Skip To Content

GxP and 21 CFR Part 11 Compliance

March 28, 2024
by Sanji Bhal, Director, Marketing & Communications, ACD/Labs

Mythbusting Software Validation

Every year, we speak with hundreds of scientists working in validated environments. The world over, we see the same compliance misconceptions arise.

When it comes to 21 CFR Part 11, many scientists’ experience with software deployment falls into two categories:

  1. Software was installed alongside new hardware (e.g., a new LC/MS instrument comes with a CDS)
  2. Informatics systems were integrated into the entire development workflow to directly submit regulatory reports and data (e.g., LIMS)

From experiences with these specific types of software, certain myths develop. At ACD/Labs we often advise clients about compliance as it relates to our software. Here we bust some common myths about software validation in GxP environments, and 21 CFR Part 11 compliance.


Myth #1—the vendor supplies validated software out-of-the-box

Validation is environment-specific. The FDA states: validation is “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses in their environment” (italics ours).

Thus, software cannot be validated by the vendor. Instead, it must be validated:

  • In the user’s environment
  • Within their intended workflow
  • As outlined in their organization’s standard operation procedures (SOPs)

Further, the entire system must be validated—not just each individual piece of software, but also interactions between software packages. The validation process includes:

  • Installation qualification (IQ)
  • Operational qualification (OQ)
  • Performance qualification (PQ)

All these processes are documented to ensure that the software specifications conform to the user’s needs. The user may also audit the software vendor to confirm that they have a quality management system (QMS) and process.

Some vendors advertise “validated” or “pre-validated systems” on the basis that the customer can validate the system “as-is.” But this only works if the system is not specially configured or customized. Even then, the equipment must still be validated in the user’s environment and workflow. Thus, pre-validation mostly streamlines the process with readily available documentation.

Myth #2—software validation is performed by the vendor

This is an extension of Myth #1. Just as software cannot be validated outside of its use case, it cannot be validated without its users.

Vendors can certainly assist in validation by providing documentation and technical assistance for IQ, OQ, and PQ. They may also offer validation services like consultations, documentation, or more active involvement. Still, it is the ultimate responsibility of the user to validate that the system meets their requirements.

Like many vendors, we offer services to smooth the validation process. We partner with our customers, who are crucial to the work. Read more about how we help you with software validation.

Myth #3—software used in a GxP environment must be 21 CFR Part 11 compliant

Software used in Good Laboratory Practices (GLP), Good Manufacturing Practices (GMP), and Good Clinical Practices (GCP) must have:

  • An audit trail at the point in time when a record is first saved to durable media
    • The audit trail must contain the date and time stamp of the change, the description of the change, the reason for the change, and the name of the person making the change
    • The audit trail must not obscure previous values. Both the old and new values of a parameter must be recorded.
  • Specific user accounts
  • Forward compatibility for all files generated by the software
  • Tamper protection for all records, including audit trail records

GxP compliance of software requires validation and 21 CFR Part 11 requires compliance with these established rules (i.e., GxP).

Not all software must be compliant. 21 CFR Part 11 compliance is only necessary for software that generates data submitted electronically in regulatory (e.g., FDA) filings. Such software must also include electronic signatures.

Software that is not directly involved in the generation and submission of data in regulatory filings does not require the same validation procedures. By distinguishing between necessary and unnecessary validation, you can save time and resources.

How We Support GxP and 21 CFR Part 11 Compliance Efforts

ACD/Labs provides compliance-ready software for use in both GxP (good laboratory practice—GLP, good manufacturing practice—GMP) and 21 CFR Part 11 compliant environments. We have supported many customers through the complicated process of validation and managed successful software audits.

Compliance for laboratory software systems means consistent and reliable results to assure quality, traceability, integrity, and validity.

We can help you install our software and solutions in regulated environments and are happy to provide advisory level of support based on our experience.

Validation of Software on Spectrus® & Percepta® Platforms

  • A quality management system (QMS) and processes are in place for self-directed validation of our software
  • We can assist with the creation of installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) scripts

GxP Compliance Features in the Spectrus Platform

  • Audit trail with date and time stamp, description of the change, and the name of the person making the change
  • Specific user accounts
  • Forward compatibility of files generated by the software
  • Data storage in a secure database environment with protection against tampering

21 CFR Part 11 Compliance Features in the Spectrus Platform

If you electronically submit documents directly from ACD/Labs software to regulatory authorities, 21 CFR Part 11 compliance requires electronic signatures that meet the agency’s requirements. This capability is available within the Spectrus Platform.

Compliance and validation can be complicated. Sometimes a minor misunderstanding can lead to labs undertaking these tasks, necessarily. Validation requirements for third-party software used to interpret and understand analytical results and support decision-making, is not the same as for software that runs the instrument. We hope we’ve dispelled some myths in this blog post, and helped you get a clearer idea of what you need the next time you deploy software in your laboratory.

If you have and questions or expertise to share please leave us a message in the comments. ⬇

Send me more info!

Subscribe to receive more information about Luminata from ACD/Labs

This field is for validation purposes and should be left unchanged.

7 Replies to “GxP and 21 CFR Part 11 Compliance”

  1. I am trying to find out how to determine IF a software product must comply with these rules in the first place. What I don’t seem to see anywhere is any documentation to indicate the determination of compliance.
    I suspect the product my company maintains is not relevant to these rules. Is there any documentation on this?
    Who decides if a software product must comply with these rules?

  2. Hi William, software must meet GxP requirements if it is to be used in a GxP compliant environment or connected to GxP validated instrumentation, as may be the case for pharmaceutical development and manufacturing. Your customers will tell you if their labs are GxP validated —chances are if you sell into discovery or don’t know, then it’s not a concern for you. CFR21 Part 11 compliance is necessary if results from the software are sent directly, electronically to the FDA or regulatory bodies as part of submissions.

  3. is GxP validation efforts needed for a file share of sorts that will be temporary (2-3 yrs) repository for various clinical trial documentation (containing CSI information) It is not a system that will be used for working on documents.

  4. Apologies for the long-waited response Janet. Clinical trials are one area where our tools are not deployed so I’m afraid we can’t help you there. I’d recommend speaking to a vendor in the space or reviewing the FDA guidelines specifically around this.

  5. I have to disagree with your basic premise. The regulation states in the scope section:
    “This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. ”
    This is a broader scope that just the submitted records as for a PMA for example. This above inlcude any records that are created under a predicate rule–not just ones used as part of a submission. I suggest you look into this further and update your post.

    It then goes on to state your assertion that only records submitted as you note in your post.
    “This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.”

    Leslie Dow

  6. Leslie, thank you for reaching out. A member of the ACD/Labs team will reach out to you directly for some clarity regarding your comment before we make any updates or changes to this post.


Your email address will not be published. Required fields are marked *

Send me more info!

Subscribe to receive more information about Luminata from ACD/Labs

This field is for validation purposes and should be left unchanged.