SMASH 2018 in Pictures
What’s New in Version 2018.1 of ACD/Spectrus and ACD/Percepta

Mythbusting Software Validation, GxP, and CFR21 Part 11 Compliance

Updated Oct. 21, 2021

Sanji Bhal talks to Karim Kassam (Senior Director, Customer Success)

Every year, we speak with hundreds of scientists worldwide working in validated environments. And over and over, we’ve seen some compliance misconceptions arise.

When it comes to CFR 21 Part 11, many scientists’ experience with software deployment falls into two categories:

  1. Software was installed alongside new hardware (e.g., a new LC/MS instrument comes with a CDS)
  2. Informatics systems were integrated into the entire development workflow to directly submit regulatory reports and data (e.g., LIMS)

From experiences with these specific types of software, certain myths develop. We at ACD/Labs often advise clients about compliance as it relates to our software, so let’s use this post to bust some myths once and for all.

Facts-Myths-2021-Blog

Myth #1—the vendor supplies validated software out-of-the-box

Validation is environment-specific. Hear it from the FDA: validation is “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses in their environment” (italics ours).

Thus, software cannot be validated by the vendor. Instead, it must be validated:

  • In the user’s environment
  • Within their intended workflow
  • As outlined in their organization’s standard operation procedures (SOPs)

Further, the entire system must be validated—not just each individual piece of software, but also interactions between software packages. The validation process includes:

  • Installation qualification (IQ)
  • Operational qualification (OQ)
  • Performance qualification (PQ)

All these processes are documented to ensure that the software specifications conform to the user’s needs. The user may also audit the software vendor to confirm that they have a quality management system (QMS) and process.

Some vendors advertise “validated” or “pre-validated systems” on the basis that the customer can validate the system “as-is.” But this only works if the system is not specially configured or customized. Even then, the equipment must still be validated in the user’s environment and workflow. Thus, pre-validation mostly streamlines the process with readily available documentation.

Myth #2—software validation is performed by the vendor

This is an extension of Myth #1. Just as software cannot be validated outside of its use case, it cannot be validated without its users. 

Vendors can certainly assist in validation by providing documentation and technical assistance for IQ, OQ, and PQ. They may also offer validation services like consultations, documentation, or more active involvement. Still, it is the ultimate responsibility of the user to validate that the system meets their requirements.

Like many vendors, we offer services to smooth the validation process. We partner with our customers, who remain a crucial part of the work. Read more about how we help you with software validation.

Myth #3—software used in a GxP environment must be CFR21 Part 11 compliant

Software used in Good Laboratory Practices (GLP), Good Manufacturing Practices (GMP), and Good Clinical Practices (GCP) must have:

  • An audit trail at the point in time when a record is first saved to durable media
    • The audit trail must contain the date and time stamp of the change, the description of the change, the reason for the change, and the name of the person making the change
    • The audit trail must not obscure previous values. Both the old and new values of a parameter must be recorded.
  • Specific user accounts
  • Forward compatibility for all files generated by the software
  • Tamper protection for all records, including audit trail records

GxP compliance of software requires validation as discussed earlier, and CFR 21 Part 11 requires compliance with the established rules (i.e., GxP).

But not all software must be compliant. CFR 21 Part 11 compliance is only necessary for software that generates data submitted electronically in regulatory (e.g., FDA) filings. Such software must also include electronic signatures.

Software not directly involved in generation and submission of such data doesn’t require the same validation procedures. By distinguishing between necessary and unnecessary validation, you can save time while still producing compliant data and rigorous science.

Better understanding compliance

Compliance can be complicated. We hope we’ve dispelled some myths in this blog post, and helped you get a clearer idea of what you need the next time you deploy software in your laboratory.

How We Can Support Your Compliance Efforts

We provide compliance-ready software for use in both GxP (good laboratory practice—GLP, good manufacturing practice—GMP) and CFR21 Part 11 compliant environments. We have supported many customers through the complicated process of validation and managed successful software audits.

Compliance for laboratory software systems means consistent and reliable results to assure quality, traceability, integrity, and validity.

We can help you with installation of our software and solutions in regulated environments and are happy to provide an advisory level of support based on our experience.

Validation of Software on Spectrus® & Percepta® Platforms

  • A quality management system (QMS) and processes are in place for self-directed validation of our software
  • We can assist with the creation of installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) scripts

GxP Compliance Features in Spectrus Applications

  • Audit trail with date and time stamp, description of the change, and the name of the person making the change
  • Specific user accounts
  • Forward compatibility of files generated by the software
  • Data storage in a secure database environment with protection against tampering

CFR21 Part 11 Compliance Features in Spectrus Applications

CFR21 Part 11 compliance is only necessary when you are sending electronic information directly from ACD/Labs software to regulatory authorities. The following feature is present and necessary to do so, from our software:

  • Electronic signatures

Have questions or expertise to share? Leave us a message in the comments. ⬇

Comments

William

I am trying to find out how to determine IF a software product must comply with these rules in the first place. What I don't seem to see anywhere is any documentation to indicate the determination of compliance.

I suspect the product my company maintains is not relevant to these rules. Is there any documentation on this?

Who decides if a software product must comply with these rules?

Karim Kassam

Hi William, software must meet GxP requirements if it is to be used in a GxP compliant environment or connected to GxP validated instrumentation, as may be the case for pharmaceutical development and manufacturing. Your customers will tell you if their labs are GxP validated —chances are if you sell into discovery or don’t know, then it’s not a concern for you. CFR21 Part 11 compliance is necessary if results from the software are sent directly, electronically to the FDA or regulatory bodies as part of submissions.

Chaitra

hai william,this software used in only gxp requriments

Janet

is GxP validation efforts needed for a file share of sorts that will be temporary (2-3 yrs) repository for various clinical trial documentation (containing CSI information) It is not a system that will be used for working on documents.

ACD/Labs

Apologies for the long-waited response Janet. Clinical trials are one area where our tools are not deployed so I'm afraid we can't help you there. I'd recommend speaking to a vendor in the space or reviewing the FDA guidelines specifically around this.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)