EU Annex 11 Guide to Computer Validation Compliance – Orlando Lopez, Markus Roemer

Recommended reading in 2015:

This book provides practical information to enable compliance with computer system validation requirements, while highlighting and integrating the Annex 11 guidelines into the computer validation program. The ideas presented in the book are based the author’s experience in the US Department of Defense and regulated industries in various computer systems development, maintenance, and quality functions. A practical approach is presented to increase efficiency and to ensure that software development and maintenance is achieved correctly.

March 27, 2015 Forthcoming by CRC Press
Professional – 368 Pages – 22 B/W Illustrations
ISBN 9781482243628 – CAT# K23442

Read more online

Computervalidierung Modul 1: Grundlagen, Regeln, GAMP 5, 24.-25.02.2015 in Unna bei Dortmund

Unsere Schulungsempfehlung für das Jahr 2015:

Im Modul 1 lernen Sie die Grundlagen der Computervalidierung kennen. Sie erhalten den Überblick und das Grundverständnis über die Phasen der Computervalidierung. Unterschiedliche Validierungsstrategien nach ISPE GAMP 5 werden Ihnen vorgestellt.

Aus Inspektorensicht erfahren Sie die gesetzlichen Anforderungen und Erwartungen (Anhang 11, AiM, PIC/S PI 011).

Sie erfahren und erarbeiten die ersten Schritte beim Start der Validierung computergestützter Systeme.

Zudem gibt es mehrere Work Shops zur Schulung, u.a. zu den Themen Datenintegrität, Inventarisierung und Lieferantenbewertung.

Lesen Sie mehr zum Modul 1… 

Zur erweiterten Seminarsuche zu verschiedenen Themen auf…

Part 11 and Annex 11 – Commonality Analysis for the number 11

It seems that the number 11 is prereserved to computerized system topics in the GMP regulated industry. Beside of EU EudraLex Vol.4 Annex 11 and 21 CFR Part 11 the PIC/S guideline for computerized systems hold this number (PI 011) or the German Expert Inspector Group with EFG 11.

What is it about the number 11, beside of the fact that the binary number 11 stands for the decimal number 3 or that 11 is the atomic number of the element sodium, the most common dissolved element by weight on Earth. And in same cases 11 is known as the number of imperfection and the crazy. Or for example in Mozilla Firefox, Opera, Google Chrome and Internet Explorer, the function key F11 key toggles full screen viewing mode.

Let’s switch to the full screen mode for Annex 11 and Part 11 and start with the 3 basic elements of both regulations: data, information and knowledge. Computerized systems manage electronic data and information (call it records or reports). Such information becomes to knowledge and quality decisions are based on qualified and robust knowledge. So it is important to realize that “good” and correct quality decisions are based on valid information derived from upright data (data integrity). Validation of computerized systems should proof and guarantee that at any time the data integrity is assured, by data control and proper management – yesterday, today and tomorrow. We provide systems for decision makers in order to make the right – GMP – decisions and to reduce the risk as far as possible.


In January 2011 the European Medicines Agency (EMA) has announced the updated revisions of EudraLex Volume 4 (GMP) – Annex 11 “Computerised Systems” [1] (short: Annex 11), and consequential amendment of EudraLex Volume 4 – Chapter 4 “Documentation” [2], because “documentation”, especially managed as electronic records correlate to the systems providing or containing such GMP records.

In Europe, defined for all member states of the European Union, other countries referring to the European GMP regulations like Switzerland, and with the update of the PIC/S GMP Guide (ref.  PE 009-10) on 1st January 2013 for all PIC/S members like Australia or Canada the EU GMP Annex 11 is defining the regulatory requirements for the use of Computerised Systems used as part of GMP regulated activities. Basically this GMP rule defines the approach for the commonly used terms of Computer System Validation and

the IT Infrastructure Qualification.

The European GMP regulations can be found at:; the rules governing medicinal products in the European Union is structured in three parts based on 9 chapters and 19 annexes.

Annex 11 and Chapter 4 versions of January 2011 have been revised simultaneously; both parts were fully synchronized drafted, commented, announced, and became valid on the same dates. Therefore Annex 11 must be read and understood always in combination with Chapter 4 – Documentation –

Compared to US-FDA 21 CFR Part 11 (short: Part 11) – electronic records; electronic signatures there are some differences which should be considered. Some people try to map one to one the regulations of Annex 11 to Part 11, which is nearly impossible and not useful. Also it might be alluring to compare both regulations because just the number “11” is identical and the context seems to be similar, both regulations are based on different regulatory structures and intentions.

Whereas Part 11 is from the year 1997 (final rule) and Annex 11 from 2011 (revision 1) even the titles are totally different: electronic records / electronic signatures vs. computerized systems.

Part 11 is based on the basic prerequisite that systems are validated according GMP 21 CFR Part 211 – Sec. 211.68 for GMP. Also Part 11 is relevant for GMP, GDP, GLP, GCP and medical devices (e.g. 21 CFR Part 820 or Part 58), Annex 11 is basically only relevant for GMP, but referenced also in other areas.

The commonalities of the newly interpreted Part 11 and revised Annex 11 are definitely the risk-based approach towards data integrity (true/exact copy), patient safety, and product quality. The intersections of both interpretations and integration approaches are based on the harmonized guidelines of ICH Q9 (QRM) and Q10 (PQS) containing a new interpretation of a quality paradigm, and the de-facto standard for validation based on ISPE GAMP 5 (from 2008). This means that the validation of an application is based on the GMP-relevant records and the quality decision making process. It is very clear that quality decisions must be made on valid data (raw data) and reproducible information and should be based on knowledge management, which is derived from historically analysed information, which is derived from data containing different data types such as raw data, master data, parameters, etc. and an IT system landscape is more and more vertically and horizontally interconnected.

Taking this into account the consistency can also be found in EU GMP Chapter 4 – documentation compared to 21 CFR Part 211 – Subpart J-Records and Reports. This background of required GMP documents & records defines a modern validation approach to a kind of records-, process, and data-flow view instead of a purely system-by-system validation approach. Finally the objective target of Annex 11 and Part 11 is identical. In any case such a modern validation approach will normally result into compliance for both regulations, if some minor different wordings, definitions and structures are considered.

Chapter 4 defines basically two types of electronic documents, these documentation given as “instructions” and “records/reports” and for example the definition of raw data for electronic forms is stated.  For example in chapter 4.20 “Batch Processing Records” are defined – identically to this 21 CFR Sec. 211.188 is defining “Batch production and control records”. Unfortunately the single terms are not exactly identically between both regulations/agencies, which would have been easier to understand or to map by regulated users in US and Europe. But finally both records are the basis of a quality decision and data integrity is of major importance irrespective how the records are named.

The “principles” section of Annex 11 defines that “The application should be validated; IT infrastructure should be qualified.”

It might be very interesting that the European inspectors have not defined that “computerized systems should be validated”; instead of the term “computerized system” they used the term of “application”. The term of “computerised systems” has really historical reasons from the 1980’s and the term of an “application” should also reflect the current status that “computers” are not anymore run as stand-alone solutions and are more and more connected to each other. An application can be understood as much more, including the exchange of data between systems or even as a regulatory application, e.g. “charge-in of components” (weighing process), where several systems are the collective data source (rational for a decision) for e.g. weighing records as part of a batch record. Such records are used as a basis for a quality decision, irrespective in which or for which region of the world this is happening. And in reality we do not validate a “computer” itself and the validation should not be purely based on a system type (e.g. ERP, MES, LIMS, etc.), the focus is to be set on the records delivered by the system and the GMP processes executed, controlled, and monitored by any system or any combinations of them.

This significant addition to the revised Annex 11 is also a new clause on IT management in general: IT infrastructure should be qualified, whereas the infrastructure can be understood as the operational platform for applications. This perception is very much in line with the ISPE GAMP 5 Guide and related GAMP Good Practice Guides (software category 1 definition, ref. [3] / [4]). Also Annex 11 is not exactly defining how the IT infrastructure qualification should look like, it is expected that such a qualification covers the technical part of infrastructure components (e.g. servers, middleware, etc.) and secondly that IT service management and IT security is managed on best practice standards like ITIL, COBIT or ISO standards (e.g. ISO 20.000, ISO 27.000).

An analysis of the content’s structure of Annex 11 is showing some more details. Annex 11 contains three overall parts indicated as “General”, “Project Phase” and “Operational Phase” with 17 chapters in total. The “General” part contains three chapters starting first with the chapter “Risk Assessment”, followed by “Personnel” and “Suppliers and Service Providers” – these are the basic elements required for a successful validation. The part of the “Project Phase” contains one single chapter defined for “validation”. The rest of 13 chapters are all assigned to the part of the “Operational Phase”; it should be very clear that inspectors may have a very clear focus on how applications and infrastructure are kept in a validated status (refer to [5]).

Annex 11 is a modern GMP rule containing several important aspects of “data integrity & compliance” and thus leads to a practical and efficient validation approach. Beside of the classical V-model approach it combines other multidisciplinary elements like risk, project, data, IT service and security, supplier & contract, release, requirements, test, development life cycle, and documentation management. Finally the result may be defined better to GMP eCompliance instead of the traditional term “computer system validation”.


  1. Eudralex – Volume 4 – Annex 11 – Computerised Systems – Revision January 2011
  2. Eudralex – Volume 4 – Chapter 4 – Documentation – Revision January 2011
  3. ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems
  4. ISPE GAMP® Good Practice Guide: IT Infrastructure Control and Compliance (2005)
  5. ISPE GAMP® Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems (2010)

Computervalidierung: Grundlagen, Regeln, GAMP 5, 18.-19. November 2014 in Baden-Baden

10171123_695989470444500_3581129966563786518_nSpecial: Sondertraining wegen großer Nachfrage

Am 18. und 19. November bieten wir nochmals ein Sondertraining zur Computersystemvalidierung in Baden-Baden an.

Dieses Training beinhaltet ferner weitere Themen und Aspekte zur Computersystemvalidierung, z.B.:

  • Was versteht die US-FDA unter “exact/true copy” einer elektronischen Aufzeichnung?
  • Datenintegrität: Was sind Rohdaten, Meta-Daten, Stammdaten oder Audit Trail Daten?
  • Ausführliche Darstellung des ZLG Aide Memoire – Überwachung computergestützter Systeme Aide-memoire 07121202
  • Wie werden aus Daten entsprechend Informationen für die Qualitätsentscheidung?
  • Regulatorischer Cross-Walk: EU GMP Anhang 11 mit Kapitel 4, Kapitel 2 / Anhang 15, Anhang 16 und Qualitätskontrolle
  • Vorstellung neuer GAMP Guide: Entwicklung von Mobile Apps
  • Workshop und Fragerunden inklusive (mit Teilnahme eines deutschen Inspektors der Expertenfachgruppe 11 der ZLG)

Haben Sie Fragen – kontaktieren Sie uns gerne via email:

Mehr zum Programm und zur Anmeldung unter: Schulungsprogramm



BioLAGO-Projekt eArchiving – Daten sicher und dauerhaft speichern

Am 29. Juli 2014 fand der erste Workshop in Konstanz statt. Im Vordergrund des Workshops standen Themen wie: Ablage von Daten (Kundendaten/Mess- und Labordaten), Datenaustausch (u.a. mit Geschäftskunden), Zugriffsregelung, Sicherheit, GxP-Konformität, Analyse auf historischen Daten oder Rohdatenmanagement.

“eArchiving” wird gefördert durch die landesweite Initiative “smart businessIT: Die IT stärken. Das Land vernetzen”. Diese zielt darauf ab, den IT-Standort Baden-Württemberg und hier speziell das Segment der Unternehmenssoftware weiter zu stärken und bei Anbietern wie Anwendern dieser Branche für eine hohe Innovationsdynamik zu sorgen.

Lesen Sie mehr…


MHRA – Guidance on medical device stand-alone software (including apps)

The MHRA (Medicines and Healthcare Products Regulatory) has published a guidance on medical device stand-alone software (including apps) in March 2014.

The following guidance is for healthcare and medical software developers who are unsure of the regulatory requirements for CE marking stand-alone software as a medical device.

Read it online here: OPEN EXTERNAL LINK

Read more about App Validation and the US FDA Guidance for Industry


FDA – Q&A on cGMP – Records and Report from August 26, 2013

Question #3 of the Q&A section:

How do the Part 11 regulations and “predicate rule requirements” (in 21 CFR Part 211) apply to the electronic records created by computerized laboratory systems and the associated printed chromatograms that are used in drug manufacturing and testing?

Some in industry misinterpret the following text from “The Guidance for Industry – Part 11, Electronic Records; Electronic Signatures – Scope and Application” (Part 11 Guidance; lines 164 to 171) to mean that in all cases paper printouts of electronic records satisfy predicate rule requirements in 21 CFR Part 211.

“Under the narrow interpretation of the scope of part 11, with respect to records required to be maintained under predicate rules or submitted to FDA, when persons choose to use records in electronic format in place of paper format, part 11 would apply. On the other hand, when persons use computers to generate paper printouts of electronic records, and those paper records meet all the requirements of the applicable predicate rules and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be ‘using electronic records in lieu of paper records’ under §§ 11.2(a) and 11.2(b). In these instances, the use of computer systems in the generation of paper records would not trigger part 11.”

The Part 11 Guidance also states (in lines 150-152), that:

“…persons must comply with applicable predicate rules, and records that are required to be maintained or submitted must remain secure and reliable in accordance with the predicate rules.”

For High Performance Liquid Chromatography (HPLC) and Gas Chromatography (GC) systems (and other computerized systems involving user inputs, outputs, audit trials, etc.), the predicate rules, such as 21 CFR 211.68 and 21 CFR 211.180(d), require the electronic records themselves to be retained and maintained in accordance with those regulations. 21 CFR 211.180(d) requires records to be retained “either as original records or true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records.” 21 CFR 211.68 further states that: “[H]ard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained” (emphasis added). The printed paper copy of the chromatogram would not be considered a “true copy” of the entire electronic raw data used to create that chromatogram, as required by 21 CFR 211.180(d). The printed chromatogram would also not be considered an “exact and complete” copy of the electronic raw data used to create the chromatogram, as required by 21 CFR 211.68. The chromatogram does not generally include, for example, the injection sequence, instrument method, integration method, or the audit trail, of which all were used to create the chromatogram or are associated with its validity. Therefore, the printed chromatograms used in drug manufacturing and testing do not satisfy the predicate rule requirements in 21 CFR Part 211. The electronic records created by the computerized laboratory systems must be maintained under these requirements.

We recognize that there are cases where it could be appropriate for the printed chromatogram to be used within laboratories for the review of test results. Similarly, it also may be acceptable to provide the printed chromatogram during a regulatory inspection or for application review purposes. However, the electronic record must be maintained and readily available for review by, for example, QC/QA personnel or the FDA investigator.

In summary, decisions on how to maintain records for computerized systems should be based on predicate rule requirements. We recommend that these decisions be supported by a sound risk assessment.


• Guidance for Industry – Part 11, Electronic Records; Electronic Signatures – Scope and Application ( )
• 21 CFR 211.180(d): General Requirements
• 21 CFR 211.68: Automatic, Mechanical, and Electronic Equipment


Want to know more about raw data, master data and meta data management for GMP compliance?

Contact us at: 


Training: Experte für Dokumentation am 11.-13.11.2014 in Niederkassel bei Köln



EU GMP Kapitel 4 – Dokumentation – Rohdaten und elektronische Dokumentation richtig bewerten und verwalten:

Wie sind GMP Dokumentationsanforderungen und Gute Dokumentationspraxis in elektronischen Systemen darstellbar? Was sind Vorgabe- und Nachweisdokumente und was davon Rohdaten oder Metadaten? Wie verhält es sich mit Signaturen, wenn das Masterdokument elektronisch definiert ist? Wie sind konforme Ausdrucke (true / exact copy) zu erzeugen? Was bedeutet Datenmanagement (datability) bezogen auf ein PQS und Knowledge Management?

Das sind typische Fragen, die oft gestellt werden – und in der PTS Schulung beantwortet werden:

Komplexe Anforderungen an GMP-Dokumentation

Die GMP-Dokumentation ist das Kernelement zum Nachweis der Erfüllung gesetzlicher Anforderungen. Nicht nur bei behördlichen Inspektionen, sondern vielfach auch bei Lieferantenqualifizierungen steht eine Überprüfung der Dokumentation im Mittelpunkt zur Beurteilung der Qualität. Im Intensivtraining lernen Sie u.a. als Verantwortlicher diese Dokumentation zu erstellen, als Auditor diese zu prüfen und/oder als Qualitätsleiter/QP diese zu genehmigen und freizugeben.

Kenntnisse eines Experten für Dokumentation
Aktuelle gesetzliche Vorgaben stellen detaillierte Anforderungen an Vorgabedokumentation, spezielle Dokumente und aufzeichnende Dokumente. Sie lernen im Intensivtraining die Besonderheiten, die Inhalte und die Anwendungen der GMP-Dokumente kennen.
Als Experte für Dokumentation sind Ihre Kenntnisse über gesetzliche Anforderungen, Umsetzungen in die Praxis, Schulungen von Mitarbeitern, Mitwirkung bei der Planung und Implementierung elektronischer Systeme etc. nötig. Sie erhalten diese Informationen beim Intensivtraining. Zudem erhalten Sie einen vertiefenden Einblick in die Erstellung auswertender Dokumente wie z.B. in Reviews und Berichten.

Besuchen Sie die PTS Schulung am 11. bis 13. November 2014 – lesen Sie mehr: