Computer System Validation: Comparison between 21 CFR Part 11 and EU Annex 11

In last week’s blog post, Arithmos wrote about the importance of Computer System Validation for life sciences technology, pointing out that their are laws and regulations which guide CSV practices. This week, Arithmos discusses a comparison of 21 CFR Part 11 and EU Annex 11, in particularly with regards to electronic records and signatures. This month, Arithmos Chief Operating Officer, Stefano Piccoli, instructed a course on Part 11 and Annex 11 in Milan.

21 CFR Part 11 and EU Annex 11 share a common intent: that all computerized systems used in GxP-regulated environments require compliance for ensuring integrity of records and data. Part 11 is strictly applicable to the United States in all FDA (Food & Drug Administration) program areas as well as to all manufacturers outside the U.S. who wish to gain FDA market approval. Annex 11, on the other hand, applies to the European Union as well as foreign manufacturers who are seeking EU market approval.


21 CFR Part 11 Scope: Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in agency regulations. It is applicable to all GxP computerized systems that are used to store and manage electronic records and signatures that are required by the predicate rule.

EU Annex 11 Scope: Annex 11 applies to Good Manufacturing Practices (GMP) for medicinal products for human use, investigational medicinal products for human use and veterinary medicinal products and concerns those computerized systems used in the GMP environment.

It is important to note that the EU Annex 11 is not a legal requirement, but a guideline – albeit a strongly recommended guideline. 21 CFR Part 11 is, however, a regulation set by the U.S.

Both Part 11 and Annex 11 apply to electronic records and signatures. Under 21 CFR Part 11, e-Signatures must include a printed name , verification of identity of the individual signing the document, requirements to prevent forgery and unique codes and passwords. Meanwhile, under Annex 11 e-Signatures have the same impact of a handwritten signature and must be permanently linked to a record as well as include a time and date.

Picture1However, Annex 11 goes beyond Part 11 in four key areas:

  • Supplier and service provider audits – in accordance with GAMP 5, the role of the supplier has been put in the spotlight due to the trend of purchasing clinical trial systems and outsourcing computer system related services.
  • IT infrastructure qualification – Validation of computer systems is an element of a project phase and takes center stage, and validation has been expanded to cover the complete life cycle. Annex 11 includes the qualification of the IT infrastructure.
  • Risk Management – The EU Annex 11 has added a new clause on risk management and taking a risk based approach to CSV. Computerized systems that support GxP processes must be validated in proportion to the level of risk they present to patient safety, product quality and integrity of regulated records.
  • Integrity of system operations and information stored in the system- Annex 11 goes beyond Part 11 to cover general, project phase, operational phase, data, data storage, audit trails and periodic review and security.

In conclusion, although Annex 11 is just a guideline, it has a much broader scope than Part 11 and has improved standards for regulated users and systems. The FDA is expected to report on the industry’s understanding of Part 11 implementation and focus on areas such as validation, audit trail, copies of records and record retention. The review will most likely generate revised/new revisions, closing the gap between Annex 11 and Part 11.

Arithmos and CSV

The Arithmos team has extensive experience in validating systems in the healthcare sector. To ensure patient safety and full adherence to regulatory requirements, we validate regulated systems in a cost-effective, efficient and fully compliant manner. We provide full evidence of the validation exercise, and when requested, fix non-compliant areas.

Related Links

Best Practices: Implementing Computer System Validation




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s