INFO: 21 CFR Part 11: SDLC and Systems Validation

What is 21 CFR Part 11?

Go to KBase Article

What is an SDLC: Software Development Life Cycle?

The software development life cycle (SDLC) is a framework defining tasks performed at each step in the software development process. SDLC is a structure followed by a development team within the software organization. It consists of a detailed plan describing how to develop, maintain and replace specific software. The phases are:

  • Requirement gathering and analysis
  • Design
  • Implementation or coding
  • Testing
  • Deployment
  • Maintenance

Most SDLC documentation consist of:

  • Validation Plan
  • System Requirements
  • System Design
  • Implementation Strategy
  • Installation Qualification
  • System Testing
  • Requirements Matrix

What does systems validation mean?

Performing a software validation entails documenting that a system operates in an expected and predictable manner. This is done to document the system meets HIPAA/Part 11 requirements. The goal of HIPAA and Part 11 is to give patients control over who can access and use their Protected Health Information (PHI). As PHI is collected and stored by systems, it is important to document and test the system to demonstrate control over the data.

The level of documentation created during a validation effort will vary by project. Validation requires a subjective interpretation of HIPAA/Part 11 guidelines. Decisions on what documentation to create and what testing to perform are risk-based and each project team must determine their individual comfort level with the amount of documentation vs. how much they wish to verbally explain to an auditor. Typically, the functionality of the system is defined through a set of system requirements (things the system must do). These requirements are then tested to ensure the system operates as expected. What constitutes a "requirement" is one the largely subjective aspects of validation. Certainly, vital functions of systems such as the collection, storage and exporting of data would be considered requirements. Other functionality may or may not be based on environment, implementation, etc. Example: For those utilizing LDAP for authentication, that functionality is a requirement. For others, it is not.

Why must you perform systems validation?

Any healthcare provider, health plan or healthcare clearinghouse is almost certainly considered a "covered entity" and therefore subject to HIPAA/Part 11 guidelines. If you fall into one of those three groups, you should be performing some level of validation. In addition, it is difficult to collect meaningful data that does not contain PHI as even a phone number can be considered PHI.

It is important to note that not much validation is occurring industry-wide at the investigator-initiated research level and most data is stored in Microsoft Excel and REDCap. Validation documentation will make the FDA extremely pleased when they arrive for an audit. Consider this when planning your validation effort - an auditor should not say you have documented something incorrectly, just that you either did not document something and/or you did not follow your documented policies/procedures. There is no template or blueprint for validation. As stated above, what constitutes validation will vary with each project and system.

Go to KB0034171 in the IS Service Desk