Best Practices for 21 CFR Part 11 and GxP Validation for Electronic Records

Introduction

Drug development has dramatically changed over the past ten years. A practice once dominated by pen-andpaper has since transitioned to computerized systems, cloud software, and artificial intelligence. In this dynamic environment, many biopharma companies struggle to adopt new technologies because of the uncertainty of how to comply with FDA regulations. Needless to say, developing a quality and compliance posture that meets the needs of both masters (business stakeholders and auditors) is a tall order. In this piece, we will chronicle recent technological trends, specific challenges these trends pose for Quality & CSV teams, and best practices for tackling resulting compliance issues.

The spirit of GxP validation

Unlike other types of compliance, adhering to 21 CFR Part 11 and GxP requirements for electronic records varies from institution to institution. As a self-reporting compliance that is the outcome of validation, we will avoid the debate of what features or technologies are or are not compliant. Instead, we believe it is best to first re-orient the discussion towards principles and ask, ‘What is the spirit of the law?’.

In our view, the spirit of these regulations is to:

1. Ensure we can trust the data

a. Make sure the systems that generate the data work properly

b. Make sure the data isn’t tampered with

2. Track & verify what people do

a. Make sure we know who did what

b. Make sure individuals are attesting to a change

The outcome of these concepts is the variety of validation requirements, processes, and protocols