EU GMP Annex 11 Compliance

This document maps Cohera platform features to EU GMP Annex 11 requirements for computerized systems. Annex 11 applies to all forms of computerized systems used as part of GMP regulated activities.

EU GMP Annex 11 (revised 2011) provides guidance on computerized systems used in pharmaceutical manufacturing and quality management. It emphasizes risk management, data integrity, and proper validation throughout the system lifecycle.

| Requirement | Cohera Implementation |
| --- | --- |
| Risk assessment throughout lifecycle | Cohera provides system documentation supporting risk assessment. Platform architecture designed to mitigate common risks. |
| Risk-based validation approach | Validation documentation supports risk-based approach per GAMP 5. System complexity documented for categorization. |

| Requirement | Cohera Implementation |
| --- | --- |
| Defined responsibilities | Role-based access control supports defined responsibilities. Permissions documented per role. |
| Training documentation | Training acknowledgment workflows available. System access requires documented training completion. |
| IT and GMP cooperation | Platform documentation supports collaboration between IT and QA teams. |

| Requirement | Cohera Implementation |
| --- | --- |
| Supplier qualification | Cohera maintains ISO 27001 certification, SOC 2 Type II audit reports available. |
| Formal agreements | Service Level Agreement (SLA) documents responsibilities and service levels. |
| Audit rights | Customer audit rights documented in contract. Remote and on-site audits supported. |

| Requirement | Cohera Implementation |
| --- | --- |
| Documented evidence | IQ/OQ/PQ protocols provided. Test scripts and expected results documented. |
| User requirements | URS template provided for customer requirements documentation. |
| Quality and functionality | Validation covers all quality-critical functions. Traceability matrix links requirements to tests. |
| Change control | All platform changes undergo documented change control process. Release notes document changes and validation impact. |

| Requirement | Cohera Implementation |
| --- | --- |
| Built-in checks | Input validation, range checks, and format validation enforced. |
| Data integrity | ALCOA+ principles implemented throughout platform. |
| Manual entries | Manual data entry logged with user attribution. |
| Critical data verification | System supports second-person verification workflows. |

| Requirement | Cohera Implementation |
| --- | --- |
| Input/output verification | Data validation on entry. Export verification checksums. |
| Critical processing | Critical calculations logged with audit trail. |

| Requirement | Cohera Implementation |
| --- | --- |
| Physical and logical security | Data encrypted at rest (AES-256) and in transit (TLS 1.3). Access controlled by authentication and authorization. |
| Backup verification | Automated backups with integrity verification. Recovery testing documented. |
| Accessibility throughout retention | Data remains accessible throughout configured retention period (up to 25 years). |
| Data migration testing | Data migration procedures documented and tested during upgrades. |

| Requirement | Cohera Implementation |
| --- | --- |
| Clear copies | Data exportable in clear, readable formats (PDF, CSV, Excel). |
| Audit trail printout | Complete audit trails exportable with all required fields. |
| Data change indication | Printed records indicate current status and version. |

| Requirement | Cohera Implementation |
| --- | --- |
| GMP relevant changes recorded | All changes to GMP data recorded with: timestamp, user ID, before value, after value. |
| Create, modify, delete operations | All CRUD operations logged. Deletions are soft-deletes with full audit trail. |
| Record linkage | Audit records linked to source records. Cannot be deleted independently. |
| Regular review | Audit trail review workflows available. Reports for trend analysis. |

| Requirement | Cohera Implementation |
| --- | --- |
| Configuration documentation | System configuration documented and versioned. |
| Controlled changes | Platform changes follow documented SDLC. Customer configuration changes logged. |
| Validated state maintenance | Validation status tracked. Impact assessment provided with releases. |

| Requirement | Cohera Implementation |
| --- | --- |
| Performance review | System health dashboards and metrics available. |
| Functionality verification | Platform functionality verified with each release through automated testing. |
| Validation status assessment | Annual review support documentation provided. |

| Requirement | Cohera Implementation |
| --- | --- |
| Physical and logical controls | Multi-layer security architecture. Data center security per ISO 27001. |
| Record protection | Records protected from unauthorized modification. Encryption at rest and in transit. |
| Authentication mechanisms | Username/password with configurable complexity. MFA available. SSO integration supported. |
| Authorization records | Permission changes logged in audit trail. |
| Access control management | Role-based access control. User provisioning/deprovisioning workflows. |
| Data management systems | Security controls apply to archived and backup data. |

| Requirement | Cohera Implementation |
| --- | --- |
| Incident reporting | Security incident reporting procedures documented. Customer notification within 24 hours for critical incidents. |
| Root cause analysis | Incident investigation and remediation documented. |
| Corrective/preventive actions | CAPA process for significant incidents. |

| Requirement | Cohera Implementation |
| --- | --- |
| Binding and equivalence | Electronic signatures permanently linked to records. Legally binding per agreement. |
| Date and time inclusion | Signature timestamp recorded with each signature. |
| Authority verification | System validates signer has required authority for specific signature type. |

| Requirement | Cohera Implementation |
| --- | --- |
| QP release support | Batch release workflows support Qualified Person review and release. |
| Electronic record review | All batch-related records accessible for review prior to release. |
| Release signature | QP release signature captured with meaning and timestamp. |

| Requirement | Cohera Implementation |
| --- | --- |
| Continuity measures | Redundant infrastructure across availability zones. |
| Documented procedures | Business continuity and disaster recovery procedures documented. |
| Manual operations | Manual backup procedures documented for critical failures. |
| Restoration testing | Disaster recovery testing performed and documented annually. |

| Requirement | Cohera Implementation |
| --- | --- |
| Data archiving | Automated archiving based on retention policies. |
| Integrity and accessibility | Archived data integrity verified. Accessible throughout retention period. |
| Retrieval procedures | Data retrieval procedures documented. Export available in standard formats. |

Cohera implements ALCOA+ principles:

```
ALCOA+ Principle   Cohera Control
─────────────────  ──────────────────────────────────────
Attributable       User ID linked to every action
Legible            Clear data display, PDF export
Contemporaneous    Real-time timestamping (UTC)
Original           Original records preserved immutably
Accurate           Input validation, checksums
Complete           Audit trail with no gaps
Consistent         Standardized data entry, workflows
Enduring           Encrypted storage, redundancy
Available          24/7 access, export capability
```

Every audit record includes:

| Field | Description |
| --- | --- |
| `timestamp` | UTC timestamp of action |
| `user_id` | Unique identifier of acting user |
| `user_name` | Full name of acting user |
| `action` | Type of action (create, update, delete, etc.) |
| `entity_type` | Type of record affected |
| `entity_id` | Unique identifier of affected record |
| `previous_value` | Value before change (for updates) |
| `new_value` | Value after change (for updates) |
| `reason` | User-provided reason (when required) |
| `signature_id` | Associated electronic signature (if applicable) |
| `client_info` | IP address, user agent |

```json
{
  "signature_id": "sig_abc123def456",
  "record_type": "deviation",
  "record_id": "qe_deviation_789",
  "action": "approval",
  "meaning": "I have reviewed this deviation and approve its closure",
  "signer": {
    "user_id": "user_quality_manager",
    "name": "Dr. Maria Schmidt",
    "role": "Quality Manager",
    "email": "m.schmidt@pharma.com"
  },
  "timestamp": "2024-01-20T14:30:00Z",
  "record_hash": "sha256:abc123...",
  "verification_status": "valid"
}
```
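
An added example, not Cohera code: a reviewer-side check over an audit-trail export that uses the audit record fields and the signature record's `record_id` shown above. The export shape (a chronologically ordered list of dicts), the `signatures` lookup keyed by `signature_id`, and the checks themselves are assumptions; the sample records are constructed.

```python
from datetime import datetime

# Field names come from the audit record table; the checks are assumptions, not Cohera logic.
REQUIRED = ("timestamp", "user_id", "user_name", "action", "entity_type", "entity_id")

def review_audit_trail(records, signatures):
    """Return (index, finding) pairs for a chronologically ordered export."""
    findings, last_value, last_ts = [], {}, None
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            findings.append((i, "missing: " + ",".join(missing)))
            continue
        try:  # contemporaneous: UTC timestamps that never go backwards
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except (TypeError, ValueError):
            findings.append((i, "timestamp not in UTC ISO 8601 form"))
            ts = last_ts
        if last_ts and ts and ts < last_ts:
            findings.append((i, "timestamp out of order"))
        last_ts = ts
        key = (rec["entity_type"], rec["entity_id"])
        if rec["action"] == "update":
            if "previous_value" not in rec or "new_value" not in rec:
                findings.append((i, "update without before/after values"))
            elif key in last_value and rec["previous_value"] != last_value[key]:
                findings.append((i, "previous_value breaks the value chain"))
        if "new_value" in rec:
            last_value[key] = rec["new_value"]
        sig = rec.get("signature_id")
        if sig and signatures.get(sig, {}).get("record_id") != rec["entity_id"]:
            findings.append((i, "signature not bound to this record"))
    return findings

def sample(ts, action, **extra):  # builds one constructed audit record
    base = {"timestamp": ts, "user_id": "u1", "user_name": "A. Example",
            "action": action, "entity_type": "deviation", "entity_id": "dev_1"}
    return {**base, **extra}

SIGNATURES = {"sig_2": {"record_id": "dev_9"}}  # constructed; points at another record
RECORDS = [
    sample("2024-01-20T14:00:00Z", "create", new_value="open"),
    sample("2024-01-20T14:10:00Z", "update", previous_value="open", new_value="review"),
    sample("2024-01-20T14:20:00Z", "update", previous_value="open", new_value="closed"),
    sample("2024-01-20T14:15:00Z", "approval", signature_id="sig_2"),
]

if __name__ == "__main__":
    print(review_audit_trail(RECORDS, SIGNATURES))
```

Findings on the sample flag the third record (its `previous_value` does not match the prior `new_value`) and the fourth (timestamp earlier than its predecessor, signature tied to a different record).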

Cohera provides:

| Document | Purpose |
| --- | --- |
| System Overview | Architecture and design description |
| Functional Specification | Detailed feature documentation |
| User Requirements Template | Template for customer URS |
| IQ Protocol | Installation verification tests |
| OQ Protocol | Operational functionality tests |
| PQ Protocol | Performance verification tests |
| Traceability Matrix | Requirements to test mapping |
| SOPs | Operating procedures |

Annual validation review should verify:

  • System remains in validated state
  • All changes properly controlled
  • Audit trail integrity maintained
  • Security controls functioning
  • User access appropriately managed
  • Backup/restore tested
  • Incidents properly managed
  • Training records current

Generate Annex 11 compliance reports:

```bash
curl -X POST "https://api.cohera.io/v1/audit-logs/reports/annex11" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "2024-01-01T00:00:00Z",
    "to": "2024-03-31T23:59:59Z",
    "include_sections": [
      "data_integrity",
      "audit_trail_review",
      "electronic_signatures",
      "access_control_review",
      "change_control"
    ]
  }'
```