Revision of PIC/S GMP Annex 11: Computerised Systems

Background and Publication of the Concept Paper

On November 17, 2022, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) published a News Release titled “Concept Paper on the revision of EU-PIC/S GMP Annex 11 (Computerised Systems).” This announcement addressed the public release of a concept paper outlining the planned revision of PIC/S GMP Annex 11. Notably, the European Union GMP Annex 11 was undergoing revision simultaneously, with the European Medicines Agency (EMA) and PIC/S working collaboratively through a joint EMA-PIC/S drafting group to maintain global harmonization of standards.

Rationale for the Revision

The revision was initiated in recognition of the fact that the current Annex 11, originally published in 2011, no longer provides sufficient guidance across numerous areas of application. Since its last update, there has been extensive progress in the use of information technology (IT) and digital technologies within the pharmaceutical manufacturing environment. The concept paper identified 33 specific areas requiring revision or clarification to address these technological advances and evolving regulatory expectations.

Key examples of the areas requiring attention include:

Data Integrity Enhancement: The revised Annex 11 was planned to include comprehensive requirements for both “data in motion” and “data at rest” (encompassing backup procedures, archival processes, and data disposal). This reflects the growing regulatory focus on data integrity throughout the entire data lifecycle.

Digital Transformation: The revision was designed to address “digital transformation” and similar emerging concepts, providing clear regulatory expectations for modern pharmaceutical manufacturing environments. This includes considerations for cloud computing services, software-as-a-service (SaaS) platforms, and other contemporary IT delivery models.

Quality Risk Management Integration: The concept paper proposed adding explicit references to ICH Q9 (Quality Risk Management), emphasizing the application of risk-based approaches throughout the lifecycle of computerised systems. Following the revision of ICH Q9 to ICH Q9(R1) in 2023, this alignment became even more critical for establishing a consistent global framework.

Harmonization with FDA Guidance: The concept paper specifically acknowledged the U.S. Food and Drug Administration’s (FDA) draft guidance on “Computer Software Assurance (CSA) for Production and Quality System Software,” released in September 2022 and finalized in September 2025. The document stated that “this guidance and its implications will be considered regarding potential regulatory-related aspects of GMP Annex 11,” demonstrating a commitment to international harmonization.

Public Consultation Process

A public consultation period for the concept paper was conducted from November 16, 2022, to January 16, 2023 (originally stated as 2022 in some sources, but the deadline year was 2023). This two-month consultation period allowed stakeholders to provide input on the proposed revision scope and approach. Stakeholders were encouraged to submit comments through appropriate channels to help shape the development of the draft guidance.

Original Timeline Outlined in the Concept Paper

The concept paper outlined an ambitious timeline for the revision process (key dates extracted from the original document):

Milestone	Original Target Date
Concept Paper Public Comment Deadline	December 2022
Discussion in EMA GMP/GDP IWG and PIC/S Drafting Group	From March 2023
Draft Guidance Release for Public Consultation (3-month period)	December 2024
Draft Guidance Public Comment Deadline	March 2025
Adoption by EMA GMP/GDP IWG	March 2026
Publication by European Commission	June 2026
Adoption by PIC/S Sub-committee on GMDP Harmonisation	September 2026

Actual Timeline and Current Status (as of January 2026)

The revision process experienced some delays from the original timeline, but significant progress has been achieved:

July 7, 2025: The European Commission and PIC/S jointly released draft versions of three interconnected documents for public consultation:

• Revised Annex 11 (Computerised Systems) – expanded from 5 pages to 19 pages
• Revised Chapter 4 (Documentation) – expanded from 9 pages to 17 pages
• New Annex 22 (Artificial Intelligence) – entirely new 6-page guidance document

Public Consultation Period: July 7, 2025 to October 7, 2025 (3-month consultation period)

Expected Final Publication: Mid-2026 (estimated)

Expected Implementation Date: It is anticipated that following publication of the final versions, there will be a transition period before mandatory implementation, likely extending into 2027.

Key Enhancements in the Draft Revised Annex 11

The draft revised Annex 11 represents the most significant overhaul to computerised systems requirements in over a decade. Major enhancements include:

Expanded Scope and Applicability

The revised Annex 11 significantly broadens its scope to encompass:

• Cloud Computing Services: Explicit requirements for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions
• Systems with Indirect Impact: Computerised systems that have indirect effects on product quality or data integrity now fall explicitly within scope
• Outsourced and Service Provider Activities: Enhanced requirements for oversight of external service providers and outsourced IT operations
• Modern Software Delivery Models: Recognition of agile development methodologies, continuous integration/continuous deployment (CI/CD), and modern software development practices

Pharmaceutical Quality System Integration

A new section fully integrates computerised systems into the Pharmaceutical Quality System (PQS), establishing that:

• Computerised systems must be considered GMP-critical assets, not merely supporting tools
• Quality Risk Management principles per ICH Q9(R1) must be comprehensively applied throughout the system lifecycle
• Regulatory responsibility cannot be outsourced, even when services are delivered by cloud providers, AI vendors, or external consultants
• The regulated user maintains ultimate accountability for all systems impacting GMP activities

Lifecycle Management Requirements

The revised Annex emphasizes comprehensive lifecycle management:

• Requirements must be traceable throughout the entire system lifecycle
• Validation strategies and effort should be determined based on a formal risk assessment
• Configuration management becomes a critical element with specific criteria for alarm setting, access control, and system modifications
• Regular review of system performance and suitability must be conducted

Enhanced Data Integrity Requirements

Data integrity principles are substantially expanded, aligned with ICH Q9(R1) and incorporating ALCOA+ principles:

• Data in Motion: Requirements for data being transmitted between systems or components
• Data at Rest: Requirements for stored data, including backup and archival processes
• Audit Trail Requirements: More prescriptive requirements for audit trail functionality, including:
  • Mandatory audit trails for all manual interactions with GMP-critical data
  • Positive user identification for all changes
  • Prohibition of audit trail editing or deactivation
  • Clear guidance on acceptable audit trail review frequency

Security and Access Control

Comprehensive security requirements reflecting modern cybersecurity threats:

• Regulated users must stay informed about emerging security threats to GMP systems
• Enhanced requirements for identity and access management
• Multi-factor authentication considerations for high-risk systems
• Alignment with international information security standards (e.g., ISO 27001)

Supplier and Service Management

Detailed requirements for managing relationships with software suppliers and service providers:

• Vendor qualification and audit programs
• Service level agreements (SLAs) with clear quality and availability expectations
• Right to audit service providers and inspect facilities
• Clear definition of roles and responsibilities in service agreements
• Requirements for supplier notification of significant changes that may affect the validated state

Introduction of Annex 22: Artificial Intelligence

Perhaps the most significant development in this revision cycle is the introduction of Annex 22, the first official EU GMP guidance specifically addressing the use of Artificial Intelligence (AI) and Machine Learning (ML) in pharmaceutical manufacturing. This represents a regulatory milestone acknowledging that AI is becoming integral to pharmaceutical operations.

Scope of Annex 22

Annex 22 applies specifically to:

• Static, Deterministic AI/ML Models: Models that produce consistent outputs for identical inputs
• GMP-Critical Applications: AI systems with direct impact on patient safety, product quality, or data integrity
• Operational AI: Models deployed in production environments, not experimental or development systems

Explicit Exclusions

The following AI technologies are explicitly excluded from critical GMP applications under Annex 22:

• Dynamic AI models that continuously learn from new data during operational use
• Probabilistic models with variable outputs for identical inputs
• Generative AI systems (e.g., large language models, image generators)
• Large Language Models (LLMs) for critical decision-making

These excluded technologies may be used in non-critical GMP contexts, provided a robust “human-in-the-loop” approach is implemented.

AI Lifecycle Requirements

Annex 22 establishes a comprehensive AI lifecycle framework encompassing:

1. Intended Use Definition: Clear, documented description of what the AI model does, what data it uses, and under what conditions it operates
2. Model Selection and Design: Justification for model selection, consideration of simpler alternatives, and design documentation
3. Training Data Quality: Requirements for representative, unbiased, and well-documented training datasets with appropriate data segregation
4. Model Validation: Performance metrics, test data management, and validation protocols appropriate to the risk level
5. Implementation and Qualification: Integration testing, user training, and system qualification
6. Operational Monitoring: Continuous oversight including performance monitoring, input data drift detection, and change control
7. Periodic Review: Regular reassessment of model performance and continued suitability

Key Compliance Requirements

The draft Annex 22 establishes ten mandatory checkpoints for AI implementation:

1. Documented intended use with clear boundaries and limitations
2. Formal risk assessment per ICH Q9(R1) principles
3. Quality assurance of training data, including data provenance and bias assessment
4. Appropriate model validation with defined performance metrics
5. Clear documentation of the model architecture and decision-making logic
6. Robust change control for the model, software, and input data sources
7. Continuous performance monitoring with predefined acceptance criteria
8. Detection and management of input data drift
9. Human oversight and review mechanisms, particularly for critical decisions
10. Regular audit and review of AI system performance and compliance

Relationship to Other GMP Requirements

Annex 22 is designed to complement, not replace, existing GMP requirements. It works in conjunction with:

• Annex 11: AI models are considered specialized computerised systems and must also comply with applicable Annex 11 requirements
• Chapter 4: All data created, processed, or influenced by AI models must meet GMP documentation and data integrity standards
• ICH Q9(R1): Risk management principles must be applied throughout the AI lifecycle

Updates to Chapter 4: Documentation

The concurrent revision of Chapter 4 on Documentation reflects fundamental shifts in how pharmaceutical documentation is conceptualized and managed in a digital age.

Data Governance Framework

The revised Chapter 4 introduces comprehensive data governance concepts:

• Documentation is now viewed as part of a broader data lifecycle, not as isolated documents
• Risk management principles are integrated within the data governance system
• Requirements extend beyond traditional documentation to include metadata, system audit trails, and electronic records management

Hybrid Documentation Systems

Recognition of modern documentation practices:

• Support for paper, digital, and hybrid documentation systems
• Requirements for maintaining document integrity regardless of format
• All documentation, whether in text, image, video, or audio form, must remain complete, readable, and retrievable throughout its lifecycle
• Clear guidance on managing transitions between different documentation formats

Electronic Records and Signatures

Enhanced clarity on electronic records and signatures:

• Requirements aligned with revised Annex 11 for computerised systems
• Data integrity principles applied consistently across all record types
• Specific requirements for electronic signature implementation and controls

Alignment with International Standards and Guidelines

The revision of Annex 11, along with the new Annex 22 and revised Chapter 4, demonstrates strong alignment with international standards and guidelines:

ICH Q9(R1) Quality Risk Management

The final ICH Q9(R1) guideline was adopted in January 2023 (published May 2023). The revised GMP documents incorporate key concepts from ICH Q9(R1):

• Risk-Based Decision-Making: Emphasis on using risk management principles to determine appropriate levels of control and oversight
• Formality Spectrum: Recognition that the level of formality in risk management should be commensurate with uncertainty, importance, and complexity
• Subjectivity Management: Techniques for managing and minimizing subjectivity in risk assessments
• Product Availability Risks: Consideration of risks to product availability arising from quality and manufacturing issues
• Knowledge Management: Integration of knowledge management principles into risk management activities

FDA Computer Software Assurance (CSA)

The FDA’s Computer Software Assurance guidance provides a risk-based alternative to traditional computer system validation:

• Draft Guidance: Released September 13, 2022
• Final Guidance: Published September 24, 2025
• Key Principles:
  • Identification of intended use
  • Risk-based approach to assurance activities
  • Reduced emphasis on documentation for low-risk systems
  • Focus on critical thinking over checkbox compliance
  • Leveraging of vendor documentation and testing

The revised Annex 11 incorporates several concepts from FDA’s CSA guidance, including risk-based validation strategies and recognition of vendor qualification activities, while maintaining its own European regulatory framework.

GAMP 5 Second Edition

The revised Annex 11 aligns with principles from GAMP® 5: A Risk-Based Approach to Compliant GxP Computerised Systems (Second Edition, 2022), published by the International Society for Pharmaceutical Engineering (ISPE). The guidance acknowledges industry-standard approaches to:

• Software categorization and risk assessment
• Validation lifecycle approaches
• Use of commercial off-the-shelf (COTS) software
• Supplier assessment and management

ISO 27001 Information Security

References to information security standards reflect the increasing importance of cybersecurity in pharmaceutical manufacturing:

• Alignment with ISO/IEC 27001:2013 (revised to 27001:2022) for information security management systems
• Consideration of current cybersecurity threats and vulnerabilities
• Integration of security considerations throughout the system lifecycle

Practical Implications for Pharmaceutical Manufacturers

The comprehensive revisions to Annex 11, Chapter 4, and the introduction of Annex 22 will have significant practical implications:

Immediate Actions (During Consultation Period)

Manufacturers should:

1. Review Draft Documents: Carefully analyze the draft guidances to understand new requirements
2. Conduct Gap Assessments: Evaluate current systems, processes, and documentation against draft requirements
3. Submit Comments: Participate in the public consultation process to help shape final requirements (consultation closed October 7, 2025, but understanding industry feedback can help predict final requirements)
4. Identify AI Usage: Create an inventory of existing or planned AI/ML applications in GMP processes

Preparation for Implementation (2026-2027)

Organizations should begin preparing for implementation:

1. Quality Management System Updates: Revise SOPs, work instructions, and quality system documents to reflect new requirements
2. Training Programs: Develop and deliver training on new requirements for relevant personnel
3. System Assessments: Evaluate existing computerised systems for compliance with revised requirements
4. Vendor Management: Review and update vendor qualification programs and service level agreements
5. Data Governance: Strengthen data integrity programs and data lifecycle management practices
6. AI Governance Framework: If using or planning to use AI, establish appropriate governance structures, validation templates, and monitoring procedures

Long-Term Strategic Considerations

Looking beyond immediate compliance:

1. Digital Transformation Strategy: Align digital transformation initiatives with GMP requirements from the outset
2. Technology Roadmap: Consider how emerging technologies can be implemented in compliance with new standards
3. Continuous Improvement: Establish programs for ongoing monitoring and improvement of computerised systems
4. Collaboration: Engage with industry groups, regulatory agencies, and technology providers to stay informed of evolving expectations

Relationship to Other Regulatory Frameworks

Understanding how these revisions fit within the broader regulatory landscape:

Global Harmonization Efforts

The EMA-PIC/S collaboration on these revisions represents a commitment to global harmonization:

• PIC/S participating authorities span 59 jurisdictions worldwide (as of January 2026)
• The revision process includes consideration of approaches taken by major regulatory agencies including FDA, Health Canada, TGA (Australia), and others
• Alignment with WHO GMP guidelines is also considered

Regional Implementation

Different regions may implement these requirements at different times:

• European Union: Direct implementation through EudraLex Volume 4
• PIC/S Members: Adoption through the PIC/S GMP Guide (PE 009-17)
• Non-PIC/S Jurisdictions: Many countries base their GMP requirements on WHO guidelines, which often incorporate concepts from ICH and PIC/S guidance

Industry Feedback and Concerns

During the consultation period, industry stakeholders raised several important considerations:

Annex 11 Concerns

• Prescriptive Nature: Some industry representatives noted that the revised Annex 11 has become significantly more prescriptive compared to the principle-based approach of the 2011 version
• Implementation Burden: The expanded scope and detailed requirements may create substantial implementation burdens, particularly for small and medium-sized manufacturers
• COTS Software: Questions about the treatment of commercial off-the-shelf software and the extent of validation required
• Retrospective Application: Concerns about applying new requirements to legacy systems

Annex 22 Considerations

• Limited Scope: Some stakeholders suggested the scope might be too narrow, excluding valuable AI technologies that could enhance pharmaceutical quality
• Pace of Innovation: Questions about whether the static model requirement could stifle innovation in AI applications
• Validation Challenges: Concerns about the practical challenges of validating complex AI models, particularly regarding explainability and interpretability
• Dynamic Environment: The pharmaceutical AI landscape is evolving rapidly; fixed regulatory requirements may quickly become outdated

Future Outlook and Continuing Developments

As the pharmaceutical industry continues to digitalize, regulatory expectations will continue to evolve:

Expected Developments

1. Final Publication: The final versions of revised Annex 11, Chapter 4, and new Annex 22 are expected in mid-2026
2. Implementation Period: A transition period (likely 12-18 months after publication) will probably be provided before mandatory compliance
3. Supplementary Guidance: Regulatory agencies may publish additional guidance documents, Q&A documents, or interpretation papers
4. Inspection Focus: GMP inspections will increasingly focus on computerised systems, data integrity, and AI implementation

Emerging Technologies

The regulatory framework will need to continue adapting to address:

• Advanced forms of AI including large language models
• Blockchain and distributed ledger technologies
• Internet of Things (IoT) and connected devices in manufacturing
• Advanced analytics and real-time release testing
• Digital twins and process simulation

Industry Initiatives

Industry associations and working groups are actively supporting implementation:

• ISPE: Continuing development of GAMP guidance and best practices
• PDA (Parenteral Drug Association): Technical reports and training on computerised systems validation
• EFPIA (European Federation of Pharmaceutical Industries and Associations): Industry perspectives on implementation
• Industry Consortia: Collaborative initiatives to develop shared approaches to complex challenges

Conclusion

The revision of PIC/S GMP Annex 11, along with the introduction of Annex 22 on Artificial Intelligence and the concurrent update to Chapter 4 on Documentation, represents a comprehensive modernization of regulatory expectations for computerised systems in pharmaceutical manufacturing. These changes reflect both the opportunities and challenges presented by digital transformation in the industry.

Key takeaways for pharmaceutical manufacturers:

1. Comprehensive Scope: The revised requirements encompass traditional IT systems, cloud services, AI applications, and hybrid documentation approaches
2. Risk-Based Approach: Emphasis on quality risk management principles throughout the system lifecycle, aligned with ICH Q9(R1)
3. Data Integrity Focus: Enhanced requirements for ensuring data integrity across all formats and throughout the data lifecycle
4. Shared Responsibility: Clear articulation that regulatory responsibility cannot be outsourced, even when using external service providers
5. AI Regulation: First-ever formal regulatory framework for AI in GMP, establishing clear boundaries and requirements
6. International Harmonization: Alignment with FDA CSA guidance, GAMP 5, ICH Q9(R1), and international standards

The pharmaceutical industry should view these revisions not merely as compliance obligations, but as an opportunity to enhance quality systems, improve operational efficiency, and responsibly adopt innovative technologies. Organizations that proactively prepare for these changes and embrace modern quality management approaches will be well-positioned for success in an increasingly digital pharmaceutical landscape.

As we move toward final publication and implementation, continued engagement with regulatory agencies, participation in industry working groups, and investment in appropriate systems and training will be essential for ensuring successful compliance with these modernized requirements.

References and Resources

Official Regulatory Documents

1. PIC/S News Release: Concept Paper on the revision of EU-PIC/S GMP Annex 11 (November 17, 2022) – https://picscheme.org/en/news
2. PIC/S Concept Paper (PI 011) – https://picscheme.org/docview/4967
3. Draft EU-PIC/S GMP Annex 11: Computerised Systems (July 7, 2025) – https://health.ec.europa.eu/
4. Draft EU-PIC/S GMP Annex 22: Artificial Intelligence (July 7, 2025) – https://health.ec.europa.eu/
5. Draft EU-PIC/S GMP Chapter 4: Documentation (July 7, 2025) – https://health.ec.europa.eu/
6. FDA Guidance: Computer Software Assurance for Production and Quality System Software (Final, September 24, 2025) – https://www.fda.gov/regulatory-information/search-fda-guidance-documents/computer-software-assurance-production-and-quality-system-software
7. ICH Q9(R1): Quality Risk Management (Final, May 2023) – https://www.ich.org/

Industry Resources

1. ISPE GAMP® 5 Second Edition: A Risk-Based Approach to Compliant GxP Computerised Systems (2022)
2. PDA Technical Reports on Computer System Validation
3. ISO/IEC 27001:2022 Information Security Management Systems

Consultation Information

• EU Stakeholder Consultation Portal
• PIC/S Publications and Consultation Procedures
• Comments accepted through October 7, 2025 (consultation period now closed)

This document was prepared as of January 2026 and reflects the most current information available regarding the revision of PIC/S GMP Annex 11 and related documents. Readers should consult official regulatory publications for the most up-to-date requirements.