GMP 21 CFR Part 11 Electronic Records Compliance Project Help

Hello World,

I work in QA at a small biologics manufacturer and have been assigned to lead a 21 CFR Part 11 compliance project. I was told that I would need to create User Requirement Specification documents for our LIMS, QMS, analytical equipment and spreadsheets.

Do I write the URSs per the intended system functionality and/or Part 11 requirements? These are not new systems and I'm confused as to which requirements to list.

Any insight would be greatly appreciated!

Thank you!


Staff member
Super Moderator
There are a couple of 'concepts' in play here.

First, you imply the system manages electronic records and/or electronic signatures and have determined that Part 11 applies. So, indeed, applicable Part 11 requirements should be part of your system requirements.

Second, Part 11 also requires that the software system be validated. To do that, you have to specify the intended use requirements. Validation is performed against those requirements.

Do bear in mind that validation is more than just testing. The whole software lifecycle needs to be considered. Also, it's not a 1-time event. Actions are required to maintain the software in a validated state - which may include re-validation.
Thanks Yodon, I really appreciate it!

My plan is to document a systems and records inventory, assess which require part 11 compliance, do an initial risk assessment, then the validation plan and then write the URSs.

Do you or anyone know if that would be acceptable with the FDA?



Staff member
Super Moderator
Well, it's always hard to say what would be patently acceptable with FDA. :) But you're definitely on the right track, I think. I would recommend a Master Validation Plan where you establish your risk assessment criteria (consider both risk to patient and risk to regulatory compliance - of course with the former carrying more weight). The Master Validation Plan also can address how you keep the systems in a validated state across changes that could impact validation - which include not only changes to the software itself (patches, rev updates, etc.) but also changes to the environment (servers, number of users, etc.). You'll want to establish some mechanism to assess these things - possibly in Management Review.
Lol, darn FDA!

Anyway, thanks for the guidance Yodon. This is my first part 11 validation project so I'm sure I'll have more questions in the future! = )

Does anyone know if storing GMP records on networked shared drives would be acceptable to the FDA concerning data integrity?

I believe it is acceptable, provided you can show sufficient control over the files, who can access the files and drives, what access rights they have, etc.
Does anyone know if storing GMP records on networked shared drives would be acceptable to the FDA concerning data integrity?
that is an wide scope of activities to be considered;
going by words.,
if its just 'storing' equivalent to 'backup' or 'archival' then with associated controls it might fly.
if you mean to store them for functional / maintaining the life-cycle of activities from creation-modifying-versioning etc., then we need to understand the details for 'controls' without which its not possible to comment on acceptability.

generally network shared drives are not acceptable, because they do not provide the adequate access controls for operational purposes. on the other hand, its generally accepted for 'accessibility/reading' wrt network drives. (read-only access)

Top Bottom