Praxara Ltd · Effective 2 May 2026

EU GxP Annex 22 readiness checklist

Self-assessment for AI in regulated GxP environments under the EU GMP Annex 22 draft

This checklist tracks the controls expected by the draft EU GMP Annex 22 ("Use of Artificial Intelligence in Manufacturing of Medicinal Products and Investigational Medicinal Products"). Use it alongside your existing computerised system validation (Annex 11) controls; Annex 22 layers AI-specific obligations on top.

Status of Annex 22: draft as of Q2 2026. Final text expected during 2026. Treat any check below as the floor; final wording may add detail.

1. Scope + governance

Item 1: AI use is risk-classified per intended GxP use (criticality, patient impact, decision autonomy)
Yes / Partial / No / N/A
Item 2: Roles + responsibilities documented for AI lifecycle (data steward, model owner, QA, IT)
Yes / Partial / No / N/A
Item 3: Decision-making authority documented for go/no-go gates and material model changes
Yes / Partial / No / N/A

2. Data governance

Item 4: Training, evaluation, and operational data sources are catalogued, owned, and signed off
Yes / Partial / No / N/A
Item 5: Data quality criteria defined; anomaly detection in place upstream of any model use
Yes / Partial / No / N/A
Item 6: Bias assessment performed; relevant subgroups identified per intended use
Yes / Partial / No / N/A
Item 7: Personal-data handling aligned to GDPR (lawful basis, minimisation, retention, DPIA)
Yes / Partial / No / N/A

3. Model lifecycle + validation

Item 8: URS / FRS / IQ / OQ / PQ exist for each AI workflow (or equivalent V-model evidence)
Yes / Partial / No / N/A
Item 9: Acceptance criteria are objective, measurable, and signed off prior to go-live
Yes / Partial / No / N/A
Item 10: Pre-production testing covers happy-path + edge-cases + adversarial / drift inputs
Yes / Partial / No / N/A
Item 11: Periodic revalidation cadence defined; trigger-based + calendar-based
Yes / Partial / No / N/A

4. Human oversight (4-eyes principle)

Item 12: A qualified human approves every AI output before it changes a regulated record
Yes / Partial / No / N/A
Item 13: Reviewer can override AI output; rationale captured under controlled vocabulary
Yes / Partial / No / N/A
Item 14: No production decision is made solely by the AI for any GxP-critical workflow
Yes / Partial / No / N/A

5. Audit trail + ALCOA+

Item 15: Every AI invocation logged: model id, version, prompt version, input hash, output hash, user, timestamp
Yes / Partial / No / N/A
Item 16: Audit trail tamper-evident (hash chain, write-once storage, or equivalent)
Yes / Partial / No / N/A
Item 17: ALCOA+ principles satisfied across all AI-touched records (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available)
Yes / Partial / No / N/A
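
What items 15 and 16 look like together, as an added example (not Praxara's code and not text from Annex 22): each invocation record carries the item 15 fields and is bound to its predecessor by SHA-256, and the verifier reports the first broken link. The field names, the all-zero genesis value, the canonical JSON encoding and the externally stored head hash (standing in for write-once storage) are assumptions of this sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_hash + body).encode("utf-8"))

def append_entry(chain, *, model_id, model_version, prompt_version,
                 input_bytes, output_bytes, user, timestamp):
    """Append one AI invocation record carrying the item 15 fields."""
    record = {
        "model_id": model_id, "model_version": model_version,
        "prompt_version": prompt_version,
        "input_hash": sha256_hex(input_bytes),
        "output_hash": sha256_hex(output_bytes),
        "user": user, "timestamp": timestamp,
    }
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    chain.append({"record": record, "prev_hash": prev,
                  "entry_hash": entry_hash(prev, record)})
    return chain[-1]["entry_hash"]

def verify_chain(chain, anchored_head=None):
    """Return None if intact, else the index of the first bad entry.
    A result of len(chain) means the entries are self-consistent but the head
    differs from the externally anchored value (for example a truncated tail)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_hash(prev, e["record"]):
            return i
        prev = e["entry_hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain)
    return None

def build_sample_chain():
    """Three constructed invocations; every value here is illustrative."""
    chain = []
    for n in range(3):
        head = append_entry(chain, model_id="example-model", model_version="1.0",
            prompt_version="p-7", input_bytes=b"batch record %d" % n,
            output_bytes=b"deviation summary %d" % n, user="qa.reviewer",
            timestamp="2026-05-02T09:0%d:00Z" % n)
    return chain, head
```

An edited or deleted entry is caught by the chain alone; removing entries from the end is only caught when the head hash is also kept somewhere the log writer cannot modify.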

6. Change management

Item 18: Model upgrades (vendor or internal) follow change-control with QA review
Yes / Partial / No / N/A
Item 19: Prompt edits in production frozen; changes go through versioned review
Yes / Partial / No / N/A
Item 20: Vendor model deprecations have documented fallback / migration plans
Yes / Partial / No / N/A

7. Ongoing monitoring

Item 21: Drift detection in production with alert thresholds
Yes / Partial / No / N/A
Item 22: Post-market quality metrics collected + trended (false-positive / false-negative rates)
Yes / Partial / No / N/A
Item 23: Vendor security + availability incidents triaged for in-scope GxP workflows
Yes / Partial / No / N/A

8. Inspection readiness

Item 24: Compliance Pack (or equivalent evidence bundle) producible on demand within 1 business day
Yes / Partial / No / N/A

Where Praxara helps

Items 4-6, 12-17, 19, 21, 24 are produced or enforced by the platform: catalogued model registry, frozen prompt versioning, e-signature on every approval, reject-with-reason, SHA-256 audit chain, ALCOA+ row design, drift worker, on-demand Compliance Pack export. Items 1-3, 7-11, 18, 20, 22-23 are organisational controls Praxara documents and evidences but does not run for you.

Praxara Ltd, registered in England & Wales · praxara.io/trust/annex-22-checklist