21 CFR Part 58

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • 21 CFR Part 58, Good Laboratory Practice (GLP), nonclinical laboratory studies, study director, quality assurance unit (QAU), protocol control, raw data, test and control articles, chain of custody, archives, computerized systems, Part 11 overlap, audit trails, ALCOA+ • FDA-regulated products (Pharma, Biotech, Med Device, Food Additives, Cosmetics)

21 CFR Part 58 is the FDA’s Good Laboratory Practice (GLP) regulation for nonclinical laboratory studies used to support research or marketing applications for FDA-regulated products. It is not a “documentation vibe.” It is an evidence discipline: Part 58 defines the minimum governance needed so regulators can trust that the study was planned, executed, monitored, recorded, and reported without convenient story editing.

GLP exists because nonclinical studies are uniquely vulnerable to quiet distortion: selective reporting, undocumented method changes, missing raw data, sample mix-ups, instrument settings “adjusted” after the fact, and conclusions that outpace the evidence. Part 58 forces structure around these failure modes: controlled protocols, defined roles (especially the Study Director and the Quality Assurance Unit), and retention of complete, reconstructable records.

In modern labs, Part 58 runs through LIMS, ELN, instruments, and data pipelines. If electronic records can be revised without traceable audit trails, governed access, and validated behavior, GLP collapses into “trust me.” That’s why Part 58 is tightly linked to Data Integrity and overlaps with 21 CFR Part 11 when signatures/records are electronic.

Operationally, Part 58 is a control model built on lab realities: calibration drift, method updates, sample mix-ups, instrument printouts, and high-throughput analysts under time pressure. If you cannot prove protocol control, chain of custody, raw data integrity, and independent QA oversight, your study might be scientifically interesting—but it is not defensible evidence.

“GLP isn’t about generating more paperwork. It’s about making it hard to quietly bend the data.”

1) What Part 58 actually is (and why it exists)

Part 58 is the FDA’s minimum integrity architecture for nonclinical study evidence. It governs how studies are planned (protocol), how they are executed (standard methods and controlled changes), how they are monitored (QAU inspections), how results are recorded (raw data), and how they are reported (final report with traceability). The objective is simple: results must be trustworthy without reconstruction or selective memory.

GLP is also about repeatability. If a study is challenged—scientifically, legally, or regulatory—your organization must be able to show exactly what happened, why it happened, who approved deviations, and how conclusions were derived from raw data. If you can’t reconstruct the story from controlled records, the story isn’t defensible.

Part 58 does not guarantee good science. It guarantees controlled science. GLP cannot prevent a flawed hypothesis, but it can prevent “moving the goalposts” after results appear. That’s the point: prevent post-hoc manufacturing of a narrative.

2) What Part 58 is not: the myths that create findings

3) Scope: when GLP applies and what triggers Part 58

Part 58 applies to nonclinical laboratory studies intended to support FDA research or marketing applications. Practical rule: if the study influences a regulatory safety/performance decision, treat it as GLP unless you have a documented rationale not to.

Scope by evidence, not by org chart. Identify submission‑critical endpoints, map where raw data is generated, and map every system/instrument that can change results—including “shadow systems” like spreadsheets and local files.

Also be clear on what GLP is not: it does not govern clinical trials (GCP applies), and it does not automatically cover exploratory R&D unless the outputs are used as regulatory evidence. The trigger is intended use.

Finally, don’t confuse GLP with other “GxP” regimes. GMP/cGMP governs manufacturing; GLP governs nonclinical evidence. The data integrity behaviors overlap, but the regimes are not interchangeable.

4) Study structure: protocol, amendments, and master schedule control

The protocol is the study’s constitution. It defines objectives, design, methods, acceptance criteria, and reporting structure. Part 58 expects the protocol to be approved, controlled, and available to the people running the work. If analysts are improvising because the protocol is vague or outdated, you have created a compliance and science risk.

Protocol changes matter because they can change outcomes. Amendments must be controlled and justified. Deviations must be documented, evaluated, and traceable. The goal is not to punish reality; it is to ensure reality is visible and assessed.

Most GLP programs operationalize protocol governance through Document Control and structured Revision Control. The master schedule is also a control anchor: it tracks studies, phases, and status so the lab can demonstrate what was run, when, and under what governance.

5) Key roles: Study Director, management, and sponsor accountability

Part 58 is explicit: GLP requires defined responsibility. Two roles drive most inspection outcomes:

The Study Director is not a ceremonial title. It is an accountability mechanism. Inspectors will ask: who had control, who authorized changes, who reviewed anomalies, and who certified the final report is accurate and complete. If the answer is “everyone,” the answer is “no one.”

When work is outsourced (contract labs), sponsors still own the regulatory consequences. Sponsor oversight and clear expectations (often formalized in quality agreements) reduce the classic failure mode: “the CRO did it that way, so we assumed it was fine.”

6) Quality Assurance Unit (QAU): independent oversight that matters

The QAU is the GLP control function. It is not “quality help.” It is independent oversight with authority to inspect, report, and escalate. Part 58 expects the QAU to monitor study conduct, inspect critical phases, and audit the final report against raw data and protocols.

QAU independence is non-negotiable. If the QAU reports to the Study Director or is staffed by the same people who run the studies, you have a conflict of interest disguised as a department name. The QAU must be able to say “no” without career penalty.

In practice, effective QAU operations depend on mature quality governance patterns like Internal Audit, Audit Finding Management, and documented Quality Assurance Auditing.

7) Facilities & organization: separating science from chaos

Part 58 expects facilities that support study integrity: adequate space, controlled environments (as needed), and clear separation of activities that could contaminate or confuse results. “Facilities” isn’t only the building—it’s the operating discipline that prevents cross-study mix-ups and missing context.

Common facility-driven integrity failures include unlabeled sample storage, shared freezers with no segregation, uncontrolled access to study areas, and poor environmental awareness. If specimens move without documented control, the data chain becomes breakable.

Facility and organization controls often intersect with operational systems such as Temperature-Controlled Storage, Temperature Excursions, and traceable location governance (inventory discipline applies even in labs).

8) Test & control articles: identity, handling, and accountability

GLP studies live or die on test article integrity. If the identity, strength, purity, stability, and handling of the test article are unclear, the study’s conclusions are unstable. Part 58 expects controls that make it obvious what was used, how it was stored, how it was prepared, and when it was used.

Control articles (placebos, comparators) are equally important. Uncontrolled control articles create false baselines—meaning your “difference” may be an artifact of inconsistent materials rather than biology or chemistry.

Operationally, test/control article governance intersects with concepts like Certificate of Analysis (CoA) verification, controlled labeling, lot tracking, and stability-driven storage rules (including cold chain controls when required).

9) SOP discipline: making methods stable and defensible

Part 58 expects studies to be performed according to written procedures. SOPs are how you prevent “method drift” where analysts quietly do things differently as staff turn over or as throughput pressure rises. Stable methods create stable data.

SOPs must be controlled and training must be real. A binder full of signatures is not training if the work still depends on tribal knowledge. Strong labs treat SOP changes as controlled events and tie competency to role authorization (see Training Matrix).

Weak SOP posture shows up as inconsistent sample prep, inconsistent instrument setup, and undocumented “shortcuts” that conveniently reduce variability or increase yield. In GLP, shortcuts are not efficiency—they are uncontrolled variables.

10) Equipment: calibration, qualification, and maintenance control

Equipment is a source of hidden bias. If instruments drift, calibrations are overdue, or maintenance is undocumented, your data is compromised even if the reporting looks polished. Part 58 expects equipment to be suitable for its intended use and to be maintained and calibrated on a controlled schedule.

In practice, labs implement equipment integrity through:

• Calibration status control and visibility (see Asset Calibration Status).
• Qualification evidence where appropriate (see IQ/OQ/PQ).
• Maintenance records tied to the study record when relevant.
• Out-of-service controls so broken equipment can’t quietly produce data.

11) Specimens & samples: chain of custody without hand-waving

Chain of custody is how you prove that the sample tested is the sample you think it is, and that it was handled in a way that preserves meaning. In GLP, sample identity and sample integrity are inseparable from data integrity.

A defensible chain-of-custody model typically includes:

• Unique sample IDs and clear labeling that survives real-world handling.
• Time-stamped transfers between people, rooms, and instruments (see Chain of Custody).
• Storage condition evidence (temperature logs, excursion handling, and appropriate segregation).
• Disposition controls (what was consumed, retained, discarded, and why).

Tell-it-like-it-is: if your chain of custody is “we usually do it right,” it’s not a chain—it’s a story. Inspectors test stories by asking for proof.

12) Raw data integrity: ALCOA+, corrections, and reconstruction

Part 58’s most important concept is also the most abused: raw data. Raw data is not the final number. It is the original observations and activities needed to reconstruct the study: worksheets, instrument outputs, electronic records, run sequences, and calculations. Lose the source context and you lose defensibility.

GLP raw data must align with ALCOA+ in practice:

• Attributable: linked to a unique individual.
• Legible: readable now and later.
• Contemporaneous: recorded when the work happens.
• Original: preserve the true source (or a validated, complete copy).
• Accurate: correct, with controlled corrections.

Corrections are allowed; silent rewrites are not. Preserve the original, record who changed it, when, and why, and make before/after visible to reviewers. Overwrite‑until‑it‑looks‑right is a data integrity failure.

13) Computerized systems: Part 58 meets Part 11 reality

Part 58 was written for paper, but GLP is digital now. Digital tools remove paper’s “tamper friction,” so you must replace it with controls: governed access, time integrity, secure audit trails, and validated system behavior.

This is where 21 CFR Part 11 matters. Part 58 defines what must be governed; Part 11 defines the control bar when GLP records and signatures are electronic.

In practice, GLP computerized systems should be treated like any other GxP system:

• Validated for intended use with evidence (see CSV).
• Role‑based access and unique identities (see User Access Management).
• Secure, time‑stamped audit trails with meaningful before/after capture (see Audit Trail).
• Controlled exports so evidence remains traceable to the system of record.
• Integration discipline so external systems cannot mutate GLP truth without equivalent controls.

14) Records, reporting, archiving: multi-year evidence that still works

GLP compliance dies in the archive. Year one looks fine. Year five, the lab can’t retrieve raw data, the software was upgraded without migration evidence, or the “archive” is a shared drive with broken links. Part 58 expects records to be secured, indexed, and retrievable for required periods—including raw data, protocols, SOPs, specimens, and the final report.

Retention is not “forever.” The rule is to retain GLP records for the shortest applicable period driven by how the study supports FDA decisions:

Wet specimens and samples are retained only as long as their quality permits evaluation, and never longer than the applicable record retention period. The archive function should also retain the master schedule, protocol copies, and QA inspection records for the same period.

A defensible archive includes controlled access, documented retrieval procedures, indexing (no “tribal knowledge”), backup/restore testing, and disciplined migration when systems change. If retrieval requires a historian who remembers legacy configurations, it isn’t a control—it’s a vulnerability.

15) Inspection readiness: what FDA probes in GLP studies

FDA GLP inspections rarely start with “show me your GLP binder.” They start with a study that matters and then follow the evidence chain: protocol control → study conduct → raw data → changes/corrections → QA oversight → final report → archives.

Inspectors probe the seams: where could results be altered without visibility? Where could samples be misidentified? Where could an analyst operate without accountable identity? Where could the lab “smooth the story” during reporting?

A practical readiness routine is to run controlled demonstrations that force failure conditions. Don’t show dashboards. Show controls. This mirrors broader readiness practices in Audit Readiness and data integrity governance expectations.

16) Common GLP failure modes: where Part 58 collapses

• Protocol drift: the protocol exists, but actual conduct diverges without visibility.
• Weak raw data traceability: results can’t be reconstructed from original records.
• Spreadsheet anarchy: uncontrolled formulas and versions create unprovable endpoints.
• Identity gaps: shared logins or ambiguous attribution for critical actions.
• QAU theater: QAU exists but doesn’t inspect critical phases or audit reports.
• Undocumented method changes: analytical conditions “optimized” after initial runs.
• Calibration neglect: instrument drift and overdue calibration undermines confidence.
• Archive failure: records exist but can’t be retrieved or interpreted years later.
• Computer system drift: upgrades and configuration changes break the validated state.

17) How this maps to V5 by SG Systems Global

V5 supports Part 58-aligned operations by enforcing the behaviors GLP depends on: controlled workflows, attributable actions, governed change, secure audit trails, and retention-ready records. The objective is not prettier reports; it is evidence that is hard to dispute because the system makes weak behaviors difficult.

• Quality oversight workflows: V5 Quality Management System (QMS) supports audit planning, findings, CAPA, and governance patterns that align with QAU execution.
• Execution and traceability discipline: V5 platform controls support role-based authority and evidence capture principles that map cleanly to GLP data integrity needs.
• Integration without bypass: V5 Connect API supports structured connectivity so external systems cannot quietly mutate the authoritative record.

Part 58 is most defensible when it is implemented as an integrity stack across procedures, people, and systems—not as a binder. That posture aligns with the same control philosophy used across regulated industries in V5 deployments.

18) Extended FAQ

Q1. What is 21 CFR Part 58?
21 CFR Part 58 is the FDA’s Good Laboratory Practice (GLP) regulation for nonclinical laboratory studies, requiring controlled conduct, documentation, and archiving so study data can be trusted as regulatory evidence.

Q2. When does Part 58 apply?
Part 58 applies when nonclinical study results support (or are intended to support) FDA research or marketing applications for regulated products. Scope is driven by intended regulatory use, not by what the lab calls the study.

Q3. What’s the single biggest GLP red flag?
Weak raw data integrity—especially uncontrolled spreadsheets and shared instrument logins. If attribution and traceability fail, everything downstream is disputable.

Q4. How is GLP different from GMP?
GLP (Part 58) governs nonclinical study evidence; GMP governs controlled manufacturing and release (e.g., 21 CFR Part 211). The control themes overlap, but the lifecycle and failure modes differ.

Q5. How does Part 58 relate to 21 CFR Part 11?
Part 58 sets GLP expectations; Part 11 becomes relevant when GLP records and signatures are electronic. If the record lives in software, Part 11-grade identity, audit trails, validation, and retention are part of GLP defensibility.

Q6. What’s the fastest way to test GLP readiness?
Trace one reported endpoint back to raw data, show protocol/version control and QAU inspections, test correction behavior, and retrieve the full study package from archive without “tribal knowledge.”

Related Reading
• Glossary Crosslinks: Data Integrity | Audit Trail (GxP) | ALCOA / ALCOA+ | Chain of Custody | Record Retention – Data Integrity & Archival | Computer System Validation (CSV) | 21 CFR Part 11 | Document Control
• Implementation Guides: System Validation | Audit Trail Software | Good Documentation Practices | Record Retention Policy | Audit Readiness