EU Annex 22: AI Guidelines for Pharma Compliance

1.0. AI Enters Regulated Territory

As artificial intelligence transforms pharmaceutical manufacturing, regulators are beginning to respond — and their intentions are becoming increasingly evident. The EU Annex 22: Artificial Intelligence (Draft) represents the first formal regulatory guidance specifically aimed at overseeing AI systems within GMP-regulated environments.

This document, released as an extension to Annex 11, outlines stringent requirements for AI application design, validation, testing, and lifecycle management. These requirements are particularly crucial for applications used in critical pharmaceutical operations that impact patient safety, product quality, and data integrity.

2.0. Industry Expert Perspectives on Annex 22 AI Compliance

The Annex 22 draft has sparked extensive discussions across pharmaceutical, technology, and regulatory compliance circles. Leading industry voices share their insights:

Dr. Elina Mertens, Head of GxP Digital Compliance, PharmaTech Europe: “Annex 22 is a turning point. It finally draws a line between acceptable and risky AI practices in regulated environments.”

Prof. Sandeep Kulkarni, AI Governance Consultant: “Regulators are making a clear distinction: not all AI is suitable for GMP. The focus on deterministic applications and explainability is smart and necessary.”

Jonas Ribeiro, Director of QA Innovation, BiotechNord: “This guidance forces vendors and users to treat AI not as a ‘black box’ but as a transparent, testable, and traceable component of GMP operations.”

Priya Shah, Regulatory AI Auditor, APAC Life Sciences: “I expect Annex 22 to become the gold standard globally. Its insistence on test data independence and input drift monitoring reflects lessons learned from early AI failures.”

3.0. Where Annex 22 Applies — and Where It Doesn’t

Annex 22 is applicable to static, deterministic AI applications utilized in critical GMP applications. It excludes dynamic applications, generative AI, and large language applications (LLMs) from these roles; however, these technologies may be employed in non-critical applications under human oversight.

4.0. How xLM’s AI Apps Aligns with Annex 22 Compliance

At xLM, adhering to emerging AI-GMP regulations is essential. Our AI Apps is meticulously aligned with the European Medicines Agency’s Annex 22, ensuring that AI systems used in pharmaceutical manufacturing are validate, transparent, and auditable.

4.1. Scope Compliance (Section 1)

xLM solutions utilize static, deterministic AI applications for crucial GMP applications, guaranteeing that outputs are consistent and repeatable. These applications are strictly confined to their defined use cases, deliberately excluding dynamic, adaptive, or probabilistic AI, in full compliance with the limitations outlined in Annex 22.

4.2. Principles (Section 2)

All relevant personnel—including QA, data scientists, IT, and SMEs—receive training and qualifications to collaborate effectively on application selection, training, testing, and deployment (Item 2.1). Roles and access are clearly defined. Documentation of every stage in the application lifecycle is meticulously maintained and reviewed (Item 2.2). A risk-based prioritization approach ensures that AI is applied where it has the most significant impact on patient safety, product quality, and data integrity (Item 2.3).

4.3. Intended Use (Section 3)

Each application is accompanied by a documented and clearly defined intended use (Item 3.1), detailing input types, expected outputs, and potential edge cases. Subgroups are characterized based on operational variables (Item 3.2). In instances where human oversight is involved, operator responsibilities are explicitly defined, and performance is regularly monitored (Item 3.3).

4.4. Acceptance Criteria (Section 4)

Application performance is evaluated against pre-defined metrics. Acceptance thresholds are documented and approved prior to the commencement of testing (Item 4.2), with applications required to meet or exceed the performance standards of the processes they replace (Item 4.3).

4.5. Test Data (Section 5)

Test datasets are comprehensive, encompassing the entire input sample space (Item 5.1) and sized to ensure statistical reliability (Item 5.2). Label accuracy is guaranteed through expert review or validated systems (Item 5.3). All preprocessing steps and data exclusions are justified and documented (Items 5.4–5.5). The use of synthetic data is avoided unless fully justified (Item 5.6).

4.6. Test Data Independency (Section 6)

xLM enforces a complete separation between training, validation, and testing data (Item 6.1). Access to test data is restricted and logged (Item 6.2), with no duplication occurring outside controlled environments. Staff roles are segregated across lifecycle stages (Item 6.5) to ensure unbiased evaluation and reproducibility.

4.7. Test Execution (Section 7)

Formal test plans are prepared and approved prior to execution (Item 7.2), including detailed test scripts and metric definitions. Testing verifies application generalization and identifies issues of underfitting or overfitting (Item 7.1). Any deviations are logged and justified (Item 7.3), and all test records are retained with an audit trail capability (Item 7.4).

4.8. Explainability (Section 8)

Applications incorporate mechanisms to trace which features contributed to each decision (Item 8.1). These factors are reviewed by SMEs to ensure their appropriateness and relevance to risk (Item 8.2).

4.9. Confidence (Section 9)

Predictions are logged alongside their associated confidence scores (Item 9.1). Applications are configured to withhold predictions that fall below a defined confidence threshold, flagging uncertain outputs as undecided to prevent misleading recommendations (Item 9.2).

4.10. Operation (Section 10)

All applications are deployed under strict change (Item 10.1) and configuration control (Item 10.2). System performance is continuously monitored (Iten 10.3). Human-in-the-loop activities are consistently logged and reviewed (Item 10.5).

xLM’s platform is meticulously designed to adhere to Annex 22 throughout all stages of application development, validation, deployment, and monitoring. Our dedication to explainability, traceability, human oversight, and data integrity positions us as a reliable partner for regulated AI in pharmaceutical manufacturing.

5.0. Final Thoughts: Don’t Just Automate — Validate

Annex 22 is not about limiting innovation — it’s about responsible automation. If AI is to augment or replace GMP decisions, it must adhere to the same rigor, control, and traceability expected of any validated system.

“It is essential to emphasize that xLM does not rely on trained models. Instead, all our AI services are meticulously crafted to comply with Annex 22 draft requirements. This commitment ensures transparency, explainability, and thorough validation throughout the entire AI lifecycle”

XLM is where machine intelligence meets manufacturing integrity through intelligent compliance!