Annex 11 Changes: From Interpretive to Prescriptive

Introduction

EU good manufacturing observe (GMP) Annex 11 regulation on computerized methods has been efficient since 1992.¹ Following the info falsification uncovered at Ready Laboratories in 2005,² many information integrity (DI) points involving computerized methods have been uncovered throughout inspections.

In 2008, a proposed replace to Annex 11 to bolster DI controls was issued for trade remark.³ The revised model was issued in 2011⁴ together with an up to date EU GMP Chapter 4 on documentation.⁵ EU Annex 11 and Chapter 4 are additionally a part of Pharmaceutical Inspection Conference Scheme (PIC/S) GMP, which might be relevant in international locations comparable to Japan, South Korea, Australia, New Zealand, and many others.

In 2022, an idea paper on the revision of Annex 11 was issued by the European Medicines Company (EMA) and PIC/S for trade remark,⁶ and in July 2025, the revised variations of Annex 11 and Chapter 4 have been issued for stakeholder feedback.⁷ On the identical time, a brand new Annex 22 on synthetic intelligence (AI) was additionally issued for stakeholder remark.⁷ We is not going to be discussing Annex 22 right here.

This text gives detailed analyses of Annex 11 revision and the relevant clauses of Chapter 4 that influence computerized methods. The detailed dialogue on this article consists of:

One of many main issues with the revision is that it isn’t straightforward to map to the present model of the regulation. Sections seem to have been chosen by pulling names out of a hat.  

Why talk about Chapter 4 on documentation?

As famous above, Annex 11 and Chapter 4 are revised in parallel. The rationale is:

To Totally Perceive Annex 11, You Should Perceive Chapter 4.

What’s the rationale for needing to grasp the implications of Chapter 4 on Annex 11? The clue is within the chapter title: Documentation. This consists of danger administration, digital information, plus the underlying information/metadata, DI, information governance, ALCOA++ standards, grasp paperwork, hybrid methods, signatures on GMP paperwork and file retention.

Determine 1: Relationships between Annex 11 (computerized methods), Chapter 4 (documentation), Annex 15 (qualification and validation) and Chapter 7 (outsourced actions). Credit score: Bob McDowall.

Contemplating the 2 laws individually signifies that you miss the large image proven in Determine 1. Due to this fact, this important evaluation of the revised Annex 11 will embrace acceptable sections of Chapter 4 as computerized methods create, interpret, report and retailer regulatory paperwork, information and information. Sections of each paperwork not mentioned are proven in purple in Determine 1. Readers should additionally bear in mind that there are necessities in Annex 15 on qualification and validation⁸ and Chapter 7 on outsourced actions⁹ that influence each Annex 11 and Chapter 4, additionally proven in Determine 1. We are going to solely talk about related clauses the place relevant. Nevertheless, there’s a must have extra cross reference to relevant elements of EU / PIC/S GMP within the revision of Annex 11 than exists at the moment. For instance, Part 3 of the New Annex 11 is about pharmaceutical high quality system (PQS) however doesn’t point out Chapter 1.¹⁰

Naming conference: Clauses of the present Annex 11 might be A11 X and the brand new model as New X.Y. An analogous strategy is taken with Chapter 4: C4.X and New X.

Laws: black, white or fifty shades of gray?

Laws ought to be easy. The brand new draft has 111 clauses⁷ and is kind of stringent and detailed attempting to keep away from interpretation by regulated customers, whereas the present model is straightforward and desires interpretation.⁴ Linked carefully with Annex 11 is the replace to Chapter 4, which has ballooned from 32 to 85 clauses.⁷ These are paradigm adjustments.

Laws ought to observe this strategy:

1. Laws ought to outline What needs to be carried out.
2. Every firm interprets and decides How the laws might be applied.
3. Regulators examine to evaluate compliance with the laws: How = What?

Nevertheless, with the revision of Annex 11 and Chapter 4 there are numerous clauses that state How to conform reasonably than state What ought to be carried out.

Why are regulators attempting to inform us work?

The revision typically mandates comply; this regulatory overreach is illustrated in New 11.5:

… passwords ought to … include a mix of uppercase, lowercase, numbers and symbols.⁷

This goes above and past what ought to be in a regulation and raises a query: how is that this supposed to extend safety?

Moreover, password complexity is NOT a finest IT observe. Nationwide Institute of Requirements and Know-how (NIST) Particular Publication (SP) 800-63B (2017)¹¹ and the July 2025 replace¹² talk about passwords intimately:

• Appendix A Strengths of Passwords: Reviewing password complexity: analyses of breached password databases reveal that the advantage of such guidelines is much less important than initially thought, and the impacts on usability and memorability are extreme.¹²
• Part 3.1.1.1:

            o  Passwords SHALL both be chosen by the subscriber (consumer).

            o   1. … passwords which might be used as a single-factor authentication mechanism             to be a minimal of 15 characters in size. 
            A consumer ought to have the ability to choose their very own password.

            o   5. … SHALL NOT impose different composition guidelines (e.g., requiring

            mixtures of various character sorts) for passwords.

            o   6. … SHALL NOT require … to alter passwords periodically.
            Nevertheless, verifiers SHALL power a change if there may be proof that the             authenticator has been compromised.

            o   The whole password SHALL be topic to comparability, not substrings or             phrases that is perhaps contained therein (towards a block checklist).¹²

See additionally the article on passwords,¹³ which discusses the 2017 model of NIST SP800-63B. 

Utah Medical vs FDA court docket case

That is an instance of a regulator telling an organization qualify tools and validate software program. In 2005, FDA (Meals and Drug Administration) versus Utah Medical court docket case centred on the corporate’s strategy was totally different to FDA’s required strategy. The choose said: Many roads result in Rome.¹⁴ FDA asserted that Utah Medical ought to adjust to the 21 CFR 820 laws in a way passable to the FDA. The choose said that laws are:

• … common and versatile in order to cowl a broad spectrum of merchandise and actions, …
  Much like the A11.
• … have the advantage of generality and the vice of imprecision.¹⁴
  Not black or white however fifty shades of gray relying on circumstances of a person firm comparable to measurement and the merchandise being manufactured: strong dosage varieties or superior remedy medicinal merchandise (ATMP). That is danger administration in observe, as one measurement not often suits all.
• The choose discovered for Utah Medical as the corporate was answerable for their tools and software program, regardless that they didn’t observe what was mandated by FDA.¹⁴ For additional particulars, see the article by Burgess and McDowall.¹⁵

A lesson learnt?

Is there a lesson that may be discovered from the replace of Annex 1 (Manufacture of Sterile Medicinal Merchandise)?¹⁶ This replace, which got here into impact earlier than Annex 11, additionally ballooned in measurement to 59 pages and comprises an excessive amount of element. Though high quality danger administration (QRM) is included firstly into the scope, it doesn’t present the chance for impartial risk-based implementation, which has led to diverse interpretation of “required” language by international well being authorities and by international producers. In observe, some international regulators usually are not amenable to risk-based approaches (e.g., bracketing).

Annex 11 revision seems to be as whether it is going the identical method. Stakeholder suggestions might be essential right here.

Idea paper on the revision of Annex 11

The idea paper on the revision of Annex 11⁶ contained 33 subjects for consideration when updating the regulation and requested trade suggestions. Desk 1 maps the areas within the idea paper towards the clauses in New Annex 11.

Two key omissions are:

• Digitalization and technical controls over handbook processes. Given the transfer to digital transformation below Pharma 4.0,¹⁷ it is a missed alternative. This omission is compounded by 21 references to hybrid methods throughout the 2 updates.
• Cloud service suppliers (CSP) usually are not given the visibility they deserve, in distinction with the FDA steering on digital methods, digital information and digital signatures in scientific investigations: questions and solutions,¹⁸ EMA guideline on computerised methods and digital information in scientific trials¹⁹ and OECD GLP (good laboratory observe) 17 complement 1 on GLP & Cloud Computing.²⁰

Desk 1: Comparability of 2022 Idea Paper with New Annex 11 2025

^a For disposal of information see chapter 4.79

^b Integrated in chapter 4.13

^c Additionally thought of in chapter 4.76
^d See Annex 22 (out of scope of this text)

Gone, however not forgotten?

In New Annex 11, present key necessities from the present model have been omitted:

• A11 Precept: … IT infrastructure ought to be certified.
  That is an abysmal omission as questions have been raised already: as this has been omitted from the draft, given the prescriptive nature of the doc, I don’t must qualify my infrastructure anymore? That is equal to constructing a home with out foundations; see our feedback below part 2.
• A11 3.4 Audit info of suppliers
  Availability of provider high quality system and audit info ought to be made obtainable to inspectors on request is now not in New Annex 11.
• A11 4.3 Stock and system description
  The stock of methods and system description for important methods are omitted – why? These are important omissions, as you want a listing of methods for asset administration in addition to regulatory compliance. After a system danger evaluation, ALL computerized methods might be listed in an up-to-date stock in order that objects which might be non-GMP tools, devices or methods in a GMP-area are correctly recognized and labelled Not for GMP use.
• A11 4.7 Automated check instruments
  … Automated testing instruments and check environments ought to have documented assessments for his or her adequacy. Given the rise of validation administration instruments since 2011, this paragraph ought to have been expanded and enhanced, not dropped. It additionally gives justification for not validating automated check instruments, as some suppliers state these have to be validated, however documenting them for adequacy.

o   There’s a point out of utilizing a instrument for traceability in New 6.5 however it’s inadequate given the present availability of lifecycle instruments.

o   Nevertheless, out of nowhere in New 4.23 and 4.25 there are mentions of computerized validation scripts,⁷ these usually are not equal to the usage of automated check instruments.

o   There have to be a piece discussing regulatory necessities about instruments supporting GxP/GMP actions comparable to automated testing instruments and validation administration methods nevertheless it have to be in Annex 11 not in Chapter 4.

• A11 4.8 Information migration
  If information are transferred to a different information format or system, validation ought to embrace checks that information usually are not altered in worth and/or which means throughout this migration course of.⁴
  New 10.3 has a clause on information migration, however doesn’t cowl the alteration in worth and/or which means.
• A11 8 Printouts
  These are now not required throughout an inspection, the emphasis is on e-records. A change for the great.
• A11 13 Incident administration
  IT incidents and issues are key inputs for periodic critiques. Once more, one other important omission from the revision.
• A11 15 Batch launch
  Launch of batches by a certified individual (QP) utilizing an digital signature is omitted however that is lined in Annex 16.²¹ In New Annex 11, it’s changed by a requirement to permit a QP entry to audit path entries. Good luck with that! A QP ought to at all times have entry to all information and knowledge related to the batch, the place vital they carry out a assessment with the assistance of skilled(s).
• Glossary
  Course of and system house owners are deleted: this avoids allocation of tasks. Moreover, IT incidents and issues usually are not outlined nor are IT adjustments. Glossaries are mentioned later on this article.

Regulatory plagiarism?

It’s déjà vu once more with a few of the clauses in each Annex 11 and Chapter 4.  The place have they arrive from? See Determine 2.

• An info safety administration system (ISMS) below ISO 27001 turns up once more in New 15.1. An upper-case ISMS was proposed within the 2008 replace of Annex 11³ and rejected by the trade however makes an unwelcome lower-case return.⁷ Second time fortunate? Mentioning this means that an ISO 27001 ISMS²² ought to be applied and licensed, which can be not possible for small regulated customers.
• PIC/S PI-041²³ gives enter to many sections to Chapter 4. This isn’t stunning as part 3.7 of PIC/S PI-041 states This information isn’t necessary or enforceable below regulation.²³ What you see is a distillation of key elements of PIC/S PI-041 steering into regulation, e.g., management of clean varieties is in steering paperwork and is included in Chapter 4 to grow to be a regulation.⁷ Ideally, it is advisable to digitalize processes to eliminate paper.
• WHO’s TRS 1033 Annex 4 DI steering from 2021²⁴ gives some enter to New Chapter 4.
• The most important copy and paste supply is from a GLP doc: OECD GLP 25 on IT safety,²⁵ revealed in late 2024, which will be mapped fully or partly to 10 clauses in Annex 11 Part 15 and 5 clauses of Part 16, that are copied both verbatim or with minor modifications (see Desk 2 for the instance for anti-virus software program). Contemplating the totally different context inside GxP, the query is whether or not it’s useful to push and combine GLP necessities and definitions into GMP? The reply is exterior of our dialogue on this article.
• OECD GLP 17 on Computerised Techniques is the verbatim supply for 9 of the entries within the New Annex 11 glossary.²⁶ A word to the authors, copy and paste is nice however the definition for COTS software program nonetheless comprises the GLP time period check facility administration (TFM). Doh!
  The issue with COTS is that the time period isn’t per GAMP 5 SE.²⁷ We are going to talk about COTS later on this article.

Determine 2: Enter sources to the proposed revision of Annex 11 and Chapter 4. Credit score: Bob McDowall.

Desk 2: Sections on anti-virus software program from OECD GLP No 25 and New Annex 11

Observe: phrases not matching are in italic font and underlined.

Part 2 precept

As talked about earlier, the next ten phrases have to be retained on this part:
The applying ought to be validated; IT infrastructure ought to be certified.

This clearly encapsulates the essence and one of many key necessities of Annex 11. Omission within the launched model can be an abrogation of obligation by EMA and PIC/S.

• 2.2 High quality danger administration
  Part 4 is on QRM and refers to ICH Q9 (R1).²⁸ QRM is repeated in New 4.3, 6.2, 7.2 and 9.2, which agree that the extent of efforts for system validation ought to be outlined based mostly on the system danger evaluation and the supposed use. QRM is parroted all through each revisions when all that’s required is a single point out.
• 2.4. Information integrity
  DI is mentioned in sections 10, 11, 12 and 13. The enlargement is to Safety and information retention.
  New 2.4 mentions ALCOA+, whereas the proposed revision of Annex 11 lacks the dialogue of this precept. There may be additionally a foul day on the coordination workplace as Annex 11 mentions  ALCOA+ and New 4.63 ALCOA++ with the emphasis on traceability, just like the replace to USP <1029> on Good Documentation Tips and Information Integrity.²⁹ This disconnect is carried by way of to the Glossaries in each paperwork, as we critically assessment later.
• 2.6. Outsourced actions
  Part 7 explains the qualification necessities for vendor, service supplier and inner IT, nonetheless it lacks any clause on cloud providers. Use of cloud was a motive for the Annex 11 replace, as said within the idea paper and the New Annex 11.^6,7
• 2.8. No danger improve
  The assertion within the New Annex 11, The place a computerised system replaces a handbook operation, …  There ought to be no improve within the total danger of the method, is prolonged to incorporate alternative of 1 system by one other. That is the second key requirement of Annex 11 since 1992. Why has it been relegated to the again part of the precept, as a substitute of preserving it as a foremost precept?

The precept will be condensed drastically as a result of a lot of the content material is repeated later within the doc.

Part 3 pharmaceutical high quality system (PQS)

Why repeat what’s already in Chapter 1 PQS¹⁰ and Chapter 9 self-inspections³⁰ in clauses 3.1 i and three.1 iii? Why create repetition and redundancy? Cross reference can be higher.

Clause 3.1 ii covers adjustments to a computerized system, nonetheless A11 10 has a separate part and heading which highlights the significance of Change and Configuration Administration which is hidden within the replace.

A very good level is the reinforcement of the function of administration within the implementation and operation of computerized methods in New 3.1 iv and v.

BUT, there isn’t any level having administration in control of computerized methods in the event that they don’t perceive them. Tender Company and Stason Pharma have been cited in FDA warning letters^31,32 for lack of senior administration and high quality assurance oversight of computerized methods, for additional studying see the evaluation of those two warning letters.³³

We recommend incorporating these in part 5 personnel and coaching however reverse the order of those two sections to reinforce the tasks of administration and their coaching.

Part 4 danger administration

A11 1 on danger administration may be very easy: apply danger administration all through the lifecycle.⁴ This may be interpreted as vital relying on the chance posed by the system and the required controls to make sure the integrity of the info.  

In part 4, we’ve got 5 clauses going into element on lifecycle identification and evaluation, acceptable validation, mitigation and DI. As well as, 4.5 of New Annex 11 mentioned information vulnerability below DI. Our suggestion is to rephrase the subtitle into Information danger to remain per New Chapter 4 (4.13) and PIC/S PI-041 part 5.5.²³ Alternatively, file danger is a greater phrase. As mentioned earlier, QRM or danger administration is referred to 10 occasions in New Annex 11, which is an excessive amount of and too detailed.

Take A11 clause 1⁴ and add enterprise functionality or course of understanding because the fourth danger criterion and reference to ICH Q9(R1)²⁸ is all that’s required. 

Part 5 personnel and coaching

New 5.2 talked about … ample system particular coaching … Together with the GMP consciousness, coaching on information safety rules is a requirement as said in New 15.3 and is per part 5.3.2 of OECD GLP 17 complement 1.²⁰

Nevertheless, there isn’t any point out of any evaluation of competence or understanding. Competence must be ensured by totally different selections, e.g., utilizing a questionnaire³⁴ or simulated checks for cybersecurity (New 15.3). Once more, the latter choice in New 15.3 centred on How to do, not What to be achieved.

To seek out any coaching evaluation, it is advisable to go to New 4.45 (vi) … verification of the effectiveness of coaching. Nevertheless, EU / PIC/S GMP Chapter 2 clause 2.11 on coaching states that its sensible effectiveness ought to be periodically assessed.³⁵

The 2 clauses on the function of administration ought to be positioned right here, as talked about in Part 3 of this text. Don’t neglect that administration want coaching too, particularly on the implementation and validation of computerized methods!

Part 6 system necessities

A11 4.4 merely states:

Person Necessities Specs (URS) ought to describe the required features of the computerised system and be based mostly on documented danger evaluation and GMP influence. Person necessities ought to be traceable all through the life-cycle.⁴

A easy and straightforward to grasp clause: you want a URS and any additional specification paperwork to adequately outline the supposed use of the system. A URS is crucial doc in any validation undertaking because it defines the supposed use; no URS, no validation. Necessities ought to be traceable – the technique of how to do that is left open.

Nevertheless, each the prevailing and New part 6 don’t state supposed use coupled with underlying course of understanding and, the place acceptable, enchancment.

New Annex 11 has 6 clauses to explain doc consumer necessities, utility configuration and mandates a traceability matrix. All you want is a approach to show traceability – how that is achieved is as much as a regulated consumer. Traceability from the URS must also embrace SOPs, provider evaluation, set up and commissioning by a provider in addition to a validation abstract report (VSR). 

A very good VSR is important as it’s the place to begin for regulatory inspections as per clause 23.10 of PIC/S PI-011.³⁶ BUT a VSR isn’t outlined in GMP laws. Part 9 of New Annex 11 is poor as there isn’t any formal mechanism for system launch discussing the general validation – warts and all – by not concealing any issues encountered in a undertaking. Due to this fact, a VSR ought to be outlined in Annex 11.

A very good level that has been added is that consumer necessities reside paperwork and have to be up to date however model managed (New 6.4). As data of the system develops or extra features are used, the URS and different specs have to be up to date, with consequential knock on to different validation paperwork as vital, e.g., check scripts.

Configuration of an utility is essential and have to be prospectively specified and documented in a separate configuration specification (New 6.6), relying on system complexity. Nevertheless, the issue with New Annex 11 is that configuration can refer to 2 areas:

• Software configuration: the technical management settings to make sure DI and information safety, e.g., definition of consumer roles with entry privileges. Prototyping will help refine each consumer necessities and configuration settings.
• System configuration: an inventory of all elements of a system, comparable to digital or bodily pc system, information storage, peripherals, working system, utilities, middleware, database and utility. 

Each are important for change management. Nevertheless, the Glossary of the New Annex 11 solely refers to system configuration below the time period configuration.⁷

Part 7 provider and repair administration

That is expanded from A11 3 and now consists of 5 clauses. How a lot overlap is there with Chapter 7 on outsourcing? ⁹ A very good level in New 7.1 is that the duty and accountability stays with the regulated consumer of service suppliers, together with the corporate’s IT Division. New 9.9 reiterates this level below Authorisation.

Provider evaluation is now an audit or a radical evaluation in New 7.2, reasonably than a necessity for an audit ought to be based mostly on a danger evaluation. It seems that evaluation questionnaires are consigned to the spherical submitting cupboard of historical past as ineffective? See the article on number of a CSP³⁷ to separate clouds from clods.

Necessities for contracts are very detailed in New 7.5 and seems as a “how-to write a contract” instruction. There may be not a particular or detailed part on cloud computing which is barely talked about in passing. 

There’s a disconnect in New part 7 relating to the requirement on service degree agreements (SLA):

·         New 7.3 describes the extent of oversight by way of defining SLA and key efficiency indicators (KPI) for service supplier or an inner IT division,