By definition, electronic records (and data maintained electronically) are managed by a computer system of some kind.

At a minimum, that system is the computer's file system (which is likely insufficient to comply with required controls).

Remember that computer systems include:

  • Spreadsheets
  • Document & record control systems
  • Training systems
  • Calibration systems
  • Home-grown systems
  • ERP systems
  • And everything in between

There are a couple of additional regulations that need to be noted before we take a deeper dive into validation:

  • 21 CFR Part 11.10 (a) – Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
  • Annex 11 (Principle) – The application should be validated and IT infrastructure should be qualified.
  • Annex 11 (1) – As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.

The extent and level of controls should be decided on the basis of risk.

ISO 13485:2016

ISO 13485:2016 also emphasizes this point (although in a more generic manner, applicable to all computer systems used in the quality management system):

“The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”