By definition, electronic records (and data maintained electronically) are at least managed by a computer system.
The minimum of these would be the computer file system (which likely is insufficient to comply with required controls).
Remember: computer systems include:
- Spreadsheets
- Document & record control systems
- Training systems
- Calibration systems
- Home-grown systems
- ERP systems
- And everything in between
There are a couple of additional regulations that need to be noted before we take a deeper dive into validation:
- 21 CFR Part 11.10 (a) – Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
- Annex 11 (Principle) – The application should be validated and IT infrastructure should be qualified.
- Annex 11 (1) – As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.
The extent and level of controls should be risk-based decisions.
ISO 13485:2016
ISO 13485:2016 also emphasizes this point (although in a more generic manner, applicable to all computer systems used in the quality management system):
“The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”
