Vaisala Annex 11 Application Note

Application Note

www.vaisala.com

Annex 11 compliance for environmental monitoring systems: Beyond electronic records and signatures

As a part of European Good Manufacturing Practice guidelines, Annex 11 outlines the proper use of computerized systems used in GxP-regulated industries. Annex 11 is published by the executive branch of the European Union, known as the European Commission (EC). The EC proposes legislation, upholds EU treaties, and oversees trade that can benefit from regulatory oversight. Good manufacturing practice falls under the last function of the EC.

Much like the FDA's 21 CFR Part 11, Annex 11 defines the criteria by which electronic records and electronic signatures can be considered equivalent to paper documents. Unlike 21 CFR Part 11, Annex 11 is not a regulation; it

is a guideline. Annex 11 outlines basic compliance standards for GxP principles in the EU directives, which are the actual regulations contained in EudraLex.

Comprising 10 volumes, Eudralex Volume 1 and Volume 5 outline the regulations that are enforceable under law. The other 8 volumes contain guidelines. Eudralex Volume 4 contains 19 annexes, including Annex 11. Annex 11 refers to the use of computerized systems in GxP-regulated applications.

In 1991, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) published non-binding requirements for computer systems. In 2011, these would be rereleased as Annex 11 and thereafter part of the EU's GxP guidelines.

A broader guidance

Annex 11 is often thought of as the European version of the US FDA’s 21 CFR Part 11. This is far from the truth. The full title

“Annex 11: Computerized Systems” immediately tell us that Annex

11 has a broader scope than Part

11. A greater scope of compliance entails a different approach than used in addressing a more focused regulation, such as 21 CFR Part

11. Annex 11 pertains to more than electronic records and takes a more holistic system life cycle perspective with a focus on risk assessment as a tool for ensuring product safety and efficacy.

Annex 11 is a short document; only five pages. The first page includes titles and legal preludes.

The section titled “Principle” states:

“Annex 11 applies to GMP computerized systems, including both software and hardware. The application should be validated and

IT infrastructure should be qualified. Using a computerized system should not cause any increase in quality, control, or risk.”

This means that Annex 11 applies to automated

environmental monitoring systems. Validation,

IT controls, and risk assessment are key topics in Annex 11 guidance.

Annex 11 controls

Technically, there are 17 controls listed in Annex 11. The first three controls come under the heading of “General” and should be regarded as a prelude to guide compliance with Annex 11. The first three areas of controls are:

1 RISK MANAGEMENT:

Use a documented risk management process that focuses on patient safety, data integrity, and product quality.

2 PERSONNEL:

Ensure close cooperation between all relevant personnel (including IT specifically) and verify that the people involved are qualified and supported by the organization.

	3	SUPPLIER AND
		SERVICE PROVIDERS:

Leverage third parties where possible. Use formal agreements to define responsibilities. Annex 11 refers to suppliers of third-party software having quality systems in place.

The wording of Annex 11 makes it clear that compliance activities are resource intensive and recommends a focus on critical

functions through risk assessment. The risk-based approach is cross-functional, that is, inclusive of quality, end users, IT, and third-party providers. If Annex

11 ended there, it would already have provided a lot of value in considering the cost of compliance and different levels of risk in different applications.

The instruction to leverage third parties is important, especially with the growing need for automation, increasing complexity in computerized systems, and new technologies. In terms of automated monitoring systems, the system vendor can aid in

compliance efforts by providing a product that was developed for quality systems in regulated environments; for example, by providing validation protocols.

Of the 14 specific controls remaining in Annex 11, we can categorize them as validation plus 13 ongoing controls. Supporting this perspective is the fact that the validation section of Annex 11 makes up more than 25% of the remainder of the document. In addition, the validation section is given the heading “Project Phase”, separate from the remaining controls that occur under the heading “Operational Phase”. This reflects the guidance’s focus on the life cycle of a system and it tells us that validation will be the foundation for ongoing compliance with Annex 11.

Project Phase – Validation

In Annex 11, validation is an ongoing activity that occurs through the entire life cycle of a system, from implementation to retirement, including change control as updates are made to the system. Annex

11 recommends an inventory to document all GMP computerized systems and critical systems. This inventory should include: detailed system descriptions, flow charts, and interfaces with other systems. These guidelines set the expectation that validation is a recursive activity, ongoing at your facility rather than a single effort directed at qualifying a single system.

Annex 11 outlines the validation process, starting with traceable User Requirements, which aligns with the GAMP® approach published by the International Society for Pharmaceutical Engineering (ISPE). We hear

echoes of the GAMP philosophy of leveraging supplier involvement;

Annex 11 recommends selecting systems developed in accordance with a modern

quality management system from an audited or assessed supplier. Validation testing is expected to be appropriate to the criticality of the application, which is another way of referencing risk assessment. And if data is transferred between systems, a focus on data integrity is expected.

Annex 11 outlines a validation approach that entails vendor cooperation by way of the vendor’s quality management system. A system vendor can meet customer needs with robust quality policies and supporting documentation. For example, Vaisala offers a comprehensive GxP Documentation Package for its viewLinc Continuous Monitoring System. The package includes

a template User Requirements document that is directly related to the system’s Installation Qualification/Operational Qualification (IQOQ) validation protocol through a Traceability Matrix, also contained in the package. Further, a vendor can offer an accompanying Risk Assessment document, as Vaisala does, to demonstrate that the critical system features are tested.