Periodic Review

What periodic review actually is

Periodic review is the umbrella discipline of recurring, documented re-verification — performed at defined intervals to confirm that the object under review remains compliant, effective, and fit for intended use. It's the structural pattern that asks, on a schedule: is what we validated still valid? Is what we approved still current? Is what we trained on still what people actually do?

The discipline shows up across multiple object types in the quality system, with the same underlying shape and different specifics. System periodic review applies to computerised systems under EU GMP Annex 11 §11 and GAMP 5. Process periodic review (often called Product Quality Review or Annual Product Review in pharma) applies to manufacturing processes under EU GMP Chapter 1 §1.11 and 21 CFR §211.180(e). SOP periodic review applies to controlled documents. Supplier periodic review covers ongoing supplier suitability. Equipment periodic review covers qualification maintenance. Each has the same skeleton: defined scope, data inputs, documented review, conclusions, follow-up actions.

This entry covers the umbrella discipline — what makes a periodic review credible regardless of object type. For object-specific obligations, output formats, and regulatory anchors, see the specific entries.

The umbrella discipline is regulated under EU GMP Annex 11 §11, 21 CFR Parts 210 and 211, Part 820 (implied through ongoing control requirements), GAMP 5 (Second Edition, 2022), ISO 13485 §§4.1.5 and 5.6, ICH Q10 §4 (continuous improvement), and WHO TRS GMP guidance.

Why periodic review is a defining quality governance control

Periodic review is the principal mechanism for catching drift before it becomes a finding. Systems and processes that were valid when implemented degrade silently as their context changes — equipment is replaced, methods evolve, regulations update, integrations break, people who held tacit knowledge leave. Without periodic re-verification, the drift accumulates invisibly and surfaces during inspection. With periodic re-verification, drift is caught at the routine interval and addressed through normal change control.

The pattern that keeps showing up in enforcement is missed or rubber-stamped periodic review. Validated systems whose audit trails hadn't been reviewed for years (PIC/S PI 041-1 changed expectations sharply here). Processes whose actual practice had drifted from the validated state. SOPs whose periodic review was a signature on an unchanged document. Suppliers whose performance had degraded but whose periodic review checked only documentary compliance. The pattern is consistent enough that inspectors use periodic review samples as a maturity diagnostic.

Three specific shifts have raised the bar in the last few years. PIC/S PI 041-1 (July 2021) added explicit audit-trail-review expectations that feed system periodic review. EU GMP Annex 11 §11 is read more strictly now than it was a decade ago. FDA CSA (Final, September 2024) and GAMP 5 (Second Edition, 2022) both emphasise periodic review within the validated lifecycle.

Where periodic review is treated as compliance overhead, the dysfunction shows up in the review reports themselves: one-page sign-offs with no substantive findings. Where it's treated as an actual management tool — what have we learned about this system, process, SOP, or supplier in the last year? — the reports are longer, the findings are real, and the inspection conversation is short.

Inspector perspective: the most revealing test is to sample one periodic review report and ask for the underlying data the reviewer based the conclusion on. Deviations encountered during the period, audit trail review outcomes, change controls, complaints. If the report's conclusion aligns with what the data shows, the review is real. If the report says 'no issues' but the data shows three open deviations and a change control that touched the validated state, the review is performative and the inspection direction is set.

Where periodic review obligations come from

Periodic review obligations are explicit in some frameworks and implicit in many:

• EU GMP Annex 11 §11 (Periodic Evaluation): computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant. The principal explicit requirement for system periodic review.
• EU GMP Annex 11 §9 (Audit Trails): audit trails periodically reviewed; feeds system periodic review.
• EU GMP Chapter 1 §1.10: ongoing process performance and product quality monitoring including periodic product quality review.
• EU GMP Chapter 1 §1.11 (Product Quality Review): regular periodic quality reviews of all licensed medicinal products with the objective of verifying the consistency of the existing process, the appropriateness of current specifications for both starting materials and finished products, to highlight any trends and to identify product and process improvements.
• 21 CFR §211.180(e): written records of evaluation of the quality standards of each drug product, at least annually, including review of records and complaints (the U.S. equivalent of PQR / APR).
• 21 CFR §211.100: implies maintenance of currency including periodic review.
• 21 CFR §211.166: implies ongoing verification including periodic review of stability program.
• 21 CFR §820.20(c): management with executive responsibility shall review the suitability and effectiveness of the quality system at defined intervals.
• 21 CFR §820.180: implies periodic verification of records and processes.
• 21 CFR Part 11 §11.10(d): validation and ongoing system controls implicitly include periodic re-evaluation.
• GAMP 5 (Second Edition, 2022): periodic review built into the validated lifecycle; risk-based frequency.
• ISO 13485 §5.6 (Management review): quality management system reviewed at planned intervals.
• ISO 13485 §4.1.5: validated processes monitored and revalidated when needed.
• ISO 9001:2015 §9.3: QMS reviewed at planned intervals.
• ICH Q10 §3.2.4 (Management Review): periodic review of process performance and product quality.
• ICH Q10 §4 (Continuous Improvement): periodic review feeds continuous improvement.
• ICH Q12 (Lifecycle Management): post-approval lifecycle activities including periodic review.
• FDA Computer Software Assurance (Final, September 2024): risk-based assurance including periodic re-evaluation of validated state.
• PIC/S PI 041-1 (July 2021): audit trail review and system periodic evaluation.
• PIC/S PE 009-17 (June 2023): GMP including periodic product quality review.
• WHO TRS 986 Annex 2, TRS 1019, TRS 1033: WHO GMP equivalent periodic review expectations.

What disciplined periodic review looks like

The practices that survive inspection:

• Periodic review SOP. Defines scope per object type (system, process, SOP, supplier, equipment), frequency (risk-based), data inputs required, review process, output format, follow-up discipline.
• Per-object schedule. Each object subject to periodic review has a defined next-review-due date; due dates surfaced before they pass.
• Defined scope per object. The periodic review for a given object covers a defined set of inputs, not improvised at review time.
• Data collection from sources. Deviations, CAPAs, audit trail reviews, change controls, complaints, performance metrics, incidents, training compliance, access reviews collected for the period being reviewed.
• Substantive review meeting or work. Reviewers actually examine the data; findings documented; conclusions drawn against criteria.
• Documented findings and conclusions. Report captures what was reviewed, what was found, what the conclusion is, what actions are needed.
• Actions through change control or CAPA. Findings requiring action route through formal change control or CAPA; not informal lists.
• Follow-up tracking. Actions tracked to closure; overdue actions escalated.
• Approval per governance. Review report approved per the configured authority; signature carries Part 11 §11.50 meaning where electronic.
• Trend across reviews. Patterns across multiple periodic reviews of similar objects feed MR under ICH Q10 §3.2.4.
• Periodic review of the periodic review SOP itself. Meta-review on the same cycle.
• Risk-based frequency adjustment. Demonstrated changes in object risk profile (more deviations, more changes, more incidents) trigger interval review.

What strong periodic review programs do

The controls that hold up at inspection:

• Periodic review SOP per object type. Distinct guidance for systems, processes, SOPs, suppliers.
• Per-object schedule tracked. Next-review-due visible; surfaced before passing.
• Scope defined per object. Not improvised.
• Data inputs identified. Required sources defined for each review type.
• Substantive review. Actually examines data, not just signs off.
• Documented findings + conclusions. Captured in a structured report.
• Actions through change control or CAPA. Formal workflow, not informal lists.
• Follow-up tracking to closure. Overdue actions escalated.
• Approval per governance. Authority + signature meaning.
• Trend feed to MR. Standing input under ICH Q10 §3.2.4.
• Periodic review of the SOP itself. Meta-review.
• Risk-based interval adjustment. Triggered by changes in object risk profile.
• Cross-functional input for significant systems and processes. Not single-perspective.

How Complere supports periodic review

Periodic review is the discipline that keeps your validated and controlled state from drifting silently. Your team decides the cadence, the scope, and the conclusions. What Complere gives you is the data your reviewers need at the moment they need it, and a record that holds up to the inspector who asks for the underlying evidence behind the conclusion.

For SOPs and other controlled documents, periodic review runs on the schedule you set per document type. Documents coming due surface for your reviewers; overdue ones get flagged so they don't slip silently. Reviewers record findings (no change with rationale, minor revision, major revision) on the document itself, and any revision routes through change control. The full review history travels with the document — so the "signed but unchanged" pattern stops looking like a periodic review and starts looking like what it actually is.

For quality processes, the review draws on the deviations, complaints, and OOS your team logged over the period; the CAPAs you opened and closed; the changes that touched the process; the audit findings related to it; and the training compliance for the people performing it. Your reviewer sits down with the actual data — not a checklist — and the conclusion they write reflects what the data shows.

For validated systems, the same aggregation supports the Annex 11-style review your validation lead runs against each system. The periodic evaluation itself is a controlled record with scope, data sources, findings, conclusions, and follow-up actions. Audit trail reviews live on the same record where you can reference them at review time.

When the review identifies something that needs action, the finding routes into change control or a CAPA with a link back to the originating review. The closure trail stays intact — so when an inspector asks "what did you do about this finding from last year's review?", the answer is one click away.

What stays with your team: the periodic review SOP itself (scope, frequency, data inputs per object), reviewer competence and substantive judgment over rubber-stamping, cross-functional input on the significant reviews, and the discipline of acting on findings rather than just documenting them. Complere supports the program; credible periodic review remains your quality decision.

Related governance and quality system terms

Periodic review intersects with most ongoing-state governance:

• Change Control — findings often route into change control
• SOP Management — periodic review applies to SOPs
• Document Lifecycle Management — SOP periodic review sits inside the document lifecycle
• Audit Trail Review — feeds system periodic review
• Management Review — periodic review outputs feed MR
• Risk Management — risk-based frequency
• CAPA — findings route into CAPA