EU Annex 11 and the Integrity of Erecs | IVT

Peer Reviewed: Computer Validation

Note: The content of this paper is a chapter of a new book on computer systems validation using Annex 11. This will be published by early 2015.


The safety of a computer system is reflected by the confidentiality, integrity, and availability of the system. The integrity of the systems includes the integrity of the electronic records (erecs). Records provide evidence of various actions taken to demonstrate compliance with instructions (e.g., activities, events, investigations, and, in the case of manufactured batches, a history of each batch of product, including its distribution). Records include the raw data that is used to generate other records. For electronic records, regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data (1).

Data Integrity - The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. (2)

When an inspector of a competent authority has to assess an installed computer system at a regulated user’s site, the inspector considers the potential risks, from the computer system to product/material quality or data integrity, as identified and documented by the regulated user in order to assess the fitness for purpose of the particular system (3).

Erecs can be easily changed with no cross-outs or other indications of the change. The design of database software systems can incorporate functions to automatically maintain an audit trail of changed erecs. This audit trail should maintain original erecs, its source, and any changed erecs, along with the date and identity of the initiator(s). Alternatively, access to software and erecs files can be restricted with physical and logical methods to authorized individuals in addition to the use of manual methods to create and maintain audit trails.

The ability to write to critical software or erecs files can be restricted by hardware or software. The access to individual records within a database or a file should be controlled to prevent simultaneous editing of a record or a file by more than one user. Record-locking is a software technique that limits access, with editing authority, to individual records in a database. Similar techniques are employed in source code control programs to prevent unauthorized changes to a program's source code files.

This paper discusses the controls proposed by the European Union (EU) Annex 11 (4) in support of electronic records integrity.

EU Annex 11 is not a legal requirement; it is a guideline in the context of the EU good manufacturing practices (GMPs). However, Annex 11 is mandatory on each EU national level since the member states have to endorse the EU GMP Guideline within the scope of the national healthcare legislation.

The precise implementation of Annex 11 ensures that the computer systems can be used in the manufacture of medicinal products without any adverse impact on quality, efficacy, or patient safety, including electronic records integrity.

Data Integrity

Latest data integrity issues uncovered by the regulatory agencies and competent authorities to the regulated users have resuscitated the dialog within the industry on this subject.

Figure: Inspection Trends from 1990 to 2014.Inspection Trends from 1990 to 2014.

Since 2004, worldwide inspection trends have seen an increased focus on data integrity. The regulatory requirements regarding the integrity of electronic records cover paper-based records as well.

This attention to the erecs integrity may be related with the better understanding by the regulatory agencies, competent authorities, and the industry around the United States Food and Drug Administration Code of Federal Regulations Title 21 Part 11, Electronic Records: Electronic Signatures.

Table I depicts the recent cases on computer-related data integrity documented by regulatory agencies or competent authorities after the associated inspections.

Table I: 2013– 2014 Data Integrity Cases.

Company Name Date   Regulation Note
Hospira March 2013 483 211.180(d) Data Integrity.
Puget Sound Blood Center and Program April 2013 Warning Letter (WL) 211.68(b) Lack of I/O Verification (Data Accuracy).
RPG Life Sciences Limited May 2013 WL 211.68(b) The computer system being used for high-performance liquid chromatography (HPLC) did not have adequate controls to prevent unrecorded changes to data.
Fresenius Kabi AG July 2013 WL API Unacceptable practices in the management of electronic data.
Aarti Drug Limited July 2013 WL API Failure to implement access controls and audit trails for laboratory computer systems.
Wockhardt Limited July 2013 WL 211.194(a) Fail to ensure that laboratory records included complete data derived from all tests necessary to assure compliance with established specifications and standards.
Posh Chemicals Pvt Ltd August 2013 WL API Failure to protect computerized data from unauthorized access or changes.
Agila Specialist Private Limited September 2013 WL 211.68(b) The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data.
Smruthi Organics Ltd.’s October 2013 Statement of non-compliance with GMPs. European Union’s GMP guideline The agency observed manipulation and falsification of documents and data in different departments. There was no raw data available in the quality control laboratory for the verification of compendial analytical methods (French Health Products Safety Agency).
Ind-Swift Limited October 2013 Statement of non-compliance with GMPs. European Union’s GMP guideline It was not possible to confirm the validity of stability testing data. Several falsified and inaccurate results had been reported in long-term stability and batch testing. Discrepancies between electronic data and those results formally reported were identified. Established processes to verify data accuracy and integrity had failed, and there had been no formal investigation raised by the company. The company provided commitments to address the data integrity concerns and initiated a wider review of quality critical data. Additional discrepancies were identified in process validation and release data. During on-going communications with the licensing authority regarding the data review, the company failed to disclose data integrity issues for all products. No satisfactory explanation was given for this discrepancy (Medicines and Healthcare Products Regulatory Agency [MHRA]).
Zeta Analytical Ltd November 2013 Statement of non-compliance with GMPs. European Union’s GMP guideline The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data (MHRA).
Wockhardt Limited December 2013 WL 211.68(b) The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data.
Seikagaku Corporation December 2013 Statement of non-compliance with GMPs. European Union’s GMP guideline The critical deficiency concerns systematic rewriting/manipulation of documents, including QC raw data. The company has not been able to provide acceptable investigations and explanations to the differences seen in official and non-official versions of the same documents (Competent Authority of Sweden).
Ranbaxy Laboratories, Inc. January 2014 483 211.68(b) The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data.
Punjab Chemicals and Crop Corporation Limited January 2014 Statement of non-compliance with GMPs. European Union’s GMP guideline One individual training file of an employee has been observed to be recently re-rewritten; the batch manufacturing record was lacking details with regards to manufacturing steps and in-process controls. The sample retention logbook for Trimethoprim had falsified entries (French Health Products Safety Agency).
USV Limited February 2014 WL 211.68(b) The computer system being used for quality control laboratory did not have adequate controls to prevent unrecorded changes to data.
Canton Laboratories Private Limited February 2014 WL API The computer system being used for atomic absorption spectrophotometer did not have adequate controls to prevent unrecorded changes to data.
SOMET March 2014 Statement of non-compliance with GMPs. European Union’s GMP guideline Complete records of raw data generated during cleanliness tests by thin layer chromatography are missing (French Health Products Safety Agency).
Smruthi Organics Ltd.’s March 2014 WL API Failure to maintain complete and accurate laboratory test data generated in the course of establishing compliance of APIs to established specifications and standards.

The deficiencies found in the recent cases of data integrity include: 

  • Insufficient controls on security
  • Inconsistencies between erecs and paper-based records
  • Computer users in the laboratory being able to delete data from analyses
  • Audit trail function disabled
  • Lack of records for the acquisition or modification of laboratory data
  • Personnel sharing login IDs for systems
  • No procedure for the backup and protection of data on the standalone workstations
  • Analysts sharing the username and password for the Windows operating system
  • No computer lock mechanism being configured to prevent unauthorized access to the operating systems.

The principles set forth in Annex 11 won’t correct the behavior of the regulated users that deliberately employ unreliable or unlawful behavior.

In December 2013, the MHRA, UK’s medicines and medical devices regulatory agency, declared that as of 2014, pharmaceutical manufacturers, importers, and contract laboratories are expected to verify data integrity in the context of self-inspections.

Annex 11 Erecs Integrity Basics

Erecs integrity controls maintain and assure the accuracy and consistency of erecs over its entire lifecycle, and it is a critical aspect to the design, implementation, and usage of any system that stores, processes, or retrieves GMP-related records (i.e., regulated records in this paper) in electronic format.

The Commission Directive 2003/94/EC, setting out the legal requirements for EU GMP, establishes the basic principles of erecs integrity in its Chapter II, Article 9 (5):

“When electronic, photographic or other data processing systems are used instead of written documents, the manufacturer shall first validate the systems by showing that the data will be appropriately stored during the anticipated period of storage. Data stored by those systems shall be made readily available in legible form and shall be provided to the competent authorities at their request. The electronically stored data shall be protected, by methods such as duplication or back-up and transfer on to another storage system, against loss or damage of data, and audit trails shall be maintained.”

A similar requirement can be found in 91/412/EEC (6).

These two directives are implemented via the Annex 11. As depicted in Table II, Annex 11 covers the preservation of the content, context, and structure of the electronic records implementing the following controls on erecs, erecs storage, audit trails and periodic review, and security.

Table II: Annex 11 Clauses and Erec Lifecycle

Analysis and Design Erecs Creation, Access, and Use and Reuse Erecs Archiving Erecs Destruction
11-1 Note: Based on Annex 11-1, the implementation to the Annex 11 items listed under “Access, use and Reuse” are designed project phase. 11-4.8; 11-5; 11-6; 11-7; 11-8; 11-9;11-11; 11-12; 11-16 11-17 Discard and purged erecs according to an approved procedure.

Each of the Annex 11 clauses are implemented during the applicable system lifecyle (SLC) phase. Refer to Table III.

Annex 11 Erecs Integrity Approach

To establish the integrity of the erecs, they must be trustworthy.

In the context of the good clinical practice (GCP) (7), to consider trustworthy the electronic source data (8) and the erecs that hold those source data, a number of attributes must be achieved. These include that the data and records are:

  • Accurate 
  • Legible 
  • Contemporaneous 
  • Original 
  • Attributable 
  • Complete 
  • Consistent 
  • Enduring 
  • Available when needed.

Centered on the US National Archives and Records Administration (NARA) record management viewpoint, all of the above trustworthy attributes to an erecs can be summarized as: reliability, authenticity, integrity, and usability:

  • Reliability: A reliable record is one whose contents can be trusted as a complete and accurate representation of the transactions, activities, or facts to which they attest and can be depended upon in the course of subsequent transactions or activities (9).
  • Authenticity: A condition that proves that a record is authentic and/or genuine based on its mode (i.e., method by which a record is communicated over space or time), form (i.e., format and/or media that a record has when it is received), state of transmission (i.e., the primitiveness, completeness, and effectiveness of a record when it is initially set aside after being made or received), and manner of preservation and custody (10).
  • Integrity: Data that has retained its integrity has not been modified or tampered with.
  • Usability: In the context of erecs, usability is the extent to which the erecs can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use (11).

These attributes allow those individual who depend on the erecs to correctly fulfill their business function.

To ensure authentic, reliable, complete, and usable records, a record-keeping system must preserve the following:

  • Content: The information within the records
  • Context: The circumstances under which the records were created or received (who, when, how, and why)
  • Structure: The relationship between the parts of the record.

Regulatory Guidance

“A means of ensuring data protection should be established for all computerized systems.” (12).

If these three factors are not properly controlled, the information that the erecs must convey might not be complete, accurate, or usable.

The processing and integrity of the data initially recorded in electronic format (electronic source data) to the final output (erecs) is considered to be critical for every computer system. Added criticality can be characterized to computer systems performing decisions on product quality.

The technical and procedural controls of a computer system should address the erecs integrity issues thought the lifecycle of the records: the source data, erecs throughout the record retention period, and destruction of the record.

The validation of a computer system must address the implementation and maintenance of the controls to enable integrity, including data entered manually and automatically acquired and data processing.

Technical and procedural controls are required to maintain the accuracy, integrity, and reliability of erecs. Documentary evidence is needed to demonstrate these controls are fit for purpose, including:

  • A written specification and design that describes the purpose of the system and the system’s methodology
  • A written test plan based on the specification and design, including both structural and functional analysis
  • Test results and an evaluation of how these results demonstrate that the predetermined specification, design, and controls have been met; furthermore, periodic verifications and evaluations of the implementation of the controls to assess business and regulatory compliance.

Understanding the erecs lifecycle concept can help in conceptualizing the controls applicable to ensure authenticity and trustworthiness of the records. Creation, access, use and reuse, and, finally, destruction of erecs can be considered as the phases of erecs lifecycle The lifecycle is all phases in the life of the system from initial requirements until retirement including design, specification, programming, testing, installation, operation, and maintenance (4). Refer to Table II.

Table III: Controls Based on SLC Phase

Computer SLC Phase Records Life Cycle Erecs Controls
General Phase – Requirements Analysis
  1. Identify data and erecs integrity related controls based on a risk assessment. Manage the risks through the SLC (11-1).
  2. If data are transferred to another data format, identify the new format. (11-4.8 and 11-8.1) and control requirements (11-5).
  3. Identify interfaces (11-5) and the data to be entered manually (11-6).
  4. The requirements document must include requirement(s) uncovered during the assessments of the risks.
  5. Based on risk assessment, assess the need of audit trails (12.4) and controls to prevent unauthorized access to the application and the operating systems (11-7.1, 11-12 and 21 CFR 11.10(g)).
  6. Design the reports (11-8.1), operational system checks (21 CFR Part 11.10(f)), authority checks (21 CFR Part 11.10(g)), and device checks (21 CFR Part 11.10(h)).
Project Phase – Specification, Design, Programming, Testing, Installation Analysis
  1. As part of the qualification of the application and associated controls, test the backup and restoration procedure(s) and verify the output of the backup (11-7.2).Each backup set should be checked to ensure that it is error-free.
  2. Verify audit trail capabilities, as applicable (11-7.1).
  3. Verify accuracy of reports and audit trail reports (11-8).
  4. As applicable and based on the operational sequencing, test accuracy of erecs (11-7.1).
  5. If erecs are transferred to another format, the qualification must include checks that erecs new format are not altered/or meaning during the migration process. (11-4.8)
  6. Information technology (IT) infrastructure must be qualified to ensure security and erecs integrity. (Principle b)
Operational and Maintenance Phases Creation, Access, Use and Reuse, Archiving, Transfer, Archiving, or Destruction
  1. A means of ensuring erecs protection must be established for all computer systems (Health Canada GMP Guidelines for API (GUI-0104) Dec 2013, ICH Q7 Aug 2001, EU Annex 11-4.8, 11-5, 11-6, 11-7, 11-8.1, 11-12).
  2. Written procedures must be available for the operation and maintenance of computer systems. Performance monitoring (11-11), change control program (11-10) and erecs security (11-12), calibration and maintenance (11-10), personnel training (11-2), emergency recovery (11-16), management of incidents (11-17), erecs entry (11-6) and modifications (WHO 4.2), and periodic re-evaluation (11-11) are some of the procedures impacting erecs integrity.
  3. The procedures and records pertaining to the security of the system and security of the erecs is very important and must be based on the IT policies of the regulated user and in conformance with the relevant regulatory requirements (11-12.1).
  4. There should be written procedures for recovery of the system following a breakdown; these procedures should include documentation and record requirements to assure retrieval and maintenance of GxP information (11-16).
  5. Erecs must be secured by both physical and electronic means against damage, including unauthorized access and changes to erecs (11-12). As part of the physical security, it must be considered security to devices used to store programs, such as tapes, disks, and magnetic strip cards. Access to these devices should be controlled.
  6. Periodic (or continuous) reviews must be performed after the initial validation (11-11). As part of a periodic review, verify stored, backup an archived erecs for accessibility, readability, and accuracy; furthermore, verify the output of the backup; accuracy of audit trail. As applicable, verify accurate and reliable erecs transfer (WHO 3.2).
  7. Access to erecs should be ensured throughout the retention period (11-7.1).
  8. The electronically stored erecs should be checked regularly for availability and integrity (11-7.1).
  9. Following changes to the system, change control should ensure the availability and integrity of the erecs on the backup copies by restoring the erecs on a trial basis (11-10 and 11-7.2).
  10. Erec errors, complete loss in data, and loss in data integrity must be reported and investigated. Corrective action(s) must be taken in accordance to the investigation (11-13). The GMP regulators expect any resulting recommendations to be implemented as soon as reasonably practical.
  11. When applicable, there must be controls to prevent system turned off and erecs not captured (11-5).
  12. For critical records entered or erecs amended (WHO 4.2) manually, there should be an additional check on the accuracy of the data and only entered by authorized personnell authorized (11-6).
  13. Where an erec is deleted prior to meeting its approved retention, an audit trail of the deletion is required until the end of the approved retention period (11-7.1).
  14. When outside agencies are used to provide a computer service, there should be a formal agreement including a clear statement of the responsibilities of that outside agency (11-3.1).
Retirement Phase Erec Destruction
  1. In the context of the computer system retirement:
    • If the erecs are transferred to another erecs format or system, validation should include checks that erecs are not altered in value and/or meaning during this migration process (11-4.8).
    • If the erecs are transferred to another system, the ability to retrieve the erecs should be ensured and tested (11-7).

The above correlation establishes the applicable controls relative to the computer system lifecycle phase. Note that a risk evaluation and mitigation must be applied during the operational phase via the regular periodic reviews (11-11).

One of the most neglected areas in erecs integrity is the preservation of erecs as part of the planning to retire the computerized system-generating erecs.

The erecs preservation plan must include one of the following options:

  • Assurance that a new system will be able to retrieve erecs from previous systems
  • Preservation of previous applications
  • An archive of hard copies (when allowed)
  • Completion of system documentation and validation dossier.

After executing the erecs preservation plan, ensure that Quality Assurance (QA) Unit of the regulated user performs an audit on the preservation documentation. The audit will verify the traceability between planning and implementation and will assess the successful execution of the preservation plan (14).


Since 2004, the worldwide inspection trends have focused on data integrity. The key factor in order to consider erecs as trustworthy records is that the record-keeping functions within the computer system must preserve the content, context, and structure of the electronic records. The controls to preserve the content, context, and structure of an electronic record are comprehensively contained in the Annex 11.

These controls must be part of the design and enforced during the operations of computer systems. During the periodic reviews, the system and the risks associated with the computer system are reviewed, and the controls may be re-evaluated.


  1. European Commission, EudraLex - Volume 4 Good manufacturing practice (GMP).
  2. NIST, Special Publication 800-33: Computer Security, National Institute of Standard and Technology, December 2011.
  3. PIC/S, PIC/S Guide PI 011-1, Section 4.12, Good Practices for Computerised Systems in Regulated “GXP” Environments, August 2003.
  4. EU, EudraLex - Volume 4 Good manufacturing practice (GMP): Annex 11 Computerized Systems (January, 2011).
  5. EU, Directive 2003/94/EC, European Commission Directive Laying Down the Principles and Guidelines of Good Manufacturing Practice  for Medicinal Products for Human Use and Investigational Medicinal Products for Human Use, 2003.
  6. EU, Directive 91/412/EEC, European Commission Directive Laying Down the Principles and Guidelines of Good Manufacturing Practice for Veterinary Medicinal Products, 1991.
  7. EMA, “Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials,” EMA/INS/GCP/454280/2010, GCP Inspectors Working Group (GCP IWG), 2010.
  8. Electronic Source Data: Data initially recorded in electronic format or certified copies of original records. (EMA/ INS / GCP/ 454280 / 2010 GCP Inspectors Working Group (GCP IWG), “Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials.”  Certified Copy: A copy (paper or electronic) of original information that has been verified, as indicated by a dated signature, as an exact copy, having all of the same attributes and information as the original (FDA, Guidance for Industry – Electronic Source Data in Clinical in Clinical Investigations (Rockville, MD, Sept. 2013).
  9. National Archives and Records Administration, USA National Archive.
  10. DOD, 5015.2-STD Electronic Records Management Software Applications Design Criteria Standard, USA Department of Defense (Washington, D.C., April 25th, 2007).
  11. ISO 9241, Ergonomics of Human System Interaction, August 2009.
  12. HC-GC, Health Canada GMP Guidelines for API (GUI-0104) (Ottawa, CA, December 6th, 2013) and ICH Q7, Good Manufacturing Practices for Active Pharmaceutical Ingredients (Geneva, CH, November 10th, 2000).

General References 

  1. CEFIC, Computer Validation Guide, API Committee of CEFIC, December 2002.
  2. ISPE/PDA, Good Electronic Records Management (GERM), 2002.
  3. WHO, “Validation of Computerized Systems, Annex 4, Part 5” Technical Report Series 937, 2006,
  4. G. Wingate, Validating Automated Manufacturing and Laboratory Applications: Putting Principles into Practice, Taylor & Francis, 1997.
  5. O. López, “Maintaining the Validated State in Computer Systems,Journal of GXP Compliance 17 (2), 2013, available here.

Product Added Successfully

This product has been added to your account and you can access it from your dashboard. As a member, you are entitled to a total of 0 products.

Do you want access to more of our products? Upgrade your membership now!

Your Product count is over the limit

Do you want access to more of our products? Upgrade your membership now!

Product added to cart successfully.

You can continue shopping or proceed to checkout.

Comments (0)

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Use to create page breaks.
Enter the characters shown in the image.
Validated Cloud logo