Framework · Pharma & life sciences

FDA 21 CFR Part 11 — the rule for any AI in a GxP environment.

Final rule, March 1997. Updated guidance: "Computer Software Assurance for Production and Quality System Software" (2022 draft, finalised 2024). Sets the baseline trustworthiness criteria for electronic records and electronic signatures used in lieu of paper in FDA-regulated activities.

The five Part 11 control objectives

1. Validation of systems to ensure accuracy, reliability, consistent intended performance, and ability to discern altered or invalid records.
2. Ability to generate accurate and complete copies of records in human-readable and electronic form.
3. Protection of records to enable accurate and ready retrieval throughout the records-retention period.
4. Limiting system access to authorised individuals.
5. Use of secure, computer-generated, time-stamped audit trails.

What "CSA-aligned" means in practice

The CSA guidance reframes computer-system validation around critical thinking and risk-based testing. The shift: less generic protocol output, more focused testing on the parts of the system whose failure could affect product quality, patient safety, or data integrity.

For an AI system (e.g., LLM-assisted drafting in a GxP workflow), CSA means: identify the intended use, classify the risk, scope the validation effort proportionately, document the rationale, test the high-risk components rigorously, accept lighter testing on low-risk components.

Adding AI to a validated workflow

Five Part-11 control objectives mapped to AI integration:

• Validation — input/output testing, regression suites, performance baselines, retraining triggers, change-control hooks.
• Records — every AI output saved with model version, prompt, retrieved sources, timestamp, user ID.
• Retrieval — records accessible in human-readable form for the full retention period, including model-version archive.
• Access — role-based access tied to identity provider; segregation of duties for review and approval.
• Audit trail — append-only, time-stamped, tied to authenticated user, capturing all CRUD operations on AI-generated records.

Where Sia RegAI fits

Sia RegAI ingests Part 11, the CSA guidance, GAMP 5, ICH Q9 risk-management principles, and your existing SOPs. It produces a validation strategy that is proportionate to the AI system's risk classification, drafts the URS / FRS / DS / IQ / OQ / PQ documentation in your house style, and configures the audit-trail and access controls so the GxP workflow doesn't lose its validated state when AI is added in.

Related guides

• FDA 21 CFR Part 11 compliance with AI — records, signatures, audit trail
• EU MDR & IVDR — automating technical documentation
• Pharmacovigilance automation — cutting ICSR & PSUR cycle times

Industry pages

• Sia RegAI for pharma & life sciences