EU GMP Chapter 4 (2025 Draft): Data Governance, Documentation, and ALCOA++

Is your PQS ready for the data-governance chapter your seed-to-sale system sits inside?

The 2025 draft turns EU GMP Chapter 4 from a documentation chapter into a data-governance chapter. Here is what cannabis LPs have to change, clause by clause.

What is EU GMP Chapter 4 and what is changing in the 2025 draft?

EU GMP Chapter 4 is the chapter of the EU Good Manufacturing Practice Guide that governs documentation in regulated medicinal-product manufacturing. The 2025 draft expands EU GMP Chapter 4 from 9 pages into a 17-page data-governance chapter covering documentation, the data lifecycle, hybrid systems, electronic signatures, ALCOA++, and retention (§4.1 to §4.85). Consultation closed 7 October 2025; enforcement is expected 2027 to 2028. See the full EU GMP 2025 draft overview for the full package.

What’s actually different in EU GMP Chapter 4

Five new headings appear: Data governance systems, Risk management, Signatures, Data Integrity, and Hybrid Systems. §4.24 fixes accountability on the regulated user regardless of whether data was produced by a person, a validation script, or an AI model. §4.23 couples EU GMP Chapter 4 to Annex 11 and Annex 22 explicitly.

What it means for your LP

The old chapter was about documents. The new one is about data. That shift changes who is accountable (§4.24), what the PQS must cover (§4.12), and how vendors are governed (§4.18). Expect SOP rewrites, a new PQS data-governance section, and a vendor-oversight programme.

How GrowerIQ covers it

GrowerIQ is a computerised system under Annex 11 and a data source under EU GMP Chapter 4. The LP writes the charter; GrowerIQ provides the artefacts it references: read-only activity log, role-based access with unique accounts, a documented data model, and third-party GxP validation evidence from RQC (December 2025) to support §4.18 periodic vendor review.

Red flags

• PQS still references “Chapter 4 (2011)” with no data-governance element, §4.10 observation
• AI tools run outside the PQS with no accountability assignment, §4.24 plus Annex 22 exposure
• Electronic records printed to paper with no validation of the conversion, §4.26 violation

What is a data-governance system and why is it now part of the PQS?

A data-governance system is a formal PQS element that defines and communicates the LP’s data-integrity risk-management activities across the full data lifecycle. §4.10 makes it mandatory; §4.11 requires a documented risk assessment.

What’s changing (§4.10 to §4.18)

Four things must now sit inside the PQS: (1) a documented data-governance system (§4.10); (2) a risk-based rationale addressing data criticality and data risk (§4.13); (3) assigned data ownership across the full lifecycle (§4.15); (4) periodic review of service providers (§4.18).

What it means for your LP

QA authors the charter; inputs come from IT, production, and the QP. You need a documented charter, a data inventory per GMP-critical flow, assigned owners, a review cadence for service-provider controls, and evidence that mitigation effectiveness gets reviewed (§4.17). Auditors will ask for the charter on day one.

How GrowerIQ covers it

GrowerIQ provides the artefacts your data-governance charter references: a documented data model, the activity-log configuration, the role matrix, electronic-signature manifestations, and an RQC-validated software version your QA team can attach to the charter as third-party validation evidence for §4.18. The platform is designed and controlled to SOC 2 standards for §4.18 vendor oversight. A vendor that cannot produce these forces the LP to reverse-engineer them, which inspectors treat as a gap.

Red flags

• No PQS element named “data governance”, §4.10 observation
• Data-governance document lacks a risk-based rationale, §4.11 violation
• No periodic review of the seed-to-sale vendor’s data-management policy, §4.18 violation, often a CAPA at certification

GROWERIQ DATA GOVERNANCE

GrowerIQ maps cleanly to EU GMP Chapter 4

Immutable audit trail, role-based access, electronic signatures, retention anchoring, and service-provider documentation, ready for the evidence your data-governance charter needs.

EXPLORE EU GMP

Why does EU GMP Chapter 4 say ALCOA++ while Annex 11 still says ALCOA+?

EU GMP Chapter 4 §4.63 Table 1 codifies ALCOA++ with ten attributes including a new Traceable attribute, while the parallel Annex 11 draft §2.4 keeps the older nine-attribute ALCOA+ set. Both drafts sit in the same 2025 consultation package. Write your SOPs to ALCOA++ and footnote the drift. See ALCOA++ data integrity for cannabis manufacturing for the cannabis-specific walkthrough.

The evolution of ALCOA

What this means for your data-integrity SOP

When referencing EU GMP Chapter 4, quote ALCOA++ (ten). When referencing Annex 11, quote ALCOA+ (nine). Do not silently merge them. Footnote the inconsistency so an inspector does not mark it as an error.

Why Traceable matters in cannabis

Traceable is new in EU GMP Chapter 4 but already a baseline for cannabis. Every split batch reconciles back to its parent lot, every derived weight back to its raw weight, every potency result back to its source lot. §4.75 ties signatures to the same set: signed records “should fulfil the ALCOA++ principles.”

Red flags

• SOP references ALCOA (five attributes) from the pre-2025 era, §4.63 violation
• SOP uses ALCOA+ when EU GMP Chapter 4 is cited, attribute mismatch
• Traceable not demonstrable (split batches cannot be traced back to parent lot), §4.63 Table 1 violation

The six-stage data lifecycle you now must document (§4.12)

§4.12 requires the data-governance system to cover the entire data lifecycle across six stages: (i) creation, (ii) processing into derived data, (iii) verification, (iv) decision-making, (v) retention and archiving, (vi) controlled destruction. For every GMP-critical flow, you need a diagram that walks through all six.

What it means for your LP

For a batch-release decision: scanner weighs a harvest lot; dried weight converts via a validated formula; QA reviewer confirms the math; QP certifies release; record locks and the retention clock starts (§4.77); controlled disposal at end of retention. One diagram per GMP-critical flow becomes your inspection exhibit.

How GrowerIQ covers it

GrowerIQ supports the operational stages of §4.12: scanner capture with timestamped activity entries, calculated values recorded in the activity log, QA review with electronic signature (see the new audit-trail rule), and QP release bundled into the Master Batch Record. For stages (v) archival and (vi) controlled destruction, GrowerIQ provides role-based access controls that your LP operates; your data-governance charter defines who can trigger destruction at retention end. An LP running stages (i) to (iv) on GrowerIQ but archiving to a shared drive breaks the lifecycle at §4.12 v.

Red flags

• No data-lifecycle diagram for any GMP-critical flow, §4.12 observation
• Derived data (moisture-normalised potency, yield percentages) cannot be reconstructed back to raw inputs, §4.12 iii violation
• Admin can delete records before retention expires, §4.12 vi plus §4.79 violation

Hybrid systems: paper-plus-electronic is now a named risk (§4.82 to §4.85)

EU GMP Chapter 4 introduces hybrid systems (combinations of paper and electronic means) as a formally-regulated category. §4.82 to §4.85 require each hybrid flow to have a written description, individually-validated components, procedural control of the paper-to-electronic interface, and a documented review process for both halves.

What’s changing

§4.82: each contributing element must be “clearly defined and identified” and individually validated. §4.83: a written description of components and “procedures and records… to manage and appropriately control the interface between manual and computerised systems.” §4.85: procedures for “the evaluation, approval and archiving of electronic and paper-based data.”

What it means for your LP

Most cannabis LPs run hybrid flows without calling them hybrid: paper deviation forms scanned into electronic records, paper cleaning logs in binders, paper batch-review sheets used before QP release. Each needs a written description. A blank answer is a CAPA on day one.

How GrowerIQ covers it

The cleanest response is to reduce hybrid exposure. GrowerIQ supports electronic deviation records, cleaning logs tied to equipment, batch-review workflows, and QP release in one audit-trailed record. For paper workflows that cannot be retired immediately, you need a written description covering the paper form’s identifier, the transition point, validation of the transcription step, and the §4.85 review procedure.

Red flags

• Paper batch-review checklist signed on the floor, never referenced in the electronic record, §4.83 violation
• No written inventory of which operations are hybrid, §4.82 plus §4.10 observations
• Vendor claims “we are paperless” while the LP runs paper deviation forms, exposure is not reduced by the vendor’s claim

Signatures (§4.64 to §4.75): electronic by default, hybrid signatures to avoid

EU GMP Chapter 4 §4.70 sets a clear default: if records exist electronically, sign them electronically. A written signature policy (§4.67) is mandatory, naming every authorised signatory. Where paper and electronic signatures run in parallel, the regulated user must declare in writing which is regulatory-relevant.

What’s changing

§4.67 requires a written signature policy naming signatories. §4.69 requires signatures to be “indisputable and traceable to the signatory and the signed document or record.” §4.70 treats hybrid signatures as an anti-pattern. §4.75 ties signed records to the full ALCOA++ set.

What it means for your LP

If your batch record is electronic but the QP signs a printed cover sheet in ink, you are running a hybrid-signature workflow the draft tells you to avoid. §4.70 requires a written decision of which signature governs. Your policy should enumerate every record type, declare the regulatory-relevant format, name signatories, and cross-reference Annex 11 §13.

How GrowerIQ covers it

GrowerIQ supports electronic signatures on batch-release, deviation approval, QA review, and QP certification. Each signature captures user identity, records the meaning, applies a server-side timestamp, and stores immutably alongside the record.

Red flags

• No written signature policy, §4.67 observation, usually cited with §4.10
• QP signs a paper cover sheet on top of an electronic batch record with no written policy, §4.70 violation
• Signature captured but the underlying record can still be edited without invalidating it, §4.75 plus Annex 11 §13.8 unbreakable-link violation

Retention: the longer of one year post-expiry or five years post-QP-certification (§4.77)

§4.77 sets batch-documentation retention at the longer of one year after batch expiry or five years after QP certification. For most medicinal cannabis with a two-year shelf life, that resolves to five years after QP certification. §4.76 adds that records must stay human-readable throughout retention; §4.79 restricts who can trigger destruction.

What it means for your LP

Your retention clock starts at QP certification, not at manufacture; counting from manufacture risks early destruction. §4.76 kills the “archived to a format requiring a 2019 software version we no longer license” failure mode. §4.79 means retention is a permission-matrix question: delete rights must be gated. For clinical-trial batches the five-year clock runs from the end of the last trial.

How GrowerIQ covers it

GrowerIQ records the QP-certification timestamp as part of the Master Batch Record and activity log, which gives your QA team a fixed anchor for the §4.77 retention clock. Role-based access restricts who can trigger record destruction (§4.79), and records remain live and human-readable through retention (§4.76) for the current platform version, which is RQC-validated as GxP-compliant. An LP running GrowerIQ plus paper archives must apply §4.77 to both halves.

Red flags

• Retention clock counted from manufacture date instead of QP certification, §4.77 miscalculation
• Records archived to a format no longer readable (deprecated scanner format, DVD-R), §4.76 violation
• Any user can trigger record destruction through the application, §4.79 violation

Frequently Asked Questions

Last updated: April 2026

Prepare for EU GMP Chapter 4 before your next audit

You have 18 to 24 months before EU GMP Chapter 4 is enforced. GrowerIQ customers run on a platform whose audit trail, role-based access, electronic signatures, retention anchoring, and service-provider documentation map to the 2025 draft. See the full EU GMP feature set or book a demo to see the Chapter 4 artefacts live.

REQUEST DEMO