EU Annex 11 vs. US-FDA Part 11

In January 2011 the European Medicines Agency (EMA) announced the updated revisions of EudraLex Volume 4 (GMP) – Annex 11 “Computerised Systems” [1] (short: Annex 11), and the consequential amendment of EudraLex Volume 4 – Chapter 4 “Documentation” [2], because “documentation”, especially when managed as electronic records, correlates with the systems providing or containing such GMP records.

EU GMP Annex 11 defines the regulatory requirements for Computerised Systems used as part of GMP regulated activities. It applies in Europe to all member states of the European Union, to other countries referring to the European GMP regulations, like Switzerland, and, with the update of the PIC/S GMP Guide (ref. PE 009-10) on 1st January 2013, to all PIC/S members like Australia or Canada. Basically this GMP rule defines the approach for the commonly used terms of Computer System Validation and IT Infrastructure Qualification.

The European GMP regulations can be found at:; the rules governing medicinal products in the European Union are structured in three parts based on 9 chapters and 19 annexes.

The January 2011 versions of Annex 11 and Chapter 4 were revised simultaneously; both parts were drafted, commented, and announced in full synchronization, and became valid on the same dates. Therefore Annex 11 must always be read and understood in combination with Chapter 4 – Documentation.

Compared to US-FDA 21 CFR Part 11 (short: Part 11) – electronic records; electronic signatures – there are some differences which should be considered. Some people try to map the regulations of Annex 11 one to one to Part 11, which is nearly impossible and not useful. Although it might be alluring to compare both regulations because the number “11” is identical and the context seems to be similar, both regulations are based on different regulatory structures and intentions.

Part 11 is from the year 1997 (final rule) and Annex 11 from 2011 (revision 1), and even the titles are totally different: electronic records / electronic signatures vs. computerized systems.

Part 11 is based on the basic prerequisite that systems are validated according to 21 CFR Part 211 – Sec. 211.68 for GMP. While Part 11 is relevant for GMP, GDP, GLP, GCP and medical devices (e.g. 21 CFR Part 820 or Part 58), Annex 11 is basically only relevant for GMP, but is also referenced in other areas.

The commonalities of the newly interpreted Part 11 and the revised Annex 11 are definitely the risk-based approach towards data integrity, patient safety, and product quality. The intersections of both interpretations and integration approaches are based on the harmonized guidelines ICH Q9 (QRM) and Q10 (PQS), which contain a new interpretation of a quality paradigm, and on the de-facto standard for validation, ISPE GAMP 5 (from 2008). This means that the validation of an application is based on the GMP-relevant records and the quality decision-making process. It is very clear that quality decisions must be made on valid data and reproducible information and should be based on knowledge management. That knowledge is derived from historically analysed information, which in turn is derived from data of different types such as raw data, master data, parameters, etc., while the IT system landscape is more and more vertically and horizontally interconnected.

Taking this into account, the same consistency can also be found when comparing EU GMP Chapter 4 – Documentation with 21 CFR Part 211 – Subpart J – Records and Reports. This background of required GMP documents and records turns a modern validation approach into a kind of record, process, and data-flow view instead of a purely system-by-system validation approach. Ultimately the objective of Annex 11 and Part 11 is identical. In any case such a modern validation approach will normally result in compliance with both regulations, provided that some minor differences in wording, definitions and structure are considered.

Chapter 4 basically defines two types of electronic documents, “instructions” and “records/reports”, and states, for example, the definition of raw data for electronic forms. For example, chapter 4.20 defines “Batch Processing Records”; in the same way, 21 CFR Sec. 211.188 defines “Batch production and control records”. Unfortunately the individual terms are not exactly identical between both regulations/agencies; identical terms would have been easier for regulatory users in the US and Europe to understand or to map. But ultimately both records are the basis of a quality decision, and data integrity is of major importance irrespective of how the records are named.

The “principles” section of Annex 11 defines that “The application should be validated; IT infrastructure should be qualified.”

It is interesting that the European inspectors did not state that “computerized systems should be validated”; instead of the term “computerized system” they used the term “application”. The term “computerised systems” has historical reasons going back to the 1980s, and the term “application” also reflects the current situation in which “computers” are no longer run as stand-alone solutions and are more and more connected to each other. An application can be understood as much more, including the exchange of data between systems, or even as a regulatory application, e.g. “charge-in of components” (weighing process), where several systems are the collective data source (rationale for a decision) for e.g. weighing records as part of a batch record. Such records are used as a basis for a quality decision, irrespective of where in the world, or for which region, this happens. In reality we do not validate a “computer” itself, and the validation should not be based purely on a system type (e.g. ERP, MES, LIMS, etc.); the focus is to be set on the records delivered by the system and on the GMP processes executed, controlled, and monitored by any system or any combination of them.

A significant addition to the revised Annex 11 is also a new clause on IT management in general: IT infrastructure should be qualified, where the infrastructure can be understood as the operational platform for applications. This perception is very much in line with the ISPE GAMP 5 Guide and related GAMP Good Practice Guides (software category 1 definition, ref. [3] / [4]). Although Annex 11 does not define exactly what the IT infrastructure qualification should look like, it is expected that such a qualification covers, first, the technical part of infrastructure components (e.g. servers, middleware, etc.) and, secondly, that IT service management and IT security are managed according to best practice standards like ITIL, COBIT or ISO standards (e.g. ISO 20000, ISO 27000).

An analysis of the structure of Annex 11 shows some more details. Annex 11 contains three overall parts, named “General”, “Project Phase” and “Operational Phase”, with 17 chapters in total. The “General” part contains three chapters, starting with “Risk Assessment”, followed by “Personnel” and “Suppliers and Service Providers”; these are the basic elements required for a successful validation. The “Project Phase” part contains one single chapter, on “validation”. The remaining 13 chapters are all assigned to the “Operational Phase” part; it should be very clear that inspectors may have a very clear focus on how applications and infrastructure are kept in a validated status (refer to [5]).

Annex 11 is a modern GMP rule containing several important aspects of “data integrity & compliance” and thus leads to a practical and efficient validation approach. Besides the classical V-model approach it combines other multidisciplinary elements like risk, project, data, IT service and security, supplier & contract, release, requirements, test, development life cycle, and documentation management. Ultimately the result may be better described as GMP eCompliance than by the traditional term “computer system validation”.


[1] EudraLex – Volume 4 – Annex 11 – Computerised Systems – Revision January 2011

[2] EudraLex – Volume 4 – Chapter 4 – Documentation – Revision January 2011

[3] ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems

[4] ISPE GAMP® Good Practice Guide: IT Infrastructure Control and Compliance (2005)

[5] ISPE GAMP® Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems (2010)