Simple part 11 compliance for one system


Cool site:)

I am an intern at a small research lab and I was given the
task to get a simple x-ray system Part 11 compliant. I have read up on
the FDA rules and feel like I have a good understanding of them. I also
know computers well but it's not my field of study (ME major). Basically,
I’m looking for a simple inexpensive software program that will get
this system Part 11 compliant (provide data protection, audit trails,
secure logins, and e-signatures). Nothing fancy for large labs. This is
just going to be for one computer hooked up to one machine. I know
there are tons online but most seem way too advanced for my
application. If anyone knows of any product that can help me with this,
it would be much appreciated.

Thank you.


I am sure you will get many more replies to this. (In fact, this is such a busy
group, I am surprised you have not received any already.)

While everything depends on the details of the system you are working with,
in my experience, getting to a state of compliance is not so much a matter of
adding more software, and even if it were, nothing in the area of compliance
could be considered “inexpensive”.

Data protection, for instance, should not be covered by software alone. The
use of UPS and RAID systems is a minimum for data protection, as well as SOPs on
back-up procedures. Also, most schemes to validate systems include the creation
of multiple, identical instances of the system, one for production and one or
more for testing.

The ability to create and retain an audit trail should be built into the
program. All systems designed for compliance have this feature. The creation of
e-Signatures is another area that should be built into the system.

Finally, for any program you do find to cover all your needs, there is
always a long period of documentation and testing of the system.

In reality, and I do not mean this to offend, but the job of validating a
system for compliance is probably not the task for a summer intern. While I am
sure you are quite capable, I know of consultants that are paid extremely well
to do this work, even for small systems.

To clear some things up, you could answer some questions: is the system COTS
or designed in-house, or somewhere in between? (I know GAMP has guidelines for

Is it a closed or open system?

Have user requirements and functional specifications been established?

Has a vendor audit been performed?

Does the company have SOPs on validating systems? Data backup? electronic
signatures? retiring systems?

Is the system subject to cGLP? (I am assuming, since you mentioned research
lab. If that is incorrect, feel free to substitute cGXP).

Most questions should be answered by in house SOPs and guidelines for
validating systems. If those don’t exist, as I understand it, nothing done
really counts, since the FDA will look to those during an audit to ensure
everything was done correctly.

I hope this helps.

As an intern - you have plenty of time to learn, help the company where you are
working, and most importantly - get them started in their path towards

Start by reading and viewing the online tutorials. I would focus on what is
called the ‘risk based approach’. There are checklists geared towards this.
Read each requirement and do the research to understand the content of each.
Mat is correct - but you will add value by learning and transferring knowledge to

Schedule some meetings with your company sponsor and share what you are seeing.
You will not finish - but hopefully you will see the administrative and
technical controls that are lacking and can maybe raise these.

Some will shoot me for this - but much of this is good common sense.

Good luck to you

I’ve read through the responses so far to your post and some good
observations and suggestions have been made. However there is one key
issue that I personally think is the most important, and most
under-scrutinized aspect of part 11 compliance. And that is, do you
actually have Part 11 records on your system? Are the electronic
records you maintain required by the FDA? Unless you or someone else
(and don’t take their word for it) can point to a specific regulation
that explicitly states that you must maintain these x-rays, you may
not need to worry about Part 11 at all. And even if your records are
required, your workflow may mean that the electronic records are not
part 11 records. Are there printed copies that are used? Or otherwise
exported to PDF for example? As an intern you have an opportunity to
break what may be a weird but all too common make-work scenario with
respect to Part 11.

This is well described in the FDA’s guidance on the scope and
application of Part 11. I suggest you study it carefully before doing
anything else.

The second most important piece of advice I can give you, equally
overlooked or glossed over, is that Part 11 compliance does not
de-facto imply or require validation. This is confusing because the
regulation on part 11 says you do have to validate, however the
guidance describes in some detail when and why and to what extent you
need to validate if at all.

In the other replies I saw something to the effect: “validating for
part 11 compliance is not the job for a summer intern…” This may be
true if an extensive validation is required, but in reality, even
if some or all part 11 controls are required for your records, you may
not need to validate unless explicitly required to by regulation. And
even if you are required to, the extent of that validation may be low
due to the risks associated with your data. By risk, the FDA is not
concerned with your business risks. They are concerned with patients
dying or getting sick. If there is no chance that erroneous data could
cause a patient death or a misdiagnosis, then the risks overall are low.

Again, this is discussed at some length in the guidance.

Good luck!

Hi guys,
Thanks for the input. I really appreciate all the advice I can get
while working through this task. I am starting to realize that this
is something I can’t quickly solve over the weekend.

Anyways, I was hoping I could share with you the current details of
the system I am working on. I apologize in advance if I give too
much/little info. I am still new to compliance and don’t know what
you guys need to know.

First off, I just started working for a small diffractometry lab that
does mostly consulting work. One diffractometer instrument however is
currently being used for research and is apparently subject to FDA
compliance. The company had just been audited by the FDA and received
a warning letter concerning this one machine.

The report said, “Audit trails are not maintained and properly
secured for the use of the X-Ray Diffraction instrument. This
instrument has been in use for analysis. However, there is no record
of operator entries and actions that create, modify, or delete
electronic records.” This was the only observation having to do with
Part 11 compliance that the company received.

Here is how the system is currently set up. The diffractometer shoots
an x-ray at a sample at a certain angle and measures the intensity of
the reflected wave. This information is stored on a controller. A
laptop (running Windows 2000) connects to the controller through a
serial port and retrieves the information through a DOS program a guy
that used to work in the lab wrote. The DOS program then creates a
single column text file that contains all the relevant info (starting
angle, ending angle, intensity). As far as I know, the lab practices

Now I realize that becoming compliant is a tough, time-consuming
process. All my employer wants from me is to find a good technical
base to start off with. Apparently, we will tackle the validation and
other compliance issues later. So what I am looking for is a
relatively easy way to at least get the software aspect of Part 11
compliance out of the way. I looked into LIMS but feel that that is
too expensive and may be overkill for my application. I am also
looking into electronic lab notebooks but still feel a little uneasy
about those as well. I think this may be something I have to build
from the ground up.

This is the current approach I am considering taking (thanks to JohnC)

  1. Create a database
  2. Get lots of hard disk space to accommodate the log files and audit
  3. Find a file/folder monitor program
  4. Find a program that stores log files into the database
  5. Find a program that audits log files and presents the audit trail
    and the files themselves on demand.

Does this seem like a good approach to take? Is there anything else I
can do?
Also, am I still compliant if I manually transfer the data into the
database or will I need them to go straight there from the
diffractometer controller to the DOS program to the database without
my intervention? Do I even need the DOS program anymore or will I
need something else to grab the raw data?

Any advice or comments would be greatly appreciated.
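
Steps 3 to 5 of the list above, sketched as an added example (not part of the original post or of any product named in this thread): each snapshot of the data folder is compared with the previous one, and every create, modify or delete is appended to a hash-chained log so that later edits to the log itself are detectable. The operator names, file name and counter timestamps are constructed, and the operator identity is assumed to come from the login.

```python
import hashlib, json, tempfile
from pathlib import Path

def snapshot(directory):
    """Map each file name in the data folder to the SHA-256 of its contents."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(directory).iterdir()) if p.is_file()}

def diff_events(old, new):
    """Return (action, file name, new content hash) for each change between snapshots."""
    events = [("create", n, new[n]) for n in new if n not in old]
    events += [("modify", n, new[n]) for n in new if n in old and old[n] != new[n]]
    events += [("delete", n, None) for n in old if n not in new]
    return events

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, operator, timestamp, action, name, digest):
    """Append an audit entry whose hash also covers the previous entry's hash."""
    entry = {"seq": len(log), "time": timestamp, "operator": operator, "action": action,
             "file": name, "sha256": digest, "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = entry_hash(entry)
    log.append(entry)

def verify_chain(log):
    """Return the index of the first altered or missing entry, or -1 if intact."""
    prev = "0" * 64
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
            return i
        prev = e["hash"]
    return -1

def demo():
    """Constructed scenario: a scan file is created, edited, then deleted."""
    log, state = [], {}
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "scan001.txt")
        steps = [("alice", b"10.0\n80.0\n1523\n"), ("bob", b"10.0\n80.0\n9999\n"), ("bob", None)]
        for t, (operator, content) in enumerate(steps):  # t stands in for a real clock
            if content is None:
                path.unlink()
            else:
                path.write_bytes(content)
            old, state = state, snapshot(d)
            for event in diff_events(old, state):
                append_entry(log, operator, t, *event)
    return log
```

The chain exposes edits and removals inside the log only while the most recent entry hash is also kept somewhere the instrument operators cannot write; anyone able to rewrite the whole log and that hash can rebuild a consistent chain.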

Part 11 only applies to specific electronic records, so the
particulars of the instrument are not very helpful. How the data
is handled is key.

What do you do with the data after it is recorded into the columnar file?
How is it reviewed and approved? Does it get printed out?

What are the specific regulations that apply to this system? Is the
data part of an electronic submission to the FDA?

How often do you run samples? Is it used 24x7 or is it an occasional

Personally I would consider just printing out the data and signing it if
it is not a high-throughput, long term project. Automation is great
when you’re doing the same thing over and over again for years, but
the value diminishes as the size and duration of the project shrinks.

If your records are in paper, they are probably not part 11 records.

Before you do anything, you should get the answers to these questions
(and more) and start developing a part 11 assessment and a risk
assessment for the system to focus your efforts where the critical need is.
It may not be in the audit trail for example. In many cases you can
replace an audit trail with an assessment justifying why you do not need
an audit trail. Don’t expect the FDA to do that part for you.

Good luck.

PS: Don’t forget to read the scope and app. guidance if you haven’t already.
It is your best friend.

Dear all

Someone please clarify for me the different types of controls mentioned in 21 CFR 11, like administrative control, technological control & procedural control.

With regards-

Well said but a little out of place. :- I

I wish I knew any specific software name which I could suggest. I am waiting for a specific answer to this question too.

  • provides a list of companies that provide Part 11 solutions to specific situations.

ComplianceBuilder, Stelex - This is the only non-application specific product that I have come across.

If you provide a little more detail as to what you are looking for or what your problem is, I’ll see if I can think of some.