The European Commission has launched a public consultation for three pivotal updates to EudraLex Volume 4 of the EU GMP guidelines: Chapter 4 (Documentation), a revision of Annex 11 (Computerized Systems), and the release of an entirely new annex, Annex 22 (Artificial Intelligence).
These updates aim to align GMP expectations with current technological capabilities and regulatory priorities, particularly data integrity, hybrid systems, and algorithmic decision-making. Below is a structured analysis of the key changes and their practical implications.
Chapter 4 [Draft]: Documentation
The proposed update to Chapter 4 reflects a fundamental shift in how GMP documentation is conceptualized and managed. Rather than focusing solely on static documents, the revised chapter emphasizes the importance of data governance, metadata control, and system integration within the Pharmaceutical Quality System (PQS).
Expanded Focus on Data Lifecycle and Metadata
The 2025 draft introduces the concept of the data lifecycle, requiring companies to maintain not only documents but also associated metadata, audit trails, and ownership responsibilities throughout their lifecycle.
Hybrid systems, those combining paper and electronic records, are formally recognized and must be controlled under validated procedures.
Integration of ALCOA++ and QMS
While the 2011 version focused on handwritten and legible entries, the new draft mandates ALCOA++ principles and explicitly ties documentation systems into the Pharmaceutical Quality System (PQS).
This includes controlling access based on user roles, timestamping entries, and preventing unauthorized edits or deletions.
Introduction of Supporting Structures
The revised Chapter 4 includes:
- A glossary defining terms such as audit trail, certified copy, and metadata
- An annex of document examples relevant to GMP operations, such as batch records, validation protocols, and test methods
Implications for GMP Operations
These changes significantly raise the expectations for documentation control, particularly in environments with hybrid or fully digital systems. Companies will need to:
- Validate documentation systems, including templates and audit trails
- Revise procedures to incorporate metadata retention and secure access
- Train personnel on ALCOA++ and real-time data recording practices
The updates also strengthen regulatory expectations for inspection-readiness, emphasizing that controlled records, whether paper or electronic, must be traceable, retrievable, and secured throughout their lifecycle.
Section | 2011 Version | 2025 Draft Update | Type of Change | Implication / Notes |
---|---|---|---|---|
Principle | Documentation may exist in paper-based, electronic, or photographic form. Emphasized controlling and recording all activities impacting quality. | Strong focus on data lifecycle, metadata, ALCOA++, hybrid systems, and QMS linkage. Data governance now explicitly required. | Major Update & Expansion | Aligns with modern digital expectations and Annex 11. Stronger regulatory expectations for data integrity. |
Required GMP Documentation | Described basic types: SMF, specs, SOPs, protocols, reports, etc. | Clarifies document types as instructions, records, certificates. Introduces metadata ownership and responsibility. | Expanded & Rephrased | Better reflects data handling complexity and current regulatory interpretations. |
Generation and Control (4.1–4.6) | Basic control of documents including hybrid forms and master copies. | Adds template control, access roles, system validation, and digital audit trails. Explicit hybrid system expectations. | Expanded | Supports traceability and consistency in hybrid/electronic environments. |
Good Documentation Practices (4.7–4.9) | Handwritten entries must be indelible, legible, real-time. Corrections not to obscure originals. | Introduces ALCOA++, contemporaneous entries, secure audit trails, metadata controls, and user access roles. | Major Expansion | Reinforces real-time entry, traceability, and auditability, especially in e-systems. |
Retention of Documents (4.10–4.12) | Minimum retention per product expiry. Obsolete documents to be removed. | Adds long-term readability, digital record retention (metadata + audit trail), hybrid system validation. | Expanded & Clarified | Supports digital documentation and inspection-readiness over long durations. |
Document Approval and Control (4.13–4.14) | Approval by authorized person, dated, controlled versions. | Adds version control procedures, template validation, digital signatures, and audit trail for changes. | Expanded & Digitally Oriented | Supports compliance in electronic document systems and centralized controls. |
Document Use (4.15–4.16) | Documents must be available and legible in work areas. | Reinforces use of current, controlled versions. Access control by user role added for e-systems. | Expanded | Helps prevent errors from outdated or unauthorized instructions. |
Documentation of Activities (4.17–4.21) | Activities must be recorded in real time and corrections justified. | Requires audit trail, timestamps, reason for changes, secure metadata retention, and system-based control. | Major Expansion | Critical for digital compliance and consistent execution of activities. |
Certificates of Analysis and Reports | Brief mention; part of GMP documentation. | Adds traceability to raw data, automated reporting rules, review workflows, and integrity controls. | New Details Added | Enhances reliability and audit-readiness of analytical and QC documentation. |
Handling Hybrid Systems and Metadata | Not addressed. | Fully defined. Control over hybrid systems, metadata ownership, retention, and QMS integration required. | New Section | Fills gap for common modern setups (e.g., paper + LIMS combo). High regulatory relevance. |
Glossary | None. | Defines ALCOA++, audit trail, metadata, raw data, certified copy, backup, etc. | New Section | Supports consistent interpretation across EU GMP documents and inspections. |
Annex – Document Examples | None. | Annex listing sample GMP documents (batch records, SOPs, protocols, etc.). | New Section | Adds clarity for practical implementation and harmonization. |
Annex 11 [Draft]: Computerized Systems
The proposed update to Annex 11 represents a major regulatory realignment of computerized systems with current and emerging technologies used across the pharmaceutical industry. While the 2011 version focused primarily on validation and access control in traditional IT setups, the 2025 draft broadens both the scope and depth of expectations.
The update addresses cloud infrastructure, artificial intelligence, and digital service providers, while placing a stronger emphasis on data integrity and the lifecycle management of computerized systems.
Broadening of Scope to Modern Technologies
The new draft significantly expands the scope of Annex 11 to include:
- Cloud services (SaaS, PaaS, IaaS)
- Mobile applications
- Artificial intelligence and machine learning (static models only)
- Blockchain technologies
- Industrial IoT (IIoT)
Systems with indirect impact on product quality or data integrity are now explicitly subject to Annex 11 controls.
Strengthening of Data Integrity and System Lifecycle Controls
The 2025 version requires:
- Risk-based validation, including of configurations and interfaces
- Secure, tamper-evident audit trails with user linkage
- Periodic system reviews, including cybersecurity status and data integrity performance
- Role-based access control and segregation of duties
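One way to make an audit trail tamper-evident and user-linked is to chain each entry to its predecessor with a keyed MAC, so that edits, deletions and truncation are detectable on review. This is an added example, not text from the draft annex; the field names, the sample batch record and the demo key are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first entry


def _mac(key: bytes, prev_mac: str, body: dict) -> str:
    # Canonical JSON so an unchanged entry always produces the same MAC.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + canon).encode(), hashlib.sha256).hexdigest()


def append_entry(trail, key, *, user, timestamp, record_id, field, old, new, reason):
    """Append a user-linked, time-stamped change record chained to its predecessor."""
    if not user or not reason:
        raise ValueError("entry needs an attributable user and a reason for change")
    body = {"seq": len(trail), "user": user, "timestamp": timestamp,
            "record_id": record_id, "field": field, "old": old, "new": new,
            "reason": reason}
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append({**body, "prev": prev, "mac": _mac(key, prev, body)})
    return trail[-1]["mac"]  # head MAC: keep a copy outside the system


def verify_trail(trail, key, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
        if entry["seq"] != i or entry["prev"] != prev:
            return i  # deleted, inserted or reordered entry
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, body)):
            return i  # entry content edited after it was written
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(trail)  # entries removed from the end of the trail
    return None


def demo():
    key = b"constructed-demo-key"  # assumption: a real key lives in an HSM or KMS
    trail = []
    append_entry(trail, key, user="analyst01", timestamp="2025-07-01T09:14:00Z",
                 record_id="BATCH-0001", field="assay_pct", old=None, new="99.2",
                 reason="initial entry")
    head = append_entry(trail, key, user="qa02", timestamp="2025-07-01T10:02:00Z",
                        record_id="BATCH-0001", field="assay_pct", old="99.2",
                        new="99.4", reason="transcription error corrected")
    intact = verify_trail(trail, key, head)          # untouched trail
    truncated = verify_trail(trail[:1], key, head)   # last entry dropped
    trail[0]["new"] = "101.0"                        # silent edit of history
    return intact, truncated, verify_trail(trail, key, head)
```

The chain only proves integrity to someone who holds the key and an independently stored head MAC, so both need to sit outside the reach of the application's own administrators.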
Implications for GMP Operations
Companies must now treat computerized systems not as supporting tools, but as critical GMP-controlled assets. The update reinforces that:
- Responsibility cannot be outsourced, even when services are delivered by cloud or AI providers
- Validation must address functionality, data integrity, and cybersecurity
- Suppliers must be qualified based on service type, risk, and technical controls (e.g., SLAs, audits, compliance assessments)
Organizations will need to invest in training, risk documentation, and revised validation protocols to meet these expanded expectations.
Section | 2011 Version | 2025 Draft Update | Type of Change | Implication / Notes |
---|---|---|---|---|
Principle | • Computerized systems should be validated • Must not negatively impact product quality or patient safety | • Integral to Pharmaceutical Quality System (PQS) • Requires defined responsibilities • Data integrity controls and lifecycle management • Must align with QMS principles | Major Update & Expansion | Elevates computerized systems from supportive tools to core GMP-controlled systems. Strengthens connection to quality oversight and lifecycle thinking. |
Scope | Applies to all computerized systems used in GMP-regulated activities. | • Includes mobile apps, cloud (SaaS, PaaS, IaaS), AI, ML, IIoT, blockchain • Covers indirect GMP impact systems | Expanded | Brings modern technologies into GMP oversight. Ensures systems with indirect GMP impact are no longer overlooked. |
Risk Management | Risk management should be applied throughout the lifecycle. | • Risk decisions must be documented and traceable • Considers criticality, data complexity, cybersecurity | Expanded & Clarified | Pushes for structured risk documentation and aligns with ICH Q9(R1). More emphasis on cybersecurity and critical data assessment. |
Personnel | Personnel should have appropriate qualifications and training. | • Digital literacy and data integrity training mandatory • Roles clearly defined, especially for admin and users | Expanded | Tighter requirements on competence for handling complex digital systems and audit trails. |
Suppliers and Service Providers | Suppliers should be appropriately evaluated. | • Categorizes service providers (SaaS, AI, cloud) • Requires SLAs, audits, quality agreements | Expanded | Reinforces that outsourcing doesn’t transfer responsibility. Supports risk-based supplier qualification and digital service control. |
Validation | All GMP-relevant computerized systems should be validated. | • Risk-based, traceable validation required • Includes configurations, interfaces, migration activities | Expanded | Strong focus on traceability, configuration control, and formal change management. Aligns with CSA and GAMP 5 principles. |
Data | Data should be secured by both physical and electronic means. | • Covers lifecycle, classification, protection, traceability • Requires metadata and contextual info preservation | Major Expansion | Deepens focus on integrity and availability of GMP data. Strengthens metadata control in hybrid/electronic systems. |
Audit Trails | Changes and deletions of GMP-relevant data should be recorded. | • Secure, time-stamped, tamper-evident audit trails • User-linked and reviewable | Major Expansion | Meets modern data integrity expectations. Enables traceability and supports remote audits. |
Security and Access Control | Access must be limited to authorized personnel. | • Unique credentials, role-based access • Includes cloud security and duty segregation | Expanded & Detailed | Addresses cybersecurity risks and enforces controlled access to critical operations and data. |
Electronic Signatures | Permitted where legally acceptable. Should be equivalent to handwritten signatures. | • Must be secure, traceable, validated • 2FA or biometrics recommended | Expanded | Strengthens expectations for identity verification. Prepares for increased remote work and digital signing. |
Change Management | Should be formally documented. | • Requires risk assessment, impact evaluation, testing • Audit-trailed change logs | Expanded & Clarified | Improves transparency and control over digital system updates and patches. |
Periodic Review | System functionality should be periodically reviewed. | • Requires scheduled reviews of performance, incidents, cybersecurity | Expanded & Formalized | Supports continuous compliance and system reliability assurance. |
Backup and Recovery | Data should be regularly backed up. | • Validated, documented, tested • Must retain metadata and enable full recovery | Expanded | Ensures business continuity and complete restoration of GMP-relevant data. |
Glossary | Included a limited glossary defining key terms like audit trail, GMP-relevant, metadata, signature, validation. | • Includes ALCOA++, hybrid systems, cloud, governance | Expanded | Updates terminology to reflect evolving regulatory focus on data integrity, digital systems, and lifecycle expectations. |
Annex 22: Artificial Intelligence in GMP Systems
The publication of Annex 22 signals a pivotal moment in pharmaceutical regulation: for the first time, the use of artificial intelligence (AI) and machine learning (ML) within GMP environments has been formally recognized and regulated.
The annex introduces detailed guidance on how AI/ML systems must be designed, validated, monitored, and maintained to ensure patient safety and data integrity.
Defined Scope for AI/ML Usage
Annex 22 sets boundaries for the use of artificial intelligence. It applies only to:
- Static, deterministic AI/ML models used within computerized systems
- Applications with direct GMP impact (e.g., product release decisions, data classification)
It excludes:
- Generative AI (e.g., LLMs like ChatGPT)
- Adaptive or self-learning models without fixed behavior
Validation and Performance Requirements
Annex 22 introduces:
- Clearly defined intended use, bias analysis, and human-in-the-loop roles
- Requirement for test data independence and statistical robustness
- Defined acceptance criteria, including metrics like F1 score, sensitivity, and specificity
- Mandatory model explainability using tools like SHAP or LIME
Lifecycle and Change Management
AI models are subject to:
- Formal change control
- Ongoing performance monitoring
- Controls for input drift and re-validation triggers
Implications for GMP Operations
Annex 22 marks a regulatory milestone by formally acknowledging AI in GMP. For companies exploring or using AI in quality control, batch review, or deviation detection, this annex provides:
- A pathway for regulated AI validation
- Assurance that explainability, test documentation, and human oversight are enforceable requirements
- A clear prohibition on uncontrolled or adaptive algorithms in critical GMP areas
These measures are intended to preserve traceability, predictability, and patient safety in the face of algorithm-driven decisions.
Section | 2025 Draft Update | Implication / Notes |
---|---|---|
Scope | - Applies to AI/ML models in GMP-relevant computerized systems - Covers only static, deterministic models - Excludes dynamic models and generative AI (e.g., LLMs) | Establishes boundaries for AI in GMP. Dynamic/adaptive models are not permitted in critical GMP areas. |
Principles | - Requires multidisciplinary collaboration (QA, IT, SMEs, Data Scientists) - Documentation responsibilities, even for external providers - Risk-based implementation | Aligns AI systems with core GMP principles: traceability, qualification, and documented risk control. |
Intended Use | - Clearly defined intended use - Description of input data, limitations, and biases - Defined human-in-the-loop roles and subgrouping strategies | Promotes traceability and structured process understanding before model deployment. |
Acceptance Criteria | - Pre-set performance metrics required (e.g., sensitivity, specificity, F1 score) - Model must meet or exceed performance of the replaced process | Shifts validation to model-based criteria. Requires statistical confidence instead of only process qualification. |
Test Data | - Must be statistically significant, well-labeled, and representative - No unjustified exclusions - Rationalized pre-processing | Supports rigorous AI testing. Ensures model generalizability and robustness. |
Test Data Independency | - Strict separation between training and test data - Access control, audit trails, and 4-eyes principle where needed | Prevents biased outcomes and ensures objective model performance evaluation. |
Test Execution | - Formal test plans required - Deviations must be justified and documented - Complete traceability and access control required | Aligns AI validation with existing GMP lifecycle documentation and approval processes. |
Explainability | - Model decisions must be explainable (e.g., via SHAP, LIME, heatmaps) - Required for rejection, classification, and critical decisions | Increases transparency and accountability for AI-assisted decisions. |
Confidence | - Confidence scores must be recorded - Low-confidence predictions must default to 'undecided' where necessary | Prevents inappropriate automated decisions. Supports human verification in edge cases. |
Operation | - AI models subject to configuration and change control - Requires continuous monitoring for input space drift - Human review when applicable | Integrates AI systems into the GMP lifecycle. Ensures AI remains valid, controlled, and auditable over time. |
Glossary | - Adds terms like SHAP, LIME, overfitting, training dataset, explainability, etc. | Supports harmonized understanding across QA, regulatory teams, and auditors. |
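The Acceptance Criteria and Confidence rows above interact: predictions routed to 'undecided' leave the confusion matrix, so the pre-set metrics have to be computed on what the model actually decides. The following is an added example, not part of the draft annex; every threshold, the test results and the cap on the undecided rate are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Criteria:
    # Fixed before test execution; values are constructed for illustration.
    min_sensitivity: float
    min_specificity: float
    min_f1: float
    min_confidence: float      # below this the output becomes 'undecided'
    max_undecided_rate: float  # assumption: stops a model passing by abstaining


CRITERIA = Criteria(0.95, 0.90, 0.85, 0.80, 0.25)

# Constructed independent test set: (true label, predicted label, confidence).
SAMPLE_RESULTS = [
    ("reject", "reject", 0.97), ("reject", "reject", 0.91),
    ("reject", "reject", 0.88), ("reject", "accept", 0.55),
    ("accept", "accept", 0.99), ("accept", "accept", 0.95),
    ("accept", "accept", 0.93), ("accept", "accept", 0.90),
    ("accept", "reject", 0.85), ("accept", "accept", 0.60),
]


def decide(label, confidence, criteria):
    """Route a low-confidence prediction to 'undecided' for human review."""
    return label if confidence >= criteria.min_confidence else "undecided"


def evaluate(results, criteria, positive="reject"):
    """Return (metrics, failed_criteria) for the decisions the model would make."""
    tp = fp = tn = fn = undecided = total = 0
    for truth, predicted, confidence in results:
        total += 1
        outcome = decide(predicted, confidence, criteria)
        if outcome == "undecided":
            undecided += 1
        elif outcome == positive:
            tp += truth == positive
            fp += truth != positive
        else:
            tn += truth != positive
            fn += truth == positive
    metrics = {
        "sensitivity": tp / (tp + fn) if tp + fn else 0.0,
        "specificity": tn / (tn + fp) if tn + fp else 0.0,
        "f1": 2 * tp / (2 * tp + fp + fn) if tp + fp + fn else 0.0,
        "undecided_rate": undecided / total if total else 1.0,
    }
    passed = {
        "sensitivity": metrics["sensitivity"] >= criteria.min_sensitivity,
        "specificity": metrics["specificity"] >= criteria.min_specificity,
        "f1": metrics["f1"] >= criteria.min_f1,
        "undecided_rate": metrics["undecided_rate"] <= criteria.max_undecided_rate,
    }
    return metrics, [name for name, ok in passed.items() if not ok]
```

On the constructed set the model misses no defective unit it decides on, yet fails validation on specificity; the one missed reject is hidden in the undecided bucket, which is why the undecided rate is recorded alongside the metrics.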
Conclusion: Alignment with a Digital GMP Future
The draft revisions to Chapter 4 and Annex 11, along with the introduction of Annex 22, signal a comprehensive shift toward a digitally mature GMP framework. They emphasize that:
- Documentation must be controlled beyond paper, including metadata and system audit trails
- Computerized systems are central to quality, not auxiliary
- Artificial intelligence, where permitted, must be governed like any critical process
Stakeholders are encouraged to review these drafts in detail and provide feedback during the consultation period. Preparing now for these changes will support smoother compliance once the revisions are finalized.