Predicate Rule – Underpinning FDA Requirement

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • FDA Part 11, QMSR/cGMP, Data Integrity • QA, IT/CSV, Manufacturing

Predicate rule is FDA shorthand for the underlying legal requirement that tells you what records, signatures, data, or actions are required for your product class. 21 CFR Part 11 doesn’t create new obligations by itself—it governs how you handle electronic records and signatures when another FDA regulation already requires them. For drugs, that predicate is usually Parts 210/211; for devices, the QMSR (modernized Part 820) and device‑specific rules like 803/806/807/830. For GLP studies, it’s Part 58; for foods, Part 117; for combination products, Part 4. Your job is to map those required records and controls into validated, data‑integrity‑sound systems.

“Predicate rules are the musts. Part 11 is how you prove the musts when the record is digital.”

1) What Predicate Rule Covers—and What It Does Not

Covers: the source regulation that mandates records, signatures, controls, and reporting (e.g., 211 for batch records, 803 for device adverse events, 117 for preventive controls). It anchors which records you must create, when, and how long to retain them.

Does not cover: software mechanics by itself. That’s Part 11, Annex 11, and good CSV/data integrity practice. Predicate rules say “record it”; Part 11 says “make the e‑record trustworthy.”

2) Legal, System, and Data Integrity Anchors

Build from the law up. Identify applicable predicate rules by product and role; align to cGMP/QMSR/GLP/FSMA obligations. Implement electronic controls that satisfy Part 11 and ALCOA(+): validated systems, unique users, time‑stamped audit trails, and durable retention per Record Retention.

3) The Evidence Pack for Predicate Rule Compliance

Maintain a “predicate matrix” that maps each required record to the system of record and its controls: creation method, approvals/e‑signatures, audit trail behavior, CSV status, access and roles, retention, and change control. Include links to SOPs, training, and representative records (e.g., eBMR, DHR, DHF, complaints, CAPAs, MDRs).

4) From Requirement to Record—A Standard Path

1) Determine Applicability. Classify product and scope the predicate set (drug/device/food/biologic/combination).
2) Author Controls. Under Document Control, write SOPs that specify where and how records are created and approved.
3) Execute in Validated Systems. Operate under CSV; enforce access, audit trails, and e‑signatures; lock releases behind QA review.
4) Retain & Retrieve. Preserve records for the required period with tamper‑evident archiving and rapid retrieval for inspection.

If a system, role, or SOP is out of status, stop the process, document a Deviation, and re‑establish compliance before resuming.

5) Translating Predicate Rules into System Requirements

Start with verbs in the regulation: “establish,” “maintain,” “review,” “approve,” “retain.” For each, define data objects, workflows, and signers. Specify e‑signature meaning, link signatures to record versions, and require reason codes for critical changes. Prove suitability with risk‑based V&V, including negative tests for unauthorized change and audit‑trail tampering.

6) Data Integrity & Retention

Treat data integrity as non‑negotiable. Ensure records are attributable, legible, contemporaneous, original, and accurate with defensible metadata (ALCOA(+)). Design retention and archival to preserve readability and context across migrations per retention and labeling requirements.

7) What Auditors Expect—No Spreadsheet Archaeology

Inspectors ask to see the predicate requirement, the SOP that implements it, the validated workflow that executes it, and the record that proves it—without exporting and re‑processing in spreadsheets. Show audit trails, role‑based permissions, and time‑ordered approvals inside the system of record. If you must transform data, validate the transformation and keep the original intact.

8) Laboratory & Quality Records

Link method validation, instrument status, and result approvals to predicate obligations in GLP/cGMP. Tie Lab Analyses & Review to batch disposition; prevent release if required lab or stability records are missing; ensure second‑person review and secure metadata for calculations and reporting.

9) Complaints, MDRs, Corrections & Removals

Device manufacturers must create and retain complaint investigations, MDRs (803), and correction/removal records (806). Ensure traceability from complaint to CAPA to field action, with immutable timelines and evidence of medical/QA review prior to submission and closure.

10) Labeling, UDI & Registration

Where predicate rules require labeling control and identification, make label data and print histories part of the record. Use Label Verification and UDI processes aligned to 830; retain registration/listing evidence per 807, and block shipment if labeling controls fail.

11) Release & Disposition

Predicates require documented acceptance and release decisions. Align system holds and releases with QA authority using Release Status. Enforce that only complete records (manufacturing, testing, deviations, changes) can move to releasable inventory.

12) Governance in Daily Control

Run to plan: current SOPs, trained users, controlled templates, and enforced segregation of duties. Use Internal Audits and metrics (on‑time reviews, right‑first‑time records, audit‑trail exceptions) to confirm the predicate matrix is operating—not just on paper.

13) Metrics That Prove Predicate Compliance

• Record Completeness at release (all required elements present by predicate).
• Audit‑Trail Review Rate and closure timing for significant events.
• Training Currency vs. predicate‑covered SOPs and forms.
• CSV Defect Leakage impacting regulated records.
• Complaint/MDR Timeliness and field action documentation quality.
• Retention Health (expiring media, failed restores, migration proof).

These KPIs tie statutory duties to operational discipline and expose weak links before an inspector does.

14) Common Pitfalls & How to Avoid Them

• Confusing Part 11 with the predicate. Know what is required, then automate it correctly.
• Shadow systems. Spreadsheets and email weaken provenance; replace with validated workflows.
• Weak role models. Fix access per UAM; no shared logins, no generic accounts.
• Poor retention. Unreadable archives equal missing records; test restores routinely.
• Unmapped changes. Route changes through Change Control with predicate impact assessment.
• Late deviations. Capture and close under Deviation/CAPA before disposition.

15) What Belongs in the Predicate Rule Dossier

The predicate matrix, list of applicable CFR parts, SOP cross‑references, data‑flow diagrams, system inventory and CSV status, e‑signature configuration, audit‑trail model, retention strategy, training plans, sample records, and recent inspection responses—maintained under Document Control.

16) How This Fits with V5 by SG Systems Global

Predicate Matrix as Master Data. In the V5 platform, each SKU, device family, or product type can carry its predicate map: which records are required, where they are generated, and what approvals are needed. These references and workflows are versioned with approvals in the audit trail and governed by Document Control.

Execution & Interlocks. V5 enforces predicate‑driven holds: no eBMR release without required tests; no DHR without complaint review if triggers fire; no label print without current artwork/UDI. Out‑of‑status conditions open guided remediation before continuation.

Analytics & Retrieval. Dashboards expose gaps against the predicate matrix (missing signatures, late reviews, audit‑trail anomalies). Rapid search returns complete records with provenance for inspection and recalls.

Bottom line: V5 operationalizes predicate compliance—what must exist, who must sign, how it’s protected, and when it can ship—no guessing, no spreadsheet archaeology.

17) FAQ

Q1. Is a predicate rule the same as Part 11?
No. The predicate defines what records and actions are required; Part 11 defines how electronic records and signatures must behave to be trustworthy.

Q2. How do I identify my predicate rules?
Classify the product, then enumerate applicable CFR parts (e.g., 211, QMSR, 58, 117) and map required records to systems.

Q3. Do predicate rules apply to paper?
Yes. Predicates are media‑agnostic; if you keep it electronically, then Part 11 applies too. Paper must still be complete, controlled, and retained.

Q4. What’s the quickest fail I’ll get called on?
Missing audit trails, shared logins, orphan signatures, or inability to retrieve a complete, unaltered record with its approvals and metadata.

Q5. How do changes interact with predicate rules?
Use formal Change Control with impact assessment on required records, linked Deviations/CAPAs, and updated training before go‑live.

Q6. Do cloud/SaaS systems change anything?
No. You still owe predicate records, Part 11 controls, and retention. Validate the service, control access, and make sure you can export complete records on demand.

Related Reading
• Regulatory Foundations: 21 CFR Part 11 | QMSR | 21 CFR 211 | 21 CFR 58
• Systems & Records: eBMR | DHR | DHF | Label Verification
• Governance & Integrity: CSV | Audit Trail | Data Integrity | Record Retention