The Food and Drug Administration’s (FDA) Part 11 (21 CFR Part 11) and the European Union’s (EU) Annex 11 (EUDRALEX) Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice (GMP), Medicinal Products for Human and Veterinary Use) share the same intent. Namely, all computerized systems used in GxP-regulated environments require compliance for ensuring integrity of records and data. Annex 11 moves beyond Part 11 for some obvious reasons – time and approach.

With eight years between the publication of FDA and EU documents, it is understandable that there would be significant differences. The FDA’s Part 11 regulation issued in 1997 was followed by “Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Application” in 2003. Annex 11 and EU GMP Chapter 4 requirements on generation, control, and retention of documents are more current, effective July 2011, and therefore issues many refinements on how to ensure trustworthy records.

However, there are many similarities between the regulations of Annex 11 and Part 11 (and Part 11 Guidance). In general, they both include risk management, personnel, validation, system management and documentation, software, data, security, audit trails, signatures, printouts, and data storage. 

Annex 11 introduces new categories that encompass infrastructure, as well as fine tuning requirements and interpretations. Here are several examples. Annex 11 expands computerized systems to include qualification of the IT infrastructure. Part 11 mentions protection of records, Annex 11 adds electronic records back-up with the identification of storage location and validation of storage system. 

Validation in Annex 11 embraces the product life cycle, critical systems inventory, user requirements specifications for each computerized system and traceability of requirements, quality management system, process for customized systems, and evidence of appropriate test methods. Annex 11 puts more accountability on individuals with responsibility for the business process and system maintenance. This is designed to ensure management involvement in compliance of critical systems.

The Annex 11 section on suppliers and service providers addresses formal agreements, supplier audits and software review. Accountability of third parties is now included in most guidance updates from manufacturing to distribution. It is worth noting that a supplier cannot sell a validated system as validation requires a risk based approach that the system performs as intended in its actual environment. Nor can a supplier sell a system that is certified as Annex 11 or Part 11 compliant, however it can provide the functionality that enables compliance.

Annex 11 still leaves room for interpretation as seen by the FAQs on the European Medicines Agency website.

This writing is meant only to highlight a few of the differences between regulatory mandates for computerized systems. While Part 11 may be light on guidance compared to Annex 11, the FDA defers to other documents such as ICH Q8-10 to enforce its predicate rules. Electronic records involved in critical risk-based processes must demonstrate compliance with FDA predicate rules, namely 210, 211, 820, etc. These rules tell you what records must be maintained.   

In 2011, FDA’s CDER is expected to report on industry’s understanding implementing Part 11. The agency will review observations from Part 11 focused inspections, especially on validation, audit trails, copies of records and record retention.  The review will likely generate revised or new regulations or guidance, closing the gap in differences between Annex 11 and Part 11.

Both Annex 11 and Part 11 need to be applied when introducing medicines into the U.S. and Europe.  For a comparison of requirements of Annex 11 and other regulations, click here.

While Annex 11 provides some how-to guidance on implementing regulations, industry publications such as GAMP 5 provide detailed suggestions on how to implement computerized systems for GxP compliant environments.
Prior to the new Annex 11, there were only a handful of inspectors worldwide that had the training and experience to understand regulatory compliance of computerized systems. It will be interesting to see the outcome from EU Inspectorates’ observations on computerized systems to the new Annex 11, as well as FDA results from its Part 11 inspectional initiative.