EU Annex 11 (EudraLex Volume 4 - GMP Guidelines)
Purpose
To ensure that all computerized systems used in the manufacturing and quality control of medicinal products guarantee data integrity, traceability, and reliability throughout their lifecycle.
Key Requirements for Compliance
| Category | What Circularo (or any e-signature platform) must demonstrate |
|---|---|
| System Validation | Validation documentation proving the system performs as intended (Installation Qualification, Operational Qualification, Performance Qualification - IQ/OQ/PQ). |
| Access Control | Secure, role-based permissions ensuring only authorized users can perform specific actions. |
| Audit Trails | Automatic, time-stamped records of all system activities (signing, document changes, deletions, etc.). Audit trails must be tamper-proof and accessible for review. |
| Electronic Signatures | Must be uniquely linked to one person, capable of identifying that person, and include date/time stamps. |
| Data Integrity | Stored records must be protected from alteration or loss. Version control and traceability are key. |
| Change Control & Configuration Management | Any change to the system or its configuration must be documented and validated. |
| Training & SOPs | Staff using the system must be trained, and standard operating procedures (SOPs) must exist for all processes. |
| Vendor Qualification | If Circularo is a software vendor, pharmaceutical clients must be able to audit or assess its development, testing, and security processes. |
Who Audits Annex 11 Compliance
There is no central “Annex 11 certification authority”. Compliance is verified through GMP inspections conducted by:
National Regulatory Agencies in the EU (e.g. EMA, MHRA in the UK, BfArM in Germany, AIFA in Italy).
During audits of a pharmaceutical company, inspectors also review their IT systems and vendors for Annex 11 compliance.
So, Circularo would be indirectly audited - usually by the client’s QA or compliance team or by regulators when the system is used in a validated environment.
In short: Annex 11 compliance = demonstrated through validation documentation, not a formal certificate.
Documentation Typically Required from the Vendor
To help clients prove compliance, Circularo should be able to provide or facilitate:
System Validation Package (IQ/OQ/PQ reports or vendor-supplied validation documents)
Technical & Security Architecture Overview
Audit Trail Samples
Data Retention and Backup Policy
Access Control and Authentication Policy
Change Control Procedures
Training and SOP documentation
Statement of Compliance outlining how the platform meets Annex 11 / Part 11 requirements
Annex 11 & 21 CFR Part 11 Compliance Mapping for Circularo
| Compliance Area | How Circularo Demonstrates Compliance | Applicable Regulation(s) |
|---|---|---|
| | Validation documentation confirming installation (IQ), operational (OQ), and performance (PQ) requirements are met. Includes functional tests, electronic signature validation, and audit-trail verification. | Annex 11 §4 |
| | Role-based access, secure login with unique user IDs, password complexity rules, optional MFA, session-timeout policies, and revocation controls. | Annex 11 §12 |
| | Immutable, time-stamped logs automatically recording all key user and system actions (sign, modify, delete, export). Audit data is tamper-evident and exportable for inspection. | Annex 11 §9 |
| | Signatures uniquely linked to individual users and bound to signed content via cryptographic hash; capture of signer identity, date/time, and intent (“Approved”, “Reviewed”, etc.). | Annex 11 §14 |
| | Encrypted storage, version control, checksums, and restricted deletion rights ensure authenticity and long-term readability of records. | Annex 11 §8 |
| | HTTPS/TLS encryption in transit, AES encryption at rest, access logging, periodic vulnerability scans, and GDPR-compliant processing. | Annex 11 §7 |
| | Formal change-management process; all configuration or feature changes are documented, tested, and approved before release. | Annex 11 §1–2 |
| | Documented procedures for validation, security, backup, and incident response; staff training records maintained to ensure competence. | Annex 11 §2 |
| | Circularo provides quality documentation and security policies for customer supplier-qualification or vendor-audit programs. | Annex 11 §3 |
| 10. Audit & Inspection Support | Platform offers exportable logs, configuration documentation, and validation evidence to support client GMP/FDA audits. | Annex 11 §9–14 |
| 11. Electronic Record Retention & Retrieval | Archived documents remain retrievable and readable for the full retention period defined by the customer; integrity verification ensures authenticity. | Annex 11 §8 |
| 12. Statement of Compliance | Vendor can issue a signed statement summarizing adherence to Annex 11 and 21 CFR Part 11 principles; supports clients’ validation packages. | Annex 11 |
Auditing & Certification
| Regulation | Primary Audit/Inspection Body | Audit Approach |
|---|---|---|
| EU Annex 11 | EU GMP authorities - e.g. EMA, MHRA, BfArM, AIFA | Verified during GMP inspections of pharma manufacturers; vendor audited by client QA/compliance teams. No central certificate issued. |