Regulatory Compliance

EU GMP Annex 11: A Practical Compliance Checklist for 2025

7 min read By Mohammad Awawdeh

EU GMP Annex 11 governs computerized systems used in the manufacture, testing, storage, and distribution of medicinal products in Europe. It applies to any system that replaces a manual operation or could affect product quality and patient safety.

Whether you are preparing for an EMA inspection, a national competent authority audit, or simply reviewing your current state of compliance, this checklist covers the areas inspectors assess most closely.

Understanding Scope

Before checking individual requirements, confirm that your inventory is complete. Annex 11 applies to:

  • Laboratory systems (LIMS, chromatography data systems)
  • Manufacturing execution systems (MES, SCADA, PLC)
  • Quality management systems (DMS, CAPA, change control)
  • Warehouse management and serialisation systems
  • Environmental monitoring systems
  • Clinical trial management systems

If a system touches GxP data and you do not have it in your validated system inventory, that is your first gap.

Supplier Assessment & Contracts

  • Supplier qualification documented for all GxP system vendors
  • Quality Technical Agreement (QTA) in place covering responsibilities for validation, change control, and data access
  • Supplier audit completed within your defined risk-based frequency (typically every 3 years for critical systems)
  • Evidence of supplier's own quality system (ISO 9001, FDA-registered, GAMP-aligned)
  • Service Level Agreement (SLA) covering incident response, data backup, and disaster recovery

Validation Documentation

  • Validation Master Plan (VMP) or site validation policy references computerized systems
  • System risk assessment completed and categorised (using GAMP 5 or equivalent methodology)
  • User Requirements Specification (URS) defines all GxP functional requirements
  • IQ, OQ, and PQ protocols executed and approved with discrepancy log
  • Validation Summary Report signed and references all supporting documents
  • Traceability matrix linking requirements to test cases exists and is current

Data Integrity Controls

  • Audit trail is enabled for all GxP data fields - original data, changes, and deletions are captured
  • Audit trail is regularly reviewed and the review is documented
  • Timestamp is derived from a secure, controlled, and synchronised source (not user-adjustable)
  • Data cannot be deleted or overwritten without a traceable record
  • Backup and restore procedures tested and documented at defined frequency
  • Raw data is defined, controlled, and distinguishable from processed data

Common inspection finding: Audit trails are enabled but never reviewed. Annex 11 Clause 9 requires that audit trail reviews are conducted based on risk and documented. A blank audit trail review log is a major finding.

Access Controls

  • User access is based on a defined need-to-know / least-privilege model
  • Role definitions are documented and approved
  • Periodic access reviews conducted and documented (at least annually)
  • Shared or generic usernames are prohibited for GxP activities
  • Password policy enforced (minimum complexity, expiry, no reuse)
  • Physical access to system hardware and administration interfaces is controlled

Change Control

  • All changes to validated systems pass through a documented change control process
  • Impact assessment completed for each change before implementation
  • Re-validation scope defined based on impact assessment, not automatic full re-validation
  • Emergency (break-glass) change procedures documented with mandatory retrospective review
  • Vendor-initiated changes (patches, upgrades) captured in change control records

Periodic Review

  • Periodic review schedule defined for all validated systems (typically annually for critical systems)
  • Reviews assess: changes since last review, incidents, audit trail reviews, access reviews, and continued fitness for purpose
  • Review outcome documented with a clear conclusion and any follow-up actions tracked to closure

Printouts and Data Exports

  • Printed records include sufficient metadata to reconstruct the context (date, time, system, operator, version)
  • Electronic signatures on printed documents are clearly identifiable
  • PDF exports from validated systems are controlled and not editable

Preparation tip: Walk through each system with your CSV package and map every Annex 11 clause to a specific document, test, or control. If you cannot point to evidence for a clause, that is a gap to address before the inspector asks.

Free EU GMP Annex 11 Pre-Inspection Checklist

Download our 50-point pre-inspection checklist for EU GMP Annex 11 - covering risk management, validation, data integrity, incident management, and business continuity.

Get Free Checklist →
EU GMP Annex 11 Data Integrity Audit Trail Supplier Qualification CSV Change Control

Frequently asked questions

EU GMP Annex 11 is the European Good Manufacturing Practice guideline that governs computerized systems used in pharmaceutical manufacturing and quality control. It covers the full system lifecycle - from risk assessment and supplier qualification through validation, data integrity, access controls, change control, and periodic review. Compliance is mandatory for any company placing medicinal products on the EU market.
Yes. Annex 11 applies to all computerized systems that process GxP data, regardless of whether they are hosted on-premise, in the cloud, or delivered as SaaS. For cloud and SaaS systems, supplier assessment requirements are particularly important - a Quality Technical Agreement must define responsibilities for validation, change control, data access, and business continuity.
The most common finding is audit trails that are enabled but never reviewed. Annex 11 Clause 9 requires that audit trail reviews are conducted based on risk and documented. Inspectors routinely check for evidence of regular, documented reviews - a blank audit trail review log is a major finding.
Annex 11 does not specify a fixed frequency, but the industry expectation is at least annually for GxP-critical systems. The review must assess changes since the last review, incidents, audit trail reviews, access control reviews, and continued fitness for purpose. Outcomes must be documented with clear conclusions and follow-up actions tracked to closure.

Preparing for an EU GMP Annex 11 Inspection?

PHARPRO performs structured gap assessments and produces an audit-ready remediation plan - usually within two weeks.

Get a Free Assessment View CSV Services
PHARPRO - Expert Pharma Consulting

Need a structured EU GMP Annex 11 compliance review? PHARPRO delivers CSV projects and gap assessments fully aligned with Annex 11 requirements.

CSV & EU GMP Annex 11 Consulting → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

21 CFR Part 11 Audit Trail: What Your System Must Capture
Which events must be logged, how to configure compliant audit trails, and the most common gaps.
CSV for SaaS and Cloud Applications in Pharma
Validation approach, vendor qualification, and documentation strategy for cloud-hosted GxP systems.
GAMP 5 Risk Categories Explained
What changed in the Second Edition, how to classify your system, and how category affects testing depth.
Risk Assessment in CSV: Applying GAMP 5 Principles
How to conduct a risk assessment for computerised systems and document it to regulatory standards.
How to Write a URS for a Pharmaceutical Computerised System
Structure, GxP requirements, and a step-by-step guide to a compliant User Requirements Specification.