EU GMP Annex 11: What It Requires for Computerised Systems in Pharma

EU GMP Annex 11 governs computerised systems in pharma manufacturing. Its data integrity, validation, and access control requirements are specific.

Written by TechnoLynx Published on 07 May 2026

Annex 11 is about data integrity, not software testing

EU GMP Annex 11 — part of EudraLex Volume 4, the EU guidelines for good manufacturing practice — governs the use of computerised systems in pharmaceutical manufacturing. It applies to any system that creates, modifies, maintains, archives, retrieves, or transmits data required under GMP. Its core concern is not whether software functions correctly (that is a validation question). Its core concern is whether the data produced and managed by computerised systems is attributable, legible, contemporaneous, original, and accurate — the ALCOA principles.

The annex was last revised in 2011 but remains the primary EU regulatory reference for computerised systems in GMP environments. It operates alongside the PIC/S guidance on data integrity (PI 041) and the MHRA’s data integrity expectations, all of which reinforce the same principles with varying levels of prescriptive detail.

Key requirements by section

Annex 11 Section	Requirement	Practical implication
1. Risk management	Risk assessment throughout the system lifecycle	Document risk to data integrity and product quality at each system phase
3. Suppliers and service providers	Formal agreements with IT suppliers	Supplier audits, quality agreements, access to audit trails
4. Validation	Documented evidence of fitness for intended use	Validation proportionate to system risk; lifecycle approach required
5. Data	Built-in checks for correct and secure data entry	Input validation, range checks, data verification controls
7. Data storage	Protection against damage, accessibility, readability	Backup, disaster recovery, data migration validation, format longevity
9. Audit trails	Recording of all GMP-relevant changes	Who changed what, when, and why — immutable, reviewable
10. Change and configuration management	Controlled process for system changes	Impact assessment, change approval, re-validation scope determination
11. Periodic evaluation	Regular assessment of validated state	Periodic reviews confirming system remains fit for purpose
12. Security	Physical and logical access controls	Role-based access, unique user IDs, session management, access logs

The audit trail requirement is non-negotiable

Section 9 of Annex 11 states that consideration should be given to building audit trails for all GMP-relevant changes and deletions into the system. In practice, EU inspectors treat audit trail capability as mandatory for any system processing GxP data. The audit trail must record the original value, the new value, who made the change, when the change was made, and why.

Critically, the audit trail must be immutable. A system that allows administrators to modify or delete audit trail entries fails this requirement regardless of how thoroughly the rest of the system was validated. This has direct implications for AI systems: if a machine learning model is retrained and the previous model version’s decisions are overwritten without preserving the original predictions, the system violates Annex 11’s data integrity requirements.

The full scope of Annex 11’s requirements for computerised systems extends beyond audit trails to include electronic signatures, business continuity planning, and cloud computing provisions — each carrying specific technical obligations.

What does Annex 11 mean for AI deployments?

Annex 11 does not explicitly mention artificial intelligence or machine learning — the 2011 text predates the current generation of pharmaceutical AI applications. However, its principles apply directly:

An AI model making GMP-relevant decisions (batch disposition, deviation classification, environmental monitoring alerts) is a computerised system under Annex 11 scope.
Its training data, model versions, and prediction outputs constitute GMP data requiring audit trail coverage.
Any model update (retraining, fine-tuning, hyperparameter changes) constitutes a system change requiring change control and impact assessment.
Periodic evaluation (Section 11) must include model performance review — not just software version checks.

The gap between Annex 11’s deterministic assumptions and AI’s non-deterministic behaviour is where most pharmaceutical companies encounter implementation friction. Addressing this gap requires the risk-based validation approaches described in the GAMP 5 Second Edition rather than attempting to force AI systems into the traditional IQ/OQ/PQ framework.

How does Annex 11 differ from 21 CFR Part 11 in practice?

While both Annex 11 and 21 CFR Part 11 address computerised systems in pharmaceutical manufacturing, they differ in scope, specificity, and enforcement approach. Understanding these differences is essential for companies operating in both EU and US markets.

Annex 11 takes a broader scope than Part 11. Annex 11 covers the entire lifecycle of computerised systems (from selection through retirement), while Part 11 focuses specifically on electronic records and electronic signatures. A system may comply with Part 11’s electronic records requirements but lack the lifecycle documentation (validation plan, periodic review, retirement plan) that Annex 11 requires.

Annex 11 is more prescriptive about specific controls. It explicitly requires: risk assessment as the basis for validation scope, involvement of the quality unit in system lifecycle activities, supplier assessment and management, data migration validation, and business continuity planning. Part 11 implies many of these through general requirements but does not specify them explicitly.

Enforcement differs between the two jurisdictions. FDA inspections in the US have historically focused on data integrity and audit trail compliance within Part 11’s scope. European inspections (by national agencies implementing EU GMP) tend to review the broader lifecycle documentation that Annex 11 specifies, including supplier audit evidence, periodic review records, and change control documentation.

For companies operating in both markets, we recommend using Annex 11 as the primary compliance framework (since it is more comprehensive) and mapping Part 11’s specific requirements onto the Annex 11 framework to confirm coverage. In our experience, this approach ensures compliance with both frameworks without maintaining two separate compliance programmes.

What Is GxP in Pharma? A Practical Guide for Engineering and Quality Teams

10/05/2026

GxP covers the regulatory practices — GMP, GLP, GCP, GDP — that govern pharmaceutical product quality, safety, and data integrity.

What Is cGMP? Current Good Manufacturing Practice Explained for Pharma Teams

10/05/2026

cGMP is the FDA's regulatory framework for pharmaceutical manufacturing quality. The 'current' means standards evolve with available technology.

What Does GxP Stand For? Breaking Down Pharma's Regulatory Shorthand

10/05/2026

GxP stands for Good x Practice — a collective term for GMP, GLP, GCP, GDP, and GVP regulatory frameworks governing pharmaceutical quality.

Validation vs Verification in Pharma: Why the Distinction Matters for AI Systems

10/05/2026

Verification confirms a system meets specifications. Validation confirms it meets user needs. For AI in pharma, both are required but address different.

Pharmaceutical Supply Chain: Where AI and Computer Vision Solve Visibility Gaps

10/05/2026

Pharma supply chains span API sourcing to patient delivery. AI addresses the serialisation, cold chain, and counterfeit detection gaps manual tracking.

Pharmaceutical Companies in Pennsylvania: A Manufacturing and Compliance Landscape

10/05/2026

Pennsylvania hosts major pharma manufacturers and CDMOs with strict cGMP requirements. The state's regulatory infrastructure shapes AI adoption patterns.

Pharmaceutical Regulatory Compliance: How AI Helps Navigate the Regulatory Landscape

9/05/2026

Pharma regulatory compliance spans GxP, market authorisation, and post-market surveillance. AI reduces the documentation burden without reducing rigour.

Pharma Automation Companies: What to Look For When Selecting a Technology Partner

9/05/2026

Pharma automation partners must understand GxP validation, process control, and regulatory requirements — not just industrial automation technology.

Medicine Manufacturing: From API to Patient-Ready Product

9/05/2026

Medicine manufacturing converts APIs into dosage forms through formulation, processing, and quality control — all under cGMP regulatory oversight.

GxP Validation Explained: What Pharma Teams Need to Know About Software Validation

9/05/2026

GxP validation is documented evidence that a system performs as intended. For AI software, it requires risk-based, continuous approaches.

GxP Systems: What Qualifies and What the Classification Means for Software

9/05/2026

A GxP system is any computerised system that affects pharma product quality, safety, or data integrity. Classification determines validation obligations.

GxP Compliance in Pharma: What It Means and What It Requires

9/05/2026

GxP compliance requires validated systems, audit trails, data integrity, and change control — scoped to quality-affecting processes, not every system.

GAMP Software: What It Means and How to Apply the Framework to Modern Systems

9/05/2026

GAMP software refers to any computerised system validated under the GAMP 5 framework. The Second Edition extends coverage to AI, cloud, and agile.

GAMP Software Categories: How to Classify Pharmaceutical Systems for Validation

8/05/2026

GAMP classifies software as Category 1, 3, 4, or 5 based on complexity and configurability. AI/ML systems challenge traditional category boundaries.

GAMP Guide for Validation of Automated Systems: What It Covers and How to Apply It

8/05/2026

The GAMP guide provides a risk-based framework for validating automated systems in pharma. The Second Edition extends guidance to AI, agile, and cloud.

GAMP Software Categories Explained: What Each Category Means for Pharma Validation

8/05/2026

GAMP categories 1, 3, 4, and 5 determine validation effort for pharmaceutical software. Classification depends on configurability, not just complexity.

GAMP 5 Guidelines: How to Apply Risk-Based Validation to Pharma Software

8/05/2026

GAMP 5 provides a risk-based framework for validating pharmaceutical software. The Second Edition extends this to AI and machine learning systems.

Drug Manufacturing: How Pharmaceutical Production Works and Where AI Adds Value

7/05/2026

Drug manufacturing transforms APIs into finished products through formulation, processing, and packaging. AI improves process control, inspection, and.

Continuous Manufacturing in Pharma: How It Works and Why AI Is Essential

7/05/2026

Continuous pharma manufacturing replaces batch processing with real-time flow. AI-based process control is essential for maintaining quality in continuous.

Computer System Validation in Pharma: What Engineering Teams Need to Implement

7/05/2026

Computer system validation in pharma requires documented evidence of fitness for use. CSA now offers a risk-based alternative to full CSV for lower-risk.

cGMP vs GMP: What the Difference Means for Pharmaceutical Manufacturing

6/05/2026

cGMP is the FDA's evolving standard for manufacturing quality. GMP is the broader WHO/EU framework. The 'current' modifier changes what compliance means.

cGMP in Pharmaceutical Manufacturing: What the Regulations Actually Require

6/05/2026

cGMP pharmaceutical regulations define minimum quality standards for drug manufacturing. Compliance requires documentation, process control, and personnel.

Automated Visual Inspection in Pharma: How CV Systems Replace Manual Quality Checks

6/05/2026

Automated visual inspection in pharma uses computer vision to detect defects in vials, syringes, and tablets — faster and more consistently than human.

Aseptic Manufacturing in Pharma: Process Control, Risks, and Where AI Fits

6/05/2026

Aseptic manufacturing prevents microbial contamination during sterile drug production. AI monitoring addresses the environmental control gaps humans miss.

Computer Vision in Pharmacy Retail: Inventory Tracking, Planogram Compliance, and Shrinkage Reduction

5/05/2026

CV in pharmacy retail addresses unique challenges: regulated product tracking, controlled substance security, and planogram compliance across thousands of SKUs.

AI-Driven Pharma Compliance: From Manual Documentation to Continuous Validation

5/05/2026

AI shifts pharma compliance from periodic manual audits to continuous automated validation — catching deviations in hours instead of months.

AI Enables Real-Time Monitoring of Aseptic Filling Lines — Here's What's Changing

5/05/2026

New AI-driven monitoring systems detect contamination risk in aseptic filling by analysing environmental and process data continuously rather than via batch sampling.

AI in Pharmaceutical Supply Chains: Where Computer Vision and Predictive Analytics Deliver ROI

5/05/2026

Pharma supply chain AI delivers measurable ROI in three areas: serialisation verification, cold-chain anomaly prediction, and visual inspection automation.

GxP Regulations Explained: What They Mean for AI and Software in Pharma

5/05/2026

GxP is a family of regulations — GMP, GLP, GCP, GDP — each applying different validation requirements to AI systems depending on lifecycle role.

Pharma POC Methodology That Survives Downstream GxP Validation

2/05/2026

A pharma AI POC that survives GxP validation: five instrumentation choices made at week one, removing the 6–9 month re-derivation at validation handover.

EU GMP Annex 11 Requirements for Computerised Systems in Pharmaceutical Manufacturing

25/04/2026

Annex 11 governs computerised systems in EU pharma manufacturing. Its data integrity requirements and AI implications are more specific than teams assume.

How to Classify and Validate AI/ML Software Under GAMP 5 in GxP Environments

24/04/2026

GAMP 5 categories were designed for deterministic software. AI/ML systems require the Second Edition's risk-based approach and continuous validation.

How Computer Vision Replaces Manual Visual Inspection in Pharmaceutical Quality Control

23/04/2026

CV-based pharma QC inspection is a production engineering problem, not a model accuracy problem. It requires data, validation, and pipeline design.

Proven AI Use Cases in Pharmaceutical Manufacturing Today

22/04/2026

Pharma manufacturing AI is deployable now — process control, visual inspection, deviation triage. The approach is assessment-first, not technology-first.

What GxP Compliance Actually Requires for AI Software in Pharmaceutical Manufacturing

21/04/2026

GxP applies to AI software that affects product quality, safety, or data integrity — not to every system in a pharma facility. The boundary matters.

The Real Cost of Pharmaceutical Batch Failure and How AI Prevents It

21/04/2026

Pharmaceutical batch failures cost waste, rework, and regulatory exposure. AI-based process control prevents the failure classes behind most rejections.

Why Pharma Companies Delay AI Adoption — and What It Costs Them

20/04/2026

Pharma AI adoption stalls from regulatory misperception, scope inflation, and transformation assumptions. Each delay has a measurable manufacturing cost.

When to Use CSA vs Full CSV for AI Systems in Pharma

20/04/2026

CSA and full CSV are different validation approaches for AI in pharma. The right choice depends on system risk, not regulatory habit.

GPU Computing for Faster Drug Discovery

7/01/2026

GPU computing in drug discovery: how parallel workloads accelerate molecular simulation, docking calculations, and deep learning models for compound property prediction.

The Role of GPU in Healthcare Applications

6/01/2026

Where GPUs are essential in healthcare AI: medical image processing, genomic workloads, and real-time inference that CPU-only architectures cannot sustain at production scale.

AI Transforming the Future of Biotech Research

16/12/2025

AI in biotech research: how machine learning accelerates compound screening, genomic analysis, and experimental design decisions in biological research pipelines.

AI and Data Analytics in Pharma Innovation

15/12/2025

Machine learning in pharma: applying biomarker analysis, adverse event prediction, and data pipelines to regulated pharmaceutical research and development workflows.

AI in Rare Disease Diagnosis and Treatment

12/12/2025

AI for rare disease diagnosis: how small dataset constraints shape model selection, transfer learning strategies, and the clinical validation requirements.

Visual analytic intelligence of neural networks

7/11/2025

Neural network visualisation: how activation maps, layer inspection, and feature attribution reveal what a model has learned and where it will fail.

MLOps for Hospitals - Staff Tracking (Part 2)

9/12/2024

Hospital staff tracking system, Part 2: training the computer vision model, containerising for deployment, setting inference latency targets, and configuring production monitoring.

MLOps for Hospitals - Building a Robust Staff Tracking System (Part 1)

2/12/2024

Building a hospital staff tracking system with computer vision, Part 1: sensor setup, data collection pipeline, and the MLOps environment for training and iteration.

AI in Pharmaceutics: Automating Meds

28/06/2024

Artificial intelligence is without a doubt a big deal when included in our arsenal in many branches and fields of life sciences, such as neurology, psychology, and diagnostics and screening. In this article, we will see how AI can also be beneficial in the field of pharmaceutics for both pharmacists and consumers. If you want to find out more, keep reading!

The Synergy of AI: Screening & Diagnostics on Steroids!

3/05/2024

Computer vision in medical imaging: how AI systems accelerate screening and diagnostic workflows while managing the false-positive rates that determine clinical acceptance.

Back See Blogs