Dealing with new GMP requirements, validation strategy and digital transformation
| |
Summary
The European pharmaceutical industry is currently undergoing the most significant regulatory and technological change in over a decade. The updates to the EU GMP guidelines for 2025-2026 - in particular Annex 11 (Computerized Systems), Chapter 4 (Documentation) and the new Annex 22 (Artificial Intelligence) - signal a decisive shift towards data-centric, lifecycle-oriented and digitally integrated compliance frameworks.
|
For company management, this means both risks and opportunities:
-
Risks, as outdated ERP systems and siloed implementations could quickly become non-compliant
-
Opportunities, as a modern ERP transformation - if implemented correctly - can become a strategic enabler for compliance, efficiency and scalability
This publication deals with:
-
The latest regulatory developments in the EU that impact validation and ERP systems
-
Why a process-oriented ERP implementation is now essential (and no longer optional)
-
A validated roadmap for ERP implementation with milestones
-
How to manage continuous ERP updates in a validated environment
-
Strategic recommendations for C-level decision makers
1. The new regulatory reality: EU Pharma Validation in 2025-2026
1.1 A structural change in GMP requirements
The EU Commission's draft for the update of the GMP guidelines in 2025 represents a paradigm shift in validation and digital compliance:
- Annex 11 has been extended from 5 to ~19 pages, significantly increasing its scope and binding nature(ECA Academy)
- Introduction of Annex 22 (AI systems in GMP) - a unique regulatory framework of its kind(Pharmaceutical Online)
- Comprehensive revision of Chapter 4 (Documentation) with a focus on data governance and life cycle control(GMP Insiders)
Together, these updates represent the biggest modernization of digital GMP compliance in the EU in ~14 years(PQE Group Blog)
EXPANDED
Annex 11
Computerized Systems — extended from 5 to ~19 pages. Major scope and binding-nature increase.
NEW
Annex 22
AI systems in GMP — first regulatory framework of its kind worldwide.
REVISED
Chapter 4
Documentation — comprehensive revision, focus on data governance and lifecycle control.
Together the biggest modernization of digital GMP compliance in the EU in ~14 years.
1.2 From "validation as a project" to "validation as a lifecycle"
BEFORE
Validation as a project
○ One-off IQ/OQ/PQ qualification
○ Validation done at go-live, then "frozen"
○ Updates trigger full re-validation
○ Documentation lives in static files
2025–2026
Validation as a lifecycle
● Continuous, risk-based assurance
● Updates governed by change-control
● Automated regression testing
● Living validation base, audit-ready
Key regulatory expectations now include:
- Risk-based validation (QRM-driven)
- Continuous system monitoring
- Regular review of system performance
- Data integrity over the entire life cycle (ALCOA++)
- Transparency and traceability of audit trails
1.3 Data integrity becomes the central pillar of compliance
The updated framework elevates data governance and integrity to central compliance pillars:
- Full control of the data lifecycle (including metadata)(GMP Insiders)
- Mandatory tamper-proof audit trails
- Strengthened identity and access management
- Increased focus on cybersecurity and system security(ECA Academy)
Impact:
ERP systems are no longer "support systems" - they are GMP-critical assets
1.4 AI, cloud and SaaS: regulation is catching up with reality
The new regulatory landscape explicitly addresses:
- Cloud infrastructure and SaaS ERP systems
- AI/ML-based decision support systems
- Third party providers and supplier qualification
Annex 22 introduces requirements such as:
- Validation and explainability of AI models
- Human oversight
- Controlled change management for AI systems(adesso)
Important insight for managers
Regulation is no longer lagging behind technology - it is now actively shaping the digital transformation strategy.
30-minute process sparring with Dr. Dreher
No sales pitch. A focused review of your current situation — directly with Dr. Harald Dreher.
Book directly →
2. Why traditional ERP implementations fail in the Pharma industry
2.1 The 'Silo problem': departmental thinking vs. regulatory reality
Most ERP failures in the pharmaceutical industry are due to
- Department-oriented implementations (quality assurance, production, finance, etc.)
- Fragmented processes and inconsistent data flows
However, GMP requirements now demand:
- End-to-end traceability across all processes
- Integrated data lifecycle management
Regulatory implication:
A silo-based ERP system is structurally at odds with EU GMP requirements.
2.2 The complexity of validation multiplies in fragmented systems
Challenges in silo-based ERP environments:
Result:
- Higher compliance costs
- Reduced operational efficiency
- Increased number of complaints during inspections
2.3 Process-driven vs. system-driven transformation
Approach Result:
-
System-driven (technology first) Fragmentation, rework
-
Department-driven Silos, compliance gaps
-
Process-driven (recommended) Integrated, compliant, scalable
Strategic conclusion
A process-driven ERP implementation is no longer just best practice - it is a regulatory necessity.
|
3 ERP in a validated environment: What "good" means
3.1 Core principles of a compliant ERP system
A validated ERP system must demonstrate the following:
1
End-to-end process integrity
Order → Production → Quality → Release → Sales as one validated chain.
2
Complete data traceability
Who did what, when and why — captured automatically, audit-ready by default.
3
Controlled system lifecycle
Change control embedded in system governance, not bolted on.
4
Risk-based validation
Focus validation effort on critical processes and data, not on everything equally.
5
Integration into the PQS
ERP as part of the Pharmaceutical Quality System — not a parallel data island.
The five principles a validated ERP system must demonstrate.
3.2 ERP as a central GMP system
Under the new regulatory framework:
ERP systems are:
4. a process-oriented ERP implementation model
4.1 Step 1: Definition of the Target Operating Model (TOM)
Focus areas:
- End-to-end process mapping
- Definition of data responsibility
- Regulatory touchpoints
Results:
- Process mapping
- Data model
- Matrix of compliance requirements
4.2 Step 2: Design of the validation strategy
Key elements:
- Risk-based validation approach (in accordance with Annex 11 & 15)
- Supplier qualification strategy
- Validation Master Plan (VMP)
4.3 Step 3: System selection (Fit-to-Process, not Fit-to-Department)
Selection criteria:
- Process alignment
- Compliance capabilities (audit trails, access control)
- Cloud compliance readiness
- Integration capability
4.4 Step 4: Configuration instead of customization
Regulatory best practice:
- Avoid excessive customization
- Use standard system functionalities where possible
Why:
- Reduces the validation effort
- Simplifies future updates
4.5 Step 5: Integrated validation execution
Validation must:
- Be embedded in the implementation
- Not be a separate "phase"
Include:
- URS (User Requirements Specification)
- FS/DS (Functional/Design Specs)
- IQ/OQ/PQ
- Traceability matrix
30-minute process sparring with Dr. Dreher
No sales pitch. A focused review of your current situation — directly with Dr. Harald Dreher.
Book directly →
5. milestones of the ERP implementation (validated environment)
Below you will find a recommended milestone framework that is aligned with EU GMP requirements:
PHASE 1
Strategy & Mobilization
Business case approval, target operating model defined, validation strategy agreed
PHASE 2
Design
URS approved, process design completed, supplier qualification completed
PHASE 3
Setup & Configuration
System configuration completed, integration design finalized, test scripts prepared
PHASE 4
Validation
IQ performed, OQ performed, PQ performed, validation report approved
PHASE 5
Commissioning
Training completed, data migration validated, go-live approval
PHASE 6
Operation & Monitoring
Regular review set up, KPI monitoring, continuous assurance of compliance
Validated ERP rollout aligned with EU GMP Annex 11 requirements.
6. management of ERP updates in a validated environment
6.1 The central challenge
Modern ERP systems (especially SaaS):
- Require frequent updates
- Lead to continuous changes
Regulatory expectation:
- Every change must be controlled and evaluated
6.2 Change management in accordance with Annex 11
Requirements include:
- Formal change control process
- Impact analysis
- Risk-based revalidation
6.3 Practical approach for ERP updates
CHANGE TYPE
EXAMPLE
RE-VALIDATION REQUIRED?
Minor
Cosmetic UI updates, non-GxP report tweaks, security patches without functional change
No — documented impact assessment only
Moderate
Workflow refinements, new non-critical interfaces, configuration adjustments
Targeted regression testing
Major
Changes to GxP-critical modules, new master-data structures, batch-release logic, AI components under Annex 22
Full re-validation with formal change control
Risk-based change-control as required under EU GMP Annex 11.
6.4 Regular testing becomes mandatory
New expectation:
Regular system checks, including:
- Data integrity
- Security status
- System effectiveness(GMP Insiders)
7 Critical success factors
Senior management support
ERP is not an IT project — it is a business transformation. Without C-level ownership, validation discipline collapses under operational pressure.
Coordination across QA & IT
Quality assurance and IT must share responsibility for the system. Siloed ownership is the most common reason validation fails at audit.
Supplier & partner strategy
Supplier qualification is critical. SaaS providers must demonstrably comply with GMP requirements — including their own update and security practices.
Data governance first
Define responsibilities, lifecycle and controls early. Late data governance work is the single biggest source of revalidation cost in pharma ERP rollouts.
8. Risks and risk mitigation
-
Risk Impact Risk mitigation
-
Silo-based implementation Compliance gaps Process-oriented design
-
Excessive customization High validation costs Standard configuration
-
Poor data governance Audit findings Data lifecycle framework
-
Weak change control Regulatory risk Structured change management
-
Non-compliance by the vendor Inspection risk Vendor qualification
9 Strategic recommendations for C-level executives
1
Treat ERP as a compliance platform
Not just a business tool — the ERP is now central to your audit posture.
2
Invest in process design first
Technology follows the process, not the other way around.
3
Align the digital strategy with regulatory trends
In particular:
AI governance Data integrity Cloud compliance
4
Move to continuous validation
Introduce lifecycle-based compliance models — replace project-style validation.
Four strategic moves for C-level executives navigating the 2025–2026 regulatory shift.
10 Why this is important now
The confluence of:
- New EU GMP regulations
- Digital transformation
- AI introduction
... creates a narrow window of opportunity for strategic advantage.
Companies that act now will:
- Reduce compliance risks
- Improve operational efficiency
- Enable scalable growth
Conclusion
The EU pharmaceutical industry is entering a new era where:
- Validation is continuous
- Data takes center stage
- ERP systems are strategic assets
Successful ERP implementation in this environment requires:
- Process-oriented thinking
- Adaptation to regulatory requirements
- Strong governance
How Dreher Consulting supports you
At Dreher Consulting we support pharmaceutical companies with:
- Process-driven ERP transformation
- Validation strategy and execution (Appendix 11, Appendix 15)
- Digital compliance and data governance
- ERP selection and implementation in GxP environments
If you:
are planning an ERP transformation
are facing upcoming GMP inspections
are dealing with Annex 11 or AI-related compliance
we recommend a targeted assessment of your current system landscape and validation approach. Or contact us directly via our contact channels to discuss your specific challenges
Contact Dreher
Key findings / recommendations
- Updates to EU GMP (Annex 11, Chapter 4, Annex 22) fundamentally change the validation requirements
- ERP systems must be treated as GMP-critical, lifecycle-managed platforms
- Process-driven implementation is essential to meet regulatory requirements
- Continuous validation and structured update management are now mandatory
- Early coordination between IT, quality assurance and management is the strongest success factor
