The previous Annex 11 was already adopted with identical content by the PIC/S (Pharmaceutical Co-Operation Scheme) with its more than 50 members distributed worldwide as PE 009-15: Annex 11 - Computerised Systems. This cooperation will also be continued in the revision of Annex 11.
Proposed timetable until the publication of the new EU GMP Annex 11
Deadline for comments on the concept paper: 16 November 2023.
Publication and commenting of a draft of the new Annex 11: March 2025.
Approval and publication by the European Commission: summer 2026.
Where is there a need for change and adaptation?
In 33 points, based on the structure and chapters of the existing Annex 11, new points to be included and topics to be updated are presented. Which topics should be included in the new Annex 11?
Where is there a need for adaptation in which Annex 11 chapters? (selection)
(3) Suppliers and Service Providers: Here, the topic of cloud service providers should be addressed in particular. The regulated user should have access to the validation documentation and the documentation for the secure operation of the system and also be able to show these during inspections.
(4) Validation: The topic of "agile methods" should be integrated here with regard to deviations from previous classic development documents.
(9) Audit trails: Most of the new topics are mentioned here. What has been a very short chapter so far should be described much more comprehensively in the new Annex 11. The points to be tackled include:
- Audit trails must not be editable.
- Audit trails must not be able to be switched off for the "normal user" of a system.
- Statements should be made about the frequency of audit trail reviews.
- Audit trail data required by GMP are often created together with log data. It should be possible to sort this data.
(12) Security: This topic should also be integrated more strongly under the aspect of external threats. ISO 27001 (Information technology - Security techniques - Information security management systems - Requirements) is specifically mentioned here. So far, Annex 11 requires "Physical and/or logical controls...". The controls are to be described in more detail here.
It is clear that the current Annex 11 is partly outdated by technological and regulatory developments and that there is a corresponding need for adaptation. It remains to be seen how detailed the implementation will ultimately be in a first draft. The more detailed the requirements, the less flexible the implementation will be.