The European Union’s (EU) and the U.S. Food and Drug Administration’s (FDA) guidances for life sciences are increasingly relevant. With manufacturers digitising at a rapid rate, understanding the core of the EU’s guidelines, Annex 11, and its approximate FDA counterpart, 21 CFR Part 11 (aka Part 11), is more critical than ever. They are central to understanding the conditions for life sciences manufacturers’ electronic data in the EU and the U.S.
While there are many similarities between Annex 11 and Part 11, the two documents are also quite different. They’re both guidance for good manufacturing practices (GMP) for the quality and compliance of computerised data systems for the manufacture of pharmaceuticals and medical devices. But the pair are also unique and contain nuances, which are important to understand.
In today’s high-stakes manufacturing world, where companies are increasingly turning to digital tools and automated processes for competitive advantages, governance, and validation of electronic forms, documents, and systems are more pertinent than ever. As such, life sciences companies need to keep up to speed on regulatory affairs so that they’re well prepared for inspections and product submissions. Pharma and medtech companies invest millions of dollars in products, and the last thing they want to encounter are regulatory hiccups and setbacks during approvals.
“Both documents share the mutual goal of safe, validated, computer systems for drug manufacturing and — in the case of the FDA — medical device manufacturing as well,” said Martin Browning, president and co-founder of EduQuest in the white paper “Annex 11: The EU’s New Expectations for Regulated Computerized Systems.” “However, the two documents approach this goal differently. Annex 11 is ‘how to’ in tone while Part 11 is ‘thou shalt.’”1
The EU published Annex 11 in 1992 as one of several guidance documents that supplements the 27-member states’ GMP rules. It applies to all human and veterinary medicinal products made or sold in the EU. Annex 11 was created to ensure that when a computer is used in place of a manual operation in the manufacture of pharmaceuticals, there is no further risk to limb or paw when it comes to product quality, efficacy, or patent safety. While Annex 11 is not a legal requirement, it is a strongly recommended guideline.
In contrast, the FDA established Part 11 in 1997 as guidance for pharma manufacturers after electronic online records and signatures became more common for product system validations. An updated Part 11 guideline came out in 2003 to enforce Part 11’s requirements.2 Part 11 is a U.S. government regulation with fully enforceable requirements that emphasize identity verification, accountability of actions by authorised individuals, and the reporting of obligations.
In 2011, the EU updated Annex 11 to include all computerised systems that are part of the GMP-related activities to reflect the increased use and complexity of automated systems.3 These include the following:
A noteworthy edition to the updated guidelines is the inclusion of electronic forms, documents, and signatures. The reworked Annex 11 is intended to address issues stemming from an increasingly digital environment in which electronic programming can potentially replace human judgment.3
“… While Annex 11 doesn’t have the teeth of the (FDA’s Part 11) or similar regulations, it is key to compliance with GMP principles (of related EU regulations),” Browning said. “… Ignoring it … would be just as detrimental as ignoring the regulations.”
Although the EU guideline wasn’t drafted with medical devices in mind, medtech manufacturers can benefit from aligning their activities with Annex 11, said Browning, a former FDA investigator who helped draft Part 11.
“Annex 11 represents the clearest thinking yet from the EU on the use of electronic recordkeeping and electronic signatures in a regulated environment,” he said. “Complying now with Annex 11 will help medical device manufacturers go a long way toward meeting future European medical device expectations,” especially from a notified body auditor’s viewpoint.4
In addition to including computerised systems and electronic forms and signatures, the updated Annex 11 also weighs in on a few other key points:
The second principle of Annex 11 requires manufacturers to validate the application and qualify the system’s IT infrastructure. Enhanced documentation and process evidence must be submitted, and computer system validations must be performed periodically and when migrating to another system.
Electronic signatures should be permanently linked to corresponding records and include the time and date they were applied. Data can be archived but checked for accessibility, readability, and integrity.
As part of an organisation’s risk management system, decisions about validation and data integrity controls should be based off a documented risk assessment of the company’s computer system. Risk assessments should be conducted to evaluate when a supplier audit is needed and to build audit trails.
For enhanced security, access to physical and logical controls should be restricted to authorised individuals. Management systems should be created to record the identity of persons entering, changing, confirming, or deleting data by time and date.
Seeking approval for a new drug or device in most regions of the world is costly and challenging. It’s even more so the case in Europe, where manufacturers often must meet the requirements of multiple regulatory agencies in addition to the European Medicines Agency (EMA). Human and veterinary drugs that fall under the scope of centralised procedures require use of the EMA’s marketing authorisation applications (MAAs). Yet thousands of pharmaceuticals not under the umbrella of those procedures must submit applications to the national regulatory agencies of any number of individual countries or mutual-recognition agreements.
For medical devices, manufacturers must obtain approval from decentralised regulatory bodies of each EU member state and individual European country as well as comply with the EU’s Medical Device Regulation (MDR).
Moreover, Annex 11 increases the scrutiny of GMP site inspections to assess manufacturers’ computerised systems.
Using Annex 11 and Part 11 as standards, inspectors may review a company’s computer system inventory and examine risk assessments to identify critical systems and prioritise the extent and sequence of validation activities. Manufacturers should be prepared to justify their risk assessment decisions to an inspector.
A life sciences company facing regulatory submissions and inspections using a manual or hybrid data system will find the process can be cumbersome. The inefficiencies, lack of document control, and lack of data security inherent with a paper-based system prevent a company from realising the level of quality and compliance needed to profitably get product to market.
Digitisation makes the entire process considerably less daunting. An automated quality management system (QMS) offers a centralised, cloud-based solution for real-time data management, change control, audit management, and data security processes. It also digitises the MAA document management process. This improves efficiency and connectivity with other compliance processes, which accelerates a product’s speed to market by increasing its inspection readiness.
Annex 11 and Part 11, collectively, entail greater GMP preparation and vigilance of electronic data on the part of life sciences companies. But at the same time, they also provide clear direction of the regulatory expectations. In a global environment that is moving toward modern manufacturing solutions, life sciences companies that digitise find that having the right tools can simplify regulatory compliance. In addition, companies taking advantage of digital solutions find greater efficiencies, faster time to market, and increased return on investment (ROI) from the resulting quality data and compliant products.
References: