Predicate Rule – Underpinning FDA Requirement

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated November 2025 • FDA Part 11, QMSR/cGMP, Data Integrity • QA, RA, IT/CSV, Manufacturing

Predicate rule is FDA shorthand for the underlying legal requirement that defines what records, signatures, controls, and reports are required for a regulated activity. When manufacturers talk about “predicate rules” in the context of 21 CFR Part 11, they are talking about the other regulations that already require records and signatures—such as 21 CFR 210/211 for drugs, the modernized QMSR (successor to Part 820) for devices, Part 58 for GLP studies, Part 117 for food preventive controls, or Part 4 for combination products.

Part 11 does not invent new obligations. It says that if a predicate rule requires a record, a signature, or a certain action—and you keep that record electronically or sign electronically—then those electronic records and signatures must be trustworthy, reliable, and generally equivalent to paper. The “must” comes from the predicate rule; the “how” of electronic implementation comes from Part 11, EU Annex 11, and modern data integrity expectations.

“Predicate rules are the musts. Part 11 is how you prove the musts when the record lives in a computer instead of a binder.”

1) What FDA Means by “Predicate Rule”

The term predicate rule emerged in FDA’s Part 11 preamble and guidance to distinguish between:

• The substantive requirements in other regulations – e.g., “You must maintain a written record of each batch production” (21 CFR 211), “You must investigate each complaint” (QMSR/legacy 820), “You must prepare a hazard analysis and risk-based preventive controls” (117).
• The electronic controls that surround those records when you capture, process, or store them electronically, as addressed by Part 11 and Annex 11.

Put bluntly: if there is no predicate rule requiring a record, then Part 11 does not care whether you keep something electronically or not. If a predicate rule does require it, then the electronic version must meet Part 11 expectations—but the obligation itself still comes from the predicate.

Typical FDA predicate-rule families include:

• Drugs and biologics: 21 CFR 210/211, relevant sections of 58 (GLP), stability, and biologics-specific parts.
• Medical devices: the modern Quality Management System Regulation (QMSR), plus device-specific rules like 803 (MDRs), 806 (corrections/removals), 807 (registration/listing), and 830 (UDI).
• Foods, dietary supplements and cosmetics: 21 CFR 117, 111, 1 (recalls and records) and sector-specific provisions; plus global schemes like GFSI, BRCGS, SQF.
• GLP studies: 21 CFR 58 for nonclinical laboratory studies.
• Combination products: 21 CFR 4, which points back to both drug and device rules.

2) Predicate Rule vs. Part 11 vs. Annex 11 – How They Interlock

A practical way to visualize the relationship is as a triangle:

• Predicate rule: defines what must be documented – batch records, DHRs, complaint files, MDRs, validation evidence, hazard analyses, CAPAs, etc.
• Part 11 / Annex 11: define how electronic records and signatures must behave – validated systems, secure user accounts, e-signatures, audit trails, retention, and retrieval.
• Data integrity (ALCOA+): defines qualitative properties that records must have – Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available.

For any given record, you can ask three questions:

1. Which predicate rule requires this record or action?
2. Is the record electronic, hybrid, or paper, and if electronic, does Part 11/Annex 11 fully apply?
3. Do our systems and processes ensure the record is ALCOA(+) over its full lifecycle?

When those answers line up, predicate rule compliance becomes demonstrable rather than debatable. When they don’t, you end up explaining to investigators why you cannot reliably show what happened, when, and who approved it.

3) Building a Predicate Rule Inventory – What Actually Applies to You?

Most sites are subject to dozens of regulations and standards, but only a subset directly drives electronic record and signature obligations for manufacturing and quality systems. A structured approach helps:

• Step 1 – Classify product types. For each SKU or family, classify whether it is a drug, biologic, device, food, dietary supplement, cosmetic, or combination product. This classification determines which parts of 21 CFR and which global schemes apply.
• Step 2 – Map the regulatory set. List the main CFR parts (e.g., 211, QMSR, 58, 117, 4) and global frameworks (e.g., ICH Q10, ISO 13485, ISO 9001, GFSI programs).
• Step 3 – Identify record-heavy clauses. Highlight clauses that explicitly require written procedures, records, reports, or documented decisions. Examples: batch production and control records, complaint investigation files, CAPAs, validation reports, supplier qualification files, stability data.
• Step 4 – Group by process. Re-organize these clauses by process area (e.g., incoming materials, manufacturing, packaging, lab control, complaints, pharmacovigilance, stability, equipment maintenance).
• Step 5 – Link to systems. For each process area, list the electronic systems in play (LIMS, MES, QMS, WMS, ERP, DMS, complaint systems).

The result is a predicate rule inventory: a list of records you must be able to show to inspectors, organized by process and tied to real systems, not theoretical ones.

4) The Predicate Rule Matrix – From Law to System of Record

Once you have your inventory, the next step is to construct a predicate rule matrix. At minimum, each row should answer:

• Which clause? (e.g., 21 CFR 211.188, QMSR complaint-handling clause, 117.305 for reanalysis).
• What record or decision does it require? (e.g., batch production record, complaint investigation report, hazard analysis, recall decision).
• What is the system of record? (eBMR in MES, DHR, complaint/PhV system, LIMS, DMS).
• Is the record electronic, paper, or hybrid?
• What e-signatures or approvals are required, and what do they mean?
• What audit trail applies, and how is it reviewed?
• What is the retention period, and where is archival handled?
• Which SOP(s) govern content, review, and periodic checks?

Good matrices also link to CSV status for each system (IQ/OQ/PQ complete; change control open; periodic review due) and to User Access Management documentation (role definitions, segregation of duties).

For complex operations, maintaining this matrix under Document Control gives you a single, defensible view of predicate rule coverage. When inspectors ask, “Show me where you meet clause X,” you can point to the matrix, the SOP, the validated system, and the record itself.

5) Examples by Product Class – How Predicate Rules Show Up in Real Life

5.1 Pharmaceuticals and Biologics

For drugs and biologics, 21 CFR 210/211 predicate rules include:

• Master and batch production records – MMR/MBR and individual batch records with complete manufacturing, control, and labeling information.
• Laboratory control records – analytical methods, raw data, calculations, chromatograms, OOS/OOT investigations.
• Stability data – evidence supporting expiry and storage conditions.
• Deviations, investigations and CAPA – linked to affected batches and trends.
• Cleaning, equipment, and calibration records – status of IQ/OQ/PQ, cleaning validation, and instrument qualification.

When these records are generated and stored electronically—e.g., through eBMR in MES, chromatographic systems, and LIMS—the predicate obligations are enforced through Part 11-compliant controls, not relaxed.

5.2 Medical Devices

For devices, the QMSR/legacy 21 CFR 820 and device-specific rules drive obligations such as:

• Device Master Records (DMR) – specifications, procedures, and drawings that define each device.
• Device History Records (DHR) – evidence that each unit was built and tested according to the DMR.
• Complaint files and MDRs – investigations, trend analyses, and regulatory reporting under 803.
• Corrections and removals – documentation required by 806.
• UDI, labeling, and traceability – unique identifiers and their linkage to production history under 830.

Here, predicate rules are the reason DMR/DHR, complaint, and UDI systems must be demonstrably controlled, validated, and auditable.

5.3 Food, Dietary Supplements and Cosmetics

For foods and supplements, predicate rules such as 21 CFR 117 and 111 drive records including:

• Hazard analyses and preventive control plans (Food Safety Plans).
• Monitoring, verification, and corrective action records at critical and preventive control points.
• Supplier approval, verification, and COA records.
• Traceability, mock recall and distribution records.

For cosmetics, emerging frameworks like MOCRA and ISO 22716 impose similar expectations for product information files, safety reports, and complaint handling—even if the vocabulary differs.

6) Translating Predicate Rules into System and Process Requirements

Once you know what records the law requires, you have to implement them in systems and workflows that actually work on the shop floor and in the lab. That means deriving user requirements directly from predicate clauses.

For each predicate requirement, you should be able to state:

• Which data elements must be captured (who, what, when, where, why, how much, how long).
• Which roles must approve or review (e.g., production supervisor, QA, medical reviewer, safety officer).
• What timeliness is expected (contemporaneous entries vs. delayed transcription, reporting deadlines for MDR/recalls).
• What linkages are required (record must be linked to lot, batch, device identifier, complaint number, or subject ID).
• What retention period and availability are mandated.

These expectations then flow into the design of MES, LIMS, QMS, WMS, ERP, and DMS solutions—screen layouts, mandatory fields, business rules, and interlocks. If this traceability is missing, you end up with systems that look slick but fail the basic test: “Show me how this satisfies clause X.”

7) Hybrid Systems – Where Predicate Rule Compliance Quietly Breaks

Many organizations operate in a hybrid state, with some records on paper, some in legacy applications, and some in modern platforms. Predicate rules do not care how you split the stack; they care whether the full, accurate record exists and can be retrieved.

Common faults include:

• Partial electronic capture. Only the final result is stored in an electronic system; raw data and calculations live in user spreadsheets or personal drives, undermining ALCOA(+).
• Uncontrolled transcriptions. Operators re-type data from equipment printouts into MES or LIMS without verification or audit trails, creating opportunities for “right” numbers that do not reflect reality.
• Disconnected signatures. QA signs paper printouts, but the electronic record used for trending or release is unapproved and mutable.

From a predicate rule perspective, regulators expect that the real record of manufacturing, testing, and decisions lives in controlled, validated systems—or that paper processes are equally controlled and resilient. Hybrid approaches must be justified, not just convenient.

8) Data Integrity and the Predicate Rule Lifecycle

Predicate rules often specify that records must be “complete,” “accurate,” “readily retrievable,” and retained for specified periods. These words map directly to modern data integrity expectations:

• Attributable: who performed the action or recorded the data?
• Contemporaneous: was the data recorded at the time of the activity?
• Original: is the record the first capture or a verified, controlled copy?
• Accurate & complete: are all required data present, correct, and unedited—or are there unexplained gaps?
• Enduring & available: will the record remain readable and retrievable for the entire retention period?

To support predicate rule compliance, systems must be designed to preserve these properties from creation through archival and eventual destruction. That means robust audit trails, access controls, retention/archival plans, and tested restore procedures, not just backups on paper.

9) Governance: Change Control, Training and Periodic Review

Predicate rule compliance is not a one-time configuration exercise; it is a governance problem. To keep the predicate matrix aligned with reality, organizations must:

• Route system and process changes through formal Change Control with explicit assessment of predicate impacts.
• Maintain training matrices and competency evidence for all roles involved in record creation, review, and approval.
• Execute scheduled internal audits and MOC reviews that explicitly test predicate rule coverage.
• Review audit trails routinely where critical records are created or changed.
• Monitor CSV status and system health as part of the quality system, not just IT housekeeping.

In inspections, the question is not just “Do you have a predicate matrix?” but “Can you show that your matrix, procedures, and systems have been kept in step as the business evolves?”

10) What Inspectors Actually Ask When They Say “Show Me the Predicate”

When regulators come on site, they do not ask philosophical questions about predicate rules. They ask concrete ones, often in the following pattern:

• “Which regulation requires this record?” (e.g., batch record, lab notebook, complaint file, recall decision).
• “Show me the procedure that explains how you create, review, and approve it.”
• “Open the system you use in daily practice and show me an example record with its approvals and audit trail.”
• “Prove that the system is validated and that changes have been controlled.”
• “Retrieve a record from [X] years ago and show that it is complete and readable.”

If you can move smoothly from predicate clause to SOP to system to record to audit trail, confidence goes up. If you have to export data into spreadsheets, manually compile evidence, or explain why a record exists in pieces across multiple uncontrolled locations, confidence drops quickly.

11) Cloud, SaaS and Outsourcing – Predicate Rules Do Not Go Away

Moving to cloud or SaaS solutions changes how you implement controls, but not whether predicate rules apply. You still owe FDA the same records, signatures, and retention regardless of where servers sit.

For cloud/SaaS systems, the predicate matrix should explicitly cover:

• Vendor responsibilities vs. your responsibilities (infrastructure vs. application vs. process configuration).
• How CSV is handled – what the vendor qualifies and what you must qualify.
• How record retention and export are assured if the relationship ends.
• How you perform supplier quality management and audits of the provider.

Predicate rules do not accept “the vendor would not give us the data” as an excuse. Contracts, technical architecture, and quality agreements must all support your ability to show complete records for as long as regulations require.

12) Metrics That Prove Predicate Rule Compliance Is Real

To avoid predicate rule compliance becoming purely documentary, leading organizations track metrics that surface weaknesses early, such as:

• Record completeness at release – percentage of eBMRs, DHRs, stability studies, and complaint files that are “right-first-time” (no missing fields, signatures, or attachments).
• Audit trail review coverage – proportion of high-risk processes where audit trails are reviewed and documented at defined intervals.
• Training currency – percentage of users current on SOPs that govern predicate-critical records.
• Deviation and CAPA timeliness – how quickly predicate-relevant failures are captured, investigated, and closed.
• Retention health – evidence of successful restore tests and format migrations for aging records.
• CSV defect leakage – number of discovered issues where system defects compromised record integrity or completeness.

Used properly, these metrics turn predicate rule obligations into routine management signals rather than occasional surprises during inspections.

13) Common Predicate Rule Pitfalls and How to Avoid Them

• Confusing Part 11 with the predicate. Teams invest heavily in e-signature controls but never verify that the content of the record matches predicate expectations. Fix: start from the predicate text, not from the software feature list.
• Shadow systems. Critical data lives in uncontrolled spreadsheets, email threads, or personal drives. Fix: pull high-risk data into validated systems and make shadow tools read-only or prohibited.
• Weak access control. Shared logins or generic accounts make it impossible to show who did what, when. Fix: implement strict UAM, with unique accounts, role-based permissions, and periodic review.
• Poor retention and archival. Media degradation, obsolete file formats, and failed restores turn “retained” into “lost.” Fix: incorporate long-term readability and restore tests into your retention strategy.
• Uncontrolled change. Systems and processes evolve without structured Change Control, leaving the predicate matrix out-of-date. Fix: require predicate impact assessments for changes to systems, forms, and procedures that touch regulated records.
• Late or superficial deviations. Failures are rationalized away instead of being captured and trended. Fix: strengthen Deviation and CAPA discipline; link to risk management and training.

14) What Belongs in a Predicate Rule Dossier

Many organizations now maintain a Predicate Rule Dossier or “Part 11 and predicate” package as part of their quality system. Typical contents include:

• The predicate rule inventory and detailed matrix, with links to CFR parts, global standards, and guidance.
• A register of systems of record (MES, LIMS, QMS, WMS, ERP, DMS, complaint systems) and their CSV status.
• Data flow diagrams showing how predicate-relevant data moves between systems.
• Key SOPs and work instructions that implement predicate requirements.
• Access control and audit trail models for each major system.
• The record retention and archival strategy, including media, migrational approach, and restore testing.
• Representative sample records (eBMRs, DHRs, lab results, complaints, MDRs, hazard analyses) with annotations showing how they satisfy predicate clauses.
• Recent inspection responses and regulatory intelligence that have shaped the predicate interpretation.

Maintaining this dossier under Document Control turns a scattered set of activities into a coherent program that can be explained in a few minutes to an inspector or partner.

15) How Predicate Rules Are Operationalized in V5 by SG Systems Global

V5 by SG Systems Global is designed to embed predicate rule thinking directly into everyday execution rather than bolting it on after the fact.

Predicate matrix as master data. Within the V5 solution, each product family or process can be associated with its predicate requirements: which records are required, where they are generated (MES, LIMS, QMS, WMS), what signatures are needed, and which interlocks must be active. These configurations are version-controlled, signed under approval workflows, and captured in the audit trail.

Execution & interlocks. V5 uses hard gating to enforce predicate-driven holds: no eBMR closure if required tests are missing; no DHR completion without mandated inspections; no label print if artwork or UDI data are out-of-status. WMS logic, Directed Picking, Dynamic Lot Allocation and Batch-to-Bin tracking ensure that only appropriately released material flows into and out of production.

Integrated lab and quality signals. Through LIMS and QMS integrations, V5 consumes QA dispositions and Hold/Release statuses as live predicates: failed lots are blocked from use; pending results keep batches on hold; open deviations tied to a batch prevent final release until closed.

Analytics & retrieval. Dashboards expose where predicate expectations are at risk: late approvals on eBMRs, missing investigations on complaints, audit-trail exceptions, or ageing records approaching retention limits without archival proof. Search tools surface complete, attributable records quickly when an inspector asks “Show me the batch record and associated lab data for this lot.”

The net effect is that predicate rule compliance is not a separate, manual layer on top of V5—it is embedded in the way work is dispatched, executed, reviewed, and released.

16) FAQ

Q1. Is a predicate rule the same as Part 11?
No. A predicate rule is the underlying regulation that specifies what records and actions are required (e.g., 211, QMSR, 58, 117). Part 11 governs how electronic records and signatures associated with those requirements must behave to be trustworthy, reliable, and generally equivalent to paper.

Q2. How do I identify my predicate rules?
Start by classifying your products (drug, biologic, device, food, dietary supplement, cosmetic, combination). Then list applicable CFR parts and global standards and highlight clauses that explicitly require written procedures, records, or reports. Finally, map each required record to a system of record and a controlled process in your organization.

Q3. Do predicate rules apply to paper records?
Yes. Predicate rules are media-agnostic; they apply whether you use paper, hybrid, or fully electronic systems. If you keep the record electronically, Part 11 (and often Annex 11) also applies in addition to the underlying predicate.

Q4. What are the quickest ways to fail on predicate rule expectations?
Typical early signals include shared user accounts, missing or unreadable records, incomplete batch/DHR files, lack of audit trails for critical data, an inability to retrieve historical records, and a weak link between predicate clauses and actual systems and procedures. These issues often feature prominently in warning letters.

Q5. How do changes interact with predicate requirements?
Changes to systems, forms, or procedures that touch regulated records must go through robust Change Control with explicit assessment of predicate impacts. That means identifying which records are affected, updating the predicate matrix and SOPs, revising CSV and training as needed, and only going live once all dependencies are in place.

Q6. Do cloud and SaaS systems change my predicate rule obligations?
No. You remain responsible for meeting predicate rule requirements, regardless of where systems are hosted. Cloud services must be selected, qualified, and monitored so that validation, access control, audit trails, retention, and record export still meet regulatory expectations.

Related Reading
• Regulatory Foundations: 21 CFR Part 11 | EU Annex 11 | 21 CFR 211 | QMSR | 21 CFR 58 | 21 CFR 117
• Systems & Records: eBMR | DHR | DHF | Label Verification | Traceability
• Governance & Integrity: CSV | Audit Trail (GxP) | Data Integrity | Record Retention & Archival | Deviations | CAPA