EU GMP Annex 11

Compliance
checklist
This checklist is a nexus of EU GMP Annex 11’s clauses and
Scilife expertise. As a leading SaaS platform, Scilife’s QMS
harmonizes seamlessly with these mandates, guiding your
digital transformation path. This matrix unveils alignment
and synergy, where regulations find their match in Scilife's
functionalities.

EU GMP Annex 11 is a guidance document that

supplements
the EU's GMP rules and provides guidelines for
computerized systems used in GMP-regulated activities in
the Life Sciences.
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

Validation

Risk management should be applied throughout the lifecycle of

As part of the qualification, testing is
the computerised system taking into account patient safety, data
Risk done against Functional Specifications,
integrity and product quality. As part of a risk management
1 Managemen No as per defined validation procedure and
system, decisions on the extent of validation and data integrity
t individual validation plans developed
controls should be based on a justified and documented risk
for modules, to minimize the risks.
assessment of the computerised system.

Internal policies for acceptable use,

There should be close cooperation between all relevant personnel
data integrity and access control are
such as Process Owner, System Owner, Qualified Persons and IT.
established.
2 Personnel All personnel should have appropriate qualifications, level of Yes
access and defined responsibilities to carry out their assigned
Training management isdone as per
duties.
defined procedure.
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

When third parties (e.g. suppliers, service providers) are used

e.g. to provide, install, configure, integrate, validate, maintain
(e.g. via remote access), modify or retain a computerised system
or related service or for data processing, formal agreements must
exist between the manufacturer and any third parties, and these
agreements should include clear statements of the
responsibilities of the third party.
Supplier management is followed as
per defined procedure.
Suppliers The competence and reliability of a supplier are key factors when
3 and Service selecting a product or service provider. The need for an audit Yes
Suppliers assessments, change
Providers should be based on a risk assessment.
management,and agreements are
performed and available.
Documentation supplied with commercial off-the-shelf products
should be reviewed by regulated users to check that user
requirements are fulfilled.

Quality system and audit information relating to suppliers or

developers of software and implemented systems should be
made available to inspectors on request.

Validation documentation is prepared

The validation documentation and reports should cover the according to Scilife’s procedure and
4 Validation Yes
relevant steps of the life cycle. individual validation plans for each
module.
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

Computerized systems exchanging data electronically with other

systems should include appropriate built-in checks for the correct
5 Data No No data is exchanged by the system
and secure entry and processing of data, in order to minimize the
risks.

For critical data entered manually, there should be an additional System requires unique User IDs and
check on the accuracy of the data. This check may be done by a mandatory passwords for each active
Accuracy
6 second operator or by validated electronic means. The criticality Yes user. System requires authentication
checks
and the potential consequences of erroneous or incorrectly for any deletion and modification in the
entered data to a system should be covered by risk management. system.

Records are maintained till retention

Data should be secured by both physical and electronic means period.
Data against damage. Stored data should be checked for accessibility, Only authorized users can have access
7 Yes
Storage readability and accuracy. Access to data should be ensured to records, using user ID and password.
throughout the retention period. Additionally MFA authentication can be
configured.

Regular back-ups of all relevant data should be done. Integrity Back-ups, integrity and accuracy
Data
8 and accuracy of backup data and the ability to restore the data Yes checks are done as per defined
Storage
should be checked during validation and monitored periodically. procedure.
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

Audit trails available in viewable and

printable in human-readable form.
System allows the user to view and
It should be possible to obtain clear printed copies of
9 Printouts Yes print entire contents of records. When
electronically stored data.
electronic records are displayed,
printed, or copied, their meaning and
content are preserved.

Audit trail is available in the application

Consideration should be given, based on a risk assessment, to which records all operator entries with
building into the system the creation of a record of all GMP- user name, date, time and action
relevant changes and deletions (a system generated "audit performed.
10 Audit trails trail"). For change or deletion of GMP-relevant data the reason Yes All records changes in the application
should be documented. Audit trails need to be available and are version controlled and audit trail is
convertible to a generally intelligible form and regularly view only.
reviewed. Audit trail are retained and are
available for review and copy.

Change and
configuratio Any changes to a computerized system including system
Changes are made as per predefined
11 n configurations should only be made in a controlled manner in 12 Yes
procedure
managemen accordance with a defined procedure
t
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

Computerized systems should be periodically evaluated to

confirm that they remain in a valid state and are compliant with
Periodic GMP. Such evaluations should include, where appropriate, the Periodic evaluation is made as per
13 14 Yes
evaluation current range of functionality, deviation records, incidents, predefined procedure
problems, upgrade history, performance, reliability, security and
validation status reports.

Physical and/or logical controls should be in place to restrict

access to computerized system to authorized persons. Suitable Access is restricted to authorized users.
methods of preventing unauthorized entry to the system may
include the use of keys, pass cards, personal codes with System requires unique User IDs and
passwords, biometrics, restricted access to computer equipment mandatory passwords for each active
and data storage areas. user.

The extent of security controls depends on the criticality of the System asks for electronic signature for
15 Security 16 Yes
computerized system. creation, modification or confirmation
of records as per module
Creation, change, and cancellation of access authorizations configurations.
should be recorded. Each executed electronic signature
contains printed name of the signer,
Management systems for data and for documents should be date and time of signature and
designed to record the identity of operators entering, changing, meaning of the signature.
confirming or deleting data including date and time.
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

All incidents, not only system failures and data errors, should be
Incident
reported and assessed. The root cause of a critical incident Incidents are reported and assessed as
17 Managemen 18 Yes
should be identified and should form the basis of corrective and per defined procedure
t
preventive actions.

System asks for electronic signature for

Electronic records may be signed electronically. Electronic creation, modification or confirmation
signatures are expected to: of records as per module
Electronic a. have the same impact as hand-written signatures within the configurations.
19 Yes
signature boundaries of the compan Each executed electronic signature
b. be permanently linked to their respective record contains printed name of the signer,
c. include the time and date that they were applied. date and time of signature and
meaning of the signature.

When a computerised system is used for recording certification

System enforces electronic signature
and batch release, the system should allow only Qualified Persons
Batch authentication with name of the signer,
20 to certify the release of the batches and it should clearly identify Yes
release date and time of signature & meaning
and record the person releasing or certifying the batches. This
of the signature.
should be performed using an electronic signature.
 APPLICABLE
ITEM # & TITLE REQUIREMENT / DESCRIPTION EXPLANATION
YES/NO

For the availability of computerized systems supporting critical

processes, provisions should be made to ensure continuity of
support for those processes in the event of a system breakdown Defined procedures are established to
Business (e.g. a manual or alternative system). The time required to bring handle events and incidents, requiring
21 Yes
continuity the alternative arrangements into use should be based on risk proper management and disaster
and appropriate for a particular system and the business process recovery plan.
it supports. These arrangements should be adequately
documented and tested.

Data may be archived. This data should be checked for

accessibility, readability, and integrity. If relevant changes are to
22 Archiving be made to the system (e.g. computer equipment or programs), 23 Yes As per defined procedures
then the ability to retrieve the data should be ensured and
tested.