Comparison of FDA’s Part 11 and the EU’s Annex 11

Introduction
The relationship between FDA’s Part 11 (21 CFR Part 11) and the European
Union’s Annex 11 (EUDRALEX Rules Governing Medicinal Products in the
European Union, Volume 4, Good Manufacturing Practice, Medicinal Products
for Human and Veterinary Use) diverges in philosophy. Both documents cover
the same topic, the use of computerized systems in regulated activities. However, the approach of Part
11 is to make clear there are requirements to be met in order to conform to regulations. The emphasis is
on activities and reporting.

In contrast, the approach of Annex 11 is to make clear how to conform to its rules. Annex 11 is a
detailed guide to the areas of compliance that need documentation. A significant difference is the
approach to risk management. Annex 11 points to risk assessment as the start of compliance activities.
Part 11 differentiates security for open and closed systems, with extra security measures for open
systems but without reference to risk or criticality. The aggregate of these differences is represented
visually with the point-to-point comparison matrix shown below.

Table 1: High Level Comparison of Annex 11 and Part 11

Annex 11 Part 11

Computerized systems as part of GMP

Electronic records and electronic
regulated activities.
Scope/Principle signatures as used for all FDA
Application should be validated.
regulated activities.
IT infrastructure should be qualified.

Using electronic records and

Risk- based quality management of
Focus signatures in open and closed
computerized systems.
computer systems.

Using a computerized system should Electronic records and signatures

ensure the same product quality and should be as trustworthy and reliable
Objective
quality assurance as manual systems as paper records and handwritten
with no increase in the overall risk. signatures.

EduQuest, Inc. * 1896 Urbana Pike, #14, Hyattstown, MD 20871 USA* www.EduQuest.net * +1 (301) 874-6031
 Comparison of FDA’s Part 11 and the EU’s Annex 11

Table 2: Cross-Reference from Annex 11 to Part 11

Annex 11 Annex 11 Part 11 Cross Reference

Section No. Title (substantially equivalent)
11.2(b)- Implementation
Principle
11.10(a)- Validation
General
1 Risk Management not covered
2 Personnel 11.10(i)- Personnel
3 Suppliers and Service Providers not covered
3.1 formal agreements not covered
3.2 audit supplier not covered
3.3 review documentation for COTS not covered
3.4 supplier audit available on request not covered
Project Phase
4 Validation 11.10(a)- Validation
4.1 cover life cycle not covered
4.2 change control and deviations 11.10(k)- Documentation control
4.3 systems inventory not covered
4.4 user requirement specifications not covered
4.5 quality management system not covered
4.6 process for customized systems not covered
4.7 evidence of appropriate test methods not covered
4.8 data transfer validation 11.10(h)- Device checks
Operational Phase
11.10(f)- Operational system checks
5 Data
11.30- Controls for open systems
6 Accuracy Checks 11.10(f)- Operational system checks
7 Data Storage 11.10(c)- Protection of records
11.10(d)Limiting system access
7.1 secured and accessible 11.10(e)-Secure Records
11.10(g)-Authority checks
7.2 back-up not covered
8 Printouts
11.10(b)- Generate accurate and
8.1 clear printed copies
complete copies
8.2 batch release/changed since original not covered

EduQuest, Inc. * 1896 Urbana Pike, #14, Hyattstown, MD 20871 USA* www.EduQuest.net * +1 (301) 874-6031
 Comparison of FDA’s Part 11 and the EU’s Annex 11

Annex 11 Annex 11 Part 11 Cross Reference

Section No. Title (substantially equivalent)
11.10(e)- Electronic audit trail,
9 Audit Trails
11.10(k)(2)- Documentation control
Change and Configuration 11.10(d)- Limiting system access
10
Management 11.10(e)- Electronic audit trail
11.300(b) and (e)- periodically checked
11 Periodic evaluation
11.10(k)- Documentation control
12 Security 11.10(c)- Protection of records
11.10(d)- Limiting system access
11.10(g)- Authority checks
12.1 physical/logical 11.200(a) and (b)biometrics
11.300(a) Unique
11.300(d)- prevent unauthorized use
12.2 criticality not covered
11.300(b)and (c)-Controls for
12.3 Security-record events
Identification Codes/Passwords
12.4 data management/operators entries 11.10(e)-Controls for Closed Systems
13 Incident Management not covered
14 Electronic Signature 11.50-Signature manifestations
11.1(a) Scope
11.3(b)(7) Definitions
14(a) same as hand-written
11.100(c) Certify equivalent to
handwritten
14(b) permanent link 11.70- Signature/record linking
14(c) time and date 11.10(e)- Electronic audit trail
15 Batch release not covered
16 Business Continuity not covered
11.10(c)- Protection of records for
17 Archiving
accurate retrieval

EduQuest, Inc. * 1896 Urbana Pike, #14, Hyattstown, MD 20871 USA* www.EduQuest.net * +1 (301) 874-6031
 Comparison of FDA’s Part 11 and the EU’s Annex 11

Table 3: Cross-Reference from Part 11 to Annex 11

Part 11 Part 11 Annex 11 Cross Reference

Section No. Title (substantially equivalent)
Subpart B--Electronic Records
11.10 Controls for closed systems
11.10(a) Validation 4-Validation
11.10(b) Generate accurate and complete copies 8.1-Printouts
17-Archiving, 12-Security
11.10(c) Protection of records for accurate retrieval
7-Data Storage
7.1- secured and accessible
10- Change and Configuration
11.10(d) Limiting system access to authorized individuals
Management
12.1-Security, physical/logical
7.1- secured and accessible
9-Audit Trails
10-Change and Configuration
11.10(e) Record of operator entries (audit trail) Management
12.4- data
management/operators entries
14(c)-Electronic Signature
11.10(f) Operational system checks 5-Data, 6- Accuracy Checks
7.1- secured and accessible
11.10(g) Authority checks
12.1-Security, physical/logical
11.10(h) Device checks 4.8-Validation
Personnel (who develop, users and maintain
11.10(i) 2-Personnel
systems)
User accountability for actions initiated under
11.10(j) not covered
e-signatures
9-Audit Trails
4.2- change control and
deviations
11.10(k) Documentation control
10-Change and Configuration
Management
11- Periodic evaluation
Principle (all systems)
11.30 Controls for open systems
5. Data

EduQuest, Inc. * 1896 Urbana Pike, #14, Hyattstown, MD 20871 USA* www.EduQuest.net * +1 (301) 874-6031
 Comparison of FDA’s Part 11 and the EU’s Annex 11

Part 11 Part 11 Annex 11 Cross Reference

Section No. Title (substantially equivalent)
11.50 Signature manifestations 14-Electronic Signature
11.70 Signature/record linking 14(b)-Electronic Signature
Subpart C--Electronic Signatures
11.100 General requirements
11.100(a) Unique/not reused not covered
11.100(b) Verify identity not covered
11.100(c) Certify equivalent to handwritten 14(a) same as hand-written
11.200 Electronic signature components and controls.
11.200(a) not based on biometrics 12.1-Security, physical/logical
11.200(b) based on biometrics 12.1-Security, physical/logical
11.300(a) Unique 12.1-Security, physical/logical
11. Periodic Evaluation
11.300(b) periodically checked
12.3-Security- record events
11.300(c) procedures to deauthorize 12.3-Security, record events
11.300(d) prevent unauthorized use 12.1-Security
11.300(e) proper function 11-Periodic evaluation

Conclusions
Annex 11 for computerized systems impacts manufacturers who export to the EU and those who
manufacture products in the EU. Close scrutiny of the parallel FDA and EU rules shows the authorities
share a mutual intent to have safe, validated computer systems and qualified networks for drug and
device manufacturing.

Limited areas of Part 11 are dissimilar to Annex 11; these, for the most part, are limited to the
verification of identity and accountability of actions by authorized individuals, as well as to the reporting
to authorities. Part 11 applies to e-submissions to the FDA. Annex 11 is different from Part 11 in that it
takes a risk management approach to criticality and emphasises a systems approach to periodic
evaluations. Annex 11 is ‘how to’ while Part 11 is ‘thou shalt’ in tone. Together they form a robust and
usable guide for computer validation professionals leading their companies and clients to compliance.

About EduQuest
EduQuest is a global team of FDA compliance experts based near Washington, DC. Founded by former senior FDA
officials, EduQuest provides practical auditing, validation and training services to bio-pharmaceutical and medical
device companies worldwide.

EduQuest, Inc. * 1896 Urbana Pike, #14, Hyattstown, MD 20871 USA* www.EduQuest.net * +1 (301) 874-6031
 White Paper

Annex 11 and 21 CFR

Part 11: Comparisons for
International Compliance
By Orlando Lopez, Independent Consultant
 White Paper

Introduction

The two essential resources available to regulated life-science professionals

regarding the validation of computer systems are: the Food and Drug
Administration’s (FDA) rule on Electronic Records/Signatures (21 CFR Part 11
aka Part 11) and the European Medicine Agency’s (EMEA) Guidelines to Good
Manufacturing Practice (GMPs) - Annex 11, Computerized Systems (aka EU
Annex 11).

Part 11 establishes the requirements for the technical and procedural controls
that must be met by the regulated user if the regulated user chooses to maintain
regulated records electronically. Part 11 was published in March 1997. It is strictly
applicable in the United States to all FDA program areas. Part 11 is also applicable
to manufacturers outside of the United States and its territories who wish to
gain FDA market approval. Part 11 applies to records in electronic form that are
created, modified, maintained, archived, retrieved, or transmitted under any records
requirements set forth in agency regulations. For the purpose of this analysis it is
required to consider the Part 11 Guideline (2003). This guidance is the one used by
the FDA for interpretation and to enforce the Part 11 requirements established in
the Part 11 regulation. (See Analysis of Part 11).

European Union (EU) Annex 11 covers the interpretation of the principles and
guidelines of GMP-regulated activities to computer systems. The first edition
of EU Annex 11 dates back to 1992. The current updated version was published
January 2011. EU Annex 11 is strictly applicable to the EU, although U.S.
manufacturers who wish EU market approval need to take it into account as an
applicable requirement. It applies to Good Manufacturing Practices (GMP) for
medicinal products for human use, investigational medicinal products for human
use and veterinary medicinal products. (See Analysis of EU Annex 11.)

This article discusses how the updated Annex 11 compares with Part 11. A
matrix containing a comprehensive comparison of Annex 11, Part 11 and other
regulations/guidelines can be downloaded for free at
www.computer-systems-validation.com.

Comparing the 11’s

There are two primary common areas between the EU’s EMEA Annex 11 and
the FDA’s Part 11. The first common area is the electronic signatures (e-sigs)
elements within these documents. The second common area is the elements
covered in Part 11.10, Controls for Closed Systems.

Electronic Signatures

Speaking strictly about e-sigs, Part 11 goes beyond Annex 11. Back in the early
1990s, the main reason for initiating Part 11 was to approve online electronic
batch records.

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 1

 White Paper

E-sigs in the EU Annex 11 is covered under 11-14. The use of e-sigs to sign
electronic records (e-recs) is permitted. It is expected that e-sigs will:

• have the same impact as handwritten signatures within the boundaries of the
company (11.100(a) and (b) 11.200(a)(2));
• be permanently linked to their respective record(s) (11.70); and
• include the time and date of signature (11.50(a)(2)).

The direct EU Annex 11 corresponding e-sigs guideline associated with Part 11

regulation can be found in parentheses above.

In addition, Part 11 includes the following e-sig requirements not covered in the
EU Annex 11:

11.50(a)(1) and (3); 11.50(b)

Section 11.50 requires signature manifestations to contain information associated

with the signing of e-recs. This information must include the printed name of the
signer, and the meaning (such as review, approval, responsibility, and authorship)
associated with the signature. In addition, this information is subject to the same
controls as e-recs and must be included in any human readable forms of the e-rec
(such as electronic display or printout).

11.100(c)(1) and (2)

Under the general requirements for e-sigs, at Sec. 11.100, before an organization
establishes, assigns, certifies, or otherwise sanctions an individual’s e-sig, the
organization shall verify the identity of the individual.

11.200(a)(1)(i) and (ii); 11.200(a)(3); 11.200(b)

Section 11.200 provides that e-sigs not based on biometrics must employ at
least two distinct identification components such as an identification code and
password. In addition, when an individual executes a series of signings during a
single period of controlled system access, the first signing must be executed
using all electronic signature components and the subsequent signings must be
executed using at least one component designed to be used only by that individual.
When an individual executes one or more signings not performed during a single
period of controlled system access, each signing must be executed using all of the
electronic signature components.

E-sigs not based on biometrics are also required to be administered and executed
to ensure that attempted use of an individual’s e-sig by anyone else requires the
collaboration of two or more individuals. This would make it more difficult for
anyone to forge an electronic signature. E-sigs based upon biometrics must be
designed to ensure that such signatures cannot be used by anyone other than the
genuine owners.

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 2

 White Paper

11.300

Under Sec. 11.300, e-sigs based upon use of identification codes in combination
with passwords must employ controls to ensure security and integrity. The
controls must include the following provisions: (1) The uniqueness of each
combined identification code and password must be maintained in such a way
that no two individuals have the same combination of identification code and
password; (2) persons using identification codes and/or passwords must ensure
that they are periodically recalled or revised; (3) loss management procedures
must be followed to deauthorize lost, stolen, missing or otherwise potentially
compromised tokens, cards, and other devices that bear or generate identification
codes or password information; (4) transaction safeguards must be used to
prevent unauthorized use of passwords and/or identification codes, and to detect
and report any attempt to misuse such codes; (5) devices that bear or generate
identification codes or password information, such as tokens or cards, must be
tested initially and periodically to ensure that they function properly and have not
been altered in an unauthorized manner.

The above Part 11 e-sig descriptions were directly obtained from the Part 11
regulation preamble.

Controls for Closed Systems

Section 11.10 describes the controls that must be designed by the regulated user
to ensure the integrity of the computer system operations and the information
stored in the closed system.

On the controls framework, the Part 11 regulation considers computer systems in

two groupings: closed and open. Closed and open systems are defined in Part 11.3.
The access in closed systems is controlled by persons responsible for the content
of electronic records on that system. An open system is an environment in which
system access is not controlled by persons who are responsible for the content
of electronic records on the system. Annex 11 does not make this distinction.
Implicitly, Annex 11 covers these security related controls in 11-12.

Speaking strictly about the integrity of system operations and information stored in
the system, Annex 11 goes beyond Part 11. The requirements covered by Part 11 on
the controls for closed systems are: validation, copy and protection of e-recs, audit
trails, system documentation, computer system access, and experience of people
developing/maintaining/using the computer system.

• Validation (11.10(a))

Validation is the “formal assessment and reporting of quality and

performance measures for all the lifecycle stages of software and system
development, its implementation, qualification and acceptance, operation,
modification, re-qualification, maintenance and retirement. This should

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 3

 White Paper

enable both the regulated user, and competent authority to have a high
level of confidence in the integrity of both the processes executed within
the controlling computer system(s) and in those processes controlled by
and/or linked to the computer system(s), within the prescribed operating
environment(s).” The FDA has maintained the requirement for validation
because the agency believes that it is necessary that software be validated to
the extent possible to adequately ensure performance.

The correct validation implementation program on computer systems

“ensures accuracy, reliability, consistent intended performance, and the
ability to discern invalid or altered records.”

In the EU Annex 11, validation of computer systems is an element of the project

phase and takes center stage. The validation phase has been extensively
expanded in the updated Annex 11 to cover the complete computer system
life cycle. One of the main principles of this Annex states that: “The application
should be validated; IT infrastructure should be qualified.”

A significant and essential activity at the beginning of a computer system’s

lifecycle is to establish the intended use and proper performance of computer
systems. The “intended use” is one of the factors which helps to determine
the granular level of the computer systems validation.

The phrase “proper performance” relates to the general principle of

validation. Planned and expected performance is based upon predetermined
design specifications, consequently, “intended use.”

All computer systems automating any regulated function must be validated

for its intended use. This requirement applies to any computer system
automating the design, testing, raw material or component acceptance,
manufacturing, labeling, packaging, distribution, complaint handling, or to
automate any other aspect of the quality system.

In addition, computer systems creating, modifying, and maintaining electronic

records and managing electronic signatures are also subject to the validation
requirements. Such computer systems must be validated to ensure accuracy,
reliability, consistent intended performance, and the ability to discern invalid
or altered records.

Software for the above applications may be developed in-house or under

contract. However, software is frequently purchased off-the-shelf for a
particular intended use. All production and/or quality system software, even
if purchased off-the-shelf, should have documented requirements that fully
define its intended use, and information against which testing results and
other evidence can be compared, to show that the software is validated for its
intended use.

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 4

 White Paper

Appropriate installation and operational qualifications should demonstrate

the suitability of computer hardware and software to perform assigned tasks.

• The ability to generate accurate, complete copies of records (11.10(b))

According to this requirement, also contained as well in Annex 11-5

documentation, it must be possible to obtain clear printed copies of
electronically stored e-records. When generating an electronic copy of an
electronic record, any file conversions must be qualified.

• Protection of records (11.10(c) and (d))

Computer systems electronic records must be controlled including records

retention, backup and security.

The data collected in a computer system should be secured by both physical

and electronic means against damage. The access to data should be ensured
throughout the retention period.

One of many activities supporting this requirement is backups. Backups

must be performed on electronic copies of electronic records and stored
separately from the primary electronic records. The objective of the backup is
to guarantee the availability of the stored data and, in case of loss of data, to
reconstruct all GMP-relevant documentation.

According to 11-7.2 and similarly to an electronic file, the integrity and

accuracy of backup data and the ability to restore the data should be verified
during validation and periodically (Annex 11-7.1). The frequency and extent
of backup should be based on the effort involved to recreate the data. This
should be defined in the backup procedure.

Measures must be taken, however, to assure that backup data are exact
and complete and that they are secure from alteration, inadvertent
erasure, and loss.

Security is an issue covered in all regulations. The basic principle in Annex 11 is

that computer systems must have adequate controls to prevent unauthorized
access or changes to data, inadvertent erasures, or loss (Annex 11-7.1)

• Use of computer-generated, time-stamped audit trails (11.10(e), (k)(2) and

associated requirements in 11.30).

One of the first references on the use of audit trails in FDA guidelines is
from the 1978 current good manufacturing practices (cGMP) preamble.
The comment on paragraph 186 states: “If a computer system has the
capability, however, to verify its output, such as with audit trials, this could be
considered as a check for accuracy.”

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 5

 White Paper

As in Annex 11-9, the system-generated audit trail referenced in 11.10(e) or

other physical, logical, or procedural security measures must be in place to
ensure the trustworthiness and reliability of the records. The appropriate
measures should be based on a risk assessment. For change or deletion of
cGMP-relevant data the reason should be documented.

This is one requirement where, since 2003, the FDA has exercised
enforcement discretion. Regulated firms must still comply with all applicable
predicate rule requirements related to documentation of date, time or
sequencing of events, as well as any requirements for ensuring that changes
to records do not obscure previous entries.

Audit trails are appropriate when the regulated user is expected to create,
modify or delete regulated records during normal operation.

• Use of appropriate controls over systems documentation.

Computer system documentation means records that relate to system

operation and maintenance, from high-level design documents to end-user
manuals. All regulatory provisions applicable to software are also applicable
to its documentation.

Computer system documents are generated/updated during the

implementation/maintenance project, correspondingly. These documents
may be either printed material or electronic records, such as computer files,
storage media or film. Storing a large number of documents increases the
cost of document management because of the increasing difficulty of keeping
the documents consistent with the computer system. Computer system
documents must be available if needed for review. Obsolete information must
be archived or destroyed in accordance with a written record retention plan.

Even Annex 11 provides guidance on documentation; there is no explicit

guidance on controls over computer systems documentation. The applicable
controls on documentation can be found in the new version of Chapter 4
(“Documentation”) of the EU Guideline to GMP. Chapter 4 can be used as a
guidance to implement 11.10(k).

• System access be limited to authorized individuals (11.10(d), (g) and (h))

Security is a key issue in computer systems, including the use of authority

checks (21 CFR 11.10(g)) to ensure that only authorized individuals can use
the system and alter records.

Part 11 security requirements listed in 11.10(d), (g) and (h), are covered in
Annex 11-7.1 and 11-12. In addition, Annex 11-4.3 calls for “An up-to-date
listing of all relevant systems and their GMP functionality (inventory) should
be available...and security measures should be available.”

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 6

 White Paper

• A determination that persons who develop, maintain or use electronic records

and signature systems have the education, training, and experience to
perform their assigned tasks.

Annex 11-2 covers this Part 11 requirement.

The revised Annex 11 lists in a comprehensive manner 11.10 requirements.

In the context of the content of Part 11 and Annex 11, the main difference
between the two is that Part 11 is a regulation. The nature of a regulation
restricts the granularity of the guidance that a regulator may provide. The
regulated user will get less guidance in Part 11 than in the Annex 11. The
guidance by the regulator on Part 11 can be found in the preamble of this
regulation and in the 2003 guidance document.

Conclusion

Annex 11 has a much broader scope than Part 11. Speaking strictly about e-recs
and e-sigs, Part 11 goes beyond Annex 11, but Annex 11 works well with 21
CFR Part 11. Annex 11 can be used in different regulated environments, such
as the United States, as a regulatory guideline to comply with the regulatory
requirements applicable to computer systems supporting GxP applications.

The narrow scope of Part 11 started the awareness of regulated industry on

e-recs and e-signatures. The updated EU Annex 11 has improved the standard for
regulated users and systems. EU Annex 11 gives the specificity guidance in areas
that are not covered in Part 11 regulations.

References

(1) The regulated Good Practice entity, that is responsible for the operation of a
computerized system and the applications, files and data held thereon. PIC/S PI
011-3.

(2)FDA, 21 CFR Part 11, “Electronic Records; Electronic Signatures; Final Rule.”
Federal Register Vol. 62, No. 54, 13429, March 20, 1997.

(3) The European Medicines Agency is an agency of the European Union. The
Agency is responsible for the scientific evaluation of medicines developed by
pharmaceutical companies for use in the European Union.

(4) Annex 11 to Volume 4 of the Rules Governing Medicinal Products in the

European Community, Computerized Systems.

(5) FDA, Part 11, Electronic Records; Electronic Signatures — Scope and
Application, 2003.

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 7

 White Paper

(6) Preamble - Analysis preceding a proposed or final rule that clarifies the
intention of the rulemaking and any ambiguities regarding the rule. Responses
to comments made on a proposed rule are published in the preamble preceding
the final rule. Preambles are published only in the FR and do not have a binding
effect.

(7) Pharmaceutical Inspection Co-operation Scheme. “Good Practices for

Computerized Systems in GxP Regulated Environments,” PIC/S PI 011-3,
September 2007.

(8) Center for Drug Evaluation and Research, Center for Biologics Evaluation
and Research, and Center for Devices and Radiological Health Food and Drug
Administration, “Guideline on General Principles of Process Validation,” U.S. FDA,
Rockville, MD, May 1987.

(9) An electronic means of auditing the interactions with records within an

electronic system so that any access to the system can be documented as
it occurs for identifying unauthorized actions in relation to the records, e.g.,
modification, deletion, or addition. (DOD 5015.2-STD)

About the Author

Orlando Lopez, Independent Consultant

Orlando Lopez is an independent consultant with 20+ years of information

technology experience and more than a decade with QA and compliance. He
has managed a complete validation project at a medical device manufacturing
facility, including facility, utilities, process equipment, R&D/QA laboratories, and
processes (formulation and fabrication).

He established the computer validation compliance initiative for multiple Johnson

& Johnson companies such as McNeil and ITCS.

Recognized globally for expertise in computer systems compliance, he was

member of the PDA Part 11 Core Team and member of the GAMP Infrastructure
Special Interest Group. As part of the GAMP4 Guide, he led the development of the
Operation Appendix O6, “Guidelines for Record Retention, Archiving and Retrieval.”
He has lectured globally, chairing several computer validation conferences.

He is the author of two books: “21 CFR Part 11 - “A Complete Guide to

International Compliance,” published by Sue Horwood Publishing Limited, and
“Computer Infrastructure Qualification for FDA Regulatory Industries” published
by Davis Healthcare International Publishing. Mr. Lopez may be reached at
olopez6102@msn.com.

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 8

 White Paper

About MasterControl

MasterControl Inc. creates software solutions that enable life science and other
regulated companies to deliver life-improving products to more people sooner.
MasterControl’s integrated solutions accelerate ROI and increase efficiencies by
automating and securely managing critical business processes throughout the
entire product lifecycle. More than 1,000 companies worldwide, ranging in size
from five employees to tens of thousands, rely on MasterControl cloud solutions
to automate processes for new product development, clinical, regulatory, quality
management, supplier management, manufacturing and postmarket surveillance.
MasterControl solutions are well-known for being scalable, easy to implement, easy
to validate and easy to use. For more information, visit www.mastercontrol.com.

© 2019 MasterControl Inc. All rights reserved.

WPXXXXUSENLT-02/19

Annex 11 and 21 CFR Part 11: Comparisons for international Compliance 9