StartseiteLeistungenSchulungsdatenbankLebenslaufUsefull LinksCleaning ValidationNew EU GMP Annex 11

New EU GMP Annex 11:


Project Phase

Operational Phase

Table 1: Risk based Approach

Table 2: Suppliers and Service Providers

Table 3: Comparison of Annex 11 versions

Check Your Knowledge






Risk Management

The new annex 11 emphasizes RISK MANAGEMENT and a RISK BASED APPROACH. While the word “risk” is used only once in the current annex it appears 12 times in the new version, exactly 11 times in the annex text (please refer to table “Risk based Approach of EU Annex 11”) and – by coincidence – one more time in the header of the document.

On one hand the DOCUMENTED RISK ASSESSMENT demanded by the annex offers the chance to tailor validation efforts exactly to each individual APPLICATION, on the other hand it is challenging to industry to keep all the risk assessments up to date. The regulated user needs to establish a process which links CHANGE CONTROL, PERIODIC EVALUATION, the INVENTORY OF THE RELEVANT SYSTEMS AND RISK ASSESSMENTS. PharmAdvice recommends creating and maintaining a controlled inventory file listing not only the relevant systems and their GMP functionality as required by chapter 4.3 but including all associated system life cycle documents and the date of their last review. Depending on the amount of systems to be monitored this may be a sophisticated database or a spreadsheet with appropriate protection against unintentional changes in the listing. Furthermore PharmAdvice recommends to include not only the RELEVANT SYSTEMS but also to include – as far as reasonable - those systems which have been rated “not GxP relevant” by the regulated user. The reason for that decision should also be included. PharmAdvice also strongly recommends considering end user applications like MS Excel ® spreadsheets and MS Access ® databases, because “End User applications tend to be among the most under-documented systems used in GxP environments”. This approach capturing all computerised systems has two advantages. In the first place it ensures that validation of GMP-relevant systems will not be overlooked and secondly the reasons not to validate are clearly stated and comprehensible to everybody. PharmAdvice admits, that this recommendation is very close to the wording of the 2008 draft “An inventory, or listing, of all computerised systems is essential. The inventory should mention the site and purpose of the computerised system. This list should indicate the risk assessed category of each system. Systems that have an influence on regulated activities need to be identified.” Note that the GxP-relevance might change when the CURRENT RANGE OF FUNCTIONALITY of the system is shifting.

Suppliers and Service Providers

As with GAMP 5i the role of the suppliers and service providers becomes more obvious and critical in the new annex 11. Suppliers of software and services are rated critical to GMP and consequently they need to be treated just like suppliers of APIs or excipients i.e. they should be assessed and may be subject to an audit. Where the current annex 11 only states one sentence the new annex 11 provides the requirements in four detailed sub parts (please refer to table “Suppliers and Service Providers”). Nota bene: IT-DEPARTMENTS SHOULD BE CONSIDERED ANALOGOUS to third parties and AUDIT INFORMATION RELATING TO SUPPLIERS OR DEVELOPERS OF SOFTWARE AND IMPLEMENTED SYSTEMS SHOULD BE MADE AVAILABLE TO INSPECTORS ON REQUEST. The regulated user will need to establish a policy on how much details of such audit information he will report to the inspector.


The somehow vague term “key personnel” in the current annex 11 is very precisely defined now “There should be close cooperation between all relevant personnel such as PROCESS OWNER, SYSTEM OWNER, QUALIFIED PERSONS AND IT.” The terms Process Owner and System Owner are explained in the GLOSSARY (a new feature of this annex) and the explanation are nearly exact copies of the GAMP 5 definition [words in brackets are not transferred from GAMP 5]:

Process Owner
The person [ultimately] responsible for the business process [or processes being managed].
Based on this definition PharmAdvice recommends that the Process Owner should finally sign and release User Requirement Specifications.

System Owner
The Person [ultimately] responsible for the availability [, and support] and maintenance of a system and for the security of the data residing on that system.
This definition seems equally clear at first glance. However, who will be the System Owner may not be so easy to decide. One might get the impression that someone from IT may be appropriate as he or she will be the right SME (subject matter expert) for designing or releasing system design specifications, backup and archiving procedures, security measures etc. However as IT departments should be treated as “third parties” there is some conflict. Clearly, a third party can care about system availability etc, but it is PharmAdvice’s opinion, that the third party will not be ultimately responsible. So the System Owner should rather be from business but needs to have a good understanding of IT.