EU GMP Annex 11


What is EU Annex 11?

EU Annex 11 is Annex 11 of the EU Guide to Good Manufacturing Practice (EudraLex Volume 4). It sets out the requirements for computerised systems used as part of GMP-regulated activities in the manufacture of human and veterinary medicinal products. Its guiding principle is that replacing a manual operation with a computerised system must not reduce product quality, process control or quality assurance, so the annex is about keeping electronic systems validated, reliable and secure over their whole life cycle.

EU Annex 11 is divided into three main parts (preceded by a short Principle and followed by a glossary):

  • General: Provides general guidance on using computerised systems in GMP-regulated activities. It covers risk management, personnel, and suppliers and service providers.

  • Project Phase: Focuses on the activities and considerations when implementing and validating computerised systems. It covers validation documentation, the inventory of systems, user requirement specifications, supplier assessment, testing and data migration.

  • Operational Phase: Addresses the ongoing use and maintenance of computerised systems in GMP-regulated processes. It includes requirements on data and accuracy checks, data storage, printouts, audit trails, change and configuration management, periodic evaluation, security, incident management, electronic signatures, batch release, business continuity and archiving.

Read the full Annex 11 here: https://www.gmp-compliance.org/files/guidemgr/annex11_01-2011_en.pdf

Good practice recommendations

Create an internal privacy policy

Companies need an internal privacy policy because they hold large amounts of personal information about employees and customers, as well as confidential information about the company itself.


Create an external privacy policy

Companies also need an external privacy policy that tells customers, vendors, website visitors and other outside parties how their data is handled.

Do an inventory of your IT

What systems are you using, and who in your company uses which system? Identify, track and manage all hardware and software assets your organization owns or uses: servers, laptops, mobile devices, printers, network devices, software licenses, and any other technology that contributes to the organization's IT infrastructure. Annex 11 (section 4.3) also expects an up-to-date list of all relevant systems together with their GMP functionality, so record for each system whether and how it affects GMP processes.

Personnel access

Document your employees' responsibilities and translate them into access groups in your system. Not everyone needs access to everything: by limiting access to what a role actually requires you reduce both the attack surface and the chance of administrative errors. Annex 11 (section 12) expects access to be restricted to authorised persons and the creation, change and cancellation of access authorisations to be recorded, so keep a log of who granted or removed which access, and when.
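The following is an added example (not code from the original page or from any real system) of what "access groups with recorded authorisation changes" looks like in practice: permissions are derived only from group membership, checks are deny-by-default, and every grant or revocation is written to a change record with actor, subject, group and UTC timestamp. The group names, permission strings and user names are assumptions.

```python
"""Access groups derived from documented responsibilities, checked deny-by-default,
with every creation, change and cancellation of an authorisation recorded, as
Annex 11 section 12.3 asks. Added example; the groups, permissions and user
names are assumptions, not taken from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed access groups: each group carries only the permissions its role needs.
ACCESS_GROUPS = {
    "operator": {"batch:view", "batch:record"},
    "qa_reviewer": {"batch:view", "batch:review", "audit_trail:view"},
    "sysadmin": {"user:manage", "config:change"},
}


@dataclass
class AccessControl:
    # user -> set of group names; seeded at installation with the first sysadmin
    assignments: dict = field(default_factory=dict)
    # authorisation change records: (utc timestamp, actor, action, subject, group)
    change_log: list = field(default_factory=list)

    def permissions(self, user):
        """Union of the permissions of every group the user belongs to."""
        return set().union(*(ACCESS_GROUPS[g] for g in self.assignments.get(user, ())))

    def is_allowed(self, user, permission):
        """Deny by default: a user with no group has no permissions at all."""
        return permission in self.permissions(user)

    def _authorise_change(self, actor, group):
        if group not in ACCESS_GROUPS:
            raise ValueError(f"unknown access group: {group}")
        if not self.is_allowed(actor, "user:manage"):
            raise PermissionError(f"{actor} is not authorised to manage access")

    def _record(self, actor, action, subject, group):
        self.change_log.append(
            (datetime.now(timezone.utc).isoformat(), actor, action, subject, group)
        )

    def grant(self, actor, subject, group):
        self._authorise_change(actor, group)
        self.assignments.setdefault(subject, set()).add(group)
        self._record(actor, "grant", subject, group)

    def revoke(self, actor, subject, group):
        self._authorise_change(actor, group)
        self.assignments.get(subject, set()).discard(group)
        self._record(actor, "revoke", subject, group)


def build_demo():
    """Constructed scenario: one seeded admin assigns an operator and a reviewer,
    then revokes the operator's group when that person changes role."""
    ac = AccessControl(assignments={"admin": {"sysadmin"}})
    ac.grant("admin", "alice", "operator")
    ac.grant("admin", "bob", "qa_reviewer")
    ac.revoke("admin", "alice", "operator")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("bob may review batches:", ac.is_allowed("bob", "batch:review"))
    print("alice may record batches:", ac.is_allowed("alice", "batch:record"))
    for entry in ac.change_log:
        print(entry)
```

Two design points matter for the check later in this page: only holders of the user management permission can change assignments, so an operator cannot escalate by adding themselves to a group, and the change log is the evidence an auditor will ask for when verifying that access matches documented responsibilities. In a real system that log would be written to append-only storage rather than kept in memory.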

Have formal agreements in place

Make sure formal agreements between the manufacturer and third parties (for example suppliers and service providers) are in place, with clearly defined responsibilities for each party. Do the same internally: there should be a clear, written allocation of IT responsibilities within the company.

Incident management

Security breaches, bugs and other incidents occur even on the best platforms, so have an incident management plan that lets you address them as soon as they arise. Annex 11 (section 13) asks that all incidents, not only system failures and data errors, are reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions (CAPA).

Have an archiving process

Data may be archived, but archived data still has to be checked regularly for accessibility (it can still be retrieved), readability (current tools can still interpret it) and integrity (it is unchanged since it was archived). If relevant changes are made to the system, for example new computer equipment or programs, the ability to retrieve the archived data must be ensured and tested again, because a format that yesterday's software could read is not guaranteed to be readable by today's.
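As an added example (not from the original page), here is one way to make the three checks concrete: a manifest of SHA-256 digests is written when files are archived, and each periodic check confirms that every listed file is still present (accessibility), still hashes to the recorded digest (integrity) and can still be parsed by the current reader (readability). The file names, contents and the JSON reader are constructed for the demo.

```python
"""Archive check covering the three properties named above: accessibility (the
file is still there and can be opened), integrity (its SHA-256 digest matches
the manifest written when it was archived) and readability (today's reader can
still parse it). Added example; the file names and contents are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(archive_dir):
    """Record a digest for every archived file at archiving time."""
    archive_dir = Path(archive_dir)
    entries = {
        p.name: sha256_of(p)
        for p in sorted(archive_dir.iterdir())
        if p.is_file() and p.name != MANIFEST
    }
    (archive_dir / MANIFEST).write_text(json.dumps(entries, indent=2))
    return entries


def check_archive(archive_dir, readers):
    """Return {file name: status}; status is 'ok', 'missing', 'corrupt',
    'unreadable' or 'unlisted' (present on disk but absent from the manifest)."""
    archive_dir = Path(archive_dir)
    expected = json.loads((archive_dir / MANIFEST).read_text())
    results = {}
    for name, digest in expected.items():
        path = archive_dir / name
        if not path.is_file():                 # accessibility
            results[name] = "missing"
            continue
        if sha256_of(path) != digest:          # integrity
            results[name] = "corrupt"
            continue
        reader = readers.get(path.suffix)      # readability with current tooling
        if reader is not None:
            try:
                reader(path)
            except Exception:
                results[name] = "unreadable"
                continue
        results[name] = "ok"
    for p in archive_dir.iterdir():
        if p.is_file() and p.name != MANIFEST and p.name not in expected:
            results[p.name] = "unlisted"
    return results


def demo():
    """Constructed archive: two valid batch records and one that was never valid
    JSON; then simulate silent corruption of one record and loss of another."""
    readers = {".json": lambda p: json.loads(p.read_text())}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "batch_0001.json").write_text(json.dumps({"batch": "0001", "result": "pass"}))
        (d / "batch_0002.json").write_text(json.dumps({"batch": "0002", "result": "pass"}))
        (d / "batch_0003.json").write_text("not json at all")
        write_manifest(d)
        at_archiving = check_archive(d, readers)
        (d / "batch_0001.json").write_text(json.dumps({"batch": "0001", "result": "fail"}))
        (d / "batch_0002.json").unlink()
        (d / "stray.json").write_text("{}")
        later = check_archive(d, readers)
    return at_archiving, later


if __name__ == "__main__":
    for label, result in zip(("at archiving", "later"), demo()):
        print(label, result)
```

A manifest stored beside the data detects accidental corruption and loss, but not an attacker who can rewrite both the file and the manifest; for that, sign the manifest or keep a copy on separate, write-protected storage. The readability step is the one to rerun after every change to equipment or software, since it is the reader, not the bytes, that changes.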

Do a risk assessment 

IT risk assessments are a crucial part of any successful company. They show how your organization's risks and vulnerabilities change over time, so that decision-makers can put the right measures and safeguards in place.

Risk assessments should be conducted on a regular basis (e.g. annually) and whenever major changes occur within your organization (e.g., acquisition, merger, re-organization, when implementing new technology to handle a key business process, when employees suddenly move from working in an office to working remotely). 


1. Identify company assets 
These could be proprietary information, hardware, software, client information, network topology, etc. Collaborate with other departments to find further valuable assets and to decide which ones to prioritize.

2. Recognize the threats 
Be aware of the main sources of threats an organization usually encounters: natural disasters, human error or malicious intent, system failure, and so on.

3. Spot the vulnerabilities 
Vulnerabilities are security weaknesses that can expose information, data and assets to those threats. Use internal audits, penetration testing, and continuous employee training and awareness-raising to find the IT vulnerabilities in your organization.

4. Assess the likelihood of incidents
Evaluate how exposed each asset is to each threat, and from there assess the likelihood of an incident. Take into account the factors that shape the organization's security posture, such as existing controls, compliance and policy requirements, and continuity plans.

5. Specify possible repercussions
One or more of the following can happen when a threat is realized against a company asset: legal action, data loss, production downtime, fines and penalties, damage to the company's reputation, etc.

6. Determine controls
Determine which controls already exist to mitigate each threat. From there, identify how protection against the remaining vulnerabilities can be improved; new controls may need to be implemented or old ones updated to keep up with new and changing threats.

7. Improve continuously
Conduct risk assessments regularly, as frequently as is practical. This helps identify gaps in security proactively, so they can be addressed before they are exploited. Document and review the results of each IT risk assessment, and keep watching for new security issues.


Here is an example of what a risk assessment can look like. The columns are Threat, Vulnerability, Asset, Impact/repercussions, Likelihood, Risk and Control recommendations; each entry gives a short description followed by its rating in brackets:

Risk 1

  • Threat: System failure - Overheating in server room (High)

  • Vulnerability: Air conditioning system is 10 years old (High)

  • Asset: Servers (Critical)

  • Impact/repercussions: All servers (website, email etc.) will be unavailable for at least 3 hours (Critical)

  • Likelihood: Current temperature in server room is 40 °C (High)

  • Risk: Potential loss of € 5.000 per occurrence (High)

  • Control recommendations: Buy a new air conditioner, € 300 cost

Risk 2

  • Threat: Natural disaster - flooding (High)

  • Vulnerability: Server room is on the third floor (Low)

  • Asset: Servers (Critical)

  • Impact/repercussions: All servers will be unavailable (Critical)

  • Likelihood: Last flood in the area happened 10 years ago (Low)

  • Risk: Low

  • Control recommendations: No action needed
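As an added example (not part of the original page), the seven steps above and the two table rows can be carried through in code: each row becomes a register entry, likelihood and impact ratings are combined into a risk level, and the control decision is made from the risk level and a cost comparison. The numeric scale, the thresholds and the decision rule are assumptions chosen so that they reproduce the ratings in the table; they are not taken from Annex 11 or from any standard.

```python
"""Scoring for the risk register above. Likelihood and impact ratings are mapped
to numbers, multiplied and bucketed into a risk level; the scale, thresholds
and the control decision rule are assumptions chosen to reproduce the ratings
shown in the example table. Added example, not part of the original page."""
from dataclasses import dataclass

LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def risk_level(likelihood, impact):
    """Assumed matrix: score = likelihood x impact; >= 9 High, 5-8 Medium, else Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 9:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    threat: str
    vulnerability: str
    asset: str
    impact_description: str
    impact: str            # rating of the repercussions
    likelihood_basis: str
    likelihood: str        # rating
    loss_per_occurrence: float = 0.0   # euros, if estimated
    control: str = ""
    control_cost: float = 0.0          # euros

    @property
    def level(self):
        return risk_level(self.likelihood, self.impact)


def control_decision(risk):
    """Assumed rule: accept Low risks; otherwise implement the control if it costs
    less than a single occurrence would, else send it back for review."""
    if risk.level == "Low":
        return "accept"
    if risk.control and risk.control_cost < risk.loss_per_occurrence:
        return f"implement: {risk.control}"
    return "review: control missing or costs more than one occurrence"


# The two rows of the example table, transcribed.
REGISTER = [
    Risk(
        threat="System failure - overheating in server room",
        vulnerability="Air conditioning system is 10 years old",
        asset="Servers",
        impact_description="All servers (website, email etc.) unavailable for at least 3 hours",
        impact="Critical",
        likelihood_basis="Current temperature in server room is 40 C",
        likelihood="High",
        loss_per_occurrence=5000.0,
        control="Buy a new air conditioner",
        control_cost=300.0,
    ),
    Risk(
        threat="Natural disaster - flooding",
        vulnerability="Server room is on the third floor",
        asset="Servers",
        impact_description="All servers will be unavailable",
        impact="Critical",
        likelihood_basis="Last flood in the area happened 10 years ago",
        likelihood="Low",
    ),
]

ORDER = {"High": 0, "Medium": 1, "Low": 2}


def assess(register):
    """Rate every risk and return (threat, level, decision), highest risk first."""
    rated = [(r.threat, r.level, control_decision(r)) for r in register]
    return sorted(rated, key=lambda row: ORDER[row[1]])


if __name__ == "__main__":
    for threat, level, decision in assess(REGISTER):
        print(f"{level:<6} {threat}: {decision}")
```

Keeping the scoring in a function rather than in people's heads is what makes step 7 (reassess regularly) repeatable: when the air conditioner is replaced, only the likelihood basis and rating of the first row change, and the rerun shows whether the risk has dropped enough to be accepted. Note that the flooding row comes out Low even though its impact is Critical; whether a Low-likelihood, Critical-impact risk should really be accepted without any control is a judgement the register should record explicitly.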