TL;DR: Compliance for automated inspection systems in packaging is not a single certification — it depends on which market you’re shipping into, what the system touches, and whether your inspection data qualifies as a quality record under GMP.
TL;DR: EU machinery installations under CE marking require a conformity assessment against EN ISO 13849-1 for safety-rated control functions, with a minimum Performance Level PLd for guarded entry points on high-speed lines running above 40 cycles/min.
What Automated Inspection Compliance Actually Covers — and What It Doesn’t
The compliance question we hear most often from brand partners is: “Does your inspection system have the right certifications?” That framing misses half the picture. Regulatory obligations for automated vision inspection systems in packaging fall into three distinct layers, and each layer has different owners.
Layer 1 — Machine safety: The inspection hardware itself must conform to machinery directives in the installation market. In the EU, this means the Machinery Directive 2006/42/EC (transitioning to Machinery Regulation 2023/1230 from January 2027). In the US, OSHA 29 CFR 1910.217 and ANSI/RIA R15.06 govern machine guarding. In China, GB 5226.1-2019 covers electrical safety of industrial machinery.
Layer 2 — Product compliance evidence: When the inspection system is used to verify food-contact packaging, pharmaceutical blisters, or cosmetic primary packaging, the inspection log becomes a compliance document. FDA 21 CFR Part 11 applies if the records are electronic and are used to satisfy a regulatory requirement. EU GMP Annex 11 applies to pharmaceutical packaging lines in European-market supply chains.
Layer 3 — System validation: Inspection software that makes pass/fail decisions on regulated packaging must be validated, not just installed. GAMP 5 (published by ISPE) classifies vision inspection software as Category 4 — configured software requiring installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ).
On our production lines, we separate these three layers clearly in our pre-production documentation package, which we internally track as Form QC-19. A brand partner asking only “do you have CE?” is only checking Layer 1.
The Misdiagnosed Problem: Treating Inspection Data as Informal Records
This is where most compliance audits find gaps, and the root cause is rarely intentional — it’s a classification problem that gets inherited from how inspection systems are initially commissioned.
When a vision inspection system is installed on a packaging line, the commissioning engineer typically focuses on defect sensitivity, false reject rate, and throughput speed. What the system does with its data — where the reject logs go, how long they’re retained, whether they’re tamper-evident — is treated as an IT question and deferred. That deferral becomes a problem the moment a brand’s customer (a pharmaceutical manufacturer, a major food retailer, or a cosmetics brand under EU Regulation 1223/2009) requests a quality record from the production run.
Under FDA 21 CFR Part 11, electronic records used to satisfy regulatory requirements must meet specific controls: audit trails that capture who changed what and when, restricted access with user authentication, and record retention for a defined period (typically 3 years minimum for device labeling records, but check the applicable product regulation). A vision system generating CSV exports to an unlocked shared folder does not satisfy Part 11, even if the detection performance is excellent.
The confirmation test is simple: pull the inspection log from any production run and answer three questions. Can you tell if the log was modified after the run completed? Is there a user ID associated with every operator change to sensitivity parameters? Is the record stored in a location where only authorized personnel can delete it? If any answer is no, the system’s records are informal, regardless of the hardware’s CE mark.
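One way to run the first two questions of the confirmation test against a run log, as an added example (not code from this page or from any vision vendor's audit-trail module): each record is sealed with an HMAC chained to the previous record, so a post-run edit or a removed line is detectable. The key, field names and sample log are constructed for illustration; the third question (who can delete the file) is a storage permission and is not covered here.

```python
import hashlib
import hmac
import json

# Constructed demo key; this example assumes the real key is held off the inspection PC.
SEAL_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _mac(prev, rec, key):
    # MAC over the previous entry's MAC plus this record, serialized deterministically.
    body = json.dumps(rec, sort_keys=True)
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def seal(records, key=SEAL_KEY):
    """Chain each record to the one before it so later edits become visible."""
    prev, sealed = GENESIS, []
    for rec in records:
        prev = _mac(prev, rec, key)
        sealed.append({"record": dict(rec), "mac": prev})
    return sealed

def audit(sealed, key=SEAL_KEY):
    """Return (index, finding) pairs for questions 1 and 2 of the confirmation test."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(sealed):
        rec = entry["record"]
        # Q1: was this record changed, or a neighbour removed, after sealing?
        if not hmac.compare_digest(_mac(prev, rec, key), entry["mac"]):
            findings.append((i, "modified after sealing"))
        # Q2: every sensitivity-parameter change must carry an operator ID.
        if rec.get("event") == "param_change" and not rec.get("user"):
            findings.append((i, "parameter change without user ID"))
        prev = entry["mac"]
    return findings

# Constructed sample run log (field names are hypothetical).
RUN_LOG = [
    {"ts": "2024-03-01T08:00:00Z", "event": "run_start", "user": "op17"},
    {"ts": "2024-03-01T08:05:12Z", "event": "param_change", "user": "op17",
     "param": "contrast_threshold", "old": 42, "new": 38},
    {"ts": "2024-03-01T08:09:40Z", "event": "reject", "unit": 1184, "defect": "seal"},
    {"ts": "2024-03-01T09:30:00Z", "event": "run_end", "user": "op17"},
]

if __name__ == "__main__":
    log = seal(RUN_LOG)
    print("untouched:", audit(log))
    log[2]["record"]["defect"] = "none"  # simulate an edit made after the run
    print("edited:   ", audit(log))
```

The chain alone does not reveal records cut from the end of the log; recording the final MAC in the batch record at run close covers that case.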
Our threshold for flagging this to brand partners: any packaging line supplying a product category covered by FDA, EU GMP, or ISO 15378:2017 (pharmaceutical primary packaging) requires Part 11 or Annex 11-compliant data handling. We’ve had to retrofit compliant data logging on three separate lines after this was identified late in customer audits — it’s a 4–8 week remediation depending on the system’s software architecture.
Corrective Actions by Impact and Feasibility
- Classify your inspection records immediately. Review whether the packaging categories running through your inspection system are subject to FDA, EU GMP, or ISO 15378. This costs nothing and can be done in a day. If they are, escalate to Layer 2 and 3 compliance requirements before the next brand audit.
- Enable audit trail logging in existing vision software. Most commercial vision platforms (Cognex, Keyence, Omron) include audit trail modules that are shipped but not activated by default. Activating this within existing software costs little but requires a revalidation of the OQ/PQ documentation. Budget 2–3 weeks for the paperwork, not the software change.
- Conduct an IQ/OQ/PQ validation against GAMP 5 Category 4. This is the thorough path. A full validation for a single inspection station typically takes 6–10 weeks and requires a validation engineer. It’s expensive relative to Steps 1–2, but it’s the only path that fully satisfies a pharmaceutical customer audit. Fixes the compliance gap completely for that line.
- Upgrade data storage to a compliant document management system. If inspection logs currently live on a local drive or shared folder, migration to a validated DMS (like MasterControl or Veeva Vault) with controlled access resolves the Part 11 record-keeping exposure. Coordinate this with your IT and QA teams — the transition requires data migration verification.
- Review machinery safety classification under the new EU Machinery Regulation. If you export packaged goods to the EU and your inspection system was CE-marked before 2023, the transition to EU Machinery Regulation 2023/1230 requires you to confirm whether any design changes have been made since the original conformity assessment. Changes to guarding, software control logic, or operational speed can invalidate an existing CE declaration.
Market Compliance Comparison
| Requirement Area | EU | US | China |
|---|---|---|---|
| Machine safety standard | Machinery Regulation 2023/1230 / EN ISO 13849-1 | OSHA 29 CFR 1910.217 / ANSI/RIA R15.06 | GB 5226.1-2019 |
| Electronic records (pharma) | EU GMP Annex 11 | FDA 21 CFR Part 11 | NMPA GMP (2010 revision, data integrity addendum 2020) |
| Software validation framework | GAMP 5 (ISPE) | GAMP 5 (ISPE) | No equivalent mandated; GAMP 5 accepted by NMPA auditors |
| Primary packaging standard | ISO 15378:2017 | ISO 15378:2017 / USP standards | GB/T 19633 (equivalent scope) |
| AQL sampling reference | ISO 2859-1 | ANSI/ASQ Z1.4 | GB/T 2828.1 (harmonised with ISO 2859-1) |
| Chemical compliance | REACH (EC 1907/2006) | Varies by state / TSCA | GB 9685-2016 (food contact) |
The practical gap between markets: China’s NMPA data integrity requirements are real and enforceable, but the audit trigger is typically a product registration dossier review, not a routine factory inspection. FDA and EU GMP auditors will check data systems during on-site audits as standard procedure.
Prevention — What to Specify Upfront
When commissioning a new inspection system or qualifying a new packaging line, build these requirements into the equipment purchase specification and the supplier brief before installation begins:
- State the target market explicitly (EU / US / CN / combination) — this determines which machinery directive and data integrity standard applies.
- Specify whether inspection records will be used as regulatory quality records — if yes, invoke GAMP 5 Category 4 and 21 CFR Part 11 / Annex 11 in the purchase order.
- Request the IQ/OQ/PQ validation protocol from the equipment vendor before sign-off, not after commissioning.
- For EU-market pharmaceutical or cosmetic packaging, require the CE Declaration of Conformity and the technical file index as part of supplier documentation.
The document to request at the start of every new line qualification: a completed Equipment Qualification Master Plan with regulatory scope identified.
Specification Notes for Brand Partners
When you brief us on a new packaging line that will include automated inspection, the first thing we need to know is the end market and the product category. Those two data points determine whether the inspection system’s records are informal production logs or regulatory documents — and the documentation requirements and lead times are completely different.
The brief gap that causes the most sample iterations is leaving market destination vague (“global” or “mainly US and Europe”). This delays our compliance mapping because EU and US have different records management requirements under Annex 11 and Part 11 respectively, and those differences affect how we configure data logging before we run the first qualification sample.
Our standard timeline for commissioning a compliant inspection station on an existing line is 8–12 working days for setup and initial calibration, plus 3–6 weeks if a formal OQ/PQ validation run is required. Lines supplying pharmaceutical or regulated cosmetic packaging always require validation. FMCG and general consumer goods packaging typically do not, unless the brand’s customer requires it by contract.
Does CE certification on the inspection machine cover all our compliance obligations?
No. CE marking confirms the machine met EU machinery safety requirements at the point of manufacture. It says nothing about how your electronic inspection records are managed, whether your software has been validated under GAMP 5, or whether your data logging satisfies FDA 21 CFR Part 11 or EU GMP Annex 11. Those are separate obligations triggered by your product category and target market, not by the hardware specification.
We run inspection on food packaging — do FDA 21 CFR Part 11 records requirements apply to us?
It depends on whether your inspection records are used to satisfy a specific regulatory requirement. Part 11 applies when electronic records are created, modified, or maintained to satisfy an FDA regulation. For most standard food packaging, inspection logs are internal quality records and Part 11 doesn’t apply. For packaging used with FDA-regulated devices or pharmaceutical products, it does. The distinction matters — and we flag it formally during our QC-19 pre-production documentation review.
What AQL level should we specify for a vision inspection system?
AQL specification under ISO 2859-1 is a starting point, not a complete answer. An inline 100% vision inspection system doesn’t sample — it inspects every unit. AQL levels are relevant for the outgoing audit sample that confirms the inline system is performing correctly, typically AQL 0.65 or AQL 1.0 for critical defects on regulated packaging, and AQL 2.5 for minor cosmetic defects on general consumer goods. Specifying an AQL without also specifying the inline system’s minimum detection threshold (in pixels or mm²) leaves a gap: the two numbers are measuring different things.
How long do we need to retain inspection records?
That depends on the applicable regulation for the product, not the packaging. For packaging supplied into pharmaceutical supply chains, EU GMP requires retention for at least 1 year past expiry date or 5 years from batch release, whichever is longer. FDA device records under 21 CFR Part 820 require 2 years minimum from manufacture date. For general consumer goods with no specific regulatory retention requirement, our standard is 3 years, which we’ve aligned with most major retailers’ supplier audit requirements. If your customer has a specific requirement in their supplier agreement, that takes precedence over our default.
The Layer 2 point is the one that burned us. We had a vision inspection system logging foil seal rejections on a Bordeaux-format 750ml line and nobody had flagged that those logs were being pulled into our EU GMP documentation package — so when an Annex 11 audit came through in early 2023, the validation trail for the software was essentially nonexistent. Category 4 under GAMP 5, zero IQ/OQ documentation. Took four months to remediate and we couldn’t ship to two EU market customers in the interim.
The GAMP 5 Category 4 validation piece catches people off guard every time — we ran IQ/OQ/PQ on a Cognex In-Sight 9000 series integration for a pharmaceutical blister line last year and the full validation package ended up at 340 pages of documentation before our notified body would sign off. PLd on the guarded entry points wasn’t the bottleneck; it was the 21 CFR Part 11 audit trail configuration that pushed our go-live back 6 weeks.
The Layer 2 point is the one that keeps catching our contract fillers off guard — we had a 14-week validation backlog at our Nevada co-packer last year because nobody flagged the 21 CFR Part 11 requirement until the vision system was already installed and running trial batches.
Worth flagging on the China side — GB 5226.1-2019 alignment tripped up our Shanghai co-manufacturer last quarter when we installed a Keyence CV-X series inline label verification unit. The NMPA auditor accepted our GAMP 5 IQ/OQ documentation but still required a separate GB conformity declaration for the control cabinet wiring that added 9 weeks to our launch timeline.
One tradeoff that doesn’t come up enough: EN ISO 13849-1 PLd versus PLe for guarded entry points isn’t just a safety philosophy debate, it’s a sourcing decision. We spec’d PLe on a 60-cycle/min nitrogen-flush tea canister line in Rotterdam last year because our integrator flagged that redundant safety relay architecture (PLe) uses off-the-shelf Pilz PNOZ components versus the custom safety PLC logic required for some PLd configurations — actually shorter lead time and easier to revalidate after a line speed change.
The Layer 3 framing is right for pharmaceutical, but we’ve found it breaks down when the same vision system is doing double duty on a cosmetic line where the records aren’t satisfying a regulatory requirement — just internal QC. Our co-packer in Tijuana ran a Cognex DataMan 370 setup that the GAMP 5 Category 4 validation was technically optional for, but their customer audit template assumed full IQ/OQ/PQ regardless, so the practical requirement ended up being audit-driven rather than regulatory. Worth knowing the distinction before you scope the validation budget.
The Layer 1 / Layer 2 ownership split is real — our quality team spent three months assuming the OEM’s CE declaration covered our Annex 11 obligations on a chilled treat pouch line, and it absolutely did not.
Switching our 750ml spirit boxes from virgin SBS to 80% PCW kraft last spring exposed a gap nobody in our compliance chain had thought about — the inline OCV system we’re using for lot code verification suddenly had degraded read rates because the recycled substrate has 15–20% more surface variance, and that triggered enough false rejects that we had to revalidate the contrast thresholds entirely before the data logs were usable as quality records.
Retrofitting our existing Omron FH-series vision system to meet Annex 11 logging requirements cost us roughly £4,200 in software configuration and IQ/OQ documentation alone — no hardware touched. That’s the number that surprises brand partners when they assume the OEM CE declaration means the compliance work is already done.