Why This Comparison Matters for Automation Engineers
If your client is a pharmaceutical company selling into both the US and European markets — which most large companies do — your SCADA system will need to satisfy both 21 CFR Part 11 and EU GMP Annex 11 simultaneously. They are not identical. Building to one and assuming the other is covered is a risk that surfaces at the worst possible moment: during a regulatory inspection.
The good news is that the overlap is significant. An engineer who understands the differences can design a system that satisfies both with minimal additional effort. The key is knowing which specific requirements differ — and there are only a handful that matter in practice.
21 CFR Part 11 is US federal law, enforceable by the FDA. EU GMP Annex 11 is European Union GMP guidance, enforced by national competent authorities (MHRA in the UK, BfArM in Germany, ANSM in France, etc.). Both carry the same practical weight — a finding under either can result in a warning letter or manufacturing suspension.
Origins and Structure
21 CFR Part 11 was published by the FDA in 1997 and has been amended infrequently since. It is a prescriptive regulation — it states specific requirements using "shall" language. It was written primarily in response to early concerns about data integrity in electronic systems replacing paper records.
EU GMP Annex 11 was first published in 1992 and significantly revised in 2011. Unlike Part 11, it is structured as guidance rather than hard regulation — it uses "should" language throughout, giving companies more flexibility in how they demonstrate compliance. A 2025 revision is in progress and expected to address cloud computing, remote access, and AI more explicitly.
The structural difference matters: Part 11 tells you what you must do with precision. Annex 11 tells you what outcomes you should achieve, and expects you to justify your approach through risk management.
The Detailed Comparison
The Four Differences That Actually Matter
Most requirements in both regulations are aligned closely enough that a system built to satisfy one will satisfy the other. But there are four areas where the requirements genuinely diverge and where engineers sometimes get caught out.
1. Scope — Annex 11 is broader
Part 11 applies only to electronic records and electronic signatures. A system that has no e-records or e-signatures — a PLC controlling a process that is documented entirely on paper — is technically outside Part 11 scope.
Annex 11 applies to all computerised systems used in GMP-regulated activities, regardless of whether they generate electronic records. This means even a PLC-only system without SCADA or historian needs to be considered under Annex 11.
2. Business continuity — Annex 11 is explicit
Annex 11 §16 explicitly requires that arrangements exist to ensure continuity of support for computerised systems in the event of a breakdown, and that backup and recovery procedures are tested. Your Validation Plan and the Recovery and Backup Procedure must document this.
Part 11 addresses this only implicitly through the record protection requirement (§11.10(c)). In practice, FDA inspectors expect to see backup and recovery testing regardless — but Annex 11 makes it unambiguous.
3. ALCOA+ — Annex 11 names it explicitly
Annex 11 is built around the ALCOA+ principles for data integrity: Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, and Available. These are referenced throughout the guidance and expected to be demonstrated in your validation evidence.
Part 11 has equivalent requirements scattered across §11.10 subsections, but never consolidates them under the ALCOA+ framework by name. If your client's QA team uses ALCOA+ language in their audit — and most EU-trained QA teams do — you need to be able to map your OQ evidence to each principle.
4. Supplier/vendor management — Annex 11 is more detailed
Annex 11 §3 dedicates significant attention to supplier assessment — evaluating the supplier's quality management system, technical competence, and ongoing support arrangements before contract award. The GAMP 5 validation lifecycle formalises this through the Supplier Assessment Questionnaire (SAQ) and Supplier Assessment Report (SAR).
Part 11 addresses vendor involvement primarily through the validation requirement itself — if the vendor supplied software that's in scope, that software must be validated. The explicit pre-contract assessment process is an Annex 11 addition.
Build your system to satisfy Annex 11 and you will satisfy Part 11. Annex 11 is broader in scope, more explicit on business continuity and supplier management, and uses a risk-based approach that covers everything Part 11 requires. The reverse is not always true — Part 11 compliance does not guarantee Annex 11 compliance.
Mapping Your OQ Evidence to Both Regulations
In practice, your OQ protocol needs to reference both regulations in a way that satisfies an inspector checking compliance with either. The most efficient approach is to add a regulatory reference column to each test case that cites both the Annex 11 section and the Part 11 section being evidenced.
For example, an audit trail test case would reference: Annex 11 §9 / 21 CFR Part 11.10(e). An access control test case would reference: Annex 11 §12 / 21 CFR Part 11.10(d). This dual referencing is exactly how the QLean OQ template is structured — each test case includes the regulatory clause column pre-populated.
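The dual-reference column and the ALCOA+ mapping described above can be checked mechanically before a protocol goes to QA. The following is an added example, not part of the QLean template or the original article: the CSV layout, the test IDs and titles, and the `alcoa` column are constructed assumptions, and only the clause citations come from the text.

```python
import csv
import io
import re

ALCOA_PLUS = ["Attributable", "Legible", "Contemporaneous", "Original", "Accurate",
              "Complete", "Consistent", "Enduring", "Available"]

# Citation formats as written in the article: "Annex 11 §9" and "21 CFR Part 11.10(e)".
ANNEX11 = re.compile(r"Annex 11 §\s*(\d+)")
PART11 = re.compile(r"Part 11\.(\d+\([a-z]\))")

# Constructed sample OQ index (hypothetical test cases, not real validation evidence).
SAMPLE_OQ = """test_id,title,regulatory_reference,alcoa
OQ-001,Audit trail records setpoint change,Annex 11 §9 / 21 CFR Part 11.10(e),Attributable;Contemporaneous;Complete
OQ-002,Operator role cannot edit recipes,Annex 11 §12 / 21 CFR Part 11.10(d),Attributable
OQ-003,Backup restore of historian data,Annex 11 §16,Enduring;Available
OQ-004,Alarm log export is readable,,Legible
"""

def review_oq_index(csv_text):
    """Return (citation gaps per test case, ALCOA+ principles with no evidence)."""
    findings, covered = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref = row["regulatory_reference"] or ""
        missing = []
        if not ANNEX11.search(ref):
            missing.append("Annex 11")
        if not PART11.search(ref):
            missing.append("Part 11")
        if missing:
            findings[row["test_id"]] = missing
        for name in (row["alcoa"] or "").split(";"):
            name = name.strip()
            if name in ALCOA_PLUS:
                covered.add(name)
            elif name:  # a typo here would silently hide a coverage gap
                findings.setdefault(row["test_id"], []).append(f"unknown principle: {name}")
    uncovered = [p for p in ALCOA_PLUS if p not in covered]
    return findings, uncovered

if __name__ == "__main__":
    gaps, uncovered = review_oq_index(SAMPLE_OQ)
    for test_id, problems in gaps.items():
        print(f"{test_id}: missing or invalid -> {', '.join(problems)}")
    print("ALCOA+ principles without OQ evidence:", ", ".join(uncovered))
```

The backup test case (OQ-003) is flagged because it cites only Annex 11 §16; the Part 11 side of that requirement is the implicit §11.10(c) record-protection clause and still needs to be written into the column.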
The 2025 Annex 11 Revision — What to Expect
A revised Annex 11 is in consultation and expected to be finalised in 2026. The draft revision is known to address cloud computing arrangements, remote access and remote support, artificial intelligence in GMP systems, and cybersecurity requirements more explicitly than the current 2011 version.
For most PLC/SCADA projects in 2026, the current 2011 Annex 11 remains the operative document. The revision will not affect the core requirements covered in this article — audit trails, access control, validation, and data integrity — but will add new considerations for cloud-hosted or AI-assisted systems.
Every OQ test case in the template includes a regulatory reference column pre-populated with both the Annex 11 section and the 21 CFR Part 11 clause. The URS template includes an ALCOA+ data integrity section with requirements mapped explicitly to each principle. The Validation Plan includes a section on applicable regulations that covers both frameworks simultaneously.