EU Commission Releases Draft Annex 11: Computerised Systems

12/02/2025

Photo by Taylor Vick on Unsplash

On July 7, 2025, the European Union (EU) Commission and Pharmaceutical Inspection Co-operation Scheme (PIC/S) published an updated draft of Annex 11: Computerised Systems, a supplementary guideline that is part of the Good Manufacturing Practice (GMP). Although it is GMP focused, the guiding principles of the annex can also be applied to other GxP standards. The previous update to Annex 11 came into effect in 2011 which came to pass due to the increasing use of computerised systems at the time. Since then, computerised systems have made their way into almost every corner of GxP and have changed and evolved exponentially. In the context of clinical trials, the majority of trials conducted today use some form of computerised or electronic system to recruit, screen, and randomize trial participants, record and store data derived from trials, and publishing the results online for the general public. Comments on the draft closed on October 11th, 2025, and the finalized version is expected to be released sometime mid-2026.    

The complete overhaul of Annex 11 saw it expand from a 5 to a 19-page document, elaborating on existing concepts such as systems lifecycle and risk management and introducing new ones like system alarms. The principles of the 2011 update were brief, simply stating “The application should be validated; IT infrastructure should be qualified” and that any manual process replaced by a computerised system should see no decrease in product quality. The new version significantly expands on this, breaking down its overarching principles into 8 subsections:

  • Lifecycle Management: While the term lifecycle was removed from the glossary in the latest version, the need for computerised systems to be validated throughout their lifecycle is reinforced through the annex.

  • Quality Risk Management: This is a concept used in many GxP areas but is especially important for computerised systems that conduct processes that affect participant safety and data integrity.

  • Alternative Practices: As computerised systems continue to evolve, if one develops a novel method to complete any of the activities noted in the annex, it must be shown that they have an equivalent or better risk control/management as the existing validated methods.

  • Data Integrity: The data derived a computerised system must be trustworthy and follow the principles of ALCOA+ (ALCOA+ was not included in the previous version).

  • System requirements: It should be clearly defined what functions a computerised system is expected to complete. How well it completes these functions should be used as the basis of system qualification and verification throughout its lifecycle.

  • Outsourced Activities: Like all other areas of GxP, any tasks or responsibilities that are outsourced need to be adequately monitored by the regulated user (a company regulated under GMP) to ensure they are being completed in adherence to the requirements outlined in annex 11.

  • Security: As computerized systems continue to evolve, so will the systems that are used to gain unauthorized access. Regulated users must remain vigilant about any new security risks/threats and ensure that preventative measures are in place to mitigate the risk of a breach.

  • No risk increase: This principle remains the same as it was in the previous version of the annex, should any manual process be replaced by a computerised system, there should be no loss of data integrity, participant safety, or product quality.

These 8 principles are the core values of Annex 11 and are reflected throughout the rest of the document which includes another 15 sections and an expanded glossary. The sections include:

3. Pharmaceutical Quality System  

4. Risk Management 

5. Personnel and Training 

6. System Requirements 

7. Supplier and Service Management  

8. Alarms 

9. Qualification and Validation 

10. Handling of Data 

11. Identity and Access Management 

12. Audit Trails  

13. Electronic Signatures  

14. Periodic Review  

15. Security  

16. Backup 

17. Archiving

This modernisation of Annex 11 also comes with other benefits to both regulated users and regulators. Regulated users now have a clear outline for what the regulators will be looking for during inspections and audits when it comes to computerised systems. Since the annex was published in tandem with PIC/S this also presents an opportunity for international harmonisation of standards making it easier for sponsors to conduct multinational studies with less regulatory burdens. From a regulator’s perspective, the update provides a more consistent framework for how inspections are conducted across different countries. Oversight of regulated users is also facilitated by the increased use of computerised systems, inspections become faster and more resource efficient as regulators pursue a more risk-based approach to inspections.

Like all changes however, there will likely be challenges and growing pains that come with the update to Annex 11. Regulated users and companies will be faced with the financial burden of developing and implementing these computerised systems or updating their existing systems in order to meet the requirements within the annex. Installing, maintaining, and troubleshooting these systems can take an entire IT team/department to adequately handle which may not be possible for smaller start-up companies or academic researchers with limited resources. On the regulatory side, agencies may notice an increase in variability on how regulated users interpret the annex. For example, electronic signatures (eSignatures) may seem simple enough on the surface, but as the annex explains, there are many factors that must be considered for an eSignature to be valid such as re-authentication, meaning (whether the signer is approving, reviewing, or the author), or hybrid solutions. The task of educating or communicating the specific requirements to these regulated users may fall on the regulatory agencies further burdening their resources. Additionally, regulatory agencies must now have inspectors who are knowledgeable in both traditional GxP concepts and principles as well as the new technical side of the computerised systems which may require additional staffing or education of existing staff.

It has not been formally announced how long regulated users will have to transition their systems into compliance with Annex 11 once it is finalized, however, it may be in their best interest to start as soon as possible with the information contained in the draft. The full document can be found here. If you or your company are in need of assistance in preparing your computerised systems for inspection, Clinical Pathways offers computer system validation services that will ensure your computerised systems are up to standard. We also offer a wide variety of other consulting and educational services for both FDA and EMA regulated trials. For a full list of services please visit our website and check out our online store and course catalog, or if you have any specific inquiries, feel free to contact us directly. While you are there, make sure to sign up for our free newsletter and weekly blog on clinical trial related news such as this.

-The Clinical Pathways Team

Enjoy this blog? Please like, comment, and share with your contacts.