EU Annex 11 lays out the European Union’s regulations for using computerised systems in Good Manufacturing Practice (GMP) of medicinal products. This includes using computerised systems during clinical trials. Any sponsor or site who wants their new medical treatment approved in the EU must follow Annex 11.
In this post, we’ll answer the questions:
- What is Annex 11?
- What is the difference between 21 CFR Part 11 and Annex 11?
- Does Annex 11 apply to clinical trials?
- Does Annex 11 apply to medical devices?
- How can you stay compliant with Annex 11?
- What changes are upcoming for EU Annex 11?
When talking about how you can stay compliant, we’ll also break down each part of the Annex 11 regulations. Let’s dive in.
This post is intended as guidance, not as legally binding regulations. For in-depth compliance information, please contact a member of our compliance team at email@example.com.
What is Annex 11?
Annex 11 contains the EU’s regulations for using electronic systems while manufacturing new medicinal products. Since clinical trials are often part of this process, Annex 11 relates to clinical trials.
Annex 11 is part of the EudraLex, the Rules Governing Medicinal Products in the European Union. The European Commission creates and updates the EudraLex, which applies to sites, CROs and sponsors working in the EU.
Volume 4 of the EudraLex is called Good Manufacturing Practice (GMP): Medicinal Products for Human and Veterinary Use. Since Volume 4 covers the process of creating new medicines, it contains many clinical trial regulations.
Annex 11 was added to Volume 4 in 30 June 2011 because of the growing popularity of healthcare software for clinical trials. Clinical research teams can use Annex 11 to make sure all technology used for clinical trials in the EU was private, compliant, and secure.
If you’d like to learn more about varying regulations around electronic documents, check out our blog on how to approach global clinical trial regulations.
What is the difference between 21 CFR Part 11 and Annex 11?
The main difference is that 21 CFR Part 11 applies to electronic clinical trial documents submitted to the FDA in the U.S. Annex 11 applies to electronic GMP documents, including clinical trial documents, submitted to the European Medicines Agency (EMA) within the EU.
There are also a few other similarities and differences:
- 21 CFR Part 11 and EU GMP Annex 11 both regulate electronic documents and signatures used during clinical trials
Differences (other than Part 11 applying to the U.S. and Annex 11 to the EU):
- 21 CFR Part 11 focuses very closely on electronic documents and signatures
- Annex 11 is broader and includes more instructions on software, hardware, personnel, and risk management
Does Annex 11 apply to clinical trials?
Yes! Annex 11 applies to all computerised systems used to bring Medicinal Products to market in the EU.
A clinical trial must follow Annex 11 regulations if it:
- Involves a new medical treatment or drug
- Wants approval from the European Medicines Agency
- Uses electronic systems
Does Annex 11 apply to medical devices?
No. Annex 11 only specifies that it applies to Medicinal Products. Medical devices have a separate process, called a conformity assessment, to receive a CE (Conformité Européenne) mark. Annex 11 only applies if the medical device is used in conjunction with a new medication.
However, some medical device trials still opt to follow Annex 11 (or Part 11 from the U.S.) to ensure their electronic systems are compliant and private. For more on Annex 11 and Part 11, check out:
How can you stay compliant with Annex 11?
The basic idea of Annex 11 is that “when a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”
To ensure electronic systems meet these requirements, you’ll need to work closely with your software vendor.
For legally binding compliance information, you should always refer to the Annex 11 regulations. But we’ll also break down what you need to know and how your software vendor can help you here!
1. Risk Management
When you implement new software, your team will create a risk assessment of the computerised system. The risk assessment should account for patient safety, data integrity, and product quality. You will also need to update your Standard Operating Procedures (SOPs).
Ask your software vendor if they can help you update your Standard Operating Procedures. Although responsibility for risk management ultimately lies with sites and sponsors, many vendors (Florence included) are happy to help with the process.
Annex 11 states that “All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.”
Most clinical trial platforms manage this through giving each user a separate login with permissions based on their assigned role. These permissions determine which documents and data they can access and what changes they can make.
For more on roles and permissions, check out eRegulatory capabilities checklist.
3. Suppliers and Service Providers
The third section of Annex 11 states that when sites, sponsors, and CROs work with a supplier or service provider (like a software vendor), the clinical research team must have an agreement outlining the responsibilities of the vendor.
The regulations also emphasise that clinical research teams should look for “competence and reliability” in their vendors. Because clinical research is a highly regulated industry, you need a software vendor who’s willing to be a true partner, answer all of your compliance and security questions, and go through audits when needed.
The Florence implementation team will explain what forms of regulatory support we provide, but you can see a preview of what regulatory responsibilities we take on as a software vendor. We assume all responsibilities that lie with the vendor according to regulatory authorities. We also place a great deal of emphasis on customer support.
Nearly every site, sponsor, or CRO has questions about software validation, which is required by both Annex 11 and by Part 11. During software validation, the vendor provides documentation that the software performs its intended function and meets its intended use.
What software validation looks like varies from system to system–the validation process is different for a Clinical Trial Management System (CTMS) than for an eConsent platform or electronic Investigator Site File (eISF).
To have a successful validation process, you should:
- Check with your security team to see if you have internal validation requirements. Add any relevant members of the security team to your implementation team (we discuss this more in our tips for implementation success.)
- Ask the software vendor to provide documentation of their software validation process.
Any computerised system that will share data with other systems needs to transfer data securely and accurately. Sit down with your software vendor and talk about what practices they have in place to protect your data. This could include secure log-ins, encryption, or an incident response plan.
For more on data security, check out our guide to data protection and GDPR.
6. Accuracy Checks
Data in electronic systems must be double-checked for accuracy. This process can be performed manually or through built-in features within the software. We use audit trials and version control so you can see when data has been changed.
7. Data Storage
Data must be stored for the entire required retention period, and data backups must be available. Florence meets this requirement by keeping documents in secure, long-term archives for their customers, in accordance with EU and other global regulations.
It should be possible to print out electronically stored data and audit trails that show when data is changed. Although the software needs to have this feature, most sites, sponsors, and CROs rarely use it to save paper.
9. Audit Trails
According to Annex 11, the risk assessments should say whether a clinical trial platform needs an audit trail to track changes. The audit trail should show which changes were made to documents or data, when, and by which users.
Florence includes automated audit trails in the following platforms:
10. Change and Configuration Management
Vendors should make changes to clinical trial platforms in a controlled manner with a defined procedure. Before buying a platform, ask the vendor to share their change management plan with you.
11. Periodic Evaluation
Your internal security team may want to periodically review the software to ensure it’s still compliant with Annex 11. Your vendor should also show you the internal plan they use to validate their software.
This section of Annex 11 focuses on secure logins. The platform should ensure that every user has an individual identification, verified through a password or biometrics. Florence currently uses passwords.
Each user’s login should give them a limited set of permissions. When users are added or removed, the audit trail should also record the change.
13. Incident Management
Security breaches, bugs, and other incidents can occur even among the best platforms, as companies like Apple, Twitter, Facebook and Samsung have proven. Your vendor should have an incident management plan to address these issues as soon as they arise.
Check out our article on clinical trial cybersecurity to learn more about the importance of incident management for software vendors.
14. Electronic Signatures
Annex 11 only has one short section on electronic signatures, unlike Part 11, which goes into far more detail. If you follow the recommendations for advanced electronic signatures in Part 11, you will easily comply with the electronic signature requirements in Annex 11.
To stay Part 11 and Annex 11-compliant, look for eSignatures that are:
- Uniquely linked to the signer;
- Capable of identifying the signer;
- Created in a way that the signer can, with a high level of confidence, use under their sole control; and
- Linked to the Electronic Record in such a way that any subsequent change in the data is detectable.
Florence meets these standards by giving each user a unique login and requiring them to reenter their password before signing documents. We also ensure that signatures show the user’s name, job title (optional), and reason for signing. Finally, the audit trail records every time there has been a change to a document.
15. Batch Releases
If the certification of the product and its approval for batch release takes place within the electronic system, the system should ensure that the person doing the certification is authorized to do so. The person should enter their advanced electronic signature before doing the certification or batch release.
16. Business Continuity
Clinical research teams should work with the vendor to come up with a documented backup plan to use when or if the computerised system breaks down. This can be part of your incident management plan.
When clinical research teams archive data, they should be able to retrieve it. Florence ensures this is possible by offering long-term, cloud-based storage to customers in accordance with global regulations.
What Changes Are Upcoming for EU Annex 11?
Because Annex 11 was first written in 2011, it will undergo revisions to bring it in line with current Good Manufacturing Practices (GMP) and modern technology. The draft guidance will come out in 2024. Stakeholders will have the opportunity to leave feedback in 2025, and the finalized guidance will take effect in 2026.
What will the revisions look like? The European Medicines Agency has issued a concept paper that gives sponsors, sites, and CROs an idea of what to expect. Here are a few key takeaways:
The concept paper calls for a few changes that will impact all parts of Annex 11:
- Requirements for data in motion and at rest
- Addressing digital transformation
Annex 11 will include requirements for data that is currently in use and data that is backed up or archived. These guidelines should help Annex 11 align more closely with the Global Data Privacy Regulation (GDPR), which was written after the original Annex 11.
The updated document will also address digital transformation: the fact that many sites, sponsors, and CROs have already replaced manual processes with electronic ones. Annex 11 will cover not just when a computerised system replaces a manual operation, but also when it replaces a different computerised system.
Changes to Risk Management
The new Annex 11 will reference ICH Q9, which are guidelines for quality risk management.
Changes to Suppliers and Service Providers
When clinical trial teams use cloud services, they will need documentation for the validation and safe operation of a system. (Most software vendors already help customers with this documentation.)
Changes to Validation
The new Annex 11 will clarify what “validation” and “qualification” means for software, making it easier for research organizations to discuss the processes with their software vendors. The concept paper also suggests that Annex 11 could accept agile validation processes with less-traditional documentation.
Changes to Accuracy Checks
Annex 11 will now define the “critical data” and “critical systems” that require accuracy checks.
Changes to Data Storage
The updated Annex 11 will provide clearer instructions for what physical or electronic data should be backed up, what types of backups are required, how often backups are made, and how long they are retained.
Changes to Printouts
The ability to print out documents, including the audit trail, may no longer be required (a major win for environmentalism!)
Changes to Audit Trails
The concept paper states that audit trails should be mandatory in all cases, not only when a risk assessment calls for one.
Audit trails should also:
- Identify the user who made a change
- Show what was changed
- Display the time and date when the change was made
- Ask for a reason for the change
To ensure all requirements are met, Florence offers full audit trail functionality in all of our products. You can learn more about our global compliance practices here.
Changes to Periodic Evaluation
Software platforms will no longer need periodic evaluations based on the platforms’ upgrade histories. Instead, clinical research teams can perform periodic evaluations based on hardware and software baseline changes over time. The new guidance will hopefully provide more detail on what baseline changes are.
Changes to Security
The current version of Annex 11 says that “Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons.”
The new guidance will be more specific and name expected security controls, like:
- Multi-factor authentication
- Security patching
- Virus scanning
- Intrusion detection and prevention
- Logins specific to a single person
- Periodic review of system users and permissions
Changes to Archiving
The original version of Annex 11 recommends that clinical research teams check archived data for accessibility, readability, and integrity. However, the concept paper encourages teams to be proactive rather than reactive. Before the data is archived, teams should check to make sure the archiving process is validated and the data won’t be damaged.
Software vendors can help with this by validating their long-term archiving and providing clinical research teams with evidence that the system works.
Annex 11 Compliance Made Easy
Annex 11 and other clinical trial regulations can feel overwhelming. That’s why it’s so important to work with a software vendor who’s familiar with the regulations and who can explain what aspects of the regulations they handle and which aspects your team will need to handle.
Your vendor should help you create a comprehensive implementation plan that will empower you to use your clinical trial software while complying with Annex 11.
Want to learn more about the regulations you need to follow in the European Union? Check out our guide to the EU Clinical Trials Regulation. And if you’d like to learn more about Part 11 in the U.S., try our Part 11 checklist.