Annex 11 Draft Update | Transforming Computerised Systems in GMP Environments

A review of the draft update to EU and PIC/S Annex 11 Computerised Systems

Can you remember what mobile phone you had in 2011? Was it even a smart phone? And now can you imagine how your life would work without one?

And yet in that time the Good Manufacturing Practice (GMP) annex that dictates the requirements for managing computerised systems has not been updated.

The pharmaceutical industry is undergoing a digital transformation, with computerised systems playing an increasingly critical role in ensuring product quality, patient safety, and data integrity.

The European Commission recognised the need for regulatory changes in this space some time ago. A number of additions and updates were recently published for EudraLex Volume 4 – Good Manufacturing Practice Guidelines for stakeholder consultation, including Annex 11 Computerised Systems.

The update is, not unexpectedly, significant. Whilst the structure of the annex has been somewhat maintained, it is now 4 times the length which represents a paradigm shift towards more comprehensive digital governance and now includes all computerised systems, as well as cloud services, artificial intelligence/machine learning systems and enhanced cybersecurity requirements.

The rewrite reflects the need for clearer guidance, harmonised practices, and enhanced controls in GMP-regulated environments. This blog explores the key changes introduced in the revised Annex 11 and their implications for pharmaceutical professionals.

Transforming Computerised Systems in GMP Environments

The changes to this annex have been understandably so significant that to review each change makes for a very long read. You can find a complete overview of each updated section, which highlights where content is new or changed in this supporting blog: Annex 11 Computerised Systems in Consultation.

Major content changes in Annex 11

There are 7 entirely new sections – a reflection of the technological advances made since 2011. The rest has been variously formalised, rescoped, expanded upon and otherwise significantly changed. No aspect of GMP for computerised systems has gone untouched.

• Scope and Principles: The entire document has been redefined with the use of 8 fundamental principles which highlights a focus on risk management, lifecycle, data integrity and supplier control.
• Pharmaceutical Quality System: Formalised in a new section, the PQS must assure deviation management and change control.
• Risk Management: High on agenda for this update, risk must be considered throughout the system lifecycle.
• Personnel and Training: A minor change which aligns to general GMP requirements whilst encouraging collaboration among stakeholders.
• System Requirements: This entirely new content might increase the burden on documentation and validation teams but will ensure better system control and audit readiness.
• Supplier and Service Management: This requirement has been reframed, providing greater clarity on key points such as personnel accountability, control and documentation
• Alarms: This new section itemises specific requirements for alarms, which were previously unmentioned in Annex 11, with an understanding of human reliance on such controls.
• Qualification and Validation: Now clearly mandating GMP Annex 15, this sections provides further requirements and processes specific for computerised systems.
• Handling of Data: This requirement has been rescoped to focus on manual data plausibility, data movement validation, and encryption.
• Identity and Access Management: With organisations still subject to inspection findings which breach data integrity due to poor access control, this new section will assure data traceability through appropriate account control.
• Audit Trails: Significant expansion of this section provides better guidance for the specific nuances of handling electronic data that the previous version didn’t offer.
• Electronic Signatures: Another significant expansion reflective of the changes in technology and the need for better control.
• Periodic Review: Aligning computerised systems with equipment and facility systems per periodic review requirements, this new section will verify that systems remain validated and fit for use.
• Security: A complete rewrite for this section introduces comprehensive security requirements to protect data and systems.
• Backup: Expanding on single clause, this new section recognises the particular needs and risks of digital data.
• Archiving: Further detail provided to assure enduring retention and accessibility.

New principles and concepts for Computerised Systems

This revision has provided the opportunity to include principles and technology into Annex 11 already in routine use for GMP.

Lifecycle management: Pharmaceutical products have long been managed a “whole life” premise, requiring initial and ongoing validation, change management and decommissioning processes. The same will now apply for computerised systems.

ALCOA+: Included under one of the new eight key principles, this basic tenet of data integrity is now identified as essential for electronic data capture and is highlighted for data handling, access control and signatures, audit trails and security.

Cloud services: Whilst no specific requirements have been included for services and storage provided directly over the internet, it should be assumed that with its mention in the opening paragraph, the revised annex fully applies.

AI/ML Systems: Artificial intelligence and machine learning seems to have moved into business and popular culture overnight and it is not going away. The revisions proposed should also apply to GMP data and systems in under this technology, but the Annex 11 revision makes no specific mention of either. Since the first draft was published in November 2022, when the first iteration of ChatGPT had barely been released a research preview, perhaps it is unsurprising that it hasn’t been directly acknowledged. That said, Annex 22 Artificial Intelligence, proposed under the same stakeholder review, should provide the regulatory control needed for computerised systems.

Key implications for pharmaceutical manufacturing

Whilst the breadth of the changes made will warrant a full gap assessment by all manufacturers, some key considerations will include:

• System Inventory Expansion: All computerised systems must be evaluated for GMP applicability
• Audit Trail Implementation: Mandatory audit trails for all GMP-critical systems
• Cybersecurity Assessment: ISO 27001-aligned security management system
• Supplier Re-qualification: All technology suppliers require assessment under new criteria
• Documentation Access: Complete validation documentation must be accessible for cloud services

Strategic considerations

Compliance with the new requirements will no doubt require a degree of investment for many organisations to assure modern technological integration. When planning for these changes, consider:

• Digital Transformation Enablement: Framework must support modern technology adoption
• Continuous Validation: Account for the shift from periodic to ongoing system monitoring
• Integrated Quality Management: Computerised systems should be fully integrated with Pharmaceutical Quality System
• Risk-Based Approach: ICH Q9 Quality Risk Management principles must be embedded throughout system lifecycle
• Global Harmonisation: Target alignment with FDA Computer Software Assurance guidance where applicable

Preparing for the future

The revised Annex 11 represents a significant advancement in the regulation of computerised systems within GMP environments and provides a comprehensive framework for modern pharmaceutical operations.

The new requirements transform computerised systems from supporting tools into critical GMP-controlled assets, requiring significant investment in technology, processes, and personnel to achieve compliance.

Organisations must prepare for substantial changes in validation approaches, supplier management, cybersecurity controls, and data integrity practices. Early adoption and strategic planning will be essential for successful implementation by the 2026 effective date.

Professionals must adapt their practices to align with the coming changes, ensuring compliance, reliability, and continued protection of patient safety and product quality. Those changes can start now.

PharmOut Services

At PharmOut, we specialise in delivering comprehensive consulting services tailored to the pharmaceutical industry.

If you need assistance determining the impact of regulatory changes on your organisation, there are a number of ways we can help:

• Conduct gap assessments, risk analysis and propose process and documentation updates. Contact us via the website or via email for assistance.
• Provide consultation on the steps that you need to take. To book a one-on-one chat with us, please go to our website: Consultancy Time
• Train you so you have all the knowledge you need, via online elearning or face to face. Visit our website to read about training options.

Frequently Asked Questions (FAQ)