EU Annex 11
EU GMP Annex 11 — the rule that governs computerised systems used in GMP-regulated activities across the EU, UK and PIC/S regions. What it actually requires, how it overlaps and differs from 21 CFR Part 11, and the system characteristics an MHRA, EMA or HPRA inspector will look for.
01 What Annex 11 actually is
EU GMP Annex 11 is the rule that governs any computerised system used as part of a GMP-regulated activity for medicinal products in the EU, the UK (post-Brexit, MHRA maintains an equivalent), and every PIC/S jurisdiction (Australia, Canada, Singapore, Switzerland, Japan and many others). It applies to any system that captures, processes, reports, or stores GxP data: ERPs, MES, LIMS, eBMR/eDHR, calibration management, environmental monitoring, training records, document management — anything where a regulator could ask 'show me the data and the trail'.
Annex 11 is the European answer to 21 CFR Part 11, but the scope is wider. Part 11 governs electronic records and electronic signatures. Annex 11 governs the whole computerised system: the supplier, the validation, the change control, the user training, the data lifecycle, the business-continuity plan, the periodic review and the retirement. A Part 11 audit asks 'is your audit trail intact?'; an Annex 11 audit asks 'show me your validation, your supplier audit, your data-flow diagram and your DR plan'.
02 What Annex 11 actually requires
Annex 11 is structured as seventeen clauses across three groups: General, Operational, and System. The Principle statement opens it: 'When a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance.' Every clause flows from that principle.
General (clauses 1–4)
- Clause 1 — risk management throughout the system lifecycle.
- Clause 2 — personnel: defined responsibilities for system owner, process owner, qualified persons and IT.
- Clause 3 — supplier and service providers: formal agreements, audits, supplier-quality-management evidence.
- Clause 4 — validation: documentation, requirements specification, validation plan, IQ/OQ/PQ, traceability matrix.
Operational (clauses 5–14)
- Clause 5 — data: data captured electronically should be protected against damage.
- Clause 6 — accuracy checks for critical data.
- Clause 7 — data storage: physical and logical security, backup, restoration testing.
- Clause 8 — printouts: clear printed copies that show changes to the original entry.
- Clause 9 — audit trails: 'consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions.'
- Clause 10 — change and configuration management.
- Clause 11 — periodic evaluation.
- Clause 12 — security: physical/logical access control.
- Clause 13 — incident management.
- Clause 14 — electronic signature.
System (clauses 15–17)
- Clause 15 — batch release: certification of a batch via a computerised system requires that the QP can review all batch-relevant information.
- Clause 16 — business continuity: contingency arrangements for system failure.
- Clause 17 — archiving: data should be checked for accessibility, readability and integrity, and migration where systems are changed.
03 Annex 11 vs 21 CFR Part 11 — where they overlap and where they differ
Both rules emerge from the same regulatory anxiety: computerised systems must not degrade the GMP control that paper provided. They converge on audit trails, e-signatures, and validation. They diverge on scope.
| Topic | 21 CFR Part 11 | EU Annex 11 |
|---|---|---|
| Scope | Electronic records and electronic signatures used to satisfy a predicate rule. | Any computerised system used in GMP-regulated activity. |
| Validation | Implied via §11.10(a) — systems must be validated. | Explicit — clause 4 mandates validation lifecycle with documented evidence. |
| Supplier audits | Not addressed. | Clause 3 explicit — formal agreement, supplier audit, documented quality system. |
| Periodic review | Not addressed. | Clause 11 explicit — periodic evaluation of system performance and compliance. |
| Business continuity | Not addressed. | Clause 16 explicit — contingency arrangements for system failure. |
| Archiving and migration | Implied via record-retention rules. | Clause 17 explicit — accessibility, readability, integrity and migration. |
| E-signatures | §11.50 / §11.70 / §11.100–11.300 — extensive. | Clause 14 — concise; defers to local definition of legally binding signature. |
| Audit trail | §11.10(e) — computer-generated, time-stamped, do not obscure previously recorded information. | Clause 9 — risk-based; for GMP-relevant changes and deletions; reviewed as needed. |
A system designed for Part 11 will normally satisfy Annex 11 on audit trails and e-signatures, but will fall short on supplier-audit evidence, periodic-evaluation evidence, and the business-continuity and archiving clauses. Conversely, an Annex 11 system from a non-FDA-experienced vendor often fails Part 11 on the e-signature meaning and binding clauses.
04 Validation: clause 4 and GAMP 5
Annex 11 clause 4 is the longest in the rule. It mandates documentation that supports the use of the system across its lifecycle: requirements specification (URS), validation plan, IQ (Installation Qualification), OQ (Operational Qualification), PQ (Performance Qualification), traceability matrix from requirement to test, periodic re-validation triggered by change.
The industry framework for delivering on clause 4 is GAMP 5 (the ISPE Good Automated Manufacturing Practice guide, second edition 2022). GAMP 5 introduces a risk-based, category-based approach: category 1 (infrastructure), category 3 (non-configured COTS), category 4 (configured COTS), category 5 (custom). The validation effort scales with the category and the GxP risk.
Modern SaaS eQMS platforms collapse most of the customer's validation effort into supplier-provided documentation: validated builds, vendor-run IQ/OQ on the released version, customer-run PQ on their workflows, and a continuous-validation model where every release ships with regression test evidence. This is the path Annex 11 + GAMP 5 explicitly bless.
05 Audit trail: clause 9 and the risk-based reading
Clause 9 is the most-discussed Annex 11 clause: 'Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a 'system generated audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.'
The phrase 'based on a risk assessment' has been misread to mean 'optional'. It is not. The MHRA 2018 data-integrity guidance makes clear that for any GxP-relevant data, an audit trail is the default expectation. The risk assessment determines the granularity (per field vs per record vs per session), not whether the trail exists.
'Regularly reviewed' is the second set of teeth in clause 9. Audit-trail review must be a defined activity with its own SOP, frequency, and responsible role. An untouched audit trail is a finding even if it exists.
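One way a reviewer's tooling could check an exported trail against the clause 9 points above, as an added example that is not code from Annex 11, the MHRA guidance or any vendor. The entry fields (`seq`, `user`, `ts`, `action`, `field`, `old`, `new`, `reason`, `prev`, `hash`) and the SHA-256 hash chain used to make edits and deletions detectable are assumptions of this example; the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed start value for the chain

def entry_hash(entry):
    """SHA-256 over the entry's canonical JSON, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(trail, user, ts, action, field, old, new, reason=""):
    """Append an entry linked to the hash of the previous entry."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {"seq": len(trail) + 1, "user": user, "ts": ts, "action": action,
             "field": field, "old": old, "new": new, "reason": reason, "prev": prev}
    entry["hash"] = entry_hash(entry)
    trail.append(entry)

def review(trail):
    """Return (seq, finding) pairs for the reviewer to follow up."""
    findings, prev_hash, prev_ts = [], GENESIS, ""
    for pos, e in enumerate(trail, start=1):
        if e["seq"] != pos:
            findings.append((e["seq"], "sequence gap"))
        if e["prev"] != prev_hash or entry_hash(e) != e["hash"]:
            findings.append((e["seq"], "hash chain broken"))
        if e["ts"] < prev_ts:  # ISO 8601 UTC strings sort chronologically
            findings.append((e["seq"], "timestamp out of order"))
        if not e["user"]:
            findings.append((e["seq"], "no attributable user"))
        if e["action"] in ("change", "delete") and not e["reason"].strip():
            findings.append((e["seq"], "change or deletion without reason"))
        prev_hash, prev_ts = e["hash"], e["ts"]
    return findings

def sample_trail():
    """Constructed sample entries, not data from any real system."""
    trail = []
    append(trail, "asmith", "2024-03-01T09:00:00Z", "create", "assay_result", None, "98.7")
    append(trail, "asmith", "2024-03-01T09:05:00Z", "change", "assay_result",
           "98.7", "99.1", "transcription error")
    append(trail, "bjones", "2024-03-01T09:10:00Z", "change", "assay_result", "99.1", "99.4")
    return trail

if __name__ == "__main__":
    for seq, finding in review(sample_trail()):
        print(seq, finding)
```

A chain of this kind only exposes tampering to a reviewer who can compare against a trusted copy of the latest hash held outside the system; where that copy lives is left open here.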
06 Supplier and service providers: clause 3
Clause 3 distinguishes Annex 11 sharply from Part 11. It requires a formal agreement between the regulated user and any IT supplier providing a GxP-relevant service — quality agreement, supplier audit, evidence of the supplier's quality management system, and clarity on who owns which lifecycle responsibility (incident management, change control, periodic evaluation).
For SaaS systems the customer cannot audit the supplier's infrastructure directly. The accepted alternative is a third-party audit report (SOC 2 Type II, ISO 27001) supplemented by a supplier audit questionnaire and a quality agreement signed with the supplier. Modern eQMS vendors publish a customer audit pack that covers all of this.
07 Data integrity and ALCOA+
The MHRA 2018 GxP Data Integrity guidance explicitly anchors data-integrity expectations to Annex 11 and the predicate rule. Every GxP data point must be Attributable, Legible, Contemporaneous, Original and Accurate; extended to ALCOA+ with Complete, Consistent, Enduring and Available.
Annex 11 supports ALCOA+ at the system level: clause 5 protects data from damage, clause 6 demands accuracy checks for critical data, clause 7 demands secure storage and backup, clause 8 demands printouts that show changes, clause 9 demands the audit trail. A system that satisfies these clauses satisfies ALCOA+ by construction.
08 Business continuity: clause 16
Clause 16 is short — one sentence — but operationally heavy: 'For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports.'
In practice this means every Annex 11 system needs a documented contingency plan. For an eBMR, the plan typically defines a paper fallback packet that QA can release in case of system unavailability, with a clear path to enter the data back into the system when service is restored. For an LIMS, the plan defines an offline result capture procedure. The plan must be tested, not just written.
09 Ten ways systems fail Annex 11
- Audit trail exists but is never reviewed — clause 9 operational failure.
- Validation evidence does not match the installed version — change-control gap.
- Supplier audit pack is more than three years old or covers a different version of the service.
- No traceability matrix from URS to OQ test — clause 4 documentation gap.
- Periodic-evaluation report has not been done in the cycle defined by the SOP.
- Backups are taken but restoration has never been tested — clause 7 failure.
- Printouts of records do not show changes to original entries — clause 8 failure.
- Business-continuity plan exists but the alternative process has not been tested.
- E-signature meaning is generic ('signed') rather than action-specific ('reviewed and released').
- Archive migration from a retired system was done by export-to-PDF without preserving the audit trail.
10 How V5 Ultimate handles Annex 11 in practice
V5 is designed to satisfy Annex 11 by construction. Every architectural decision maps to one of the seventeen clauses.
- Validated builds — every release ships with a regression test pack, a release-notes pack that maps to URS items, and a vendor IQ/OQ on the released version. Customer effort focuses on PQ for their workflows.
- Immutable audit trails — every GxP-relevant change writes to an append-only audit trail with the user, the timestamp, the old value, the new value, and the reason where required.
- Audit-trail review — the platform ships a periodic audit-trail review report that QA signs off as evidence of clause 9 review.
- Supplier pack — SOC 2 Type II, ISO 27001, quality agreement template, and supplier audit questionnaire are available to every customer on request.
- Periodic evaluation — V5 generates a periodic-evaluation report covering uptime, incident history, security events, and changes since the last review, ready for QA sign-off.
- Business continuity — paper fallback packets for kiosk operation are downloadable per work order, and the documented restoration procedure has been tested in customer environments.
- Archive migration — the regulated-reports bucket retains structured data, audit trails and rendered PDFs for the full predicate-rule period. Export tools preserve the audit trail in machine-readable form.
- Annex 11 + Part 11 alignment — every e-signature carries a meaning enum, two-component authentication, and binding to the record it signs. The same platform satisfies the EU and US rules without dual configuration.
11 Frequently asked questions
See below for the regulator-grade answers to the questions buyers ask most often about Annex 11.
Q. Does Annex 11 apply to my SaaS platform if my GMP site is in the US?
Annex 11 applies to any computerised system used in GMP-regulated activity for medicinal products in the EU, the UK, or any PIC/S jurisdiction. A US manufacturer shipping into the EU is subject to Annex 11 for the systems that touch those products. A US-only manufacturer with no EU footprint is governed by 21 CFR Part 11 instead. Modern eQMS vendors satisfy both rules with the same configuration.
Q. Is my SaaS vendor's SOC 2 report enough for Annex 11 clause 3?
It is a major component but not sufficient on its own. Clause 3 requires a formal agreement (quality agreement), evidence of the supplier's quality management system (SOC 2, ISO 27001), and clarity on who owns which lifecycle responsibility. The SOC 2 covers the security controls; the quality agreement covers the GMP relationship. You need both.
Q. How often must I do a periodic evaluation under clause 11?
Annex 11 does not specify a frequency. Industry practice is annually for high-risk GMP systems and biennially for lower-risk systems. Your SOP defines the frequency based on the risk assessment and the inspection record shows you followed it. An overdue periodic evaluation is a finding regardless of frequency.
Q. Do I need a separate audit trail review SOP?
Yes. Clause 9 requires audit trails to be 'regularly reviewed'. The review needs a defined frequency, a defined scope (which records, which events), a defined reviewer role, and an evidence record. A platform that emits an audit trail but has no review activity is a clause 9 operational failure.
Q. What is the difference between IQ, OQ and PQ?
IQ (Installation Qualification) confirms the system is installed in its operating environment to specification. OQ (Operational Qualification) confirms the system functions according to its functional specification across the operating ranges. PQ (Performance Qualification) confirms the system performs the intended business process reliably in the customer's actual workflows. Annex 11 clause 4 and GAMP 5 mandate all three at the appropriate depth for the system's category and risk.
Q. Can I retire an Annex 11 system by exporting everything to PDF?
No. Clause 17 requires archived data to remain accessible, readable, integral and migrable. A PDF dump loses the audit trail, the searchability, and the structured query. Retirement requires a documented migration to a successor system that preserves the structured data and audit trail for the full retention period, or a long-term-readable export format with the audit trail intact.
Further reading
- 21 CFR Part 11: The US sibling rule for electronic records and signatures.
- GAMP 5: The industry framework for validating Annex 11 systems.
- Data integrity & ALCOA+: The principles Annex 11 is built around.
- IQ / OQ / PQ: The validation lifecycle Annex 11 mandates.
- Computer System Validation: The discipline of proving the system fit for use.
- How V5 Ultimate implements Annex 11: Validated builds, immutable audit trails, supplier audits.
