EU GMP Annex 11

What EU GMP Annex 11 is

Annex 11 — Computerised Systems is part of EudraLex Volume 4, the EU's Good Manufacturing Practice guidelines for medicinal products for human and veterinary use. It applies to any computerised system used as part of GMP-regulated activities, and it is system-and-lifecycle-centric: where the US Part 11 focuses on electronic records and signatures, Annex 11 governs the whole life of the system that produces them.

The text in force is the 2011 revision — a deliberately principle-based document covering risk management, supplier and service-provider responsibility, validation, data, accuracy checks, data storage, printouts, audit trails, change and configuration management, periodic evaluation, security, incident management, electronic signatures, batch release, business continuity, and archiving. PIC/S publishes an equivalent Annex 11 used by participating authorities beyond the EU.

Why Annex 11 shapes EU system decisions

For any company manufacturing or releasing product for the EU market, Annex 11 is the lens an EU inspector applies to every computerised system in GMP scope — the eQMS included. The questions follow its clauses: is the system validated for its intended use, who is responsible for it, what does the supplier do versus what do you do, is the data accurate and protected, can you show an audit trail, what happens when the system changes, and what happens when it fails.

Two Annex 11 themes hit cloud eQMS buyers hardest. First, supplier responsibility: outsourcing the system never outsources the accountability — the regulated user must understand and oversee what the provider does. Second, lifecycle governance: validation is not a go-live event but a state to be maintained through change control and periodic evaluation. The 2025 draft revision sharpens both, adding explicit cybersecurity and service-oversight expectations.

Annex 11 in the wider framework

Annex 11 never operates alone. The pieces it interlocks with:

• EU GMP Chapter 4 (Documentation) — the predicate for what records must exist; Annex 11 governs the systems that hold them. Chapter 4 was revised in draft alongside Annex 11 in July 2025
• 21 CFR Part 11 — the US counterpart; record-and-signature-centric where Annex 11 is system-centric. Most global systems must satisfy both — see Annex 11 vs Part 11
• GAMP 5 — the industry method most companies use to deliver the risk-based lifecycle Annex 11 expects
• ALCOA+ and PIC/S PI 041-1 — the data integrity expectations inspectors test Annex 11 systems against
• Draft Annex 22 (AI) — the new companion annex from the same July 2025 package, covering artificial intelligence in GMP

What inspectors ask Annex 11 systems to show

In practice, Annex 11 review is concrete: a validated state with evidence proportionate to risk; an inventory of GMP computerised systems; documented supplier assessment for outsourced services; controlled access with individual accounts; an audit trail that records GMP-relevant changes and deletions and is reviewed; change management with evaluated impact; periodic evaluation that confirms the validated state still holds; data backup, archiving, and a tested business continuity arrangement.

For cloud systems, the assessment extends into the provider: hosting model, data location, isolation, the provider's own change and release discipline, and how the customer learns about changes that affect the validated state.

How Complere maps to Annex 11

Complere's controls were built with Annex 11's clause structure in mind: role-based access with individual accounts, time-stamped audit trails on regulated records, electronic signatures with re-authentication, controlled change with impact assessment, and per-tenant isolation with customer-selected hosting region. The validation pack delivers the lifecycle evidence Annex 11 expects — and is regenerated on releases that affect validated functionality, supporting the periodic-evaluation posture. The clause-level walkthrough is on Electronic Records & Signatures and the Annex 11 validation playbook.