The GMP/GDP Inspectors Working Group and the PIC/S Committee jointly recommended that the current version of Annex 11 on Computerised Systems be revised to reflect changes in regulatory and manufacturing environments. The revised guideline should clarify requirements and expectations from regulatory authorities, and remove ambiguity and inconsistencies.
Annex 11 Background
In 2011, EudraLex (The Rules Governing Medicinal Products in the European Union) published Annex 11: Computerised Systems as part of Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use. This annex applies to all forms of computerised systems used as part of GMP-regulated activities. A computerised system is a set of software and hardware components that together fulfill certain functionalities.
Annex 11 Computerised Systems 2025 Draft Version
The updated Annex 11 outlines the requirements for the use of computerised systems in GMP-regulated activities, thereby ensuring product quality, patient safety, and data integrity.
Let's look at the differences and at what the new 2025 draft version of Annex 11 emphasizes:

- Expanded Scope
- Change Impact Assessment
- Data Integrity Focus
- Final review at decommissioning
- Identity, Access Management, and Security
- Risk-Based Frequency
- Cloud/SaaS
- Periodic Review
- Suppliers
- Audit Trail
- Data Handling
- Testing Rigor

| Area | Version 2011 | Version 2025 Draft |
|---|---|---|
| Manual Data Entry (Input Verification) | Not specifically addressed. | Requires plausibility checks for manually entered critical data; alerts for out-of-range values. |
| Data Transfer Between Systems | General reference to accuracy. | Encourages validated electronic interfaces over manual transcription; manual transcription must be controlled. |
| Data Migration | Briefly mentioned under validation. | Full clause on migration as a validated process considering both sending/receiving systems. Requirement to validate value/meaning retention during migration. |
| Encryption | Not mentioned. | Critical data should be encrypted where applicable. |
| Critical Data | Implied, not detailed. | Emphasizes “critical data” consistently across subsections. |

| Area | Version 2011 Section 12: Security | Version 2025 Draft Section 11: Identity and Access Management |
|---|---|---|
| User Accounts | No mention of shared vs. individual accounts. | Unique, personal accounts only. Shared accounts allowed only for read-only access. Shared write access is a data integrity violation. |
| Account Lifecycle | Creation, change, and cancellation should be recorded. | Continuous access management required: accounts should be granted, modified, and revoked promptly as roles change. |
| Authentication Requirements | General mention of personal codes with passwords. | Specific authentication criteria: usernames and passwords, or methods of equal or higher assurance. Token-only logins not acceptable. |
| Password Security | Implied via general system controls. | Explicit password rules: secure, confidential, unique, long, complex, changed on first login, not based on dictionary or personal data. |
| Multifactor Authentication (MFA) | Not mentioned. | MFA for remote access to critical systems. |
| Account Lockout | Not mentioned. | Auto-lockout after failed logins; unlock only after risk is removed. |
| Session Timeout / Logout | Not mentioned. | Inactivity logout enforced by the system. Users cannot disable it. |
| Access Logging | User actions must be logged with identity and timestamp. | Access logs must capture login/logout times, user roles, inactivity logouts; must be sortable/searchable or exportable. |
| Segregation of Duties | Not mentioned. | Users must have minimum necessary access for their role. |
| Least Privilege Principle | Not mentioned. | Users must have minimum necessary access for their role. |
| Periodic Access Reviews | Not mentioned. | Recurrent access reviews required by managers. Applies to users and roles. Frequency should match risk. |

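
The sketch below is an added example, not text or code from Annex 11 or from this article's author. It shows how a recurrent access review could be automated against the shared-account, account-lifecycle and least-privilege rows above. The roster, role matrix, account export format and the `.read` naming convention are all assumptions made for the example.

```python
# Constructed sample data: user names, job roles and permissions are hypothetical.
ROLE_MATRIX = {  # job role -> minimum permissions that role needs
    "qc_analyst": {"result.read", "result.enter"},
    "qa_reviewer": {"result.read", "result.approve"},
}
HR_ROSTER = {"asmith": "qc_analyst", "bjones": "qa_reviewer", "cwu": None}  # None: no current role
ACCOUNTS = [
    {"id": "asmith", "owners": ["asmith"], "perms": {"result.read", "result.enter"}},
    {"id": "bjones", "owners": ["bjones"],
     "perms": {"result.read", "result.approve", "result.enter"}},
    {"id": "cwu", "owners": ["cwu"], "perms": {"result.read"}},
    {"id": "lab_kiosk", "owners": ["asmith", "bjones"], "perms": {"result.read"}},
    {"id": "lab_shared", "owners": ["asmith", "bjones"],
     "perms": {"result.read", "result.enter"}},
]


def is_read_only(perms):
    """Assumption for this example: only permissions ending in '.read' are read-only."""
    return all(p.endswith(".read") for p in perms)


def review_account(acct, roster, matrix):
    """Return the list of findings for one account (empty list means no finding)."""
    owners = acct["owners"]
    if len(owners) > 1:
        # Shared account: acceptable only when it cannot write.
        return [] if is_read_only(acct["perms"]) else ["shared account with write access"]
    role = roster.get(owners[0]) if owners else None
    if role is None:
        # No owner, or the owner no longer holds a role: the account should be revoked.
        return ["owner has no current role: revoke"]
    excess = acct["perms"] - matrix.get(role, set())
    if excess:
        return ["exceeds role %s: %s" % (role, ", ".join(sorted(excess)))]
    return []


def access_review(accounts, roster, matrix):
    """Map account id -> findings, listing only accounts that need action."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, roster, matrix)
        if findings:
            report[acct["id"]] = findings
    return report


if __name__ == "__main__":
    for account_id, findings in sorted(access_review(ACCOUNTS, HR_ROSTER, ROLE_MATRIX).items()):
        print(account_id, "->", "; ".join(findings))
```
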
| Area | Version 2011 Section 9: Audit Trails | Version 2025 Draft Section 12: Audit Trails |
|---|---|---|
| General Requirement | Consideration should be given to having audit trails based on risk. | Mandatory audit trails for systems that control processes or manage data. |
| Reason for Change | Should be documented. | System must prompt and capture a reason for any data change. |
| Audit Trail Integrity | Should be available, readable, and regularly reviewed. | Should be enabled and locked at all times. Any attempt to edit or disable it must itself be logged. |
| Access and Review | Available in intelligible form and reviewed regularly. | Should be sortable/searchable or exportable. Tools for review are encouraged. |
| Audit Trail Review | General requirement for regular review. | Requires documented SOPs defining who, what, when, and how reviews are conducted. Reviews should be risk-based and timely. |
| Reviewer | Not specified. | Must be done by independent personnel. |

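
The following added example (not code from Annex 11 or from this article's author) models the audit trail behaviour in the 2025 column: a change is refused without a reason, attempts to disable or edit the trail are refused and themselves logged, and entries can be searched. The class, its method names and the record key used in testing are hypothetical. A Python object like this models the behaviour only and does not make the stored log tamper-proof.

```python
from datetime import datetime, timezone


class AuditedStore:
    """Toy record store whose audit trail is always on (model of the behaviour only)."""

    def __init__(self):
        self._data = {}
        self._trail = []  # append-only: no public method edits or deletes entries

    def _log(self, user, action, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "action": action}
        entry.update(fields)
        self._trail.append(entry)

    def get(self, key):
        return self._data.get(key)

    def change(self, user, key, new_value, reason):
        """Apply a data change only when a reason is supplied; log old and new value."""
        if not reason or not reason.strip():
            self._log(user, "change_rejected", key=key, note="no reason given")
            raise ValueError("a reason is required for every data change")
        old_value = self._data.get(key)
        self._data[key] = new_value
        self._log(user, "change", key=key, old=old_value, new=new_value, reason=reason.strip())

    def disable_audit_trail(self, user):
        """Refuse the request and record that it was made."""
        self._log(user, "audit_trail_disable_attempt")
        raise PermissionError("the audit trail cannot be disabled")

    def edit_audit_entry(self, user, index):
        """Refuse the request and record that it was made."""
        self._log(user, "audit_trail_edit_attempt", index=index)
        raise PermissionError("audit trail entries cannot be edited")

    def search(self, **criteria):
        """Return copies of entries whose fields match all criteria, oldest first."""
        return [dict(e) for e in self._trail
                if all(e.get(k) == v for k, v in criteria.items())]
```
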
| Area | Version 2011 Section 11: Periodic Evaluation | Version 2025 Draft Section 14: Periodic Reviews |
|---|---|---|
| Terminology | Periodic evaluation | Periodic review |
| Purpose | Confirm system remains validated and GMP compliant. | Confirm system is still fit for intended use, validated, and identify if revalidation is needed. Assess impact on product quality, patient safety, and data integrity. |
| Scope | Review of deviations, changes, incidents, problems, validation status, and performance. | |
| Follow-up Items | General references to change/deviation records. | Explicit tracking of previous review actions, audits, inspections, and risk assessments. |
| Frequency | Not clearly defined. | Should be planned, justified, and risk-based. Includes a final review at system retirement. |