Annex 11 §12, the 2025 draft, and what your system now has to do the moment a user clicks Save.
Last updated: April 2026
Annex 11 §12 used to be a single paragraph. The 2025 draft turns it into ten prescriptive clauses, and one of them changes how every computerised system in a cannabis LP behaves the moment a user clicks Save. The gmp audit trail is no longer a passive log. It is an interrogation: the system prompts for the reason behind the change, captures it contemporaneously, and carries it to the QP at release.
Consultation closed 7 October 2025; publication is expected 2026; enforcement window 2027 to 2028. For wider context, see the full Annex 11 2025 draft summary. Operational piece, not legal.
§12.1 to §12.10 at a glance (scope is wider than your ERP)
§12.1 sets scope. Any system where a user can control processes, capture / hold / report data, create / modify / delete data or access privileges, acknowledge alarms, or sign electronically needs a gmp audit trail that automatically logs all manual user interactions. That scopes in the ERP, LIMS, EMS / SCADA, weighing equipment, batch records, mobile scanners, door-access in GMP areas, and reporting tools where users edit upstream data. “My scanner just moves a pallet” is not an exemption.
| Clause | Topic | 2025 Draft Requirement |
|---|---|---|
| §12.1 | Scope | Auto-log all manual user interactions across eight triggers |
| §12.2 | Content | Who (with role) / what (old + new) / when (with time zone) / why (prompted) |
| §12.3 | Immutability | Locked on, no user edits, admin segregated from GMP |
| §12.4 | Reviewability | Sort and search by all four fields, or structured export |
| §12.5 | Procedure | SOP per system or system-type |
| §12.6 | Independence | Peer review; reviewer cannot have performed the activity |
| §12.7 | Scope of review | Risk-based; full-log review called out as possibly ineffective |
| §12.8 | Timing | Pre-batch-release unless deferral is justified |
| §12.9 | Electronic copy | Search / sort preserved; flat and locked files not acceptable |
| §12.10 | QP availability | Review available to the QP at release |
What must a gmp audit trail now capture? §12.2 Who / What / When / Why
Every edit carries five fields: user, active role at edit, old value, new value, timestamp with time zone, and a reason the system demanded before save. §12.2: “systems should automatically prompt the user for, and register the reason, why the change was made.” The system prompts. Not the SOP.
Deviation investigations stop asking “why did this change?” The QP’s release view gets a new column: a dozen “corrected typo” reasons on critical PAT results signals process weakness, not a clean batch. Multi-role users need role-at-save capture. Reason prompts cannot be retrofitted through training. GrowerIQ’s activity log captures who made a change, what changed, when (with timestamp), and the operator’s role. For the §12.2 reason-capture requirement, GrowerIQ prompts for the context behind critical changes; your QA team should walk through which record types are configured for mandatory reason capture during validation scoping. The platform was independently validated as GxP-compliant by RQC in December 2025 under Annex 11.
Red flags
Users can Save without a reason prompt. Reason lives in an optional comments tab. End-of-shift batch commits (§12.2: “at the time of events, not at the end of a process”).
§12.3: No edit, no deactivation, no admin shortcut
§12.3: “Audit trail functionality should be enabled and locked at all times, and it should not be possible for any user to edit audit trail data.” Where settings or system time can be changed at all, the change itself must be logged, and the administrator holding those rights must be “not involved in any GMP activities.”
This blocks the super-user admin: one person who approves batches and holds the database key. Under §12.3 that person violates segregation of duties. Either they drop GMP privileges, or IT hands the admin role to someone operationally uninvolved. GrowerIQ’s activity log is read-only from the user interface, and role-based access separates the technical administrator who can change system configuration from the GMP operator roles that perform batch activities. The platform was independently validated as GxP-compliant by RQC in December 2025, and the audit-trail behaviour was part of what RQC reviewed.
Red flags
A DBA can UPDATE the audit table with no tripwire (483-equivalent). IT admin also signs deviations or approves batches (segregation failure). “Disable audit trail” exists in the admin console.
§12.4 and §12.5: Search, sort, and the per-system SOP
A compliant gmp audit trail lets any reviewer sort and search by who, what, when, and why (§12.4), in-app or via structured export. Every system or system-type needs its own documented review procedure naming who reviews, what, and when (§12.5).
Filtering by user, record, time window, and reason-text must be one click. Exports mean CSV, JSON, or read-only database access. Write one SOP per system type (ERP, LIMS, EMS, batch records, scanner, access control); a generic cross-system SOP fails §12.5. GrowerIQ’s activity-log view supports filtering across user, record, and time window, and exports preserve structured columns (not flat PDF), which addresses §12.4 and §12.9. The per-system SOP under §12.5 remains the customer’s responsibility.
Red flags
Search requires an IT-run database query. The only export is a flat PDF. One generic SOP covers every system.
§12.6: You cannot review your own work
§12.6: “Audit trail reviews should be conducted by personnel not directly involved in the activities covered by the review (a peer review).”
Breaks the small-LP pattern of one QA manager who approves batches and also reviews the gmp audit trail. Single-person QA needs a formal backup. §12.6 peer review is a procedural control; GrowerIQ’s role-based access lets your QA team assign reviewer roles separately from the operators who performed the batch activity. Configure reviewer and approver roles so the same user cannot hold both on a given batch; your SOP then enforces the peer-review principle through the role matrix.
Red flags
Same QA reviews the batch and its audit trail. Peer review is SOP-enforced but software lets the originator click Approve.
§12.7: Why “review every line” is called out as ineffective
§12.7: “Reviewing all entries in an audit trail record may not be effective. Reviews should be targeted, based on risk.” And: “A key element should be to verify the reason why a change is made.” The reason field is where review attention now lands.
Stop performative full-log reviews. Name risk factors in the SOP: edits to critical quality attributes (potency, moisture, microbial), edits close to release, repetitive reasons, expected entries missing. A review that tags 100% but asks no questions about “why” hands an inspector ammunition. For §12.7 risk-based review, GrowerIQ’s activity-log filters help your reviewer target edits to critical fields and specific time windows, which is where the 2025 draft directs review attention. Your SOP names the risk factors and the platform filters support the scope.
Red flags
SOP says “review 100% of entries.” Reviews never produce escalations. Review does not verify the reason against the change.
When does the gmp audit trail review happen? §12.8 and §12.10
Before the QP releases the batch, and must be visible to the QP at release. §12.8: “The audit trail review should be conducted prior to batch release, unless the risk of a later detection of any unwarranted changes can be justified.” §12.10: “Audit trail reviews with direct impact on the release of a product should be available to the QP at the time of batch release.”
The common pattern (QP releases on the batch record; review happens monthly as a QA-systems task) violates §12.8 unless a documented rationale supports deferral. The release package must carry reviewer identity, scope filter, flagged items with disposition, and pointers to the raw trail. For §12.8 and §12.10, GrowerIQ bundles the activity-log evidence into the Master Batch Record that the QP reviews at release. Your SOP and role matrix set whether batch release is gated on a signed audit-trail review; GrowerIQ’s role-based access supports the required hand-off, and the platform’s RQC-validated activity log is what the QP drills into.
Red flags
Review happens quarterly while batches release daily. QP signs release with no evidence of review. Workflow has no gating on review completion.
§12.9: Flat and locked files are out
§12.9: “Flat and locked files are not acceptable, it should be possible to search and sort data.” Printed binders, locked PDFs, and scanned images do not satisfy.
End of “print to PDF and upload to the data room.” Inspection-ready copies mean CSV, JSON, or read-only mirror access. Vendor exits matter too: §7.5 viii and §12.9 together say the LP walks away with searchable data. GrowerIQ’s gmp audit trail exports to structured CSV and JSON preserving all five fields; exports are not rasterised.
Red flags
Only export is a flat PDF. Exports strip the reason field. Vendor exit plan produces scanned TIFFs.
The ALCOA lens
Annex 11 §12 operationalises the Attributable and Traceable attributes of Chapter 4 §4.63: “it is important to know who made a change, when, and why.” Chapter 4 uses ALCOA++ (10 attributes); Annex 11 uses ALCOA+ (9). Pick one for your SOPs. See ALCOA++ data integrity for cannabis manufacturing. For how long a gmp audit trail must stay intact through vendor changes, cross-reference the ALCOA-Enduring preservation angle.
Inspector red-flag cheat sheet
Walk your gmp audit trail against this list. Every line is phrased the way an inspector would write it up.
- “Users can save field changes without the system demanding a reason.” (§12.2)
- “Role attribution is absent for users with multiple roles.” (§12.2)
- “Audit trail entries can be edited through the database console.” (§12.3)
- “System administrator with audit-trail configuration rights also performs QA batch approval.” (§12.3)
- “System clock changes are not themselves captured in the audit trail.” (§12.3)
- “Audit-trail search and export rely on an IT-run database query.” (§12.4)
- “A single generic SOP covers all computerised systems.” (§12.5)
- “Audit-trail reviewer is the same individual who performed the activities under review.” (§12.6)
- “Review procedure requires 100 percent review and produces no escalations.” (§12.7)
- “Audit-trail review runs monthly while batches release daily.” (§12.8)
- “The batch release record contains no evidence of an audit-trail review.” (§12.10)
- “The only data export is a flattened PDF.” (§12.9)
Three or more describing your stack means your next GMDP inspection or EU-GMP certification audit will surface them. For the §11 IAM and §15 security context behind these gmp audit trail gaps, see the broader Annex 11 computerised-systems rules.
GROWERIQ AUDIT TRAIL
The §12.2 reason prompt, out of the box
Activity logs RQC reviewed. Role-based reviewer assignment. Master Batch Record bundles evidence into the QP’s release view. The confirmed Annex 11 §12 controls, ready to demonstrate.
EXPLORE EU GMP
Key Takeaways
- §12.2 reason prompt is the spine: the system must demand the reason before Save, not the SOP.
- §12.3 immutability blocks the super-user admin: whoever can edit audit settings or system time must not perform GMP activities.
- §12.6 peer review, §12.8 pre-release timing, §12.10 QP availability: the review now gates batch release.
- §12.9 kills flat PDFs: inspection-ready copies must be search-and-sortable (CSV, JSON, or read-only access).
- Enforcement window 2027 to 2028: plan an 18-to-24-month programme from publication, expected 2026.
Frequently Asked Questions
Does the §12.2 reason prompt apply to my mobile scanner?
Yes. §12.1 lists data capture and alarm acknowledgement as triggers. If the scanner edits or corrects a scanned value, the system must prompt for a reason.
Can we keep a paper batch-review workflow if the gmp audit trail is electronic?
Not safely. Chapter 4 §4.82 to §4.85 treats hybrid paper-plus-electronic as a named risk, and §12.10 requires the electronic review to be available to the QP at release.
When does this become enforceable?
Consultation closed 7 October 2025. Publication is expected 2026. Enforcement window: 2027 to 2028. Plan an 18-to-24-month programme from publication.
Is “review 100% of entries” non-compliant, or just not recommended?
§12.7 says full-log review “may not be effective” and directs reviewers to risk-based scope. An SOP mandating 100% that produces no escalations reads as a rubber-stamp.
Can our IT administrator also approve batch records?
No. §12.3 requires the administrator who can change audit-trail settings or system time to be “not involved in any GMP activities.” Role-based, not configuration-based.
Is a signed PDF of the gmp audit trail enough for inspections?
No. §12.9 says flat and locked files are not acceptable; the copy must be search-and-sortable. Move to CSV or JSON, or read-only access to a filtered view.
Planning an EU-GMP audit?
See how the GrowerIQ gmp audit trail lines up against the 2025 Annex 11 draft, clause by clause. Explore our EU GMP compliance overview or book a live walkthrough.
EXPLORE EU GMP
Summarises publicly-available draft guidelines; not legal or regulatory advice.
Recommended For You
Portugal’s Cannabis Exports Triple: 42 Tonnes to Germany and Growing as Europe’s Processing Hub
April 22, 2026UK Medical Cannabis Prescriptions Surge 262%: 80,000 Patients and a GBP 500M Private Market
April 21, 2026Poland: Europe’s Quiet Cannabis Giant with 105,000 Patients and 5 Tonnes Dispensed in 2025
April 20, 2026About GrowerIQ
GrowerIQ is changing the way producers use software - transforming a regulatory requirement into a robust platform to learn, analyze, and improve performance.
To find out more about GrowerIQ and how we can help, fill out the form to the right, start a chat, or contact us.