how to prove and demonstrate a continuous state of control using data; this is a clear definition of Validation 4.0!
With the increasing reliance on cloud-based service providers for data storage and application deployment, it is imperative to provide details of guidance on expectations from cloud-based systems. Some major factors that need considerations are
Software methods and tools: the use of Agile methods, software development lifecycle (SDLC) management tools and automated testing and deployment has been widely adopted outside of Pharma to reduce time for creating new software and updating of new features on mass for end-users. Such tools are able to manage fully electronically the requirements, design, build, testing and support of GxP software applications, including traceability and evidence for every customer and release. We expect the Annex 11 update to encourage the use of SDLC tools for both GxP suppliers and regulated companies, “it is to be acknowledged and addressed that software development today very often follows agile development processes”.
Process Analytical Technologies / Quality by Design / Validation 4.0: These topics are not mentioned in the concept paper, however due to emerging treatment areas and novel products in biopharma and personalized medicines, then today manufacturing has to cope with complex production demands in real-time and inherently variable processing. The increase in sophisticated measurement, analysis and control systems for QbD will need to be considered in Annex 11 to avoid blocking flexibility in manufacturing systems and process validation.
Time to embrace process, data and risk based validation
The recent guidance and best practices are encouraging the industry professional to apply the concept of critical thinking, simply put this means to question and optimize what is the appropriate approach, scope and depth of CSV work for the intended use of a particular system. A key enabler of this is a process and data risk assessment, instead of a prescriptive and predefined method using categorization or standard document sets expected for a given system type- this lead to document heavy CSV projects that did not focus sufficient time or effort on the actual risk and usage of the systems, and could miss important aspects that create data integrity or operational risks. The concept note states: “Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions”.
The concept paper has the following statement note on what to address in qualification and validation; “product quality and data integrity and parts, which have been specifically designed or customized”. The updated Annex 11 is expected to provide more clarity on the terms qualification and validation, what aspects suppliers and regulated companies should be addressing and where the focus is for making an initial assessment as part of validation planning across a wider range of systems and use cases:
- A complex system may consist of many different modules that support the overall business process, each of which may have a different impact and criticality and thus differing appropriate levels of verification and testing. We recommend the Annex 11 update to consider process and data mapping as an initial starting point in the validation exercise, to define such differences and check what test evidence already exists or is still required to provide evidence of the intended use.
- In case of simple systems, it may be adequate to perform lean functional testing as the configuration variations are limited or the system is identical to other systems or deployments which have already been established or ‘stress tested’. Referencing the maturity of the system and it’s impact is recommend to be included in the initial process and data assessment.
- Selection and assessment of capable and competent suppliers is important upfront to justify and define how to utilize their qualification efforts as part of system validation. As above with the move to cloud and configurable systems then the supplier role in software quality is of greater importance, we recommend the Annex 11 is updated to define the typical responsibilities.
Demystification of technical requirements
The new Annex 11 will need to resolve several misconceptions or confusions with how to handle common technical requirements that often generate findings in audits. Particularly for legacy systems or those not directly designed for GxP, then more explanation on the following topics is clear from the number of notes stated in the paper:
There are 8 separate notes (notes 17-23) related to Audit Trails, underlying these are common industry challenges to understand:
- What is an audit trail, how does it differ from transactional GxP records (reviewed as part of batch record for example)
- The guidelines for acceptable review frequency of audit trails
- The segregation of other data (like system event, alarm acknowledgement data) from audit trail entries
- Review focus on manual changes made to the system
- Mandatory requirement for audit trail functionality for GMP relevant data.
- No provision for deactivation or editing of audit trail entries
- Reconsideration of requirements related to printing of audit trail entries
The concept paper notes several topics related to the physical and logical controls of computer systems, it is expected the update will cover detailed requirements across:
- User authentication checks
- Authentication mechanisms for network resources
- Role of network security administrators
- Procedural controls for network security and management of network user accounts
- Periodic review of active users
- Granting of temporary access and procedure to control remote access
- Protection of internet connected systems through a suitable firewall
- Updates of antivirus and firewall
- Access and security management for applications
- Database security/integrity
Several concept paper notes refer to more clarity being needed on key considerations related to data backup and archival:
- The types of backups
- Frequency of data backup
- Retention period for backup
- Data/applications covered in a backups
- Physical separation for backups
- Validated procedures for long term backup (Archival) and record accessibility
Annex 11 update is a great opportunity for Industry
What is apparent from the concept paper is that the regulators are highly active in guidance improvement and aware of the current change and challenge in the industry. The update of Annex 11 offers a golden opportunity for life science industries to 1) finally embrace Digitisation with confidence, 2) build in critical thinking to lean and systemise verification activities 3) harmonise and align overlapping regulatory guidance and 4) to move further forward in the journey to Quality by Design principles.
The paradigm shifts that are occurring now provide a driver and a roadmap for this improvement because if regulators are expecting to apply digital tools and risk-based approaches, then the industry can justify needed investments and be more comfortable to make faster changes to their legacy ways of working, to replace outdated and ineffective traditional methods without risk in inspection and audit.
Please contact us if you are looking for more insights on EU Annex 11 compliance, we have a team of experts to consult both industry and suppliers to get started