EU Annex 11: How to Stay Compliant
EU Annex 11 lays out the European Union’s regulations for using computerised systems during clinical trials. Any sponsor or site who wants their new medical treatment approved in the EU must follow Annex 11.
In this post, we’ll answer the questions:
- What is Annex 11?
- Does Annex 11 apply to clinical trials?
- Does Annex 11 apply to medical devices?
- What is the difference between 21 CFR Part 11 and Annex 11?
- How can you stay compliant with Annex 11?
When talking about how you can stay compliant, we’ll also break down each part of the Annex 11 regulations. Let’s dive in.
This post is intended as guidance, not as legally binding regulations. For in-depth compliance information, please contact a member of our compliance team at firstname.lastname@example.org.
What is Annex 11?
Annex 11 contains the EU’s regulations for using electronic systems during clinical trials. It is part of the EudraLex, the Rules Governing Medicinal Products in the European Union. The European Commission creates and updates the EudraLex, which applies to sites, CROs and sponsors working in the EU.
Volume 4 of the EudraLex is called Good Manufacturing Practice (GMP): Medicinal Products for Human and Veterinary Use. Since Volume 4 covers the process of creating new medicines, it contains many clinical trial regulations.
Annex 11 was added to Volume 4 in 30 June 2011 because of the growing popularity of healthcare software for clinical trials. The European Commission wanted to make sure all technology used for clinical trials in the EU was private, compliant, and secure.
If you’d like to learn more about varying regulations around electronic documents, check out our blog on how to approach global clinical trial regulations.
What is the difference between 21 CFR Part 11 and Annex 11?
The main difference is that 21 CFR Part 11 applies to electronic clinical trial documents submitted to the FDA in the U.S. Annex 11 applies to electronic clinical trial documents submitted to the European Medicines Agency (EMA) within the EU.
There are also a few other similarities and differences:
- 21 CFR Part 11 and EU GMP Annex 11 both regulate electronic documents and signatures used during clinical trials
Differences (other than Part 11 applying to the U.S. and Annex 11 to the EU):
- 21 CFR Part 11 focuses very closely on electronic documents and signatures
- Annex 11 is broader and includes more instructions on software, hardware, personnel, and risk management
Does Annex 11 apply to clinical trials?
Yes! Annex 11 applies to all computerised systems used to bring Medicinal Products to market in the EU.
A clinical trial must follow Annex 11 regulations if it:
- Involves a new medical treatment or drug
- Wants approval from the European Medicines Agency
- Uses electronic systems
Does Annex 11 apply to medical devices?
No. Annex 11 only specifies that it applies to Medicinal Products. Medical devices have a separate process, called a conformity assessment, to receive a CE (Conformité Européenne) mark. Annex 11 only applies if the medical device is used in conjunction with a new medication.
However, some medical device trials still opt to follow Annex 11 (or Part 11 from the U.S.) to ensure their electronic systems are compliant and private. For more on Annex 11 and Part 11, check out:
How can you stay compliant with Annex 11?
The basic idea of Annex 11 is that “when a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”
To ensure electronic systems meet these requirements, you’ll need to work closely with your software vendor.
For legally binding compliance information, you should always refer to the Annex 11 regulations. But we’ll also break down what you need to know and how your software vendor can help you here!
1. Risk Management
When you implement new software, your team will create a risk assessment of the computerised system. The risk assessment should account for patient safety, data integrity, and product quality.
Ask your software vendor if they can help you create a risk assessment and update your Standard Operating Procedures. Although responsibility for risk management ultimately lies with sites and sponsors, many vendors (Florence included) are happy to help with the process.
Annex 11 states that “All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.”
Most clinical trial platforms manage this through giving each user a separate login with permissions based on their assigned role. These permissions determine which documents and data they can access and what changes they can make.
For more on roles and permissions, check out eRegulatory capabilities checklist.
3. Suppliers and Service Providers
The third section of Annex 11 states that when sites, sponsors, and CROs work with a supplier or service provider (like a software vendor), the clinical research team must have an agreement outlining the responsibilities of the vendor.
The regulations also emphasise that clinical research teams should look for “competence and reliability” in their vendors. Because clinical research is a highly regulated industry, you need a software vendor who’s willing to be a true partner, answer all of your compliance and security questions, and go through audits when needed.
The Florence implementation team will explain what forms of regulatory support we provide, but you can see a preview of what regulatory responsibilities we take on as a software vendor. We assume all responsibilities that lie with the vendor according to regulatory authorities. We also place a great deal of emphasis on customer support.
Nearly every site, sponsor, or CRO has questions about software validation, which is required by both Annex 11 and by Part 11. During software validation, the vendor provides documentation that the software performs its intended function and meets all of the customers’ requirements without major bugs or errors.
What software validation looks like varies from system to system–the validation process is different for a Clinical Trial Management System (CTMS) than for an eConsent platform or electronic Investigator Site File (eISF).
To have a successful validation process, you should:
- Check with your security team to see if you have internal validation requirements (we discuss this more in our tips for implementation success.)
- Ask the software vendor to provide documentation of their software validation process. If your team has your own separate requirements, give those to the vendor so they can validate their software against them.
Any computerised system that will share data with other systems needs to transfer data securely and accurately. Sit down with your software vendor and talk about what practices they have in place to protect your data. This could include secure log-ins, encryption, or an incident response plan.
For more on data security, check out our guide to data protection and GDPR.
6. Accuracy Checks
Data in electronic systems must be double-checked for accuracy. This process can be performed manually or through built-in features within the software. We use audit trials and version control so you can see when data has been changed.
7. Data Storage
Data must be stored for the entire required retention period, and data backups must be available. Florence meets this requirement by keeping documents in secure, long-term archives for 25 years, in accordance with EU and other global regulations.
It should be possible to print out electronically stored data and audit trails that show when data is changed. Although the software needs to have this feature, most sites, sponsors, and CROs rarely use it to save paper.
9. Audit Trails
According to Annex 11, the risk assessments should say whether a clinical trial platform needs an audit trail to track changes. The audit trail should show which changes were made to documents or data, when, and by which users.
Florence includes automated audit trails in the following platforms:
10. Change and Configuration Management
Vendors should make changes to clinical trial platforms in a controlled manner with a defined procedure. Before buying a platform, ask the vendor to share their change management plan with you.
11. Periodic Evaluation
Your internal security team may want to periodically review the software to ensure it’s still compliant with Annex 11. Your vendor should be willing to help with this. The vendor should also show you the internal plan they use to validate their software.
This section of Annex 11 focuses on secure logins. The platform should ensure that every user has an individual identification, verified through a password or biometrics. Florence currently uses passwords.
Each user’s login should give them a limited set of permissions. When users are added or removed, the audit trail should also record the change.
13. Incident Management
Security breaches, bugs, and other incidents can occur even among the best platforms, as companies like Apple, Twitter, Facebook and Samsung have proven. Your vendor should have an incident management plan to address these issues as soon as they arise.
Check out our article on clinical trial cybersecurity to learn more about the importance of incident management for software vendors.
14. Electronic Signatures
Annex 11 only has one short section on electronic signatures, unlike Part 11, which goes into far more detail. If you follow the recommendations for advanced electronic signatures in Part 11, you will easily comply with the electronic signature requirements in Annex 11.
To stay Part 11 and Annex 11-compliant, look for eSignatures that are:
- Uniquely linked to the signer;
- Capable of identifying the signer;
- Created in a way that the signer can, with a high level of confidence, use under their sole control; and
- Linked to the Electronic Record in such a way that any subsequent change in the data is detectable.
Florence meets these standards by giving each user a unique login and requiring them to reenter their password before signing documents. We also ensure that signatures show the user’s name, job title (optional), and reason for signing. Finally, the audit trail records every time there has been a change to a document.
15. Batch Releases
If the certification of the product and its approval for batch release takes place within the electronic system, the system should ensure that the person doing the certification is authorized to do so. The person should enter their advanced electronic signature before doing the certification or batch release.
16. Business Continuity
Clinical research teams should work with the vendor to come up with a documented backup plan to use when or if the computerised system breaks down. This can be part of your incident management plan.
When clinical research teams archive data, they should be able to retrieve it. Florence ensures this is possible by offering long-term, cloud-based storage for 25 years.
Annex 11 Compliance Made Easy
Annex 11 and other clinical trial regulations can feel overwhelming. That’s why it’s so important to work with a software vendor who’s familiar with the regulations and who can explain what aspects of the regulations they handle and which aspects your team will need to handle.
Your vendor should help you create a comprehensive implementation plan that will empower you to use your clinical trial software while complying with Annex 11.
Want to learn more about the regulations you need to follow in the European Union? Check out our guide to the EU Clinical Trials Regulation. And if you’d like to learn more about Part 11 in the U.S., try our Part 11 checklist.