
#4 Who's afraid of Annex 11?

Galit Lisaey

Annex 11 – Part 4

Or in other words: Another episode in the series "Who’s Afraid of Annex 11?"

This time we focus on one of my favorite and most formative paragraphs in the context of regulatory expectations.


Annex 11 outlines GMP requirements for computerized systems and is part of the European regulatory framework for quality management in the pharmaceutical and biopharmaceutical industries. It’s not a new document, but it still sparks discussion — and rightly so. Why? Because it touches not only on technology, but on culture.

Section 2: Personnel

"There should be close cooperation between all relevant personnel, such as the Process Owner, System Owner, Qualified Persons, and IT. All personnel should have appropriate qualifications, levels of access, and defined responsibilities to carry out their assigned duties."

Let’s begin there.

Remember when someone told you the lab manager can’t be an admin? This is where it comes from. But does the paragraph actually say it’s forbidden? No. It doesn’t. So what does it say?


Interpreting the requirement — it’s not just technical, it’s organizational

  1. Collaboration is a baseline expectation. Yes, that’s the first sentence. And yes, it applies to all of us. The requirement opens with a clear directive: cooperate. And not just generally — but between well-defined roles: Process Owner, System Owner, QA, and IT.

  2. Computerized systems are not just IT’s business. The regulator makes it explicit: multiple functions must be involved — including Quality and Business stakeholders. In other words, trying to implement or manage a system without these voices is a regulatory gap.

  3. Defined roles, access levels, and competencies. Everyone with system access must have:

  • the right training,

  • the appropriate level of access,

  • and clearly defined responsibilities.

The regulator doesn’t tell you who signs off on what — but expects you to define it, document it, and follow it.


What lies beneath the requirement?

You could call it an access control rule. But I prefer to call it a requirement for a healthy organizational culture.

Trust in systems is not created through technology alone — it demands clear checks and balances. When responsibilities are vague, roles are undefined, and permissions are given out based on convenience — control is lost. And that’s where the real risk lies.


The Golden Triangle: IT, Business, QA

I call it the Golden Triangle:

  • The Business – the team that wants the system

  • IT – the team that implements it

  • Quality – the team that ensures compliance

Without all three — the system will not succeed.

But it doesn’t stop there. Each point in the triangle often has its own triangle: additional stakeholders, levels of responsibility, access groups. And these must be aligned — not just once, but continuously throughout the system lifecycle.

For the triangle to remain balanced:

  • Roles must be clearly defined

  • Responsibilities must be assigned

  • Access must be appropriate and justified

Together, these form the foundation of control — and ultimately, trust.


Why does this matter now?

Because as systems become more complex, and as we embed automation, AI, and cloud solutions — the need for clarity, boundaries, and structure only increases.

In the next chapters, we’ll continue exploring the deeper layers of Annex 11. But for now, start with this simple question:

Do you know who is responsible for what — and who has access to which data?

If not — Annex 11 already knows the answer.


📌 This blog post is part of a content series on Annex 11 and Data Integrity. 👀 Also available on my website: www.dintegrity.net ✉️ Feel free to share, comment, or reach out directly.

#DataIntegrity #Annex11 #GxP #CSV #RegulatoryCompliance #QualityCulture
