
OR WAIT null SECS
© 2026 MJH Life Sciences™ , Pharmaceutical Technology - Pharma News and Development Insights. All rights reserved.
Epista's Henrik Johanning revisits his 2026 predictions on QRM, Annex 1, AI governance, and regulatory convergence: What's tracking, what isn't.
PharmTech recently caught up with Henrik Johanning, senior vice president, Quality & Strategy, Epista Life Science, to follow up on predictions he made on major European regulatory and manufacturing trends transitioning in pharma back in December.
When PharmTech last spoke with Johanning about 2026, he focused on the operationalization of modern quality risk management (QRM) and tangible upgrades required for facilities to achieve sustained compliance with European Union (EU) good manufacturing practice (GMP) Annex 1. The conversation explored the rising expectations for digital Good Manufacturing Practice (GMP) driven by Annex 11 and Annex 22, the reconfiguration of supply chains due to geopolitical factors, and the ongoing convergence of global standards under International Council for Harmonisation (ICH), Pharmaceutical Inspection Co-operation Scheme (PIC/S), and EU GMP.
Now that 2026 is half over, Johanning offers his thoughts on what predictions he made came to fruition, which didn't, and why, as well as what's in store for the second half of the year.
Johanning: Yes, but unevenly. In sterile manufacturing, Annex 1 is clearly pushing more companies to link contamination-control strategy, QRM, and investment decisions. I see stronger focus on HVAC, water systems, clean utilities, environmental monitoring, barrier technology, and facility upgrades. However, many organizations are still in transition and trying to translate what regulatory requires. They have risk assessments and remediation roadmaps, but the link to capital prioritization is not always strong enough. The real maturity test is whether QRM changes decisions, not whether the risk assessment exists.
Directionally, yes. Operationally, not fully (at least not yet). The regulatory direction is increasingly becoming clearer: AI and digital tools must sit inside the pharmaceutical quality system, with defined intended use, risk assessment, validation or fit-for-use evidence, data governance, supplier oversight, human oversight, monitoring, and change control. But companies are still working out practical validation pathways, especially for probabilistic models and generative AI. Annex 22 does not yet have standalone inspection teeth, but the expectations are already partly inspectable.
Convergence has helped align the language around lifecycle management, QRM, data integrity, supplier oversight, and modern quality systems.
But it has not removed operational friction. Geopolitical pressure, tariffs, supply-security concerns, and regionalization are moving faster than regulatory convergence. Companies still face local release models, variation requirements, import rules, inspection differences, and site-transfer complexity. So convergence helps companies manage complexity, but it has not eliminated it.
Only in pockets. Many companies are investing in manufacturing execution systems, enterprise quality management systems, automation, data integrity, and digital upskilling, which is positive.
But the real gap is cross-functional capability. Quality, engineering, automation, IT, validation, and data science still too often operate in separate, deep lanes and pockets. The strongest organizations are building integrated teams around concrete use cases and assigning clear digital process ownership.
The constraint is not only headcount. It is the ability to make good GMP risk decisions across process, data, and technology.
For me, it is how quickly AI has moved from innovation discussion into practical GMP governance. The conversation has matured from “What can AI do?” to “Can the regulated process defend what AI helped create?” That is a significant shift. AI is now being discussed in terms of intended use, validation, lifecycle control, human oversight, data governance, supplier oversight, and inspection readiness.
The biggest challenge is turning risk-based intent into executable control strategies. This applies to Annex 1 remediation, AI governance, digital validation, data integrity, supply-chain resilience, and capital prioritization. Companies need to avoid both under-control and over-control. The answer is not simply to control more. It is to control right, based on intended use, consequence, complexity, and patient/product/data risk.