Analysis of EU GMP Annex 11 Revision: The Significance of the 2025 Draft and Future Outlook
Background: EU GMP and the Position of Annex 11
The EU pharmaceutical regulations consist of Volumes 1 through 9, with Volume 4 covering Good Manufacturing Practice (GMP). This GMP includes supplementary documents called Annexes. Annex 11, the eleventh chapter, defines regulatory requirements for Computerised Systems.
History of Annex 11 Development
From the 2008 Draft to the Establishment of the 2011 Version
The draft revision of Annex 11 was approved by the GMP/GDP Inspectors Working Group (IWG) in February 2008 and was published for public consultation in April 2008. This 2008 draft consisted of nine pages and was considered to have made regulatory requirements as specific as possible for that time. After collecting public comments until October 31, 2008, it was officially implemented in 2011.
The 2011 version of Annex 11 was structured around four main frameworks: “Principle,” “Personnel,” “Validation,” and “System,” comprising a total of five pages. This version took a conceptual approach with limited practical details. The 2011 version was also adopted by the Pharmaceutical Inspection Co-operation Scheme (PIC/S) with identical content, becoming an international standard applied in over 50 countries worldwide.
The 2022 Concept Paper and Publication of the 2025 Draft
The 2011 version of Annex 11 had been in use for approximately 14 years, during which information technology evolved rapidly. Technological developments that were unpredictable in 2011 occurred, including cloud computing, artificial intelligence (AI), machine learning (ML), mobile health technologies, and cybersecurity threats.
On November 16, 2022, the European Medicines Agency (EMA) and PIC/S published a concept paper on the revision of Annex 11 and solicited comments from the industry. This concept paper outlined the need and direction for revision in 33 points, emphasizing the necessity for regulatory requirements that address the modern technological environment, including data integrity, cloud services, AI/ML algorithms, and cybersecurity.
On July 7, 2025, the long-awaited draft revision was published along with drafts for Chapter 4 (Documentation) and the newly established Annex 22 (Artificial Intelligence). These were subject to joint stakeholder consultation by the European Commission and PIC/S, with public comments collected until October 7, 2025. The final version is expected to be published in mid-2026.
Key Features of the 2025 Draft Version
Significant Expansion
The 2025 draft has expanded from the 2011 version’s five pages to 19 pages, approximately four times larger. The structure has been significantly revised, consisting of eight fundamental principles, 17 sections, and a comprehensive glossary. This expansion reflects not merely an increase in document length but the clarification and specification of regulatory requirements.
Eight Fundamental Principles
The new draft clearly defines the following eight fundamental principles:
1. Lifecycle Management: Computerised systems must undergo qualification and validation before use and be continuously managed throughout their lifecycle.
2. Quality Risk Management: Quality Risk Management (QRM) principles based on ICH Q9(R1) must be applied throughout the system lifecycle.
3. No Risk Increase: Where a computerised system replaces another system or manual operation, there should be no increase in risk to product quality, data integrity, or patient safety.
4. Pharmaceutical Quality System: Regulated users should implement a Pharmaceutical Quality System (PQS) that encompasses computerised systems.
5. Identification and Analysis: Risks associated with the use of computerised systems in GMP activities should be identified and analyzed in a systematic and documented manner.
6. Appropriate Validation: The validation strategy and effort should be determined based on risk assessment.
7. Mitigation: Where applicable, risks associated with the use of computerised systems should be mitigated to an acceptable level.
8. Data Integrity: Quality risk management principles should be used to assess data criticality and implement appropriate controls.
Enhancement of Security and Cybersecurity
One of the most important additions in the 2025 draft is the detailed requirements for cybersecurity. The new Sections 15 and 16 require specific control measures including:
Technical Controls: Technical security controls such as firewalls, antivirus software, patch management, intrusion detection systems, and encryption are required.
Regular Security Assessments: High-risk systems require regular penetration testing.
Incident Response: Security incident response plans and disaster recovery plans must be developed.
Alignment with ISO 27001: Alignment with the international standard ISO 27001 for information security management systems is emphasized.
This enhancement responds to the increasing ransomware attacks and cyber-attacks targeting pharmaceutical manufacturing facilities in recent years. Cybersecurity is no longer merely an IT department issue but is positioned as a core GMP requirement.
New Requirements for Alarm Systems (Section 10)
Requirements for alarm systems, which were not mentioned in the 2011 version, have been added as new Section 10. This includes:
Appropriate definition and approval of alarm settings are required.
Visual and audible signals are necessary when critical alarms occur.
Critical alarms require acknowledgement.
All alarms and acknowledgements must be automatically logged in an alarm log.
Alarm logs must be searchable and sortable.
Alarm logs must be periodically reviewed based on approved procedures.
This addition recognizes the increasing human dependence on alarms in automated manufacturing processes.
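A minimal sketch of an alarm log that meets the Section 10 points listed above, added here as an illustration and not taken from the draft or any vendor system. The class and field names, the instrument tags, and the 10-minute acknowledgement threshold used in the review are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# event is "ALARM" or "ACK"; user is empty for alarms raised by the system itself
LogEntry = namedtuple("LogEntry", "at event alarm_id tag critical user")

class AlarmLog:
    def __init__(self):
        self._entries = []  # append-only: no update or delete method is exposed

    def raise_alarm(self, tag, critical, at):
        alarm_id = 1 + len(self.search(event="ALARM"))
        self._entries.append(LogEntry(at, "ALARM", alarm_id, tag, critical, ""))
        return alarm_id

    def acknowledge(self, alarm_id, user, at):
        src = self.search(event="ALARM", alarm_id=alarm_id)
        if not src or not user:
            raise ValueError("unknown alarm or unattributed acknowledgement")
        self._entries.append(LogEntry(at, "ACK", alarm_id, src[0].tag, src[0].critical, user))

    def search(self, sort_by="at", reverse=False, **criteria):
        # Searchable on any field, sortable on any field
        hits = [e for e in self._entries
                if all(getattr(e, k) == v for k, v in criteria.items())]
        return sorted(hits, key=lambda e: getattr(e, sort_by), reverse=reverse)

    def review(self, max_delay=timedelta(minutes=10)):  # threshold is an assumption
        # Periodic review: critical alarms never acknowledged, or acknowledged late
        first_ack = {}
        for e in self.search(event="ACK"):
            first_ack.setdefault(e.alarm_id, e.at)
        findings = []
        for a in self.search(event="ALARM", critical=True):
            acked = first_ack.get(a.alarm_id)
            if acked is None:
                findings.append((a.alarm_id, "unacknowledged"))
            elif acked - a.at > max_delay:
                findings.append((a.alarm_id, "acknowledged late"))
        return findings

def sample_log():  # constructed sample data, minutes after 08:00 UTC
    m = lambda n: datetime(2025, 7, 7, 8, n, tzinfo=timezone.utc)
    log = AlarmLog()
    a1 = log.raise_alarm("TT-101", True, m(0))
    log.acknowledge(a1, "op1", m(2))
    log.raise_alarm("PT-205", True, m(5))        # never acknowledged
    a3 = log.raise_alarm("TT-101", True, m(10))
    log.raise_alarm("LT-300", False, m(15))      # non-critical, no acknowledgement needed
    log.acknowledge(a3, "op2", m(40))            # 30 minutes after the alarm
    return log
```

Calling `sample_log().review()` returns the two critical alarms a reviewer would have to follow up on.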
Supplier and Service Management (Section 8)
Section 8 has been significantly expanded in response to the increasing use of cloud service providers and external service providers.
Clarification of Responsibility: Even when outsourcing services, regulated users retain full responsibility. Responsibility cannot be delegated externally.
Supplier Audits: Audits may be required when relying on a supplier’s or service provider’s qualification.
Contractual Controls: Contracts with suppliers and service providers must include clear clauses to ensure compliance with GMP requirements.
Continuous Monitoring: The performance of suppliers and service providers must be continuously monitored.
Handling of Data (Section 12)
The importance of data integrity has been emphasized, and Section 12 has been expanded.
Manual Data Plausibility Checks: Mechanisms to verify the plausibility of manually entered data are required.
Validation of Data Movement: Data movement between systems must be validated.
Encryption: Where appropriate, data encryption is required.
Data at Rest and Data in Motion: Controls are required for both “data at rest” (stored data) and “data in motion” (transmitted data).
Requirements for Chapter 13 “Printouts”
Chapter 13 on “Printouts,” which was already noted in the 2008 draft, maintains an important position in the 2025 version. The current draft clarifies the following requirements:
“Printouts should indicate whether any changes have been made to the data since original entry. In the case of complex systems, it may be necessary for inspectors to have online access to and be able to investigate the system’s electronic records (e.g., database, chromatographic data, process control data, etc.).”
This requirement strongly suggests that regulatory authorities intend to conduct inspections using electronic records rather than paper media. Regulatory authorities clearly recognize that printouts alone cannot confirm complete data integrity.
Relationship with US FDA Part 11
Lessons from the Typewriter Excuse
In the United States, 21 CFR Part 11 (Electronic Records; Electronic Signatures) took effect in 1997. After the implementation of Part 11, a problem known as the “Typewriter Excuse” arose. This stemmed from pharmaceutical companies making the following claims:
“The true record is the paper record. We are simply using computers to create records.”
The FDA clearly countered this argument: “Printouts cannot be inherently trusted because they do not contain the metadata information necessary to reconstruct the data or reproduce it from raw data.”
In other words, printouts lack metadata information such as audit trails, and if regulatory authorities conduct inspections using paper media, they cannot confirm whether alterations have been made.
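The printout requirement quoted from Chapter 13 and the metadata argument above, as an added example that is not code from the draft or from the FDA: two constructed records end at the same value, so a bare printout cannot tell them apart, while a printout derived from the audit trail states whether the data changed since original entry. Record fields, user names, and values are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class AuditEntry:
    at: str                 # ISO 8601 timestamp
    user: str
    old: Optional[str]      # None marks the original entry
    new: str
    reason: str

@dataclass
class Record:
    record_id: str
    name: str
    trail: List[AuditEntry] = field(default_factory=list)

    def enter(self, user, value, at):
        if self.trail:
            raise ValueError("original entry exists; use change()")
        self.trail.append(AuditEntry(at, user, None, value, "original entry"))

    def change(self, user, value, reason, at):
        if not self.trail or not reason.strip():
            raise ValueError("change needs an original entry and a reason")
        self.trail.append(AuditEntry(at, user, self.trail[-1].new, value, reason))

def bare_printout(rec):
    """What paper alone carries: the current value, no metadata."""
    return f"{rec.record_id} {rec.name}: {rec.trail[-1].new}"

def printout(rec):
    """Printout that states whether the data changed since original entry."""
    lines = [bare_printout(rec)]
    changes = rec.trail[1:]
    if not changes:
        lines.append("No changes since original entry")
    else:
        lines.append(f"CHANGED SINCE ORIGINAL ENTRY ({len(changes)} change(s))")
    for e in changes:
        lines.append(f"  {e.at} {e.user}: {e.old} -> {e.new} ({e.reason})")
    return "\n".join(lines)

def sample_records():
    """Constructed sample: two results that end at the same value."""
    clean = Record("B-001", "pH")
    clean.enter("analyst1", "7.2", "2025-07-07T08:00:00Z")
    edited = Record("B-001", "pH")
    edited.enter("analyst1", "9.8", "2025-07-07T08:00:00Z")
    edited.change("analyst1", "7.2", "transcription error", "2025-07-07T09:30:00Z")
    return clean, edited
```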
Challenges with Hybrid Systems
In many cases, so-called hybrid systems are operated. A hybrid system refers to creating records electronically and signing on paper media.
In this case, electronic records must not be deleted just because approval was given on paper media. This is because it could be judged that altered data was printed, approved, and then the evidence was destroyed.
Indeed, the FDA has issued Warning Letters for systems that deleted electronic records after printing. This is considered an extremely serious violation from a data integrity perspective.
The 2025 Annex 11 draft reflects a thorough study of the discussions between US regulatory authorities and pharmaceutical companies and incorporates these lessons. While the use of hybrid systems is permitted, strict documentation management, procedural management, traceability assurance, and data integrity maintenance are essential conditions.
Alignment with FDA Computer Software Assurance (CSA)
The 2025 draft also aligns with the Computer Software Assurance (CSA) guidance published by the FDA in 2022. CSA evolves the traditional Computer System Validation (CSV) approach into a more risk-based and efficient approach.
Under CSA, validation efforts are adjusted according to the risk that software poses to quality. Rigorous scripted testing is required for high-risk functions, while low-risk tools can be qualified with supplier documentation and unscripted testing.
Alignment with International Standards
ICH Q9(R1) Quality Risk Management
The 2025 draft strongly aligns with ICH Q9(R1) “Quality Risk Management,” revised in 2023. ICH Q9(R1) is an internationally harmonized guideline on quality risk management for pharmaceuticals and recommends applying a risk-based approach throughout the lifecycle.
GAMP 5 (Second Edition)
GAMP 5 (Good Automated Manufacturing Practice), published by the International Society for Pharmaceutical Engineering (ISPE), is an industry standard for a risk-based approach to GxP computerised systems. The 2025 draft was developed with consideration for alignment with the second edition of GAMP 5 (published in 2022).
Citations from OECD GLP Documents
Interestingly, the 2025 draft contains numerous citations from Good Laboratory Practice (GLP)-related documents issued by the Organisation for Economic Co-operation and Development (OECD). In particular, OECD GLP 25 “IT Security,” published in 2024, serves as the basis for more than 10 clauses in Annex 11 Sections 15 and 16. Additionally, OECD GLP 17 “Computerised Systems” is the source for nine definitions in the Annex 11 glossary.
However, since GLP and GMP have different application contexts, there is room for discussion regarding the appropriateness of integrating GLP requirements directly into GMP.
ISO 27001 Information Security Management
Requirements for cybersecurity explicitly consider alignment with the 2022 version of ISO 27001 (Information Security Management Systems). ISO 27001 is an internationally recognized standard for managing information security risks.
Collaboration with PIC/S and International Harmonization
The revision of Annex 11 has been conducted under close cooperation with PIC/S. The EMA and PIC/S jointly developed the draft and jointly solicited public comments. This is expected to result in unified standards being applied not only in EU member states but also in over 50 countries participating in PIC/S.
PIC/S includes many important pharmaceutical regulatory authorities such as those in Japan, South Korea, Australia, New Zealand, Canada, Switzerland, and Singapore. Therefore, the revision of Annex 11 has global implications.
The revised PIC/S version is expected to be adopted around September 2026, following the publication of the EU final version. This is expected to further advance international regulatory harmonization.
Industry Impact and Preparation Requirements
Conducting Gap Analysis
Gap analysis should be conducted to compare current computerised systems and risk controls with the new structure of the 2025 draft. Particular attention should be paid to the following areas:
Cybersecurity controls (firewalls, patch management, antivirus, penetration testing), alarm system design and management, supervision of suppliers and service providers, data integrity management (ALCOA+ principles), audit trail management and periodic reviews, appropriate management of hybrid systems, and use of cloud services and AI/ML systems.
Updating Standard Operating Procedures (SOPs) and Quality Management Systems (QMS)
SOPs for Computer System Validation (CSV), Quality Management Systems (QMS), and supplier contracts need to be updated to address new requirements. In particular, the following documents require review:
Validation plans and protocols, risk assessment documents, supplier qualification procedures, change management procedures, security and access management procedures, and audit trail review procedures.
Developing Training Programs
Awareness and training workshops focusing on new requirements should be planned. All stakeholders (IT departments, quality assurance departments, manufacturing departments, engineering departments) need to understand and be able to implement the new requirements.
Preparation for Final Version Publication
While the final version is expected to be published in mid-2026, typically a transition period (usually 12-18 months) is provided after the final version is published. However, starting preparations early enables effective use of the transition period and smooth implementation.
Essential Importance of Data Integrity
At the foundation of the Annex 11 revision is the fundamental purpose of ensuring data integrity. The ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) are emphasized as fundamental principles for electronic record management.
Regulatory authorities take data integrity deficiencies extremely seriously. In recent years, numerous Warning Letters have been issued for data integrity violations, and in some cases, manufacturing suspension orders or product recalls have occurred.
Electronic records and computerised systems are no longer merely tools for operational efficiency. They must be recognized as GMP-controlled assets that form the core of product quality, patient safety, and regulatory compliance.
Conclusion: Responding to Change and Continuous Improvement
The 2025 draft revision of EU GMP Annex 11 provides a comprehensive and modern regulatory framework that reflects the reality of pharmaceutical manufacturing in the era of digital transformation. From the 2008 draft through the 2011 established version to the significant revision in 2025, Annex 11 has evolved to reflect technological advancement and accumulated regulatory experience.
This revision is not merely an increase in regulatory requirements but aims to provide clearer, more specific, and more effective guidance. Requirements addressing the modern technological environment, including cloud computing, AI/ML, and cybersecurity, are incorporated.
For the industry, this revision is both a challenge and an opportunity. By starting preparations early, conducting gap analysis, and updating systems and procedures, a comprehensive system can be established for the final version publication in 2026.
Additionally, by reflecting the industry’s voice during the public comment period, it is possible to contribute to the creation of a more practical and implementable final version. Constructive dialogue between regulatory authorities and the industry is key to building an effective regulatory framework.
Through collaboration with PIC/S, this revision is expected to promote international harmonization and provide a more consistent regulatory environment for globally expanding pharmaceutical companies.
Most importantly, rather than viewing Annex 11 requirements as merely a compliance checklist, organizations should use them as an opportunity to embed a culture of data integrity and quality assurance throughout the entire organization. While technology continues to evolve, the fundamental principles of data reliability, product quality, and patient safety remain constant.
From 2026 onward, a new era of more robust, secure, and data-driven pharmaceutical manufacturing is expected to arrive under the new Annex 11.