Computerized system validation – 21 CFR Part 11 MCQs With Answer

Introduction: Computerized System Validation – 21 CFR Part 11 MCQs With Answer is designed for M.Pharm students to strengthen practical and regulatory understanding of electronic records and signatures in the pharmaceutical industry. This set focuses on key requirements of 21 CFR Part 11 and how they integrate with validation lifecycle activities, risk-based approaches, audit trails, access controls, electronic signatures, and compliance with predicate rules. Questions emphasize real-world application—system classification (open vs closed), documentation, vendor assessment, change control, backup/retention, and inspection expectations—helping students prepare for regulatory audits and design, execution, and maintenance of compliant computerized systems.

Q1. Which of the following best defines a ‘closed system’ under 21 CFR Part 11?

• A system in which system access by individuals can be controlled by persons responsible for the content of electronic records
• A system that is physically isolated from any network connection and cannot transmit data
• A software application that is validated but uses open-source components
• A system used only for development and testing, not for production

Correct Answer: A system in which system access by individuals can be controlled by persons responsible for the content of electronic records

Q2. Which primary feature of computerized systems provides non-repudiation and links an electronic signature to its record?

• Access control lists
• Audit trails
• Data encryption at rest
• Electronic signature manifestation

Correct Answer: Electronic signature manifestation

Q3. Under Part 11, which activity is essential to demonstrate that a computerized system consistently produces results meeting predetermined specifications?

• Vendor marketing evaluation
• Computerized System Validation (CSV)
• Periodic staff training only
• Post-market surveillance

Correct Answer: Computerized System Validation (CSV)

Q4. Which document is most critical to begin the validation lifecycle for a computerized system?

• Vendor brochure and datasheet
• Validation Master Plan (VMP)
• Standard operating procedure for cleaning
• Training log for users

Correct Answer: Validation Master Plan (VMP)

Q5. What is the main regulatory purpose of an audit trail in a computerized system?

• To store backup copies of data for disaster recovery
• To provide a chronological record of system changes and user actions affecting electronic records
• To encrypt records during transmission
• To limit the number of concurrent logins

Correct Answer: To provide a chronological record of system changes and user actions affecting electronic records

Q6. Which strategy aligns with a risk-based approach for computerized system validation?

• Validating all system components to the same extent regardless of impact
• Focusing validation effort on functions that impact patient safety, product quality, and data integrity
• Outsourcing validation entirely and relying on vendor certificates
• Performing validation only after a regulatory inspection request

Correct Answer: Focusing validation effort on functions that impact patient safety, product quality, and data integrity

Q7. Which of the following is a required element for electronic signatures under 21 CFR Part 11?

• Use of biometric data only, without user ID
• Linkage to their respective electronic records to prevent falsification
• Signatures must be printed and attached to paper copies
• Signatures can be shared among authorized users

Correct Answer: Linkage to their respective electronic records to prevent falsification

Q8. For an ‘open system’ under Part 11, which additional controls are typically expected compared to a closed system?

• No additional controls; open systems are exempt
• Enhanced controls for document retention only
• Enhanced controls for user authentication, data integrity, and encryption during transmission
• Only physical security controls around servers

Correct Answer: Enhanced controls for user authentication, data integrity, and encryption during transmission

Q9. What is the role of vendor qualification in CSV for regulated computerized systems?

• It replaces system validation and is sufficient evidence for compliance
• It documents that the supplier can provide a product meeting user requirements and supports ongoing compliance
• It is only needed for hardware vendors, not software
• It is optional and performed only if the vendor requests it

Correct Answer: It documents that the supplier can provide a product meeting user requirements and supports ongoing compliance

Q10. Which of the following best describes ‘predicate rules’ in the context of Part 11?

• Internal company policies unrelated to FDA regulations
• FDA regulations other than Part 11 that require records to be maintained and that may be satisfied by electronic records
• International standards that replace FDA requirements
• Legacy software requirements that are no longer enforced

Correct Answer: FDA regulations other than Part 11 that require records to be maintained and that may be satisfied by electronic records

Q11. Which activity is essential to ensure ongoing compliance after initial system validation?

• One-time IQ/OQ/PQ and no further review
• Periodic review, change control, revalidation for significant changes, and continuous monitoring
• Removing user accounts after validation complete
• Only backing up data to removable media

Correct Answer: Periodic review, change control, revalidation for significant changes, and continuous monitoring

Q12. In CSV, what does IQ/OQ/PQ stand for and which phase verifies operation under simulated real-world conditions?

• Installation Qualification / Operational Qualification / Performance Qualification; PQ verifies operation under simulated real-world conditions
• Installation Quality / Operational Quality / Product Quality; OQ verifies simulated conditions
• Initial Qualification / Ongoing Qualification / Process Qualification; IQ verifies simulated conditions
• Installation Qualification / Operational Qualification / Performance Qualification; IQ verifies simulated conditions

Correct Answer: Installation Qualification / Operational Qualification / Performance Qualification; PQ verifies operation under simulated real-world conditions

Q13. Which type of test verifies that software functions meet specified user requirements?

• System integration testing
• Unit testing
• User Acceptance Testing (UAT)
• Security penetration testing only

Correct Answer: User Acceptance Testing (UAT)

Q14. What is an appropriate approach to handling legacy systems that were implemented before Part 11 became applicable?

• Ignore Part 11 since the system predates the regulation
• Perform a risk-based assessment, apply remediation or compensatory controls, and document the justification
• Replace the system immediately without assessment
• Convert all electronic records to paper and discard the system

Correct Answer: Perform a risk-based assessment, apply remediation or compensatory controls, and document the justification

Q15. Which control is most appropriate to ensure accountability for actions taken within a computerized system?

• Shared generic user IDs for convenience
• Individual unique user IDs with strong authentication and role-based access
• No authentication to simplify workflows
• Periodic password resets without unique IDs

Correct Answer: Individual unique user IDs with strong authentication and role-based access

Q16. Which of these is a primary expectation from FDA when inspecting computerized systems related to data integrity?

• Proof that all data are stored in the cloud
• Evidence of ALCOA+ principles: Attributable, Legible, Contemporaneous, Original, Accurate (and complete, consistent, enduring, available)
• Evidence that systems are used by only one person
• Documentation that passwords are never changed

Correct Answer: Evidence of ALCOA+ principles: Attributable, Legible, Contemporaneous, Original, Accurate (and complete, consistent, enduring, available)

Q17. Which backup and retention practice supports Part 11 compliance for electronic records?

• Backing up data infrequently with no testing of restore procedures
• Regular, documented backups with tested restoration procedures and retention consistent with predicate rules
• Storing backups only on local workstations without central control
• Retention only until the next software upgrade

Correct Answer: Regular, documented backups with tested restoration procedures and retention consistent with predicate rules

Q18. During system change control, which action determines whether revalidation is necessary?

• The aesthetic changes to the user interface only
• Impact assessment on functionality, data integrity, and regulatory compliance
• Whether the vendor recommends a version number change
• Whether the IT department performed the change outside business hours

Correct Answer: Impact assessment on functionality, data integrity, and regulatory compliance

Q19. Which of the following characteristics is NOT acceptable for electronic signature use under Part 11?

• Unique to one individual, verifiable, and linked to records
• Based solely on a shared password without individual accountability
• Capable of being checked during audits or review
• Subject to controls that ensure authenticity and integrity

Correct Answer: Based solely on a shared password without individual accountability

Q20. What documentation should be available to demonstrate that computerized system validation was performed appropriately?

• Only vendor user manuals and marketing materials
• Requirements specifications, traceability matrix, validation protocols and reports, test scripts, change control records, and SOPs
• Only a one-line statement saying “system validated”
• Only emails between IT staff and the vendor

Correct Answer: Requirements specifications, traceability matrix, validation protocols and reports, test scripts, change control records, and SOPs

Download