21 CFR Part 11, EU Annex 11 & MHRA: A Compliance Checklist for QC Labs
What Is 21 CFR Part 11 (and How Does It Compare to Annex 11 & MHRA Guidelines)?
21 CFR Part 11 is the FDA’s regulation for electronic records and electronic signatures. It applies to any lab or organization submitting electronic data to the FDA. Annex 11, from the European Medicines Agency (EMA), serves a similar purpose across the EU. The MHRA in the UK also outlines expectations for data integrity under GxP guidelines, particularly for labs working under GMP or GLP.
At their core, all three frameworks expect labs to:
- Maintain secure, traceable records
- Use electronic signatures responsibly
- Validate software systems they use
- Prove that data hasn’t been altered or lost
Heads up: EU Annex 11 is currently being updated for the first time in over a decade, with the final version expected in 2026. We've noted what's changing at the relevant points throughout this guide.
Why This Matters for Small & Mid-Sized QC Labs
If your team still uses spreadsheets, shared folders, or manual forms, it’s hard to:
- Show who entered what data (and when)
- Prevent accidental (or intentional) changes
- Prove you’re following a consistent workflow
And while bigger labs might throw resources at the problem, smaller labs often don’t have that luxury. The solution? Get your systems working for you.
Explore: How LIMS Can Help Standardise Your Laboratory Processes
Compliance Checklist for Electronic Records and Signatures
Use this checklist to benchmark your lab’s setup against the key pillars of compliance:
System Validation
Required by: 21 CFR Part 11 | EU Annex 11 | MHRA GxP
- Have you validated your LIMS or software for its intended use?
- Do you have documented test results and sign-offs?
- Is your validation reviewed periodically?
LIMS Deployment: A Guide to Successful LIMS Implementation
Validation: Checklist for Successful LIMS Deployment.
What's changing under the revised Annex 11: The updated Annex 11 will expand what "validation" means in practice. Under the new version, if you use a cloud-based or SaaS LIMS, you'll also need to document that your vendor meets compliance requirements, not just the software itself. It sounds more complicated than it is; a well-set-up LIMS provider should already have this documentation ready to share with you.
Role-Based Access & User Authentication
Required by: 21 CFR Part 11 | Annex 11 | MHRA
- Does every user have a unique login?
- Are permissions managed based on user roles (e.g., tech vs QA)?
- Are logins secure and time-limited?
Data Security & Compliance: The Importance of Audit Trails
Audit Trails & Data Integrity
Required by: 21 CFR Part 11 | Annex 11 | MHRA
- Can your system track every action (edit, deletion, approval)?
- Are all audit logs time-stamped and user-specific?
- Can you search by sample ID, date, or user?
Top LIMS Features to Ensure Quality in Your Lab
Audit trail failures are consistently one of the most common reasons labs receive warning letters from the FDA and are flagged during MHRA inspections. Having an audit trail switched on isn't enough: inspectors want to see that someone is actually reviewing it regularly. If that's not part of your current process, it's worth building in.
Electronic Signatures
Required by: 21 CFR Part 11 | Annex 11
- Are e-signatures unique to each individual?
- Do they log when, why, and by whom the data was approved?
- Are they tamper-proof and traceable?
Lab Manager’s Guide to Reviewing Test Results for Accuracy & Compliance
21 CFR Part 11 requires e-signatures to use at least two identification components - typically a username and password. MFA goes a step further and is considered best practice for stronger security. LabHQ requires MFA at login across all plans, adding an extra layer of protection on top of the baseline requirement.
ALCOA+ Principles
Required by: All regulatory bodies
These principles help define good data integrity practices:
- Attributable
- Legible
- Contemporaneous
- Original
- Accurate
(+ Complete, Consistent, Enduring, Available)
You might also start seeing the term ALCOA++ used in newer guidance documents. The extra "+" adds one more attribute: Traceable - meaning you can follow a clear trail showing how data moved through your systems and who acted on it. It's a small addition, but one that's appearing in updated EU and international guidance, so it's worth being aware of.
How to Get Started Without IT Overheads
You don’t need a large IT department or big budget. Labs using LabHQ are often:
- Live with LabHQ in their lab, in under a day
- Fully supported (no IT staff required)
- Compliant, out-of-the-box
If you’re building your lab’s digital foundation, start here:
Getting Started Checklist for LIMS
How to Choose the Right LIMS for Your Lab
LabHQ is a cloud-based SaaS platform, which means vendor compliance, uptime guarantees, and data security documentation are already handled on your behalf.
Final Thoughts: Small Labs Can (and Should) Be Compliant
Compliance doesn’t have to be complicated or expensive. With the right tools and processes, small QC labs can:
- Stay audit-ready at all times
- Ensure trust in every result
- Scale confidently as the business grows
With regulations actively being updated, there's real value in getting set up properly now rather than scrambling when new requirements land. The labs that are already using a compliant LIMS will have very little to change. The ones still on spreadsheets will have a lot more to do.
Want to see how LabHQ simplifies 21 CFR Part 11, Annex 11, and MHRA data integrity in practice?
Book a demo or take our interactive walkthrough.