What is EU GMP Annex 11?

Annex 11 defines expectations for computerised systems used in EU GMP activities, including validation lifecycle, access control, audit trails, data integrity and periodic review.

How does Annex 11 relate to 21 CFR Part 11?

Annex 11 is an EU GMP annex; Part 11 is a US FDA rule on electronic records/signatures. A harmonised control set can satisfy both.

Do spreadsheets and instruments fall under Annex 11?

Yes, when used for GMP records or decisions. Controls include versioning, restricted access, verified data flows, and audit trails where risk warrants.

How does Annex 11 address cloud/SaaS?

Through supplier qualification and technical agreements addressing data ownership, availability, validated updates, security posture, backup/restore, and evidence retention.

Annex 11

Q: How often should periodic reviews occur?

Risk-based frequency, typically annually or every 2–3 years, and after significant changes, incidents, or vendor updates.

EU GMP Annex 11 – Computerised Systems

This topic is part of the SG Systems Global regulatory glossary series.

Updated October 2025 • EMA / EU GMP • Computerised Systems & Data Integrity

EU GMP Annex 11 sets expectations for computerised systems used in GMP activities across the EU/EEA. It complements the EU GMP Guide (esp. Chapter 4: Documentation) and aligns closely with U.S. 21 CFR Part 11 on electronic records/signatures. The goal is simple: ensure your digital process controls and data are fit for regulatory decisions, batch release, and inspections.

“Annex 11 is lifecycle + integrity: prove your system works, your data can be trusted, and your controls survive change, incident, and time.”

1) What It Is

Annex 11 describes how to specify, verify, operate, and maintain computerised systems in a GMP environment. It requires a documented, risk-based lifecycle—from user requirements through validation, periodic review, and retirement—plus procedural controls (SOPs, training, supplier agreements) that anchor day-to-day compliance.

TL;DR: Annex 11 demands risk-based lifecycle validation, secured access, audit trails, ALCOA+ data integrity, change/config control, backup/restore, and periodic reviews so electronic records/signatures remain reliable for GMP release.

Where it applies. Any GMP-relevant system: MES/eBR, LIMS, QMS, lab instruments with data acquisition, ERP interfaces, label/print control, data historians, warehouse systems—plus cloud/SaaS used for GMP activities.

Core expectations in Annex 11:

Validation for intended use. URS → risk assessment → test/verification → traceability → controlled release; scale depth to product/patient risk.
Data integrity (ALCOA+). Attributable, Legible, Contemporaneous, Original, Accurate—plus Complete, Consistent, Enduring, Available.
Access & security. Unique IDs, authentication strength, role-based permissions, segregation of duties, admin oversight, security monitoring.
Audit trails. Time-stamped, secured, capturing who/what/when/why (as appropriate); included in review-by-exception and investigations.
Electronic signatures. Uniquely bound, non-repudiable, meaning of signature defined (execute/review/approve/responsible).
Change & configuration control. Impact assessment, tested releases, versioned configuration/parameters, rollback plans.
Backup/restore, archiving, continuity. Periodically tested; long-term readability maintained.
Periodic review. Scheduled assessment of validation status, deviations, incidents, audit trail use, security posture, vendor changes.
Supplier oversight. Qualification, technical/quality agreements, service level & incident handling; audits where risk warrants.

Related Industries

Pharmaceutical Manufacturing (primary Annex 11 applicability, incl. biologics/steriles)
Medical Device Manufacturing (conditional—where drug constituents or EU GMP are in scope)
All Industries Overview

2) Practical Implementation & Cross-References

Global manufacturers typically harmonise Annex 11 with U.S. and international frameworks to avoid parallel systems. Map controls across:

21 CFR Part 11 – record/signature controls, audit trails, identity/access.
21 CFR 210 | 211 – pharma cGMP; 600–680 biologics.
21 CFR 820 (devices) and post-market rules 803, 806, 807, 821, 830.
Food/supplements digital controls under Part 117, 111, and importer Part 1 (FSVP) (for mixed-portfolio groups).

Annex 11 implementation checklist (team-ready):

URS with risk classification; traceability matrix linking URS ↔ test evidence ↔ SOPs.
Supplier qualification (questionnaires, audits as needed); quality agreement defining roles, data ownership, backups, change/incident processes.
Configuration management: parameter baselines, versioning, migration records.
Data governance: master data approval, reference table controls, audit-trail enabled on GMP-relevant objects; routine audit-trail review integrated into record review.
Security: RBAC, least privilege, privileged-access monitoring, periodic access recertification.
Backup/restore tests (evidence retained), disaster recovery RTO/RPO understood and demonstrated.
Periodic review procedure with triggers (patches, incidents, vendor updates, regulatory changes) and CAPA linkage.
Decommissioning/archiving plans to preserve readability and metadata for retention periods.

3) FAQ

Q1. How does Annex 11 differ from 21 CFR Part 11?
Annex 11 is an EU GMP annex focused on the system lifecycle and operational controls; Part 11 is an FDA regulation defining criteria for electronic records/signatures. Harmonising the two avoids duplicate validation.

Q2. Do spreadsheets/instruments fall under Annex 11?
Yes, when used for GMP decisions. Controls include versioned templates/methods, restricted access, verified data flows, and audit trails where risk warrants.

Q3. What do inspectors ask for?
Validation package with traceability, configuration/version history, access control evidence, audit-trail samples, backup/restore tests, incident/CAPA records, periodic review outputs.

Q4. How often to run periodic reviews?
Risk-based (commonly annually or every 2–3 years), and after significant changes, incidents, or vendor updates.

Q5. What about cloud/SaaS?
Apply supplier qualification and technical agreements; ensure data ownership/availability, export on demand, validated updates, security posture, and tested backups/DR; keep annex-11-relevant evidence from the provider.

4) How It Relates to V5

V5 by SG Systems Global operationalises Annex 11-aligned controls across manufacturing, quality, lab, and warehouse workflows, with Part 11 style enforcement for global deployments.

Validation lifecycle support. URS, risk, IQ/OQ/PQ-style testing, trace matrices, controlled releases sized by risk.
Identity & access. Unique users, RBAC, session control; enterprise IdP/ERP linking via V5 Connect API.
Audit trails where it matters. Recipes/specs, lots, test results, weighings, sign-offs—time-stamped and included in review-by-exception.
E-signatures & review by exception. Step sign-offs with defined meaning of signature; deviation triage into QMS.
Data integrity by design. Controlled masters in Recipe Management, enforced limits in eBR, label reconciliation in WMS.

End-to-end example. A pharma site implements eBR in V5: URS and risks documented; tests traced to requirements; role-based access enforced; audit trails reviewed during batch certification; periodic review examines incidents and vendor patches. The same controls satisfy Annex 11 and U.S. Part 11.

BACK TO GLOSSARY

By Industry

By ERP

Compliance Solutions

Annex 11

EU GMP Annex 11 – Computerised Systems

1) What It Is

Related Industries

2) Practical Implementation & Cross-References

Related Reading

3) FAQ

4) How It Relates to V5

By Industry

By ERP

Compliance Solutions

Annex 11

EU GMP Annex 11 – Computerised Systems

1) What It Is

Related Industries

2) Practical Implementation & Cross-References

Related Reading

3) FAQ

4) How It Relates to V5

Related Business Terms and Concepts