Skip To Content

Mythbusting Software Validation, GxP, and 21 CFR Part 11 Compliance

October 21, 2021
by Sanji Bhal, Director, Marketing & Communications, ACD/Labs

Every year, we speak with hundreds of scientists worldwide working in validated environments. And over and over, we’ve seen some compliance misconceptions arise.

When it comes to 21 CFR Part 11, many scientists’ experience with software deployment falls into two categories:

  1. Software was installed alongside new hardware (e.g., a new LC/MS instrument comes with a CDS)
  2. Informatics systems were integrated into the entire development workflow to directly submit regulatory reports and data (e.g., LIMS)

From experiences with these specific types of software, certain myths develop. We at ACD/Labs often advise clients about compliance as it relates to our software, so let’s use this post to bust some myths once and for all.

Facts-Myths-2021-Blog

Myth #1—the vendor supplies validated software out-of-the-box

Validation is environment-specific. Hear it from the FDA: validation is “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses in their environment” (italics ours).

Thus, software cannot be validated by the vendor. Instead, it must be validated:

  • In the user’s environment
  • Within their intended workflow
  • As outlined in their organization’s standard operation procedures (SOPs)

Further, the entire system must be validated—not just each individual piece of software, but also interactions between software packages. The validation process includes:

  • Installation qualification (IQ)
  • Operational qualification (OQ)
  • Performance qualification (PQ)

All these processes are documented to ensure that the software specifications conform to the user’s needs. The user may also audit the software vendor to confirm that they have a quality management system (QMS) and process.

Some vendors advertise “validated” or “pre-validated systems” on the basis that the customer can validate the system “as-is.” But this only works if the system is not specially configured or customized. Even then, the equipment must still be validated in the user’s environment and workflow. Thus, pre-validation mostly streamlines the process with readily available documentation.

Myth #2—software validation is performed by the vendor

This is an extension of Myth #1. Just as software cannot be validated outside of its use case, it cannot be validated without its users.

Vendors can certainly assist in validation by providing documentation and technical assistance for IQ, OQ, and PQ. They may also offer validation services like consultations, documentation, or more active involvement. Still, it is the ultimate responsibility of the user to validate that the system meets their requirements.

Like many vendors, we offer services to smooth the validation process. We partner with our customers, who remain a crucial part of the work. Read more about how we help you with software validation.

Myth #3—software used in a GxP environment must be 21 CFR Part 11 compliant

Software used in Good Laboratory Practices (GLP), Good Manufacturing Practices (GMP), and Good Clinical Practices (GCP) must have:

  • An audit trail at the point in time when a record is first saved to durable media
    • The audit trail must contain the date and time stamp of the change, the description of the change, the reason for the change, and the name of the person making the change
    • The audit trail must not obscure previous values. Both the old and new values of a parameter must be recorded.
  • Specific user accounts
  • Forward compatibility for all files generated by the software
  • Tamper protection for all records, including audit trail records

GxP compliance of software requires validation as discussed earlier, and 21 CFR Part 11 requires compliance with the established rules (i.e., GxP).

But not all software must be compliant. 21 CFR Part 11 compliance is only necessary for software that generates data submitted electronically in regulatory (e.g., FDA) filings. Such software must also include electronic signatures.

Software not directly involved in generation and submission of such data doesn’t require the same validation procedures. By distinguishing between necessary and unnecessary validation, you can save time while still producing compliant data and rigorous science.

Better understanding compliance

Compliance can be complicated. We hope we’ve dispelled some myths in this blog post, and helped you get a clearer idea of what you need the next time you deploy software in your laboratory.

How We Can Support Your Compliance Efforts

We provide compliance-ready software for use in both GxP (good laboratory practice—GLP, good manufacturing practice—GMP) and 21 CFR Part 11 compliant environments. We have supported many customers through the complicated process of validation and managed successful software audits.

Compliance for laboratory software systems means consistent and reliable results to assure quality, traceability, integrity, and validity.

We can help you with installation of our software and solutions in regulated environments and are happy to provide an advisory level of support based on our experience.

Validation of Software on Spectrus® & Percepta® Platforms

  • A quality management system (QMS) and processes are in place for self-directed validation of our software
  • We can assist with the creation of installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) scripts

GxP Compliance Features in Spectrus Applications

  • Audit trail with date and time stamp, description of the change, and the name of the person making the change
  • Specific user accounts
  • Forward compatibility of files generated by the software
  • Data storage in a secure database environment with protection against tampering

21 CFR Part 11 Compliance Features in Spectrus Applications

21 CFR Part 11 compliance is only necessary when you are sending electronic information directly from ACD/Labs software to regulatory authorities. The following feature is present and necessary to do so, from our software:

  • Electronic signatures

Have questions or expertise to share? Leave us a message in the comments. ⬇


Join our newsletter!

Keep up-to-date with our quarterly newsletter that brings you the latest educational webinars, resources, tips, and tricks.

This field is for validation purposes and should be left unchanged.

7 Replies to “Mythbusting Software Validation, GxP, and 21 CFR Part 11 Compliance”

  1. I am trying to find out how to determine IF a software product must comply with these rules in the first place. What I don’t seem to see anywhere is any documentation to indicate the determination of compliance.
    I suspect the product my company maintains is not relevant to these rules. Is there any documentation on this?
    Who decides if a software product must comply with these rules?

  2. Hi William, software must meet GxP requirements if it is to be used in a GxP compliant environment or connected to GxP validated instrumentation, as may be the case for pharmaceutical development and manufacturing. Your customers will tell you if their labs are GxP validated —chances are if you sell into discovery or don’t know, then it’s not a concern for you. CFR21 Part 11 compliance is necessary if results from the software are sent directly, electronically to the FDA or regulatory bodies as part of submissions.

  3. is GxP validation efforts needed for a file share of sorts that will be temporary (2-3 yrs) repository for various clinical trial documentation (containing CSI information) It is not a system that will be used for working on documents.

  4. Apologies for the long-waited response Janet. Clinical trials are one area where our tools are not deployed so I’m afraid we can’t help you there. I’d recommend speaking to a vendor in the space or reviewing the FDA guidelines specifically around this.

  5. I have to disagree with your basic premise. The regulation states in the scope section:
    “This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. ”
    This is a broader scope that just the submitted records as for a PMA for example. This above inlcude any records that are created under a predicate rule–not just ones used as part of a submission. I suggest you look into this further and update your post.

    It then goes on to state your assertion that only records submitted as you note in your post.
    “This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.”

    Respectfully
    Leslie Dow

  6. Leslie, thank you for reaching out. A member of the ACD/Labs team will reach out to you directly for some clarity regarding your comment before we make any updates or changes to this post.

Comments

Your email address will not be published. Required fields are marked *

Join our newsletter!

Keep up-to-date with our quarterly newsletter that brings you the latest educational webinars, resources, tips, and tricks.

This field is for validation purposes and should be left unchanged.