EU GMP Annex 11 governs computerized systems used in the manufacture, testing, storage, and distribution of medicinal products in Europe. It applies to any system that replaces a manual operation or could affect product quality and patient safety.
Whether you are preparing for an EMA inspection, a national competent authority audit, or simply reviewing your current state of compliance, this checklist covers the areas inspectors assess most closely.
Understanding Scope
Before checking individual requirements, confirm that your inventory is complete. Annex 11 applies to:
- Laboratory systems (LIMS, chromatography data systems)
- Manufacturing execution systems (MES, SCADA, PLC)
- Quality management systems (DMS, CAPA, change control)
- Warehouse management and serialisation systems
- Environmental monitoring systems
- Clinical trial management systems
If a system touches GxP data and you do not have it in your validated system inventory, that is your first gap.
Supplier Assessment & Contracts
- Supplier qualification documented for all GxP system vendors
- Quality Technical Agreement (QTA) in place covering responsibilities for validation, change control, and data access
- Supplier audit completed within your defined risk-based frequency (typically every 3 years for critical systems)
- Evidence of supplier's own quality system (ISO 9001, FDA-registered, GAMP-aligned)
- Service Level Agreement (SLA) covering incident response, data backup, and disaster recovery
Validation Documentation
- Validation Master Plan (VMP) or site validation policy references computerized systems
- System risk assessment completed and categorised (using GAMP 5 or equivalent methodology)
- User Requirements Specification (URS) defines all GxP functional requirements
- IQ, OQ, and PQ protocols executed and approved with discrepancy log
- Validation Summary Report signed and references all supporting documents
- Traceability matrix linking requirements to test cases exists and is current
Data Integrity Controls
- Audit trail is enabled for all GxP data fields - original data, changes, and deletions are captured
- Audit trail is regularly reviewed and the review is documented
- Timestamp is derived from a secure, controlled, and synchronised source (not user-adjustable)
- Data cannot be deleted or overwritten without a traceable record
- Backup and restore procedures tested and documented at defined frequency
- Raw data is defined, controlled, and distinguishable from processed data
Common inspection finding: Audit trails are enabled but never reviewed. Annex 11 Clause 9 requires that audit trail reviews are conducted based on risk and documented. A blank audit trail review log is a major finding.
Access Controls
- User access is based on a defined need-to-know / least-privilege model
- Role definitions are documented and approved
- Periodic access reviews conducted and documented (at least annually)
- Shared or generic usernames are prohibited for GxP activities
- Password policy enforced (minimum complexity, expiry, no reuse)
- Physical access to system hardware and administration interfaces is controlled
Change Control
- All changes to validated systems pass through a documented change control process
- Impact assessment completed for each change before implementation
- Re-validation scope defined based on impact assessment, not automatic full re-validation
- Emergency (break-glass) change procedures documented with mandatory retrospective review
- Vendor-initiated changes (patches, upgrades) captured in change control records
Periodic Review
- Periodic review schedule defined for all validated systems (typically annually for critical systems)
- Reviews assess: changes since last review, incidents, audit trail reviews, access reviews, and continued fitness for purpose
- Review outcome documented with a clear conclusion and any follow-up actions tracked to closure
Printouts and Data Exports
- Printed records include sufficient metadata to reconstruct the context (date, time, system, operator, version)
- Electronic signatures on printed documents are clearly identifiable
- PDF exports from validated systems are controlled and not editable
Preparation tip: Walk through each system with your CSV package and map every Annex 11 clause to a specific document, test, or control. If you cannot point to evidence for a clause, that is a gap to address before the inspector asks.
Free EU GMP Annex 11 Pre-Inspection Checklist
Download our 50-point pre-inspection checklist for EU GMP Annex 11 - covering risk management, validation, data integrity, incident management, and business continuity.
Get Free Checklist →