An Assessment of the ‘Elevens’: EU’s Annex 11 and FDA 21 CFR Part 11
Though the European Union’s (EU) and the U.S. Food and Drug Administration’s (FDA) guidances for life sciences manufacturers’ electronic data isn’t new, it doesn’t mean it’s still not incredibly relevant. In fact, it could be argued that in today’s ever more digitally connected world, understanding the core of the EU’s guidelines, Annex 11, and its approximate FDA counterpart, 21 CFR Part 11, (the so-called “elevens”) is more critical than ever.
Much like how Eleven, the young heroine with supernatural powers, is the central character in Netflix’s breakout throwback-vibe, sci-fi series “Stranger Things,” so are the regulatory “elevens” central to understanding the conditions for life sciences manufacturers’ electronic data in the Europe and the U.S.
And while there’s many similarities between Annex 11 and Part 11, the two documents are also quite different. They’re both guidances for good manufacturing practices (GMP) for the quality and compliance of computerized data systems for the manufacture of pharmaceuticals and medical devices. But the pair are also unique and nuance-filled, much like a good TV drama series.
In today’s high-stakes manufacturing marketplace, where companies are increasingly turning to digital tools and automated processes for competitive advantages, the governance and validation of electronic forms, documents and systems is more pertinent than ever. As such, life sciences companies need to keep up to speed on regulatory affairs so that they’re well prepared for inspections and product submissions. While people enjoy scares, thrills and surprises in their entertainment options, the same does not go for pharma and medtech companies that invest millions of dollars in products only to experience costly regulatory hiccups and setbacks during approvals.
“Both documents share the mutual goal of safe, validated, computer systems for drug manufacturing and — in the case of the FDA — medical device manufacturing as well,” said Martin Browning, president and co-founder of EduQuest in the white paper “Annex 11: The EU’s New Expectations for Regulated Computerized Systems.”( 1) “However, the two documents approach this goal differently. Annex 11 is ‘how to’ in tone while Part 11 is ‘thou shalt.’”
Back to the Future
The EU published Annex 11 in 1992 as one of several guidance documents that supplements the 27-member states’ GMP rules. It applies to all human and veterinary (though not extra-terrestrial) products made or sold in the EU. Annex 11 was created to ensure that when a computer is used in place of a manual operation in the manufacture of pharmaceuticals, there is no further risk to limb or paw when it comes to product quality, efficacy or patent safety. While Annex 11 is not a legal requirement, it is a strongly recommended guideline, as a popular pair of fictional pirates may have once voiced.
In contrast, the FDA established Part 11 in 1997 as guidance for pharma manufacturers after electronic online records and signatures became more common for product system validations. An updated Part 11 guideline came out in 2003 to enforce Part 11’s requirements.(2) Part 11 is a U.S. government regulation with fully enforceable requirements that emphasize identity verification, accountability of actions by authorized individuals, and the reporting of obligations. A more detailed, side-by-side breakdown of the two regulatory documents can be found in the article, “Annex 11 and 21 CFR Part 11: Comparisons for International Compliance.”
In 2011, the EU updated Annex 11 to include all computerized systems that are part of the GMP-related activities to reflect the increased use and complexity of automated systems.(3) These include the following:
- Quality system
- Corrective and preventative action (CAPA)
- Material supply
- Process controls
- Laboratory testing
- Clinical trials
- Records and documentation
- Product release
Another hallmark of 2011’s newly added guidelines is the inclusion of electronic forms, documents and signatures. The reworked Annex 11 is intended to address issues stemming from an increasingly digital environment in which electronic programming can potentially replace human judgment (which can be terrifying like a creepy sci-fi film).(3)
“… While Annex 11 doesn’t have the teeth of the (FDA’s Part 11) or similar regulations, it is key to compliance with GMP principles (of related EU regulations),” Browning said. “… Ignoring it … would be just as detrimental as ignoring the regulations.”
Annex 11 and Medical Devices
Although the EU guideline wasn’t drafted with medical devices in mind, medtech manufacturers can benefit from aligning their activities with Annex 11, said Browning, a former FDA investigator who helped draft Part 11. “Annex 11 represents the clearest thinking yet from the EU on the use of electronic recordkeeping and electronic signatures in a regulated environment,” he said. “Complying now with Annex 11 will help medical device manufacturers go a long way toward meeting future European medical device expectations,” especially from a notified body auditor’s viewpoint.(4)
2011: A ‘Key Changes to Annex 11’ Odyssey
In addition to including computerized systems, electronic forms and signatures, the updated Annex 11 also weighs in on a few other key points:
- Validation: The second principle of Annex 11 requires manufacturers to validate the application and qualify the system’s IT infrastructure. Enhanced documentation and process evidence must be submitted, and computer system validations must be performed periodically and when migrating to another system.
- Electronic Signature and Archiving: Electronic signatures should be permanently linked to corresponding records and include time and date they were applied. Data can be archived but checked for accessibility, readability and integrity.
- Risk Management: As part of an organization’s risk management system, decisions about validation and data integrity controls should be based off a documented risk assessment of the company’s computer system. Risk assessments should be conducted to evaluate when a supplier audit is needed and to build audit trails.
- Security: For enhanced security, access to physical and logical controls should be restricted to authorized individuals. Management systems should be created to record the identity of persons entering, changing, confirming or deleting data by time and date.
Non-Supernatural Challenges to EU Compliance
Seeking approval for a new drug or device in most regions of the world is costly and challenging. It’s even more so the case in Europe, where manufacturers must often meet the requirements of multiple regulatory agencies in addition to the European Medicines Agency (EMA). Human and veterinary drugs that fall under the scope of centralized procedures require use of the EMA’s marketing authorization applications (MAAs). Yet thousands of pharmaceuticals not under the umbrella of those procedures must submit applications to the national regulatory agencies of any number of individual countries or mutual-recognition agreements.
For medical devices, manufacturers must obtain approval from decentralized regulatory bodies of each EU member state and individual European country along with the EU’s Medical Device Regulation (MDR).
Moreover, Annex 11 increases the scrutiny of GMP site inspections to assess manufacturers’ computerized systems. Using Annex 11 and Part 11 as standards, inspectors may review a company’s computer system inventory and examine risk assessments to identify critical systems and prioritize the extent and sequence of validation activities. Manufacturers should be prepared to justify their risk assessment decisions to an inspector.
A life sciences company facing a monstrous gauntlet of regulatory submissions and inspections using a manual or hybrid data system will find the process can be as frightening as the eerie, opposite-universe called the Upside Down in “Stranger Things.” The inefficiencies, lack of document control and lack of data security inherent with a paper-based system prevent a company from realizing the level of quality and compliance needed to profitably get product to market.
In less daunting realms, an automated quality management system (QMS) offers a centralized, cloud-based solution for real-time data management, change control, audit management and data security processes. An electronic tool digitizes the MAA document management process for improved efficiency, connectivity with other compliance processes that accelerates a product’s speed to market by increasing its inspection readiness.
It’s no fiction that Annex 11 and Part 11, collectively, entail greater GMP preparation and vigilance of electronic data on the part of life sciences companies. But at the same time, they also provide clear direction of the regulatory expectations. In a more technologically sophisticated global environment, life sciences companies that invest in digital data solutions find they help take the fear our of what can be an unsettling experience. Better yet, companies taking advantage of technological solutions find greater efficiencies, faster speed to market and increased ROI from the resulting quality data and compliant products.
- “Annex 11: The EU’s New Expectations for Regulated Computerized Systems” white paper by Martin Browning. MasterControl. https://www2.mastercontrol.com/sales=336
- “Annex 11 and 21 CFR Part 11: Comparisons for International Compliance” white paper by Orlando Lopez. 2012. https://www2.mastercontrol.com/sales=337
- “The Rules of Governing Medicinal Products in the European Union: Volume 4, Good Manufacturing Practice Medicinal Products for Human and Veterinary Use.” European Commission. June 30, 2011. https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf
- “What the Revised European Union’s Annex 11 Means to Life Sciences Companies” white paper by Martin Browning. MasterControl. https://www2.mastercontrol.com/sales=340
Mike Rigert is a content marketing specialist at MasterControl’s headquarters in Salt Lake City, Utah. He has nearly a decade and a half of experience creating marketing and journalism content for the tech industry, news media, and higher education. Rigert has written a wide gamut of content types from feature magazine articles to industry white papers and technical product documents to press releases and blog posts. At MasterControl, a portion of his duties include serving as editor of the organization’s prospect blog, GxP Lifeline. Rigert holds a bachelor’s degree in political science with an emphasis in international relations from Brigham Young University.
Originally published at https://www.mastercontrol.com.