traqxGxP Compliance Software
EU GMP Annex 11

EU GMP Annex 11: what computerised systems need to demonstrate

Reading time ~10 min · Daniel Herrmann

RIGID · V-MODEL URS CODE PQ EVOLVES MODULAR · RISK-BASED 01 Critical Thinking 02 Agile 03 Cloud 04 KI/ML

EU GMP Annex 11 applies to computerised systems used as part of GMP-regulated activities. The application should be validated, the IT infrastructure qualified, and the extent of controls based on a justified risk assessment. Relevant controls include traceable requirements, supplier oversight, restricted access, backup, change management and business continuity. The 2011 version remains applicable. The revision published in 2025 is a draft: the consultation has closed, but a final version is not yet in force.

Annex 11 starts with system use, not a document list

Many Annex 11 projects begin with a list of expected documents. That is practical, but incomplete. First establish which GMP process depends on the system, which data are critical and what a failure could mean for product quality, patient safety or data integrity.

The applicable 2011 version sets that frame. Annex 11 covers all forms of computerised systems used as part of GMP-regulated activities. The application should be validated and the IT infrastructure qualified. The depth of validation and data-integrity controls follows from a documented risk assessment, not a standard quantity of documents.

What EU GMP Annex 11 requires today

The annex does not prescribe one validation method. It defines control points that need to remain consistent across the lifecycle:

  • Requirements and traceability: The user requirements specification describes required functions, reflects GMP impact and risk, and remains traceable throughout the lifecycle.
  • Validation and migration: Documentation and reports cover the relevant lifecycle stages. Testing, deviations, change control and data migration are evidenced in proportion to risk.
  • Suppliers and services: Responsibilities with third parties are formally agreed. Competence and reliability inform selection; the need for an audit is risk-based.
  • Data and access: Critical data entered manually receive an additional accuracy check. Access is restricted to authorised people, and the creation, change and withdrawal of access rights are recorded.
  • Operation and change: Changes are controlled. Systems are periodically evaluated, including incidents, security, performance and validation status.
  • Availability: Backups must do more than exist. Their integrity, accuracy and restorability are checked, while critical processes require documented and tested continuity arrangements.

What ties them together matters more than any single document. Requirement, risk, test, change and operation must visibly describe the same system and intended use.

Annex 11 audit trails: risk-based, available and regularly reviewed

Audit-trail expectations are often quoted more absolutely than the current text allows. The 2011 version says that, based on risk assessment, consideration should be given to a system-generated record of all GMP-relevant changes and deletions. The reason for changing or deleting GMP-relevant data should be documented.

The job does not end when a technical feature is switched on. Audit trails need to be available, convertible into a generally intelligible form and reviewed regularly. Your procedure therefore needs to answer three questions: Which data and events are critical? Who reviews them? What triggers an investigation?

The same principle applies to electronic signatures. Annex 11 expects them to have the same impact as handwritten signatures within the company, remain permanently linked to the record and include date and time. A signature feature is not automatically fit for use: roles, process and validation still need to align.

Annex 11 does not demand blind logging of every click. It demands justified control of GMP-relevant changes.

What the 2025 draft revision may change

The European Commission draft responds to cloud services, more complex system landscapes and new technologies. It turns many concise expectations into a much more detailed lifecycle framework.

Four directions stand out: system requirements should stay current; traceability between requirements, design and testing becomes more explicit; oversight of vendors and external services is detailed; and audit trails, identity and access management, electronic signatures, security, backup and archiving receive substantially more depth.

You do not need to treat the draft as current law. It is sensible, however, to identify gaps that matter regardless of the final wording: outdated URS, unclear service responsibilities, missing traceability, audit trails that are not reviewed, or backups without a demonstrated restore.

Draft, not the applicable version

The consultation ran from 7 July to 7 October 2025 and is closed. EudraLex Volume 4 still lists the 2011 version of Annex 11 as applicable. Draft details may change before final publication.

A practical Annex 11 review in seven questions

You do not need a new document template for a useful first review. Take one real system and ask:

  1. Which GMP activity and critical data depend on it?
  2. Does the current URS describe the functionality actually in use?
  3. Are requirements, risks, tests and changes traceably connected?
  4. Which services does the vendor provide, and where does your responsibility begin?
  5. Which GMP-relevant changes does the audit trail record, and who reviews it?
  6. Are access, signatures and roles as clear in the procedure as in the system?
  7. Can you evidence restore, continuity and data access throughout retention?

If an answer can only be reconstructed across files, inboxes and individual memory, the gap is rarely a missing sentence. The evidence is not connected.

Annex 11 and AI: the system framework remains, Annex 22 adds the model

An AI-enabled tool is still a computerised system in the GMP process. Annex 11 therefore remains the framework for lifecycle, data, access, change and operation. Draft Annex 22 adds AI-specific questions such as intended use, test data, model performance and human review. The relationship is explained in Annex 22 vs Annex 11.

The traqx System does not replace your risk assessment or validation. It works one step earlier: sources, drafts, changes, open points and human review remain connected in the work item. That makes it faster to turn a requirement into reviewable evidence — without claiming compliance on behalf of the customer.

Frequently asked questions

What does EU GMP Annex 11 require for computerised systems?

EU GMP Annex 11 is the annex for computerised systems used as part of GMP-regulated activities. It combines risk-based validation with controls for data integrity, access, suppliers, change, operation, backup, electronic signatures and business continuity.

Which version of Annex 11 currently applies?

The 2011 version remains applicable. A revised version was published for consultation in 2025, and the consultation closed on 7 October 2025. Until a final version is published and brought into operation, the draft is an important direction of travel rather than an applicable requirement.

Does Annex 11 require an audit trail for every action?

No. The current text calls for a risk-based consideration of system-generated records for GMP-relevant changes and deletions. Audit trails need to be available, intelligible and regularly reviewed; their scope and review procedure should match criticality.

What is the difference between validation and qualification in Annex 11?

Annex 11 states it concisely: the application should be validated and the IT infrastructure qualified. Validation demonstrates that the application is fit for its intended GMP use; qualification demonstrates that the underlying infrastructure is suitable and operated under control.

Does Annex 11 apply to AI systems?

If an AI system is used as part of a GMP-regulated activity, Annex 11 remains the system framework. Draft Annex 22 adds AI-specific requirements but does not replace Annex 11. The exact scope follows from intended use, criticality and documented risk assessment.

Key takeaways

  • The 2011 version of Annex 11 remains applicable; the 2025 revision is still a draft.
  • Validation depth and data-integrity controls follow from a justified, documented risk assessment.
  • Audit trails are not a checkbox feature: scope, intelligibility and regular review must match risk.
  • URS, risks, tests, changes and operation need to form one continuous evidence chain.
  • For AI, Annex 11 remains the system framework while Annex 22 adds the AI-specific layer.

Sources

Author

Daniel Herrmann

Daniel Herrmann is Co-Founder and CEO of traqx and has worked at the intersection of GxP, CSV and digital quality for more than 15 years. This article interprets the applicable Annex 11 and its draft revision from the European Commission's original documents. It provides orientation, not legal or compliance advice, and does not replace an assessment of your specific system and process.