GxP is a scope boundary, not a blanket requirement

The letters GxP — where x stands for any of the “good practice” domains (manufacturing, laboratory, clinical, distribution, pharmacovigilance) — describe the regulatory framework governing activities that affect pharmaceutical product quality, patient safety, and data integrity. When a software system operates within that scope, it falls under GxP regulation and must meet specific requirements for validation, documentation, data integrity, and change control. When it does not, those requirements do not apply.

This distinction sounds obvious. In practice, pharmaceutical organisations routinely misapply it in both directions — treating non-GxP business software as if it requires the same validation as a GxP-critical batch release system, or (less commonly but more dangerously) deploying AI in a GxP context without recognising the regulatory implications until an auditor raises them. Both errors are expensive, and both stem from the same root cause: insufficient clarity about where the GxP boundary actually sits for AI systems.

As reported in the ISPE Good Practice Guide on Data Integrity (2021), over 50% of FDA warning letters reference data integrity deficiencies (a directional industry-scale figure from the published guide, not an operational benchmark for any specific firm). PIC/S PI 041-1 (2021) establishes that data governance must cover the complete data lifecycle across all GxP-regulated activities.

Which “x” applies to AI in manufacturing?

The most relevant GxP domain for AI software in pharmaceutical manufacturing is GMP — Good Manufacturing Practice. GMP governs the production and quality control of pharmaceutical products, and any software system that participates in GMP-regulated activities falls under its requirements.

The key regulatory instruments:

21 CFR Parts 210 and 211 (United States) define current Good Manufacturing Practice for pharmaceuticals. Part 211 establishes requirements for production and process controls, laboratory controls, and records. AI systems that participate in any of these functions — process parameter control, in-process testing, quality control analytics, batch record management — are GMP-regulated software.

EU GMP Annex 11 (European Union) governs computerised systems used in GMP-regulated environments. It applies to any computerised system that creates, modifies, maintains, archives, retrieves, or transmits data that is required under GMP. An AI model that generates quality predictions, classifies inspection images, or flags process deviations falls within Annex 11 scope if the output of that model informs a GMP decision.

21 CFR Part 11 (United States) governs electronic records and electronic signatures. It applies when electronic records are used to meet a predicate rule requirement — meaning any GMP requirement that could be satisfied by a paper record but is instead satisfied electronically. An AI system that produces electronic records used for batch release, deviation documentation, or quality review is a Part 11 system regardless of whether it is also validated under GMP.

ICH Q10 (International) provides a harmonised pharmaceutical quality system framework. It does not impose specific software validation requirements, but it establishes the management responsibility and continuous improvement expectations that govern how AI systems should be integrated into the quality system.

In practice, most AI systems in pharmaceutical manufacturing interact with GMP processes — something we encounter in nearly every pharma engagement. The question is not usually “does GxP apply?” but rather “which GxP requirements apply, and with what intensity?”

The three dimensions of GxP scope for AI

Determining whether an AI system is GxP-regulated — and what that regulation requires — depends on three dimensions that should be assessed independently for each system.

Product quality impact. Does the AI system’s output directly or indirectly affect the quality of the pharmaceutical product? A computer vision model that determines whether tablets meet specification has direct product quality impact — it is unambiguously GxP. A predictive maintenance model that forecasts equipment failure has indirect impact — if the equipment failure would affect product quality, the model’s GxP status depends on whether it is the primary control or a supplementary signal. A meeting room scheduling algorithm has no product quality impact and is not GxP regardless of where it runs.

Patient safety impact. Does the AI system’s output affect patient safety? This dimension overlaps with product quality for many manufacturing applications but extends further for systems involved in clinical decision support, pharmacovigilance signal detection, or drug-device combination products. The threshold for patient safety impact is lower than for product quality — if there is any credible pathway from the AI system’s output to a patient safety consequence, the system warrants GxP classification assessment.

Data integrity impact. Does the AI system create, modify, or manage data that is subject to GxP data integrity requirements? Under the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available), data that supports GMP decisions must maintain integrity throughout its lifecycle. An AI system that processes, transforms, or stores GxP data — even if it does not make the GMP decision itself — falls within the data integrity scope of 21 CFR Part 11 and EU GMP Annex 11.

A system that scores zero across all three dimensions is not GxP-regulated. A system that scores on any dimension requires a proportionate regulatory response — which is where the distinction between CSA and full CSV becomes operationally important.

What GxP-regulated AI software must demonstrate

Once an AI system is classified as GxP-regulated, the regulatory requirements are not optional and do not depend on the organisation’s comfort level with AI. They are:

Intended use documentation. The system must have a documented intended use that specifies what it does, in what context, and what decisions it supports. For AI systems, this includes the model’s input data, the type of output it produces, and the manufacturing context in which that output is used. The intended use document is the foundation for everything that follows — validation scope, risk assessment, and ongoing monitoring are all derived from it.

Risk-based validation. The system must be validated proportionate to its risk, as determined by the GxP scope assessment. We have seen organisations where this step stalls because quality teams interpret “validation” as exclusively meaning the full CSV lifecycle — IQ, OQ, PQ with comprehensive scripted testing. The current regulatory landscape, particularly the FDA’s CSA guidance, explicitly allows risk-proportionate validation. The validation must demonstrate that the system performs its intended use reliably, but the evidence required to demonstrate that reliability scales with risk.

Data integrity controls. The system must maintain the integrity of any GxP data it creates, processes, or stores. For AI systems, this means: audit trail for model outputs, version control for model artifacts (weights, configuration, preprocessing logic), and access controls that prevent unauthorised modification of the model or its training data. These controls apply under both US and EU regulatory frameworks, though the specific implementation details differ.

Change control. Any change to the validated AI system — including model retraining, preprocessing pipeline modification, or infrastructure changes that could affect model behaviour — must go through a documented change control process. The intensity of that process depends on the risk classification: high-risk changes may require revalidation, while low-risk changes may require only a documented impact assessment.

Periodic review. EU GMP Annex 11 requires periodic review of computerised systems. For AI systems, this translates to ongoing performance monitoring against the acceptance criteria established during validation. The validation-ready AI approach for GxP operations includes monitoring infrastructure as part of the validated system, not as a separate operational concern. A GxP AI system without continuous performance monitoring cannot demonstrate that it continues to meet its intended use — and a system that cannot demonstrate ongoing compliance is, from a regulatory perspective, not compliant.

The systems that are not GxP — and why that matters

The practical value of a clear GxP boundary is not just knowing what requires validation — it is knowing what does not.

In a pharmaceutical manufacturing facility, a substantial proportion of the operational software — including many potential AI applications — sits outside GxP scope entirely. Production scheduling optimisation, energy management, workforce planning, supply chain forecasting, equipment procurement analytics, and general business intelligence systems do not affect product quality, patient safety, or GxP data integrity. They require sound IT governance (access control, change management, backup) but not GxP validation. According to ISPE’s benchmarking of pharmaceutical IT operations (GAMP Community of Practice, 2022), pharmaceutical manufacturers spend billions annually on software validation activities, with a significant proportion directed at systems that fall outside GxP scope.

As reported in the ISPE GAMP 5 Second Edition (2022), applying risk-based approaches such as CSA can reduce validation documentation effort by 30–50% compared to traditional CSV for non-GxP and low-risk systems (a directional industry-scale figure from the published guide, not an operational benchmark), primarily through reduction in scripted testing and protocol documentation. Based on FDA pre-submission programme feedback (CDRH Digital Health Center of Excellence, 2023), a substantial share of AI-related pre-submission inquiries involve systems that do not require GxP classification.

Treating these systems as GxP-regulated wastes validation resources on documentation that no regulator requires, delays deployment of tools that could improve manufacturing efficiency, and — perhaps most importantly — dilutes the quality team’s attention from the systems that genuinely need rigorous validation. When everything is treated as high-risk, the actual high-risk systems do not receive proportionate attention — they receive the same attention as the scheduling dashboard, which is either too much for the dashboard or too little for the batch release system.

The first step in any AI deployment programme within pharmaceutical manufacturing is a system-by-system GxP scope assessment that draws this boundary clearly. A GxP Regulatory Scope Analysis maps each planned AI system against the three dimensions — product quality, patient safety, data integrity — and classifies the appropriate regulatory response before the first line of validation documentation is written.