EU GMP Annex 11: what it requires for computerised systems in pharma

EU GMP Annex 11 governs how computerised systems are validated, operated, and controlled in regulated pharmaceutical environments. The requirements cover the full lifecycle: from initial validation through ongoing operation, change control, and eventual retirement.

The core obligations are well established. Your system must be validated. Audit trails must capture who did what and when. Access must be controlled by role. Data integrity must follow ALCOA+ principles - Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available. These are not new ideas. What changes with each revision is the depth of expectation around each area.

For temperature monitoring specifically, Annex 11 requirements mean your monitoring platform carries the same documentation burden as any other GxP system. The software is in scope. The audit trail is in scope. The validation records are in scope.

The July 2025 draft is the most significant Annex 11 update in years. The document grew from 5 to 19 pages - which tells you something about how expectations have shifted. The comment period closed on October 7, 2025, and the final version is expected mid-2026.

The changes that matter most for quality teams fall into four areas. Each one tightens an expectation that was previously handled by interpretation.

• Audit trail scope: Audit trails must now capture data creation events, not only changes and deletions. If a temperature reading is logged, that log event itself must be traceable.
• Periodic validation review: Validation status must be reviewed on a documented schedule. A one-time IQ/OQ/PQ is no longer sufficient without evidence of ongoing review.
• Cybersecurity and access management: Dedicated sections now address access controls, user authentication, and system security - previously covered only by implication.
• Penetration testing: Critical systems may require regular penetration testing. This is a materially new expectation for most pharma IT and quality teams.

Audit trail review frequency under the draft: monthly for high-risk systems, quarterly for routine systems, and always before batch release when temperature data supports the release decision.

The gap between what Annex 11 requires and what manual processes deliver is where audit findings come from. The table below shows what the daily workflow looks like with a fragmented, manual setup - and what it looks like when it is automated.

The manual approach does not fail because people are careless. It fails because the structure makes consistency nearly impossible at scale. Each manual step is a gap waiting to surface under inspection.

Eupry's system offers a highly user-friendly day-to-day interface. Eupry delivers a turnkey service enabling us to be more efficient in our work with compliance so we can deliver quality products to our customers.

Eric Clausen, Distribution Manager at Freja

Getting your monitoring setup aligned with Annex 11 requirements does not require a full-scale project. It requires working through the right steps in the right order. Here is a practical sequence for quality teams assessing or updating their monitoring setup.

1. Assess your current system against the draft scope. Map your monitoring software against the updated audit trail, access control, and validation review requirements. Identify where your documentation has gaps relative to the 2025 draft language.
2. Confirm audit trail coverage for data creation events. Check whether your system logs the creation of temperature records, not only modifications or deletions. This is the most common gap under the updated standard.
3. Document a periodic validation review schedule. Set a defined frequency - monthly for high-risk applications, quarterly for routine - and assign ownership. The review itself matters less than the documented evidence it occurred.
4. Link calibration certificates to sensor records. Your audit trail is only as credible as the calibration evidence behind it. Certificates must be traceable to the individual sensor and the data it produced.

These steps apply regardless of which monitoring system you use. The logic is consistent with the ISPE Good Practice Guide and with how EU GDP guidelines approach risk-based qualification.

Eupry is built as a closed system - which matters for Annex 11 because closed system architecture simplifies accountability and limits the surface area for access control failures. Every user action is logged. Every record is immutable. Every calibration certificate is linked to the sensor that produced the data.

The platform provides ALCOA+-compliant records, automated audit trail exports, role-based access controls, and real-time excursion alerts with documented response workflows. For organizations subject to FDA oversight as well, a dedicated FDA 21 CFR Part 11 compliance module is available - covering digital signatures, complete traceability, and immutable audit logs for cross-jurisdictional requirements.

The 2025 Annex 11 update raises expectations around periodic validation review and cybersecurity. Eupry's validation documentation supports structured periodic review, and the platform is built to GAMP5 standards. You get a system designed for the regulatory environment you are operating in - not one you have to retrofit after the fact.

Because compliance shouldn't be hard.