AI and Digitalisation in GMP: Preparing for Annex 22

Analysing the implications of the draft Annex 22 for AI integration and digital transformation

The pharmaceutical industry is on the brink of a digital revolution, and the draft GMP Annex 22 Artificial Intelligence signals a major shift in regulatory expectations for AI and digitalisation in GMP environments.

We have previously reviewed the content of the new Annex 22 Artificial Intelligence. The consultation period for this annex has now ended. Stakeholder feedback will be reviewed, with publication then expected in 2025 and enforcement beginning in 2027-2028.

Whilst some changes to the content of Annex 22 might be expected, the smart move is to take advantage of this transition period and start now considering and implementing the actions that you will need to take to ensure your future compliance.

This blog considers the implications of Annex 22, explores how AI can be integrated responsibly, and provides practical guidance for manufacturers preparing for this transformation.

Implications of Annex 22 Artificial Intelligence

Annex 22 aims to provide guidance on the use of advanced digital technologies, including AI, machine learning, and automation, within GMP frameworks. Key objectives include:

• Ensuring data integrity and transparency in AI-driven decisions.
• Defining validation requirements for adaptive algorithms.
• Encouraging risk-based approaches to digitalisation.
• Supporting innovation while maintaining patient safety.

Digitalisation extends beyond AI. Annex 22 promotes the adoption of technologies such as:

• Electronic Batch Records (EBR) for real-time documentation.
• IoT-enabled sensors for continuous monitoring.
• Cloud-based Quality Management Systems for global harmonisation.

These tools enhance efficiency and compliance but require robust cybersecurity and data integrity measures.

AI Use Cases in GMP

AI is already making an impact in GMP environments:

• Predictive Maintenance: Machine learning models forecast equipment failures, reducing downtime and improving reliability.
• Real-Time Release Testing: AI-driven analytics enable faster product release without compromising quality.
• Automated Visual Inspection: Advanced algorithms detect micro-defects with greater accuracy than manual methods.

These applications illustrate how Annex 22 can accelerate adoption of innovative technologies while ensuring compliance.

Emerging Digitalisation Trends: Predictive Compliance and Regulatory Sandboxes

Predictive compliance uses AI to monitor processes and predict potential deviations before they occur, enabling proactive interventions. Regulatory sandboxes (controlled environments where companies can test innovative solutions under regulatory oversight) are gaining traction globally. These initiatives foster collaboration between industry and regulators, reducing uncertainty and accelerating innovation.

Emerging Technologies

Annex 22 encourages innovation, and several technologies are shaping the future:

• Explainable AI (XAI): Improves transparency and regulatory acceptance.
• Blockchain: Ensures tamper-proof audit trails for data integrity.
• Digital Twins: Simulate processes for optimisation and predictive analytics.
• Advanced Analytics: Enable real-time decision-making and continuous improvement

Challenges and Risk Management

The integration of AI and digital systems into GMP environments introduces a new set of challenges that require robust risk management strategies. While the benefits are substantial, manufacturers must navigate technical, organisational, and regulatory hurdles to achieve compliant digital transformation.

Key Challenges

• High Initial Investment: Implementing advanced digital technologies and AI solutions often demands significant upfront capital for infrastructure, software, and workforce training. Organisations must balance these costs against long-term efficiency gains and compliance benefits.
• Validation Complexity: Adaptive AI systems, which learn and evolve over time, present unique validation challenges. Traditional static validation approaches may be insufficient, necessitating ongoing monitoring, periodic revalidation, and dynamic risk assessment to ensure continued compliance.
• Cybersecurity Risks: Increased connectivity and data exchange heighten the risk of cyber threats. Manufacturers must implement robust cybersecurity controls, including network segmentation, access management, and regular vulnerability assessments, to safeguard sensitive GMP data and maintain system integrity.
• Data Integrity and Governance: Ensuring the integrity, accuracy, and traceability of data generated and processed by AI systems is paramount. This requires comprehensive data governance frameworks, clear accountability, and regular audits to detect and address anomalies or unauthorised changes.
• Regulatory Uncertainty: As regulatory frameworks for AI in GMP are still evolving, manufacturers may face uncertainty regarding compliance expectations. Proactive engagement with regulators and participation in industry forums can help organisations stay informed and influence emerging standards.

Risk Management Strategies:

• Integrate Quality Risk Management (QRM): Apply QRM principles to identify, assess, and mitigate risks associated with AI and digital systems. This includes establishing risk registers, defining mitigation actions, and monitoring risk indicators throughout the system lifecycle.
• Phased Implementation: Consider a phased approach to digitalisation, starting with pilot projects in high-impact areas. This allows organisations to build expertise, demonstrate value, and refine risk controls before scaling up.
• Continuous Training and Awareness: Invest in ongoing training for staff to ensure they understand both the capabilities and limitations of AI systems. Foster a culture of digital literacy and quality ownership across all levels of the organisation.
• Incident Response Planning: Develop and regularly test incident response plans to address potential system failures, data breaches, or regulatory findings. Rapid, coordinated responses minimise operational disruption and regulatory risk.

By anticipating challenges and embedding risk management into every stage of digital transformation, pharmaceutical manufacturers can harness the full potential of AI while maintaining compliance and protecting patient safety.

Challenges for SMEs Adopting Digitalisation

Small and medium-sized enterprises (SMEs) face unique challenges:

• Limited budgets for advanced technologies.
• Lack of in-house expertise for AI validation.
• Concerns about regulatory scrutiny and resource allocation.

PharmOut recommends phased implementation—starting with digital readiness assessments and prioritising high-impact areas such as electronic batch records and automated data integrity checks.

Regulatory Expectations for Digitalisation

AI offers significant benefits for pharmaceutical manufacturing, such as predictive maintenance, real-time process optimisation, and automated quality checks. However, Annex 22 introduces new compliance challenges:

• Validation Complexity: Adaptive algorithms require ongoing monitoring and revalidation.
• Explainability: Regulators expect AI decisions to be transparent and interpretable.
• Governance: Manufacturers must establish clear accountability for AI-driven processes.

Annex 22 aligns with existing principles in EMA Annex 11 and FDA guidance on data integrity. Manufacturers should anticipate:

• Lifecycle validation for digital systems.
• Risk-based approaches to system implementation.
• Audit trails for all algorithm updates and system changes.

Validation Strategies for AI and Digital Systems

Validation of AI and digital systems under Annex 22 requires a paradigm shift from traditional approaches, reflecting the unique characteristics of adaptive algorithms and complex digital infrastructures. The core objective is to ensure that AI-driven processes are reliable, transparent, and compliant throughout their lifecycle.

Key Steps in Validation:

• Define Intended Use and Risk Assessment: Begin by clearly articulating the intended use of each AI system within the GMP environment. Conduct a comprehensive risk assessment to identify potential impacts on product quality, patient safety, and data integrity. This assessment should consider both the direct and indirect effects of AI decision-making.
• Establish Acceptance Criteria: Develop measurable acceptance criteria for system performance, accuracy, and reliability. These criteria should be aligned with regulatory expectations and organisational quality objectives. For AI models, this includes setting thresholds for prediction accuracy, false positive/negative rates, and system robustness under varying conditions.
• Challenge Testing and Edge Cases: Perform rigorous challenge testing, including the use of edge cases and atypical scenarios, to evaluate how the AI system responds to unexpected inputs or rare events. This helps to uncover hidden vulnerabilities and ensures the model’s resilience in real-world operations.
• Lifecycle Documentation and Governance: Maintain detailed documentation covering model training data, algorithm selection, version control, and update protocols. Establish governance frameworks that define roles and responsibilities for ongoing monitoring, revalidation, and change management. This is especially critical for adaptive algorithms that evolve over time.
• Adopt GAMP 5 Principles for AI: Tailor GAMP 5 (Good Automated Manufacturing Practice) principles to address the specific challenges of AI validation. This includes risk-based validation, continuous performance monitoring, and periodic re-assessment of model suitability. Validation activities should be proportionate to the system’s risk profile and potential impact on GMP compliance.
• Audit Trails and Traceability: Implement robust audit trails for all algorithm updates, model retraining events, and system changes. Ensure traceability from data input to final decision, supporting regulatory requirements for transparency and explainability.

Best Practice Tip:

Engage cross-functional teams—including quality, IT, data science, and regulatory affairs—early in the validation process to ensure all perspectives are considered and compliance gaps are addressed proactively. PharmOut recommends adopting GAMP 5 principles tailored for adaptive algorithms.

Practical Implementation Roadmap for GMP Digitalisation

Annex 22 and Global Impact

Annex 22 is not just a European initiative—it has global implications. As regulators worldwide observe the EMA’s approach, similar frameworks may emerge in other regions, driving harmonisation of digital compliance standards. For multinational manufacturers, this means preparing for a future where AI governance and digital validation become universal expectations.

Future Outlook

Annex 22 marks a transformative milestone for pharmaceutical manufacturing, signalling a decisive regulatory shift towards the adoption of digital technologies. This evolution empowers manufacturers to optimise operational efficiency, strengthen compliance, and uphold patient safety. As global regulators increasingly align standards, the industry can anticipate greater harmonisation and a growing reliance on artificial intelligence for real-time quality assurance.

But digitalisation is not just about implementing a technical upgrade—it requires a cultural transformation. Organisations must embrace data-driven decision-making, invest in workforce training, and foster collaboration between IT and quality teams. Leadership commitment is critical to ensure successful adoption and sustained compliance.

Companies that act now—by investing in governance, validation, and training—will gain a competitive edge and position themselves as leaders in digital GMP compliance.

PharmOut Services

PharmOut can help manufacturers prepare for Annex 22 through:

• Digital readiness assessments and gap analysis.
• Validation planning for AI and digital systems.
• Training on Annex 22 compliance and emerging technologies.

Explore our GMP training courses at onlinegmptraining.com for more practical insights, or contact us via the website or via email for assistance.

Frequently Asked Questions (FAQ)