top of page

Annex 11 quality agreement with IT

Updated: Aug 10

There seems to be some work on updating EU GMP Volume 4, Annex 11. I'm looking forward to it!


But even in the current version we can read the following:


'3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.'


Wow! So this has been with us since 2011. Is the last sentence getting dealt with everywhere? Is it obvious that you need to have a quality agreement with your own IT department? Furthermore, who is really here that you as process owner should have an agreement with?


Let's check who should sit around the table.

Process (or data) owner: the person/department responsible for the process that is supported by the computerized system, and the GxP data in it; and the

System owner: the person/department responsible for the IT infrastructure and related IT processes.

And if you read the Annex 11 section again, let's focus on the following words: 'configure', 'validate', 'maintain'. Who does this? Usually neither process owners, nor system owners. We have found the third stakeholder: the administration team. They are the ones who are responsible for user management, master data management, and who knows what else.


So the best way the handle the requirement of Annex 11 is either having a tripartite quality agreement both with IT and the administration team, or having 2 separate quality agreements with them.

Let me also add that to capture the separation of the responsibilities is not only important to fulfill the requirement, but to have a good organizational solution for doing efficient business.

1 view0 comments

Recent Posts

See All

PQR, QMR, CPV, VMP/VMR, Computerized systems' periodic reviews, who knows what else...we manufacture these summaries, but exactly what for? Sometimes we spend so much time compiling these documents th

I just received a question that looked easy at first, but the laws and guidelines are surprisingly vague on this topic. The question is: how to choose between retest period and shelf-life for an API (

bottom of page