Organizations that wish to do business and obtain market approval in both the EU and USA must abide by the requirements of Eudralex Annex 11 and FDA 21 CFR Part 11 respectively. In this blog (a section from our popular Part 11 vs Annex 11 whitepaper), we present a standard approach to demonstrating compliance with both these regulatory directives.
Step 1. Perform a gap assessment
Assess the environment in which the computer system will be used. Identify the procedural and technical controls which must be in place to ensure the regulatory expectations are met. Begin with the regulatory mapping (provided in Table 1 of our new whitepaper - Approaching Compliance with 21 CFR Part 11 and Annex 11), then build on this table by describing how the system can (or cannot) meet each regulatory requirement.
Step 2. Plan and implement mitigation activities
Within the assessment, you may find that the system is incapable of meeting regulatory requirements (either technically or via procedural controls). Mitigation activities must be planned and implemented to close the identified “gaps”. Some examples of mitigation activities are presented in Table 3.
| Example Identified Gap | Example Mitigation Activity |
| --- | --- |
| Daily backup jobs do not run on the system. | The system must be added to data backup schedules. Standard Operating Procedures (SOPs) for data backup and retention need to be updated to capture the system within scope. |
| System does not have a built-in user authentication process. | Integrate the system with a third-party user authentication and management system. Validate this system integration. |
| Underlying infrastructure is not qualified. | For on-premise systems: qualify the infrastructure. For hosted (SaaS) systems: perform a supplier assessment to evaluate the capabilities of the supplier. |
At a minimum, system validation should always be identified as a mitigation activity. The validation strategy should be tailored to the complexity and criticality of the system (see Step 3).
Step 3. Validate the computer system following the GAMP® 5 approach
While Annex 11 provides some how-to guidance on implementing regulations, the industry has accepted publications such as ISPE’s GAMP® 5 to provide detailed recommendations on how to implement computerized systems for GxP compliant environments.
GAMP® 5 defines the industry’s standard framework for risk-based validation. As shown in Table 4, if one is willing to tolerate some minor variations between wordings, definitions and structures, the GAMP® 5 validation approach can result in compliance with both Annex 11 and 21 CFR Part 11.
It is worth noting that a supplier cannot sell a “validated system” as validation requires demonstration that the system performs as intended in its actual environment. Moreover, a supplier cannot sell a system that is certified as Annex 11 or 21 CFR Part 11 compliant. The supplier can only provide the functionality that enables compliance; system compliance and validation ultimately remain the responsibility of the regulated user of the system.
For more on where the two directives intersect, check out our whitepaper below!
This article is part of a recent whitepaper titled "Approaching Compliance with 21 CFR Part 11 & Annex 11: A Practical Guide" and is a product of contributions from several Montrium consultants.