Annex 11 and Clinical Trial Implications Explained

The origins of Annex 11 go all the way back to 1991 when the Pharmaceutical Inspection Cooperation Scheme (PIC/S) created a document, Annex 5, for their requirements for computerized systems used in GMP – that's Good Manufacturing Practice. This was incorporated in 1992 as Annex 11, a supplement to existing EU GMP rules which applied to all human and animal products that were made or sold in the EU.

The idea behind Annex 11 was to ensure that when a computer was used instead of a manual operation, there was no risk to product quality, efficacy or patient safety. As the complexity of automated systems grew and the use of systems increased, in 2011 the EU updated Annex 11 to include all GMP-related activities such as production, quality systems, records and documents, electronic forms, process controls – to name just a few! Validation, change control of systems and requirements for data integrity were also included.

Annex 11 is currently undergoing a further update because the version of the guidance does not give sufficient guidance within a number of areas as there has been extensive progress in the use of new technologies within the industry in the last few years. A five-page concept paper was released towards the end of last year and is open for comments until November 2023.

Annex 11 applies to all computerized systems used to develop medicinal products in clinical trials. Although applicable to GMP, Annex 11 has been widely adopted outside of this remit as a standard of excellence for computerized system implementation. Annex 11 must be followed where a software system is being used, as part of the new treatment or drug being trialed where approval is required from the EMA. So, most software used as part of clinical trials will follow Annex 11.

The Annex 11 guidance is important because it builds confidence that clinical study information is complete and consistent and being managed safely, which is vital as the data from trials is used to support decision-making for the treatment of medical conditions. The patient also needs to be assured that there are robust systems in place when it comes to data integrity as part of these trials.

Think of it like a management framework for computerized systems that provides guidance on:

• Risk Management – always be thinking of the impact on patient safety and data integrity.
• Validation – systems should be validated and IT systems qualified ahead of use.
• System change control – management of changes to ensure there is no impact on the product, system itself or integrated systems.
• Data – ensuring data is safely and securely managed throughout its lifecycle.
• Security – ensuring that controls are in place and that only the right people have access to what they need, along with measures in place to manage unauthorized access, changes and data management.

While Teckro is not governed by GMP, we understand that to support our clients in their good practice and regulations (GxP) activities it is important to implement Annex 11 compliant software systems as relevant to our business. To achieve this at Teckro, we take a risk-based approach in all our activities in our support of Annex 11. We have procedural controls in place which are built into information systems to ensure data is managed and controlled. Teckro also assures the confidentiality, integrity and availability of data through our ISO 27001 certification process. In terms of IT processes in-house, we have security policies to manage who has access to data.

With the validation process, we support Annex 11 through our risk assessments, validation, testing and change control processes. We provide a full validation documentation package for each release of our product. We qualify our IT infrastructure and auxiliary software systems in support of our Teckro application. We assess our processes continuously to improve and ensure compliance for our customers.

Annex 11 has three sections that incorporate data integrity as part of guidance. These include: risk management as part of the general section, the project phase covering validation and the operational phase in how we manage, check and store data. Annex 11 also requires that there are built in checks for data, that critical data requires additional checks are in place, such as access controls and permissions where data is stored along with appropriate data management.

Data integrity is so important as it forms the basis on which our decisions are made around our products. Data we gather from validation of systems, to data gathered from our laboratory – or clinical trial results data, is integral in whether our products are fit for intended use. Implementation of data integrity principles also provides regulators with the assurance that the industry has applied relevant measures and controls to ensure data is safe, secure and consistent and forms part of the development and manufacturing processes.

So, this is an interesting question because while the concept behind the two are similar, there are some key differences, and it can be easy to get confused. To summarize, with Annex 11 the guidance is more rounded because it is not focused on one area – it is like a management framework for computerized systems. FDA 21 CFR Part 11 applies to electronic records required to be maintained by a predicate rule and submitted to the FDA, while Annex 11 applies to all forms of computerized systems used in GMP-regulated activities.

Annex 11 provides the blueprint for any company to implement processes in support of the guidance. Companies should start with risk management practices, then build on requirements and design specifications, which support the validation process and ensure validation is completed. Having robust procedural, technical, auditing measures and controls around the key Annex 11 requirements underpins success over the lifecycle of a system.