Annex 11.1
Risk management
Risk assessment documented per system; a living artefact, not a one-time document.
Regulatory backbone · Pharma · Biotech · MedTech
GAMP 5, Annex 11 and 21 CFR Part 11 — the regulation your validation stands on.
Risk-based validation per GAMP 5 Second Edition, EU GMP Annex 11 and FDA 21 CFR Part 11 — for a validation that holds under audit, without becoming a validation programme of its own.
01
GAMP 5 Second Edition
Risk-based · lifecycle · critical thinking
02
EU GMP Annex 11
17 control points · EMA · BfArM
03
21 CFR Part 11 + CSA
E-signatures · audit trail · CSA bridge
100 % audit pass rate
0 critical findings
60+ validated systems
FDA · EMA · BfArM inspections
01 GAMP 5
GAMP 5 ist mehr als „ein Framework".
The 2022 Second Edition shifts the focus from compliance documentation to critical-thinking risk-based decisions. Where it helps — and where it doesn't.
GAMP 5 — the ISPE guide — defines a risk-based, lifecycle-oriented and critical-thinking-centred validation approach. Five categories of computerised systems (1 / 3 / 4 / 5), explicit testing rigor per category, and an end-to-end qualification framework that maps onto Annex 11 and 21 CFR Part 11.
- Risk-based — testing rigor scales with patient/data-integrity risk, not with software complexity.
- Lifecycle — every phase from concept to retirement is mapped, including operation and decommissioning.
- Critical thinking — qualified decisions over predefined test scripts.
The Second Edition (2022) addresses what changed in pharma IT since 2008: cloud, agile delivery, continuous SaaS releases, and the FDA's CSA initiative as bridge to a risk-based approach.
- Stronger critical-thinking emphasis — fewer prescribed test artefacts, more qualified rationale.
- Cloud + agile lifecycle — guidance on continuous validation in SaaS/PaaS contexts.
- CSA bridge — explicit mapping to the FDA Computer Software Assurance guidance (2022 final).
GAMP 5 is a framework — not a project plan. Three areas where it deliberately stops, and where consulting adds value:
- Concrete test protocols — GAMP 5 sets categories and rigor, not the actual test steps per platform.
- Platform-specific approach — what works for SAP differs from Veeva or MES. GAMP 5 is platform-neutral by design.
- Validation velocity — "how to cut from 14 to 9 months" is not a GAMP-5 chapter.
02 Annex 11
What EU inspectors really check — the 17 Annex-11 points.
Each card maps to one of the 17 Annex-11 control points. The heat marker shows how often this point appears in BfArM, EMA and Swissmedic findings (from our project experience).
Annex 11.2
Personnel
Qualification records and defined responsibilities; training logs in a consistent chain.
Annex 11.3
Suppliers + service providers
Supplier audits with the right depth; cloud/SaaS vendors require clear responsibility separation.
Annex 11.4.1
Validation master plan
Strategy document with scope, responsibilities, risk categorisation; lives with every system change.
Annex 11.4.2
Specifications + requirements
URS, FS, DS with clear traceability across all test phases.
Annex 11.5
Data transfer + migration
Migration validation with clear acceptance criteria; sampling plans with statistical reasoning.
Annex 11.6
Accuracy checks
Plausibility checks for critical data entries; automated checks where possible.
Annex 11.7.1
Data storage + backup
Backup strategy with restore tests; retention obligations defined per data category.
Annex 11.7.2
Data integrity (ALCOA+)
ALCOA+ end-to-end: Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, Available.
Annex 11.8
Printouts
Printouts from GxP systems with clear status marking and audit-trail reference.
Annex 11.9
Audit trails
Audit-trail reviews with documented periodicity and escalation paths; most frequent inspector finding.
Annex 11.10
Change management
Separate change vs. configuration; every change with risk assessment and re-test scope.
Annex 11.11
Periodic evaluation
Periodic review per system; living risk assessment rather than one-off initial evaluation.
Annex 11.12
Security
Access control, role concept, regular permission reviews; segregation of duties.
Annex 11.13
Incident management
Deviation and CAPA handling with audit-trail linkage; measure and report closure rates.
Annex 11.14
Electronic signatures
E-signature workflows per Annex 11.14 + 21 CFR Part 11; ensure equivalence to handwriting.
Annex 11.15
Batch release
Batch release gate with four-eyes principle; every release traceable to operator, equipment, method.
Annex 11.16
Business continuity
DR plan with tested recovery times; Annex 11.16 expects documented BCP exercises.
Annex 11.17
Archiving
Long-term archiving with defined retention; read-back tests at regular intervals.
Findings:
frequent
medium
rare
03 21 CFR Part 11 + FDA CSA
The US complement and the bridge to risk-based.
A validation programme has to serve EMA and FDA simultaneously. The two regimes share roots but enforce differently — here's the practical mapping.
EU
EMA · BfArM · Swissmedic
-
Annex 11 + GMP chapter 4
EU GMP Guide as primary anchor; Annex 11 covers 17 control points for computerised systems.
-
Strong focus on QP responsibility
Qualified Person (QP) signs every batch release — Annex 11 derives back to that signature.
-
Documentation-heavy inspections
EU inspectors typically request the validation master plan, change logs and audit-trail reviews up-front.
US
FDA · ORA
-
21 CFR Part 11 + CSA Guidance
Part 11 covers electronic signatures and records; CSA (final 2022) reframes validation as critical-thinking risk assessment.
-
Predicate-rule logic
Part 11 sits on top of predicate rules (e.g. 21 CFR 211, 820). Always validate the predicate first, then Part 11.
-
Field-investigator style inspections
FDA ORA investigators emphasise live walkthroughs, operator interviews and observed practice over paper alone.
04 Risk-based
More test scripts ≠ more compliance.
The four GAMP categories (1 / 3 / 4 / 5) define how much testing rigor a system needs. Most programmes over-test the lower categories and under-test the top. We re-balance.
Kat. 5
Custom
applications
applications
Bespoke software, in-house development. Full lifecycle validation with URS, FS, DS, FAT/SAT, OQ/PQ. Document-heavy, risk-justified at every step.
~100 % effort baseline
Kat. 4
Configured
products
products
Commercial platforms with custom configuration (SAP, Veeva Vault, MasterControl). Configuration boundaries decide the test scope.
~60 % vs Cat 5
Kat. 3
Non-configured
products
products
Off-the-shelf software used as-is. Vendor audit + supplier qualification often cover most of the validation effort.
~25 % vs Cat 5
Kat. 1
Infrastructure
Operating systems, databases, network infrastructure. Qualified via IT operations control, not via individual validation.
~10 % vs Cat 5Effort numbers are typical baselines from our 60+ system audits — your platform mix may differ.
05 Inspection-ready
The inspection day — walked through before the inspector arrives.
Pre-inspection walkthrough · mock audit · on-day support. The full three-step preparation belongs to its own service page — here just the connection.
Track record
15+ years of GAMP 5, Annex 11, 21 CFR Part 11 in practice.
100%
audit pass rate
FDA · EMA · BfArM · Swissmedic
60+
validated systems
LIMS · MES · Veeva · SAP · MasterControl · eQMS
0
critical findings
on systems under our responsibility
15+
years of practice
Pharma · Biotech · MedTech
06 FAQ
Common questions before the first conversation.
We already have a validation master plan. Do we still need GAMP-5 consulting?
Often yes — selectively. The master plan is a strategy document; consulting comes in where critical-thinking rationales are missing, test scripts are over-dimensioned, or cloud/SaaS portions are validated under 2008-era logic. We typically run a half-day gap walk before proposing a consulting scope.
How compatible is GAMP 5 with CSA? Do we need to run two programmes?
No. CSA and GAMP 5 Second Edition share the critical-thinking core. A well-structured GAMP 5 programme serves CSA simultaneously — without duplicate test artefacts. The art is in the setup: structure risk assessment, test templates and traceability so both inspector logics are served.
What if we have gaps in our Annex 11 implementation and an inspection is 8 weeks away?
8 weeks is enough for a focused audit preparation. We start with a 1-day walkthrough, identify the top 4–6 risks, document closure paths for the most critical points, and run 1–2 mock audits. Honestly: 8 weeks beats 4. If you have less time, we tell you straight.
How do you handle GxP systems in Category 5 (Custom)?
Category 5 requires full lifecycle validation — but with critical-thinking risk assessment per component. We work modularly: critical components get full depth, less critical ones get risk-based reduced depth. This saves 30–40 % test effort on a typical custom system vs. "validate everything fully".
What does GAMP-5 compliance consulting cost?
Day-rate based, with clear phase gates. A typical initial walkthrough is 1–2 consulting days; a full audit preparation programme ranges between 8 and 20 days depending on scope. We always start with a 2-week initial phase before long-term commitments — so both sides know what makes sense.
Let's make your project
audit-proof.
Your project deserves a validation that accelerates go-live — not blocks it. Benefit from the assurance of 60+ successful projects.
60+
Projects
15+
Years
100 %
Audit-Pass
0
Findings
Free initial assessment · Focus on your project, not slides