EU Publishes New Version of EU GMP Guide Annex 11 "Computerised Systems"

GMP News
16 April 2008

EU Publishes New Version of
EU GMP Guide Annex 11 "Computerised Systems"

The timetable for the revision of Annex 11 "Computerised Systems" was announced by the European Commission as early as in December 2006 (see our GMP News of 16 January 2007).
Now, the draft agreed on by the Inspectors Working Group was released on 11 April 2008 for public consultation. Comments on the draft can be handed in until 31 October 2008.

Against the background that computerised systems are also used for documenting GMP-relevant data, as announced, chapter 4 "Documentation" of the EU GMP Guide was adapted, too, as a harmonisation measure.

Even if the principles of the old version of Annex 11 have long been implemented in the assessment of computerised systems, many requirements from new regulatory and technological developments could be deducted from it only in an indirect way.

The draft in hand includes the developments of the past years, it quotes in particular from PIC/s Guidance PII 011-1 "Good practices for computerised systems in ‚GxP' regulated environments", the ISO 17799 "A code of practice for information security management" and GAMP 5.

The contents of the old version of Annex 11 can be found in the new version, too, but in some places they have been extended considerably.


  • Risk Management
  • Personnel
  • Validation
  • System
  • Software
  • Data
  • User testing and the system's fitness for purpose
  • Security
  • Accuracy Checks
  • Audit Trails
  • Signatures
  • Change control and configuration management
  • Printouts
  • Data Storage
  • Back Up; Migration; Archiving; Retrieval
  • Business Continuity
  • Incident Management
  • Suppliers
  • Batch Release
  • As before, apart from Annex 11, other relevant GMP principles also have to be observed. The use of computerised systems must not result in a lower product quality or reduced quality assurance. Here, the validation of the systems is meant to form the foundation of trust both for the manufacturing authorisation holder and for the supervisory authority. The manufacturing authorisation holder always has to be in control of the development / validation of the systems.

    What also becomes clear is the new role of risk management. Even chapter 1 requires expressly that the scope of validation and the data integrity controls be determined on the basis of a verifiably and documented risk analysis in view of product quality and product safety as well as of data security and data quality.

    The topic of validation has been extended considerably. Some important statements on this point:

    • User requirements - must be traceable throughout the whole validation lifecycle
    • Periodic checks should include statements on the current state of system functionality, on error logs, upgrade history, performance, reliability, security of the system and on the validation status report

    The validation of databases is another subject dealt with in detail. Among other things, they should include:

    • Provisions for data security
    • Recovery mechanisms
    • Performance tests

    Concerning hardware, the document now requires an inventory of all computerised systems. The following points should be listed:

    • Site and purpose of the system
    • Risk classification for each system
    • Identification of the systems with impact on regulatory activities

    Furthermore, current system specifications describing the following items must exist:

    • The required system functions
    • Modules and their relationship
    • Interfaces and external connections
    • System limits
    • Hardware and software prerequisites

    One can dare say that this draft does not contain any requirements that could be called "new". All those who, in the past, orientated their activities towards PIC/s PI 011-1 or the GAMP Guides should not encounter any implementation problems. It also becomes clear that this new Annex 11 will again define terms of reference for the complete field of computerised systems in the pharmaceutical industry. It is not the aim of this Annex to explain in detail how these terms must be implemented in a concrete case - and it cannot be. Here, the user is asked to choose his own strategy in compliance with the requirements, implement it – and, of course, document it!

    Andreas Mangel
    On behalf of ECA

    Comments can be sent to the following addresses until the end of October:  und

    1st Assessment by Dr Wolfgang Schumacher, F. Hoffmann-La Roche Ltd.

    From our point of view the following topics need our attention:

    • Emphasis on risk based validation approach,
    • Very strong emphasis on the inventory of systems including their validation status and risk rating
    • Challenge testing evidence required (3.5)
    • Comprehensive periodic reviews must be performed, including security (3.6)
    • Complete system specifications are needed (4.2)
    • Supplier audit reports/assessments must be available to the inspectors
    • Independent check of critical parameters is a requirement (9.2)
    • Business Continuity must be tested (16.1)
    • Formal contract with suppliers including responsibility matrix (18.1)


    Go back

    GMP Conferences by Topics