What a Periodic Review Actually Confirms

After your system is GMP released — VSR approved, system in production use — the validation clock does not stop. Every change made since release, every deviation raised, every calibration that has drifted, every account that has not been disabled when someone left: all of it accumulates. The periodic review is the formal mechanism that looks back across the entire operation period and asks a single question: is this system still in its validated state?

The regulatory basis is EU GMP Annex 11 §11 (Periodic Evaluation), which requires computerised systems to be periodically evaluated to confirm they remain in a validated state. GAMP 5 translates this requirement into a structured review process — documented, multi-disciplinary, and concluded with a formal sign-off.

Critically, the periodic review is not a re-validation. It is a review of evidence accumulated since the last review. It does not repeat OQ test cases unless specific findings require it. What it does do is examine the change control log, the deviation ledger, the audit trail, calibration status, training records, and process performance data — and draw a documented conclusion about whether the validated state has been maintained.

The Regulatory Requirement

EU GMP Annex 11 §11: "Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP." This is a mandatory requirement, not guidance. The absence of a periodic review record for a GMP system is a direct Annex 11 non-compliance finding.

When It Triggers — Four Scenarios

There are two types of periodic review: the scheduled review that happens on a fixed calendar cadence, and triggered reviews that are required by specific events. Both are governed by SOP-PR-SYS-001.

Scheduled
Regular Cycle
Every 24 months from VSR approval
The baseline review cadence. First review date is recorded in VSR-SYS-001 Section 8.2 at the time of system release. Preparation begins 4 weeks before the due date — assign review author, gather source documents, schedule review meetings.
Triggered — Major Change
Post-Change Review
Within 90 days of Type 1 change
Any Type 1 (Major) change — software version, hardware replacement, new network device — requires a partial periodic review of the affected functions within 90 days of implementation. Full review if the change was significant in scope.
Triggered — Inspection Finding
Post-Inspection Review
Within 60 days of finding
Any observation or finding from a regulatory inspection (FDA, MHRA, EMA) related to this system triggers a full review. The review demonstrates the system owner has investigated the finding and confirmed the broader validated state.
Triggered — Prolonged Shutdown
Return to Service
Before return if shutdown >30 days
Any shutdown exceeding 30 days requires a full review before return to GMP production use. This includes re-execution of selected OQ test cases to confirm the system is still functioning as expected after a period of inactivity.
VALIDATED SYSTEM LIFECYCLE — PERIODIC REVIEW CADENCE VSR APPROVAL PR-1 12 MONTHS TYPE 1 CHANGE PARTIAL REVIEW ≤90 DAYS PR-2 +24 MONTHS PR-3 +24 MONTHS FIRST REVIEW AT 12 MONTHS (PER VSR SECTION 8.2). SUBSEQUENT REVIEWS EVERY 24 MONTHS. TRIGGERED REVIEWS DO NOT RESET THE SCHEDULED CALENDAR.
// PERIODIC REVIEW CADENCE — TRIGGERED REVIEWS DO NOT RESET THE SCHEDULED 24-MONTH CALENDAR. A PARTIAL REVIEW AFTER A MAJOR CHANGE IS ADDITIONAL, NOT A REPLACEMENT FOR THE SCHEDULED REVIEW.

The Seven Review Sections

The PRR-SYS-001 template structures the review across seven sections. Each requires specific source documents to be reviewed and specific checks to be performed. An auditor reading the approved PRR will look for evidence that each section was genuinely reviewed — not just ticked off.

S1 Change Control Log Review CRITICAL

Review every entry in CCL-SYS-001 since the last review (or since VSR approval for the first review). Confirm all Type 1 changes were re-tested, CAPA closed, and VSR amended where required. Confirm no unauthorised changes — shadow changes.

SHADOW HASH CHECK: Compare current PLC software hash against the validated archive baseline. Current hash ≠ baseline hash = shadow change = immediate Category A finding. This is the most impactful single check in the entire review.
S2 Deviation Log Review CRITICAL

Review all MDL entries from the operation period. Confirm all deviations are closed. If any Category A deviations were risk-accepted rather than corrected, confirm the risk-acceptance rationale is still valid and the residual risk is still acceptable.

CHECK: Any MDL entries in OPEN status? Any CAPA past their due date? Any recurring deviation pattern (same failure mode appearing multiple times) that suggests a systemic issue?
S3 Audit Trail and Data Integrity Analysis CRITICAL

Export a minimum of 50 audit trail events from the review period. Review for: all setpoint changes have reason entries, no shared accounts, no unexplained access denials suggesting attempted security bypass, NTP drift within ±30 seconds.

Perform the SQL write-once check: attempt an UPDATE command on one historical audit trail record directly in the database. The command must be blocked or produce an audit trail entry itself. This adversarial check is the one most inspectors ask for first.

MINIMUM: 50 audit events reviewed · All parameter changes have reason entries · No generic/shared accounts active · NTP events reviewed for drift · SQL UPDATE attempt: BLOCKED confirmed
S4 Maintenance, Calibration and Backup HIGH

Review EL-SYS-001 Sheet 9 (Calibration Register) — confirm no GMP-critical instruments are overdue. Calculate backup success rate from SCADA backup status historian tag. Verify UPS has been function-tested within the last 12 months. Confirm validated software archive is current and accessible.

CHECK: Any overdue calibration certificates? Backup success rate ≥99%? UPS test date within 12 months? Validated configuration archive matches current deployed state?
S5 Training and User Access Review HIGH

Confirm training records are complete for all current personnel with system access. Confirm all personnel who have left the organisation have had their accounts disabled (not deleted — disabled to preserve audit trail attribution). Review role assignments — all roles still appropriate to current job functions.

CHECK: Any active accounts for personnel no longer on site? Any users without current training records? Any role assignments that no longer reflect actual job responsibilities?
S6 Process Performance Review (PQ Phase III Data) MEDIUM

Review PQ Phase III ongoing monitoring data. Generate trend charts for each critical process parameter and each Point of Use. Identify any out-of-trend (OOT) results that are not yet OOS but show a worsening direction. Compare seasonal data if two or more annual cycles are available — seasonal patterns are expected in some systems and should be documented rather than treated as anomalies.

CHECK: Any OOT trends approaching action limits? Any confirmed OOS results — were these investigated and the system implicated or excluded? Does the data confirm the PQ acceptance criteria are still being met?
S7 Regulatory and Industry Changes MEDIUM

Review any updates to EU GMP Annex 11, 21 CFR Part 11, GAMP 5, and applicable pharmacopoeias (USP, EP) issued since the last review. Assess whether any changes create a gap with the current validated state. This section is frequently underperformed — regulatory updates are not always announced loudly and it is the system owner's responsibility to track them.

CHECK: Any new regulatory guidance issued? Any pharmacopoeial specification changes for the process? Any site policy updates that affect the validated system's compliance status?

The Three Possible Conclusions

The Periodic Review Report must state one of three conclusions. Each has different implications for what happens next.

Validated State Confirmed — No Action Required
All seven sections reviewed with no significant findings. System remains in its validated state. PRR-SYS-001 approved and filed. Next review date updated in VSR Section 8.2 or site review register.
⚠️
Validated — Minor Actions Required
System remains in its validated state but findings require remediation. An action plan (Section 8 of PRR-SYS-001) lists each action, owner, and due date. PRR approved subject to actions being completed on schedule. QA monitors closure.
🚨
Re-Qualification Required
System has drifted from its validated baseline. This conclusion requires escalation to QA management. The system may need to be restricted from GMP use pending re-qualification of affected functions. A re-validation plan is required within a defined timeframe.
The Shadow Hash Finding

A hash mismatch between the current deployed PLC software and the validated archive baseline is not a "minor action." It means an undocumented change has been made to the validated software — a shadow change. This is among the most serious findings in a GMP validation inspection. The system cannot be considered to be in its validated state. The change must be investigated, root cause documented, impact assessed, and the system formally re-tested and re-released before GMP production can resume.

Preparing for a Review — What to Gather

The SOP requires review preparation to begin at least 4 weeks before the scheduled date. The source documents needed are:

In the QLean Framework

SOP-PR-SYS-001 defines the full periodic review process — preparation timeline, execution steps for each of the seven sections, escalation criteria, and approval routing. PRR-SYS-001 is the pre-structured review report template with all seven sections, the shadow hash verification table, the SQL write-once check record, and the three-option conclusion checklist. Both documents are designed to work together — the SOP tells you what to do, the PRR gives you the format to record it.