
WHERE 21 CFR PART 11 & ANNEX 11 MEET
A Practical Guide to Compliance

ACKNOWLEDGMENTS

This whitepaper is a product of contributions from several members of Montrium’s Professional Services Team:

Gianna De Rubertis
Director of Professional Services
Montrium

Stephanie Tanguay
Director of Quality Assurance
Montrium

Michael Zwetkow
Chief Innovation Officer
Montrium

OVERVIEW

Introduction
Overview of 21 CFR Part 11
Overview of Annex 11
What is a computerized system?
Where do Annex 11 and 21 CFR Part 11 Intersect?
Where are Annex 11 and 21 CFR Part 11 Different? And Why?
Three Steps to be Annex 11 and 21 CFR Part 11 Compliant
Mapping Annex 11 to 21 CFR Part 11 and GAMP 5
Implement a Quality Management System to Achieve Compliance
Considerations for Cloud-based Systems
Conclusion
References
Glossary


Introduction

Over the last few decades, technology and computerized systems have changed the way business is done. This has been necessary in order to stay competitive in the market. However, in the life sciences industry, this transition is accompanied by the additional expectation of compliance with various regulations. Regulatory bodies across the globe have acknowledged the importance of controlled use of computerized systems and electronic records within the life sciences, and have responded with the enactment of relevant rules and guidelines. All share the common intent of ensuring the integrity of electronic data and records.

This paper focuses on the rules and guidelines of the US Food and Drug Administration (FDA) and of the European Union (EU):

• 21 CFR Part 11: Electronic Records; Electronic Signatures
• EudraLex Volume 4, Annex 11: Computerised Systems

In this whitepaper, the similarities and differences between these two regulatory directives are analyzed. The purpose of this analysis is not to find gaps between Annex 11 and the analogous 21 CFR Part 11 regulations. Rather, the goal is to recommend a standard approach to demonstrate compliance with both of these regulatory directives simultaneously.


Overview of 21 CFR Part 11


The Food and Drug Administration (FDA) is a US government agency that regulates the pharmaceutical industry (including human and veterinary drugs, vaccines, and biologics), the cosmetics industry, as well as the food and beverage industry. Title 21 of the Code of Federal Regulations (CFR) is reserved for rules of the FDA and each section (or Part) of 21 CFR discloses a specific regulated area.

For over 20 years, 21 CFR Part 11 has remained a key component to the FDA’s approach to the use of electronic systems in compliance. 21 CFR Part 11 (or Part 11 in short) was enacted in 1997. It is a law that applies to all FDA’s areas of jurisdiction. 21 CFR Part 11 defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and generally equivalent to paper records and handwritten signatures. 21 CFR Part 11 fundamentally allows the replacement of any paper record and handwritten signature with an electronic one. Furthermore, the law is applicable to US program areas as well as foreign manufacturers wishing to obtain US market approval. See Figure 1.

Chronological History

• 1991 – Project Launched
• 1992 – Advanced Notice
• 1994 – Proposed Rule
• 1997 – Final Rule
• 1999 – Computerized Systems Used in Clinical Trials (CSUCT)
• 2000 – Electronic Records
• 2003 – “Scope and Application” Guidance
• 2004 – Draft Computerized Systems Used in Clinical Trials Guidance
• 2007 – Final Guidance Published

Figure 1 – Illustration of how 21 CFR Part 11 oversees other Title 21 chapters.

[Figure 1 labels:]
• 21 CFR Subchapter A - General, Part 11: Electronic Records; Electronic Signatures
• 21 CFR Subchapter C - Drugs: General, Part 210: Current Good Manufacturing Practice in Manufacturing, Processing, Packing, or Holding of Drugs: General
• 21 CFR Subchapter C - Drugs: General, Part 211: Current Good Manufacturing Practice for Pharmaceutical Products
• 21 CFR Subchapter A - General, Part 58: Good Laboratory Practice for Nonclinical Laboratory Studies
• 21 CFR Subchapter H - Medical Devices, Part 820: Quality System Regulation
• 21 CFR Subchapter B - Food for Human Consumption, Part 110: Current Good Manufacturing Practice in Manufacturing, Packing, or Holding Human Food
• Other 21 CFR parts



Overview of Annex 11
In the European Union (EU), EudraLex is the collection of rules and regulations governing medicinal products (for human use as well as for veterinary use).

EudraLex consists of 10 volumes, of which only Volume 1 (concerning medicinal products for human use) and Volume 5 (concerning medicinal products for veterinary use) present official legislation. The basic legislation is supported by a series of guidelines that are published within the other eight volumes.

EudraLex Volume 1 and Volume 5 both embody a series of Directives issued by the European Commission (the executive body responsible for proposing legislation in the EU). Particularly, two directives laying down principles and guidelines of good manufacturing practice (GMP) for medicinal products were adopted:

• Directive 2003/94/EC laying down the principles and guidelines of good manufacturing practice in respect of medicinal products for human use and investigational medicinal products for human use
• Directive 91/412/EEC laying down the principles and guidelines of good manufacturing practice for veterinary medicinal products

These Directives are the focus of EudraLex Volume 4, which contains guidance for the interpretation of the principles and guidelines of GMP. Although Volume 4 is not legislation in and of itself, the European Commission has stated that the guide to GMP will be used in assessing applications for manufacturing authorizations and as a basis for inspection of manufacturers of medicinal products.

EudraLex Volume 4 consists of three Parts and a series of nineteen Annexes. Within Part 1, guidelines pertaining to Documentation are presented in Chapter 4. Moreover, Annex 11 includes guidelines for the use of computerised systems within GMP-regulated activities. When used in conjunction with Chapter 4, Annex 11 provides guidance for the use of electronic documents (electronic records and electronic signatures) within a GMP environment.

The relationship between Annex 11 and the EudraLex volumes and chapters is depicted in Figure 2.

Annex 11 was revised and issued in 2011 as a result of the increased use and increased complexity of computerised systems. It is applicable to EU program areas as well as foreign manufacturers wishing to obtain EU market approval. Moreover, while Annex 11 is defined for all member states of the European Union, other countries that are PIC/S members (like Australia and Canada) have also embraced Annex 11 as defining requirements for the use of Computerised Systems in regulated GxP environments.

Figure 2 - Relationship between Annex 11 and the EudraLex volumes and chapters.

[Figure 2 labels:]
• EudraLex Volume 1: Pharmaceutical Legislation, Medicinal Products for Human Use (Directive 2003/94/EC)
• EudraLex Volume 5: Pharmaceutical Legislation, Medicinal Products for Veterinary Use (Directive 91/412/EEC)
• EudraLex Volume 4: Guide to GMP
• Chapter 4: Documentation
• Annex 11: Computerised Systems


What is a Computerized System?


A computer system is a set of software and hardware (physical or virtual) components which together fulfill certain functionalities. In contrast, a computerized system refers to a function (process or operation) integrated with a computer system and performed by trained people. See Figure 3.

Figure 3 – Components of a Computerized System in its Operating Environment.

[Figure 3 labels:]
• Operating Environment
• Computerized System
• Computer System: Hardware (Physical or Virtual); Software
• Controlled Process: Operating Procedures and Trained People; Controlled Equipment
• Electronic Records, Electronic Signatures

The focus of 21 CFR Part 11 is narrow and is restricted to electronic records and electronic signatures, a small portion of a computerized system (see Figure 3). The Final Rule of 21 CFR Part 11 is structured with the following sections:

• Subpart A – General Provisions
• Subpart B – Electronic Records
• Subpart C – Electronic Signatures

The focus of Annex 11 is broad and covers e-records, e-Signatures, and entire computerised systems. Annex 11 is structured with the following sections:

• Principle
• General
• Risk Management
• Personnel
• Suppliers and Service Providers
• Project Phase
• Validation
• Operational Phase
• Data
• Accuracy Checks
• Data Storage
• Printouts
• Audit Trails
• Change and Configuration Management
• Periodic Evaluation
• Security
• Incident Management
• Electronic Signature
• Batch release
• Business Continuity
• Archiving


Where do Annex 11 & Part 11 intersect?


Despite the scope of application being largely different, Annex 11 and 21 CFR Part 11 both share the
common intent of ensuring the integrity of electronic records. To achieve this goal, both Annex 11 and
21 CFR Part 11 advocate the following principles:

• Computerized systems that are used to create/manage electronic records must be validated.
• Persons must be qualified to perform tasks within computerized systems that are used to create/manage electronic records.
• Persons must be authorized to access computerized systems that are used to create/manage electronic records.
• Electronic records (data) should be protected and should be readily retrievable throughout the required retention period. It should be possible to obtain legible, printed copies of electronic data.
• Audit trails should capture the creation, change, or deletion of an electronic record.
• Electronic records may be signed electronically. Electronic signatures are understood to be equally binding as handwritten signatures. Electronic signatures should be linked to their respective electronic record.

In Table 1, Annex 11 guidelines are mapped to 21 CFR Part 11 requirements. This highlights the areas
where Annex 11 intersects 21 CFR Part 11.

Table 1: Mapping Annex 11 to 21 CFR Part 11

Annex 11 section: 1. Principle
Annex 11 description: Scope:
• Applies to all forms of computerised systems as part of GMP regulated activities
21 CFR Part 11 section: 11.1 (b); 11.1 (e)
21 CFR Part 11 description:
• Applies to records in an electronic form that are required by predicate rule.
• Computer systems, controls, and documentation shall be available for FDA inspection

Annex 11 section: 1. Principle
Annex 11 description: Validation:
• Application should be validated
• IT infrastructure should be qualified
21 CFR Part 11 section: 11.10 (a)
21 CFR Part 11 description:
• Validation of systems


Annex 11 section: 1. Principle (cont.)
Annex 11 description: Computerised systems can replace manual operations:
• No resultant decrease in product quality, process control or quality assurance
• No increase in the overall risk
21 CFR Part 11 section: 11.1 (a); 11.2000 (a)
21 CFR Part 11 description:
• Electronic records, electronic signatures, and handwritten signatures executed to electronic records are reliable and equivalent to paper records and handwritten signatures executed on paper.
• For records required to be maintained but not submitted: Electronic records may be used in lieu of paper records and electronic signatures may be used in lieu of handwritten signatures
• For records required to be submitted: Electronic records may be used in lieu of paper records and electronic signatures may be used in lieu of handwritten signatures

Annex 11 section: 2. Personnel
Annex 11 description: Cooperation between personnel and the ability to carry out assigned duties
• Process Owner, System Owner, Qualified Persons, IT
• Appropriate qualifications, level of access, and defined responsibilities
21 CFR Part 11 section: 11.10 (i); 11.10 (d); 11.10 (k)(1)
21 CFR Part 11 description:
• Must have the education, training, and experience to perform assigned tasks.
• Limiting system access to authorized individuals.
• Systems documentation: Controls for distribution, access and use of documentation for system operation and maintenance.

Annex 11 section: 3. Completeness
Annex 11 description: No equivalence
21 CFR Part 11 section: No equivalence
21 CFR Part 11 description: No equivalence


Annex 11 section: 4. Validation
Annex 11 description: Validation Documentation
• Validation documentation and reports throughout the system life cycle, based on risk assessment
• Change control records and deviations during validation process
• Systems inventory
• System description
21 CFR Part 11 section: 11.10 (a); 11.10 (h); 11.10 (k)(1), (2)
21 CFR Part 11 description:
• Validation of systems.
• Use of device checks
• Systems documentation: Controls for distribution, access and use of documentation for system operation and maintenance; Document revision and change control.

Annex 11 section: 4. Validation
Annex 11 description: User Requirements Specifications (URS):
• Required functions of computerised system
• Based on risk assessment and GMP impact
• Traceable

Annex 11 section: 4. Validation
Annex 11 description: Development
• Ensure computerised system has been developed in accordance with appropriate quality management system

Annex 11 section: 4. Validation
Annex 11 description: Customized Computerised Systems
• Formal assessment and reporting of quality and performance measures

Annex 11 section: 4. Validation
Annex 11 description: Test Methods and Test Scenarios
• Scenarios should include system (process) parameter limits, data limits, error handling
• Documented assessment of automated testing tools and test environments

Annex 11 section: 4. Validation
Annex 11 description: Data migration (transferring data to another format or system)
• Checks to ensure data remains unaltered during migration process


Annex 11 section: 5. Data
Annex 11 description: Computerised system exchanging data electronically with other systems
• Built-in checks to ensure correct and secure entry and processing of data
21 CFR Part 11 section: 11.10 (h); 11.10 (f); 11.30
21 CFR Part 11 description:
• Use of device checks.
• Use of operational system checks.
• Controls for open systems to ensure the authenticity, integrity, and the confidentiality of electronic records.

Annex 11 section: 6. Accuracy Checks
Annex 11 description: Critical data entered manually
• Additional checks (manual or electronic) on accuracy of data
• Risk management for criticality and potential consequences of erroneous or incorrectly entered data
21 CFR Part 11 section: 11.10 (h); 11.30
21 CFR Part 11 description:
• Use of device checks.
• Controls for open systems to ensure the authenticity, integrity, and the confidentiality of electronic records.

Annex 11 section: 7. Data Storage
Annex 11 description:
• Physical and logical security of data
• Regular verification of stored data
• Access to data throughout the retention period
• Regular back-ups of data
• Verification of back-up data
21 CFR Part 11 section: 11.10 (c)
21 CFR Part 11 description:
• Protection of records to enable their retrieval throughout the retention period.

Annex 11 section: 8. Printouts
Annex 11 description:
• Clear printed copies of electronically stored data
• Records supporting batch release: Printouts available to indicate if any data has been changed since original entry
21 CFR Part 11 section: 11.10 (b); 11.10 (e)
21 CFR Part 11 description:
• The ability to generate accurate and complete copies of records in both human-readable and electronic form.
• Use of secure, computer-generated, time-stamped audit trails to record the date and time of operator entries and actions that create, modify, or delete electronic records.

Annex 11 section: 9. Audit Trails
Annex 11 description:
• Record of all GMP-relevant changes and deletions
• Based on risk assessment
• System generated
• Documented reason for change or deletion of data
• Need to be available, legible, and regularly reviewed
21 CFR Part 11 section: 11.10 (e); 11.10 (k)(2)
21 CFR Part 11 description:
• Use of secure, computer-generated, time-stamped audit trails to record the date and time of operator entries and actions that create, modify, or delete electronic records.
• Systems documentation: Document revision and change control.


Annex 11 section: 10. Change and Configuration Management
Annex 11 description: Changes to computerised systems should be made in a controlled manner
• In accordance with defined procedure
• Includes system configurations
21 CFR Part 11 section: 11.10 (k)(2); 11.10 (d)
21 CFR Part 11 description:
• Systems documentation: Document revision and change control.
• Limiting system access to authorized individuals.

Annex 11 section: 11. Periodic Evaluation
Annex 11 description: Periodic evaluation of computerised systems
• Confirm system remains in a validated state and compliant with GMP
Includes evaluations of:
• Current range of functionality
• Deviation records
• Incidents
• Problems
• Upgrade history
• Performance
• Reliability
• Security
• Validation status reports
21 CFR Part 11 section: 11.300 (b); 11.300 (e); 11.10 (k)(2)
21 CFR Part 11 description:
• Identification code and password issuances are periodically reviewed.
• Initial and periodic testing of devices that bear or generate identification code or password information.
• Systems documentation: Document revision and change control.

Annex 11 section: 12. Security
Annex 11 description:
• Physical and logical controls to restrict system access to authorized persons
• Methods of preventing unauthorized entry (Keys, Pass cards, Personal codes with passwords, Biometrics)
• Extent of controls based on criticality of system
• Record of the creation, change, and cancellation of access authorisations
• Record of the identity, date and time of operators entering, changing, confirming or deleting data
21 CFR Part 11 section: 11.10 (d); 11.10 (e); 11.10 (g); 11.10 (k)(1), (2); 11.200; 11.300
21 CFR Part 11 description:
• Limiting system access to authorized individuals.
• Use of secure, computer-generated, time-stamped audit trails to record the date and time of operator entries and actions that create, modify, or delete electronic records.
• Use of authority checks.
• Systems documentation: Controls for distribution, access and use of documentation for system operation and maintenance; Document revision and change control.
• Electronic signature components and controls.
• Controls for identification codes/passwords.

Annex 11 section: 13. Incident Management
Annex 11 description: No equivalence
21 CFR Part 11 section: No equivalence
21 CFR Part 11 description: No equivalence


Annex 11 section: 14. Electronic Signature
Annex 11 description: Periodic evaluation of computerised systems
• Have the same impact as handwritten signatures within boundaries of the company
• Permanently linked to record
• Include time and date of signature
21 CFR Part 11 section: 11.1 (a); 11.3 (b)7; 11.10 (e); 11.50 (a)(2); 11.70; Subpart C: 11.100, 11.200, 11.300
21 CFR Part 11 description:
• Electronic records, electronic signatures, and handwritten signatures executed to electronic records are reliable and equivalent to paper records and handwritten signatures executed on paper.
• Definition of “electronic signature”
• Use of secure, computer-generated, time-stamped audit trails to record the date and time of operator entries and actions that create, modify, or delete electronic records.
• Signature manifestations shall include date and time when the signature was executed
• Signature/record linking.
• General requirements of electronic signatures:
• Electronic signature components and controls.
• Controls for identification

Annex 11 section: 15. Batch Release
Annex 11 description: Periodic evaluation of computerised systems
• Only Qualified Persons
• Clearly identify and record person releasing or certifying the batches
• Done by electronic signature
21 CFR Part 11 section: 11.10 (g)
21 CFR Part 11 description:
• Use of authority checks.

Annex 11 section: 16. Business Continuity
Annex 11 description: No equivalence
21 CFR Part 11 section: No equivalence
21 CFR Part 11 description: No equivalence


Where do Annex 11 & Part 11 Differ?


The dissimilarities between Annex 11 and 21 CFR Part 11 are few and can be traced back to two points:

1. 21 CFR Part 11 is a US federal law whereas, in contrast, Annex 11 is not a legal document, but a strongly recommended guideline that provides a more practical approach to being compliant with the requirements of the law.

2. Annex 11 applies to computerised systems. This is a much broader scope of application than 21 CFR Part 11, which applies to electronic records and signatures (merely a small piece of a computerised system).

Although the Annex 11 guideline covers all topics related to computerised systems, it lacks in-depth details with regard to electronic records and electronic signatures provided in 21 CFR Part 11.

The areas of Annex 11 which are not discussed in 21 CFR Part 11 are listed in Table 2. Although there is no equivalence in Part 11, applicable procedural control may be implemented to close the gaps.

Table 2: Sections of Annex 11 that do not intersect with 21 CFR Part 11

Annex 11 section: 1. Risk Management
Annex 11 description: Principle Risk management
• Throughout the lifecycle of computerised system
• Consider patient safety, data integrity and product quality
• Validation and data integrity controls should be based on risk assessment

Annex 11 section: 3. Suppliers and Service Providers
Annex 11 description: Third Party
• Formal agreements defining responsibilities between manufacturers, third party suppliers and service providers must exist.
• Competence and reliability of a supplier should be considered before selecting a product or service provider. The need for a vendor audit should be based on risk assessment.
• Documentation supplied with COTS should be reviewed.
• Information about the vendor’s quality system and audit findings are subject to inspection if required

Annex 11 section: 4. Validation
Annex 11 description: Inventory of Computerised Systems
• Up-to-date listing of systems with GMP functionality
• Description of critical systems
• Physical and logical arrangements
• Data flows and interfaces with other systems/processes
• Hardware and software prerequisites
• Security measures


Annex 11 section: 13. Incident Management
Annex 11 description: Report and assessment of all incidents
• Root cause of critical incidents identified
• Form the basis of corrective and preventive actions

Annex 11 section: 16. Business Continuity
Annex 11 description: Business continuity of critical processes
• Provisions to ensure continuity of support for critical processes in the event of system breakdown
• Documentation of alternative arrangements
• Testing of alternative arrangements

A noteworthy difference is the approach to risk management. Annex 11 points to documented risk assessment as the start of compliance activities, including validation and vendor audits. Although Part 11 does not openly speak of risk assessments, the FDA does recommend basing the validation approach and other decisions affecting the maintenance of records on a documented risk assessment (refer to the Guidance for Industry (Ref. [4]) which provides FDA’s nonbinding recommendations for the scope and application of Part 11).

Annex 11 acknowledges the importance of third parties (suppliers and service providers) in the use and maintenance of computerised systems. With the intent of enhancing the level of quality by which computerised systems are implemented, operated and maintained, third parties should be evaluated for competency and reliability. Typically, this evaluation is done via a vendor audit. Audit reports should be documented, and per Annex 11, this information should be available to inspectors on request.

On the topic of validation, Annex 11 is much more explicit. It begins by making a clear distinction between the qualification of infrastructure and the validation of applications. Annex 11 advocates a risk-based approach to validation and embraces specific documentation that is not mentioned within the US regulations, including Systems Inventory and System Description.

Although many businesses fail to realize the importance of business continuity planning (and, by extension, disaster recovery planning), Annex 11 does not overlook this subject. Moreover, Annex 11 highlights that having a plan is not sufficient; the plan needs to be practiced (tested). Apart from this being critical to maintaining data integrity, business continuity planning also makes good business sense.

Limited areas of 21 CFR Part 11 are dissimilar to Annex 11. For the most part, these differences are limited to the verification of identity and accountability of actions by authorized individuals, as well as reporting to authorities. 21 CFR Part 11 also differentiates security for open and closed systems, with extra security measures for open systems but without reference to risk.


3 Steps to Annex 11 & Part 11 Compliance


Organizations that wish to do business and obtain market approval in both the EU and USA must abide by the requirements of Annex 11 and 21 CFR Part 11 respectively. In this section, we present a standard approach to demonstrate compliance with both these regulatory directives.

Step 1. Perform a gap assessment

Assess the environment in which the computer system will be used. Identify the procedural and technical controls which must be in place to ensure the regulatory expectations are met. Begin with the regulatory mapping provided in Table 1, then build on this table by describing how the system can (or cannot) meet each regulatory requirement.

Step 2. Plan and implement mitigation activities

Within the assessment, you may find that the system is incapable of meeting regulatory requirements (either technically or via procedural controls). Mitigation activities must be planned and implemented to close the identified “gaps”. Some examples of mitigation activities are presented in Table 3.

At a minimum, system validation should always be identified as a mitigation activity. The validation strategy should be tailored to the complexity and criticality of the system (see Step 3).

Step 3. Validate the computer system following the GAMP® 5 approach

While Annex 11 provides some how-to guidance on implementing regulations, the industry has accepted publications (such as ISPE’s GAMP® 5) to provide detailed recommendations on how to implement computerized systems for GxP compliant environments. GAMP® 5 defines the industry’s standard framework for risk-based validation. As shown in Table 4, if one is willing to tolerate some minor variations between wordings, definitions and structures, the GAMP® 5 validation approach can result in compliance with both Annex 11 and 21 CFR Part 11.

It is worth noting that a supplier cannot sell a “validated system” as validation requires demonstration that the system performs as intended in its actual environment. Moreover, a supplier cannot sell a system that is certified as Annex 11 or 21 CFR Part 11 compliant. The supplier can only provide the functionality that enables compliance; system compliance and validation ultimately remain the responsibility of the regulated user of the system.

Table 3: Examples of system compliance gaps and mitigation activities

Example identified gap: Daily backup jobs do not run on the system.
Example mitigation activity: The system must be added to data backup schedules. Standard Operating Procedures (SOPs) for data backup and retention need to be updated to capture the system within scope.

Example identified gap: System does not have a built-in user authentication process.
Example mitigation activity: Integrate the system with a third-party user authentication and management system. Validate this system integration.

Example identified gap: Underlying infrastructure is not qualified.
Example mitigation activity: For on-premise systems: qualify the infrastructure. For cloud-based systems: perform a supplier assessment to evaluate the capabilities of the supplier.


Mapping Annex 11 to 21 CFR Part 11 and GAMP 5

Annex 11 section: Principle
Annex 11 description: Scope:
• Applies to all forms of computerised systems as part of GMP regulated activities
21 CFR Part 11 section: 11.1 (b); 11.1 (e)
GAMP 5 reference: N/A

Annex 11 section: Principle
Annex 11 description: Validation:
• Applications should be validated
• IT infrastructure should be qualified
21 CFR Part 11 section: 11.10 (a)
GAMP 5 reference: This is consistent with the GAMP® 5 approach to validate GxP regulated applications and qualify IT infrastructure (following GAMP® 5 guidance regarding Category 1 hardware).

Annex 11 section: Principle
Annex 11 description: Computerised systems can replace manual operations:
• No resultant decrease in product quality, process control or quality assurance
• No increase in the overall risk
21 CFR Part 11 section: 11.1 (a); 11.2 (a); 11.2 (b)
GAMP 5 reference: N/A

Annex 11 section: 1. Risk Management
Annex 11 description: Risk management
• Throughout the lifecycle of computerised system
• Consider patient safety, data integrity and product quality
• Validation and data integrity controls should be based on risk assessment
21 CFR Part 11 section: N/A
GAMP 5 reference: This is consistent with the overall risk-based approach described in GAMP® 5. Refer to:
• Section 5: Quality Risk Management
• Management Appendix M3: Science Based Quality Risk Management
• Management Appendix M4: Categories of Software and Hardware
• Operation Appendix O2: Establishing and Managing Support Services
• Operation Appendix O6: Operation Change and Configuration Management
• Operation Appendix O8: Periodic Review
• Operation Appendix O9: Backup and Restore


Annex 11 section: 2. Personnel
Annex 11 description: Cooperation between personnel and ability to carry out assigned duties:
• Process Owner, System Owner, Qualified Persons, IT
• Appropriate qualifications, level of access, and defined responsibilities
21 CFR Part 11 section: 11.10 (i); 11.10 (d); 11.10 (k)(1)
GAMP 5 reference: Refer to:
• Operation Appendix O12: System Administration

Annex 11 section: 3. Suppliers and Service Providers
Annex 11 description: Third Party
• Formal agreements defining responsibilities between manufacturers, third party suppliers and service providers must exist.
• Competence and reliability of a supplier should be considered before selecting a product or service provider. The need for a vendor audit should be based on risk assessment.
• Documentation supplied with COTS should be reviewed. Information about the vendor’s quality system and audit findings are subject to inspection if required.
21 CFR Part 11 section: N/A
GAMP 5 reference: Refer to:
• Section 6.1.4 Managing Supplier Relationships
• Section 6.2.3.7 Supplier
• Section 7: Supplier Activities
• Management Appendix M2: Supplier Assessment
• Management Appendix M6: Supplier Quality and Project Planning

Annex 11 section: 4. Validation
Annex 11 description: Validation Documentation
• Validation documentation and reports throughout the system’s life cycle, based on risk assessment
• Change control records and deviations during validation process
• Systems inventory
• System description
21 CFR Part 11 section: 11.10 (a); 11.10 (h); 11.10 (k)(1), (2)
GAMP 5 reference: This is consistent with overall risk-based approach described in GAMP® 5. Refer to:
• Section 3: Life Cycle Approach
• Section 6.1.5 Maintaining the System Inventory
• Management Appendix M1: Validation Planning
• Management Appendix M7: Validation Reporting
• Management Appendix M10: System Retirement
• Development Appendix D6: System Descriptions
• Operation Appendix O1: Handover

Annex 11 section: 4. Validation
Annex 11 description: User Requirements Specifications (URS)
• Required functions of computerised system
• Based on risk assessment and GMP impact
• Traceable
GAMP 5 reference: Refer to:
• Development Appendix D1: User Requirements Specifications
• Development Appendix D2: Functional Specifications


4. Validation
Annex 11 Description: Development
• Ensure that the computerised system has been developed in accordance with appropriate quality management system controls.
• Supplier assessment
21 CFR Part 11 Section: 11.10 (i); 11.10 (d); 11.10 (k) (1)
GAMP 5 Reference: Refer to:
• Management Appendix M2: Supplier Assessment

4. Validation
Annex 11 Description: Customized Computerised Systems
• Formal assessment and reporting of quality and performance measures
GAMP 5 Reference: Refer to:
• Development Appendix D3: Configuration and Design
• Development Appendix D4: Management, Development and Review of Software
• Management Appendix M5: Design Review and Traceability

4. Validation
Annex 11 Description: Test Methods and Test Scenarios
• Scenarios should include system (process) parameter limits, data limits, error handling
• Documented assessment of automated testing tools and test environments
GAMP 5 Reference: Refer to:
• Appendix D5: Testing of Computerized Systems

4. Validation
Annex 11 Description: Data migration (transferring data to another format or system)
• Checks to ensure data remains unaltered during migration process
GAMP 5 Reference: Refer to:
• Appendix D7: Data Migration


5. Data
Annex 11 Description: Computerised system exchanging data electronically with other systems
• Built-in checks to ensure correct and secure entry and processing of data
21 CFR Part 11 Section: 11.10 (h); 11.10 (f); 11.30
GAMP 5 Reference: N/A

6. Accuracy Checks
Annex 11 Description: Critical data entered manually
• Additional checks (manual or electronic) on accuracy of data
• Risk management for criticality and potential consequences of erroneous or incorrectly entered data
21 CFR Part 11 Section: 11.10 (h); 11.30
GAMP 5 Reference: N/A

7. Data Storage
Annex 11 Description:
• Physical and logical security of data
• Regular verification of stored data
• Access to data throughout the retention period
• Regular back-ups of data
• Verification of back-up data
21 CFR Part 11 Section: 11.10 (c)
GAMP 5 Reference: Refer to:
• Section 4.3.6.1: Backup and Restore
• Operation Appendix O9: Backup and Restore
• Operation Appendix O11: Security Management

8. Printouts
Annex 11 Description:
• Clear printed copies of electronically stored data
• Records supporting batch release: Printouts available to indicate if any data has been changed since original entry
21 CFR Part 11 Section: 11.10 (b); 11.10 (e)
GAMP 5 Reference: N/A

9. Audit Trails
Annex 11 Description:
• Record of all GMP-relevant changes and deletions
• Based on risk assessment
• System generated
• Documented reason for change or deletion of data
• Need to be available, legible, and regularly reviewed
21 CFR Part 11 Section: 11.10 (e); 11.10 (k) (2)
GAMP 5 Reference: N/A

10. Change and Configuration Management
Annex 11 Description: Changes to computerised systems should be made in a controlled manner
• In accordance with defined procedure
• Includes system configurations
21 CFR Part 11 Section: 11.10 (k) (2); 11.10 (d)
GAMP 5 Reference: Refer to:
• Section 4.2.5.2: Change and Configuration Management
• Management Appendix M3: Science Based Quality Risk Management
• Operation Appendix O6: Operation Change and Configuration Management
• Operation Appendix O7: Repair Activity


11. Periodic Evaluation
Annex 11 Description: Periodic evaluation of computerised systems
• Confirm system remains in a validated state and compliant with GMP
Includes evaluations of:
• Current range of functionality
• Deviation records
• Incidents
• Problems
• Upgrade history
• Performance
• Reliability
• Security
• Validation status reports
21 CFR Part 11 Section: 11.300 (b); 11.300 (e); 11.10 (k) (2)
GAMP 5 Reference: Refer to:
• Management Appendix M3: Science Based Quality Risk Management
• Operation Appendix O3: Performance Monitoring
• Operation Appendix O8: Periodic Review

12. Security
Annex 11 Description:
• Physical and logical controls to restrict system access to authorized persons
• Methods of preventing unauthorized entry (Keys, Pass cards, Personal codes with passwords, Biometrics)
• Extent of controls based on criticality of system
• Record of the creation, change, and cancellation of access authorisations
• Record of the identity, date and time of operators entering, changing, confirming or deleting data
21 CFR Part 11 Section: 11.10 (d); 11.10 (e); 11.10 (g); 11.10 (k)(1), (2); 11.200; 11.300
GAMP 5 Reference: Refer to:
• Section 4.3.7.1: Security Management
• Section 5.2: Science Based Quality Risk Management
• Management Appendix M9: Document Management
• Operation Appendix O11: Security Management

13. Incident Management
Annex 11 Description: Report and assessment of all incidents
• Root cause of critical incidents identified
• Form basis of corrective and preventive actions
21 CFR Part 11 Section: N/A
GAMP 5 Reference: Refer to:
• Section 4.3.3: Incident Management and CAPA
• Operation Appendix O4: Incident Management
• Operation Appendix O5: Corrective and Preventive Action
• Operation Appendix O7: Repair Activity

14. Electronic Signature
Annex 11 Description: Electronic records may be signed electronically, where electronic signatures:
• Have the same impact as hand-written signatures within boundaries of the company
• Permanently linked to record
• Include time and date of signature
21 CFR Part 11 Section: 11.1 (a); 11.3 (b)7; 11.10 (e); 11.50 (a) (2); 11.70; Subpart C: 11.100; 11.200; 11.300
GAMP 5 Reference: N/A


15. Batch Release
Annex 11 Description: Computerised systems used to certify batch releases
• Only Qualified Persons
• Clearly identify and record person releasing or certifying the batches
• Done by electronic signature
21 CFR Part 11 Section: 11.10 (g)
GAMP 5 Reference: N/A

16. Business Continuity
Annex 11 Description: Business continuity of critical processes
• Provisions to ensure continuity of support for critical processes in the event of system breakdown
• Documentation of alternative arrangements
• Testing of alternative arrangements
21 CFR Part 11 Section: N/A
GAMP 5 Reference: Refer to:
• Section 4.3.6.2: Business Continuity Planning
• Operation Appendix O10: Business Continuity Management

17. Archiving
Annex 11 Description: Archived data
• Checks for accessibility, readability and integrity
Changes to the system:
• Retrieval of data ensured and tested
21 CFR Part 11 Section: 11.10 (c)
GAMP 5 Reference: Refer to:
• Operation Appendix O13: Archiving and Retrieval


Implement a Quality Management System to Achieve Compliance
GAMP® 5 discusses the key requirements for processes that should be in place to support the
operation of a computerized system. A process is the highest level description of a strategy or
actions required to achieve a particular end. It describes WHAT needs to be done. Within a Quality
Management System, documented procedures prescribe HOW to carry out a process. Moreover,
documented work instructions may be implemented to provide step-by-step instructions on HOW to
execute a procedure and WHO is responsible for performing specific tasks.

[Figure: Process, Procedure, Work Instruction]

Upon analysis of Part 11 and Annex 11, the following controlled processes are essential for achieving
and maintaining compliance. Policies, Procedures and/or Work Instructions should be followed
for each.

• Computerized System Validation
• Risk Management
• Supplier Management and Support Management
  ◦ Vendor assessments, Service Level Agreements, Contractual terms and conditions
• Change and Configuration Management
• Backup and Restore
• Record Archival and Retrieval
• Document Management
• System Administration
• Security Management (Physical and Logical Security)
• Performance Monitoring
• Incident Management and CAPA
• Training
• Periodic Review
• Business Continuity Management


Considerations for Cloud-based Systems


The adoption of cloud technology continues to increase across the life sciences industry. Cloud
service delivery models include: Infrastructure as a Service (IaaS), Platform as a Service (PaaS),
and Software as a Service (SaaS).

Although the responsibility for compliance with regulations governing computerized systems lies
with the regulated company, the cloud-service provider may have considerable involvement in
the process. The relationship between a cloud-service provider and a regulated company will vary
significantly depending upon the product, application, or service being provided.

Cloud-service providers are expected to operate within a Quality Management System (QMS).
Quality planning should define the activities, procedures, deliverables, and responsibilities for
establishing delivery and monitoring of the service. Such a plan is a contractual document, and as
such, should be approved for use by both the supplier and the regulated company. The required
information may be satisfactorily covered by other contractual documents such as a Service Level
Agreement or Quality Agreement. However, the final responsibility lies with the regulated company
to ensure that the shared responsibility between the supplier and the regulated user satisfactorily
complies with the governing regulations. The regulated user may ensure the effectiveness of
controls in the supplier’s QMS by performing periodic audits or leveraging the documents provided
by the supplier after being periodically audited by independent third-party auditors.


Conclusion
Annex 11 and 21 CFR Part 11 are fundamentally different in legislative authority. Annex 11 is a
guideline that should be strictly observed in order to be compliant, whereas 21 CFR Part 11 is law.
It follows that Annex 11 is interpretive while 21 CFR Part 11 is explicit. Despite these differences,
some organizations may need to comply with both these regulatory directives. By ensuring that
the system meets 21 CFR Part 11 requirements and by applying a risk-based approach to system
validation such as the approach outlined within GAMP® 5, the requirements set forth within
Annex 11 can be demonstrated as being met by the system.

References
Ref. [1] EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good
Manufacturing Practice, Medical Products for Human and Veterinary Use, Annex 11: Computerised
Systems, 2011.
Ref. [2] U.S. Food and Drug Administration, Code of Federal Regulation, Title 21 Part 11: Electronic
Records; Electronic Signatures, 1997.
Ref. [3] ISPE, GAMP 5 - A Risk-Based Approach to Compliant GxP Computerized Systems, 2008.
Ref. [4] U.S. Food and Drug Administration, Guidance for Industry: Part 11, Electronic Records;
Electronic Signatures – Scope and Application, 2003.
Ref. [5] Pharmaceutical Engineering, ISPE GAMP COP Annex 11 Interpretation, July/August 2011.

Glossary
Acronym Definition
CFR Code of Federal Regulations
COTS Commercial off-the-shelf
EU European Union
FDA Food and Drug Administration
GMP Good Manufacturing Practice
GxP A general term for Good (x) Practice quality guidelines and regulations, where (x) is a placeholder such as: C: Clinical; D: Distribution; L: Laboratory; M: Manufacturing
IT Information Technology
US(A) United States (of America)
PIC/S The Pharmaceutical Inspection Co-operation Scheme
ISPE International Society for Pharmaceutical Engineering
GAMP Good Automated Manufacturing Practice


About Montrium
Montrium is a knowledge-based company that leverages a deep understanding of GxP processes
and technologies to provide cost-effective solutions to life science organizations. Montrium’s
industry leading platform Montrium Connect, offers a truly collaborative and compliant document
and quality management environment in the cloud.

Our team is composed of seasoned engineers and scientists who have extensive experience in
the life sciences. Montrium is committed to investing in innovation to build dynamic, powerful and
intuitive solutions which enable our clients to improve their operational processes.

For more information about Montrium’s products and services please visit www.montrium.com

North American Headquarters
507 Place d’Armes, Suite 1050
Montreal
Quebec
H2Y 2W8
T: +1 (514) 223 9153
E: info@Montrium.com

European Headquarters
Boulevard de Waterloo 77
1000 Brussels
Belgium
T: +32.2.808.3008
E: info@Montrium.com
