EMA Issues Revised Annex 11, New Annex 22, And Associated Documents On Data Governance

By Peter H. Calcott, Ph.D., FRSC, president and CEO, Calcott Consulting LLC

The EMA issued three new draft documents in a consultation recently (July 7, 2025), all related to the advancement of the use of electronic technology in the regulated world, particularly GMP.¹ Two are revisions of established documents and one is a brand-new document. Comments are welcome until October 7, 2025. The three documents include:

1. A new annex on artificial intelligence (AI), Annex 22
2. An expansion and update to Annex 11, computerized systems
3. A comprehensive rewrite of Volume 4 Part 1 Chapter 4 on documentation

With the advent and expansion of the use of electronic systems in the pharmaceutical industry, there has been a need to update Annex 11, which was initially issued in 2011. At the time, the annex was relatively short at five pages. This new draft, out for comment, has expanded to 19 pages. There have been expansions in the number of topics as well as the scope of each section. While the FDA was quicker to issue its equivalent guidance (21 CFR Part 11) in 2003, it too is the subject of a revision, but the agency has not issued anything yet. With these changes, the original section of the GMPs on documentation is also in need of modernization and expansion: in this case from nine to 17 pages. AI is another area that is beginning to make inroads in the industry. Both the FDA and EMA are wrestling with this technology and are active in this area. This new draft annex, at six pages, is the first significant foray into the AI regulation arena for the EMA – and I forecast this will not be the last on this topic. The interrelationship of the three documents is shown in Figure 1.

Figure 1: Relationship of the three new documents

Key Highlights/Takeaways Of Annex 22 On AI

The new annex on AI (Annex 22) sets the stage for EMA’s views on the technology. From the opening paragraphs it is very clear the annex applies only to static models of AI to be used in GMP systems that could impact the safety, efficacy, and quality of the end product. That is, it applies to systems employing AI that do not change after construction and learning. In the development stage of the application, we might use machine learning to create the system’s functionality, but after it is complete it does not continue to learn. These, the annex states, can be used in GMP critical applications. Of course, the beauty of AI is that it is possible to develop a system that continues to learn and adjust to new data it experiences. The EMA is clear on these adaptable systems: they “are not covered by this document and should not be used in critical GMP applications.” Further, “the document does not apply to generative AI and large language models (LLM), and such models should not be used in critical GMP applications.”.

That said, the regulator continues to state that if those latter systems are used, they should only be used in noncritical GMP applications that do not have direct impact on patient safety, product quality, and data integrity. If they are used under these circumstances, the systems should be qualified and under direct control of qualified personnel who have the final say on outputs. The annex uses the phrase human in the loop (HITL) for this requirement. The principles applicable to the static systems should be considered and incorporated as appropriate. I predict that after enough experience is gained in the application of Annex 22’s principles, the more dynamic systems will be incorporated in the future, because we are also still learning.

The structure of this annex takes on a predictable form focusing on the underpinning of the security and predictability of the system. People should be skilled in understanding potential ramifications, documentation should be complete, and quality risk management techniques should be used. The central principle in this annex is very similar to the techniques we use to implement computer-based systems. There is a heavy emphasis on user requirements and establishing that the system meets these requirements. This can be accomplished by subdividing functions and tasks that can be individually assessed and then assessed again as a whole. Where we have HITL, the responsibilities of these humans should be defined so their decisions are clear and defendable.

Sections on acceptance criteria, test data, and its independency are defined, and key points include the following.

• Assure that the acceptance criteria and test metrics generate a system as good as the system it is replacing.
• Criteria for “accept and reject” should be clear and defendable.
• Test data should represent the full spectrum of experience, not a subset.
• Any elements of data “manipulation” (data processing, exclusion, etc.) should be verified to assure no bias.
• Data used for the system to learn should be separate and separated from data used to test the system.
• Above all, documentation of what was done should be comprehensive.

Sections on test execution, explainability, confidence, and operation assure that the end product is fully justified. As with any validation activity it is critical to define the plan and to control and minimize change in the execution. Test plans should be followed with deviations recorded and justified. The use of modern techniques like SHAP values (SHapley Additive exPlanations), LIME (local interpretable model-agnostic explanations), and heat maps should be used to describe the interplay of parameters and reliability of the decisions emanating. Of course, good documentation is essential. Confidence in the decisions is essential and, again, modern techniques of confidence scoring and threshold analysis give measure of the validity and robustness of the outputs. During the execution of the scripts and data processing there must be adherence to good change control as well as requiring configuration control. Deviations should be documented and investigated thoroughly and their impact assessed. The system should be monitored to assure it is performing as predicted and that the data is still within the defined parameters, with robust ranges of the defined testing areas as predicted. Any use of the outputs by humans for decisions should be fully documented and defendable.

A useful glossary is included.

Key Highlights/Takeaways From Annex 11 On Computerized Systems

An offshoot of Annex 22 is the need to update Annex 11 to modern thinking. While substantial parts of this annex are unchanged, there are significant additions and adjustments that I will focus on. In the introduction, there are references to life cycle management, data integrity, and outsourced activities. The sections on data integrity are also expanded to modern ICH Q9 principles.² Even cloud services are referenced.

A new section (Pharmaceutical Quality Systems) fully integrates the computer world into the GMPs, putting these systems in the same categories of physical operations. The standard approach in industry (GAMP5)³ to computer-based systems selection and implementation is embraced in sections on system requirements, supplier and service management, and qualification and validation

Configuration of systems is a critical element and the annex describes criteria for alarm setting and operation, access and identity management, audit trails, electronic signatures, and security. In operation, data input and verification, periodic reviews, backup, and archiving are included and are comprehensive. Interestingly, I did not see any reference to time management – assuring the date stamps on data are accurate. They are generally acceptable for web-based or SAAS systems, but on several audits, I have observed the time and data function on PC-based software is often left unprotected on a Windows program that is not configured appropriately. Incidentally, FDA has observed that and documented it in warning letters several times.

A comprehensive glossary is included. Overall, this update captures most elements and holds no surprises.

Key Highlights/Takeaways Of Chapter 4 On Documentation

With issuance of Annex 22 and revision of Annex 11, Chapter 4 of GMP is in need of revision to reflect the use of electronic systems for documentation. As with Annex 11, new sections are added, as well as revisions made to other sections. However, many sections are unchanged.

Two new sections on data governance and risk management are included. With data integrity being a significant focus for the industry, data governance describes the interplay of these systems. The principles of ICH Q9² are captured in the risk management section. The section on general requirements for documentation has been expanded to include data integrity principles and AI.

Within good documentation principles, some new sections include data integrity as a major focus. A comprehensive separate section dedicated to data integrity is also included. The definition of signatures includes wet as well as electronic. The use of hybrid systems is included. These are all compatible with the well-established guidance on data integrity issued by EMA in 2016.⁴

All other sections are either the same or the revisions are minor and do not change the philosophy or breadth. Overall, there are no surprises.

Conclusion

The two revised documents (Chapter 4 and Annex 11) do not spring any surprises. The new Annex 22 on AI is a bold step forward, but by embracing only static AI rather than adaptive or learning AI, it’s a conservative step. The more venturesome approach will come later. Finally, because the EMA is requesting input, they included in the issuance a paper on privacy of data explaining how they will use the comments they receive.

References

1. Stakeholders’ Consultation on EudraLex Volume 4 - Good Manufacturing Practice Guidelines: Chapter 4, Annex 11 and New Annex 22 (2025) https://health.ec.europa.eu/consultations/stakeholders-consultation-eudralex-volume-4-good-manufacturing-practice-guidelines-chapter-4-annex_en
2.  ICH Q9 Quality Risk Management (2023) https://database.ich.org/sites/default/files/ICH_Q9%28R1%29_Guideline_Step4_2025_0115.pdf
3. ISPE GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition) (2022) https://ispe.org/search?query=gamp5%20computer
4. Data Integrity: Key to Public Health Protection (2016) https://www.ema.europa.eu/en/news/data-integrity-key-public-health-protection

About The Author:

Peter H. Calcott, D.Phil., is president and CEO of Calcott Consulting LLC, which delivers solutions to pharmaceutical and biotechnology companies in the areas of corporate strategy, supply chain, quality, clinical development, regulatory affairs, corporate compliance, and enterprise e-solutions. He has also served as an expert witness. He also teaches at the University of California, Berkeley in the biotechnology and pharmaceutics postgraduate programs. Previously, he was executive VP at PDL BioPharma, chief quality officer at Chiron and Immunex Corporations, and director of quality assurance for SmithKline Beecham and for Bayer. He has also held positions in R&D, regulatory affairs, process development, and manufacturing at other major pharmaceutical companies. He has successfully licensed products in the biologics, drugs, and device sectors on all six continents. Calcott holds a doctorate in microbial physiology and biochemistry from the University of Sussex in England. He has been a consultant for more than 20 years to government, industry, and academia.