IntuitionLabs
Castor EDC validation and 21 CFR Part 11 compliance services for sponsors, biotechs and CROs

Castor EDC Validation & 21 CFR Part 11 Compliance

Risk-based Castor validation aligned to 21 CFR Part 11, EU Annex 11, ICH E6(R3) GCP and GAMP 5 Second Edition — with continuous validation, periodic review and FDA BIMO inspection readiness.

Castor Validation Services

Risk-proportionate validation that survives FDA BIMO, EMA, MHRA and PMDA inspections — covering the full Castor environment, integrations and AI workflows under a single, defensible framework.

Foundation
Initial Validation Pack
URS, configuration specifications, FMEA-based risk assessment, IQ/OQ/PQ protocols, traceability matrix, SOPs and supplier qualification — sized to your Castor configuration and study portfolio.
Plan validation
Operations
Continuous Validation
Risk-based regression suite that runs on every Castor SaaS release, release-impact assessment, change control execution and release sign-off — so Castor releases stop being a fire drill.
Discuss continuous validation
Inspections
Audit & Inspection Support
FDA BIMO, EMA, MHRA, PMDA and sponsor audit preparation and live support. Validation pack snapshots, audit trail extracts, signature history, deviation and CAPA evidence — packaged for inspector consumption.
Plan inspection support

Risk-Based Validation, Not Box-Ticking

The GAMP 5 Second Edition and the FDA Computer Software Assurance draft guidance both push the industry toward critical thinking and risk-proportionate validation. We apply that to Castor by sizing test depth to functional risk — heavy on signatures, audit trail, data lock and randomization handling; light on cosmetic configuration. The result is a leaner, faster validation pack than a traditional CSV approach without losing inspection defensibility under 21 CFR Part 11.

Risk-based Castor validation aligned to GAMP 5 Second Edition and FDA Computer Software Assurance

Continuous Validation for a SaaS Reality

Castor ships frequent SaaS releases — static validation strategies do not survive that cadence. We operate continuous validation: a risk-based regression suite that runs against each release in a sandbox before production promotion, release-impact assessments that classify GxP-relevant changes, and automated UI/API tests that exercise the validated configuration. Combined with ISO 13485 and GAMP 5 SaaS-validation patterns, this turns release-day into a routine event rather than a fire drill.

Continuous validation pipeline for Castor SaaS releases with automated regression tests

Inspection-Ready Across FDA, EMA, MHRA and PMDA

We do not write validation packs that look good on a shelf — we write them so an inspector can navigate them. Our deliverables map each FDA BIMO question to its evidence, mirror EU Annex 11 on the European side, and respond to MHRA, PMDA, Health Canada, TGA and ANVISA expectations. Inspection-day support includes a rehearsed system walk-through and an experienced subject-matter expert on call.

Castor validation pack ready for FDA BIMO, EMA, MHRA and PMDA inspections

Castor Compliance Coverage

A single validation framework covers the platform, configured studies, integrations and any AI workflows we build on top — under one defensible quality story for the inspector.

21 CFR Part 11

Full mapping of Castor controls to 21 CFR Part 11 Subpart B (controls for closed systems, audit trail, operational checks) and Subpart C (electronic signatures), with test evidence and SOPs for each element.

Part 11 services

EU Annex 11 & GDPR

EU Annex 11 risk management, validation, data, accuracy checks and periodic evaluation coverage, plus GDPR Article 30 records of processing and Article 35 DPIA for personal data flowing through Castor.

Discuss EU compliance

ICH E6(R3) Good Clinical Practice

Risk-based, quality-by-design uplift aligned to ICH E6(R3) — including elevated requirements for system validation, computerized systems, blinded data handling and data lineage.

Discuss E6(R3)

GAMP 5 Second Edition

Castor environment validated as a GAMP 5 Category 4 configured product; custom integrations and AI workflows scoped separately as Category 5 with appropriate critical-thinking driven test depth.

CSV services

ALCOA+ Data Integrity

Data integrity mapping against MHRA GxP data integrity, FDA data integrity guidance, WHO TRS 1033 Annex 4 and PIC/S PI 041 — covering manual entry, ePRO, eConsent and integration data flows.

Discuss data integrity

ISO 14155 & 21 CFR Part 812

Device and IVD trial extensions — UDI capture, deficiency reporting, post-market clinical follow-up data flow, complaint handling integration — for IDE, 510(k) clinical, De Novo and PMA programs.

Discuss device trials

Why IntuitionLabs for Castor Validation

We bring engineering DNA to a job that is too often treated as documentation. Our validation packs are built as traceable, version-controlled artifacts that integrate with the change control system, the regression suite, the periodic review and the inspection package — not as one-off PDFs that drift out of sync the day they are signed.

Engineering DNA

Validation built as version-controlled artifacts that integrate with change control, the regression suite and the inspection package.

Inspection Experience

Hands-on experience supporting FDA BIMO, EMA, MHRA and PMDA inspections — with practiced system walk-throughs and SME support.

AI-Era Validation

We extend the validation framework to cover AI workflows on Castor under GAMP 5 Category 5 with model registry and evaluation evidence.

Validation Deliverables We Produce

📘

Validation Master Plan

Scope, approach, roles, deliverables, risk-based testing strategy and release management — sized to your portfolio and aligned to the GAMP 5 Second Edition critical thinking model.

📐

URS & Configuration Specs

User requirements specification linked to protocol and SOPs, configuration specifications covering eCRFs, edit checks, ePRO, eConsent, signature workflows and retention — under change control.

⚖️

FMEA Risk Assessment

Failure Mode and Effects Analysis on the configured Castor environment, integrations and AI workflows — driving test depth, monitoring needs and SOP coverage proportional to actual patient and data risk.

🧪

IQ / OQ / PQ Protocols

Installation, operational and performance qualification protocols and executed evidence — including SaaS-vendor IQ leverage, customer-side identity provider hookup and integration end-to-end qualification.

🔁

Traceability Matrix

Bidirectional traceability from URS to configuration spec to test case to test evidence — the single artifact most consistently asked for in FDA BIMO inspections of EDC environments.

📊

Periodic Review & CAPA

Annual periodic review package: change log, access review, audit trail spot checks, incident history, regression suite history, supplier qualification refresh and a tracked CAPA list.

Castor Validation FAQ

A full Castor validation pack covers the configured study environment end-to-end: user requirements specification (URS) tied to the protocol and SOPs; configuration specifications covering eCRFs, edit checks, derivations, ePRO instruments, eConsent forms, role-based access, signature workflows and retention; FMEA-based risk assessment driving test depth; IQ for the SaaS service (vendor-supplied artifacts plus customer-side qualification of integrations and identity provider hookup); OQ on configured behavior; PQ in the live study workflow; traceability from URS to test evidence; and a release plan that covers the entire SDLC. The result is a Castor environment that meets 21 CFR Part 11, EU Annex 11 and ISPE GAMP 5 expectations.
Castor is a SaaS platform that customers configure rather than custom-code; under ISPE GAMP 5 (Second Edition) the configured Castor environment is typically a Category 4 — a configured product. Per-study eCRF builds, edit checks and ePRO instruments are treated as configuration items under change control, not as custom development. Any bespoke integrations, scripts or external AI workflows we build on top of the Castor REST API are scoped separately and validated as GAMP 5 Category 5 custom applications. This split-categorization approach is consistent with the GAMP 5 Second Edition emphasis on critical thinking and risk-proportionate validation rather than a single fixed category per platform.
Castor provides the technical controls that 21 CFR Part 11 requires for closed systems: identity-bound electronic signatures with printed name, date/time and meaning of signature (Subpart C §11.50, §11.70); per-field audit trails (Subpart B §11.10(e)); operational system checks (§11.10(f)); authority checks (§11.10(g)); device checks where used; and procedural controls expected by FDA. Our validation pack maps each Part 11 element to the specific Castor control, test evidence and SOP that implements it — exactly the matrix an FDA BIMO inspector will ask for. We also cover the FDA Electronic Systems Q&A guidance for clinical investigations.
EU Annex 11 is the European counterpart to Part 11 and applies to any computerized system used as part of GxP-regulated activities. We map EU Annex 11 elements (risk management, personnel, suppliers, validation, data, accuracy checks, periodic evaluation) onto the Castor environment in the same matrix as Part 11. ICH E6(R3) adds a risk-based, quality-by-design uplift and elevates the requirements for system validation, computerized systems, blinded data handling and data lineage — all of which we incorporate into the URS, risk assessment and periodic review. The MHRA GxP Data Integrity guidance and the FDA Data Integrity and Compliance guidance are the operational reference for ALCOA+ across the validated environment.
Castor is a SaaS supplier, so vendor qualification is part of the validation lifecycle rather than a one-time audit. We document supplier capability through the SOC 2 Type II report, ISO 27001 certification, HIPAA attestation, vendor questionnaire responses (modeled on the standard GxP supplier audit checklist), and a defined re-qualification cadence. For sponsors who require an on-site or remote vendor audit, we coordinate with Castor under their audit program. This is the supplier qualification posture expected under GAMP 5 and reinforced by ICH Q10 for the broader pharmaceutical quality system.
Castor ships frequent SaaS releases — a static, one-and-done validation strategy does not survive contact with the release cadence. We operate continuous validation: a risk-based regression suite that runs against each Castor release in a sandbox before promotion to production; a release-impact assessment that classifies whether a release touches GxP-relevant functionality; automated UI and API tests that exercise the validated configuration; and a release sign-off record that closes the loop. This is the pattern the broader industry has adopted under the GAMP 5 Second Edition and the ISO 13485 SaaS-validation playbooks.
Periodic review is the formal evidence that a validated system continues to operate within its validated state. For Castor we typically run an annual periodic review covering: change log against the change control register; access review (active users, role assignments, privileged access); audit trail spot checks; incident and deviation history; SOP currency; supplier qualification refresh (SOC 2, ISO 27001, vendor status); regression suite history across releases; and a deviation/CAPA list. Findings are documented and tracked to closure. The cadence aligns to your QMS and to the periodic-evaluation expectations in EU Annex 11 §11 and the operational reviews expected under ICH Q9(R1) Quality Risk Management.
ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring and Available) is the operational standard for data integrity in GxP. We map every data flow in and out of Castor — manual entry, ePRO sync, eConsent, lab feeds, EDC-to-safety reconciliation, CTMS milestone push — against ALCOA+ and document where each principle is met technically vs procedurally. The mapping aligns to the MHRA GxP Data Integrity guidance, the FDA Data Integrity guidance for industry, the WHO data integrity TRS 1033 Annex 4 and the PIC/S PI 041 guidance.
Inspection support is part of our managed services offering. For an FDA BIMO inspection covering a Castor study we typically prepare: validation pack snapshot for the specific study; per-subject audit trail extracts; signature history; access history for the inspection window; deviation, CAPA and change log; data integrity evidence; and a rehearsed walk-through of the system for the inspection team. For EMA and MHRA inspections we add region-specific evidence (EU Annex 11 matrix, GDPR processing record, DPIA, EU CTR registration). The same approach scales to inspections by PMDA, Health Canada, ANVISA, TGA and other regulators worldwide.
The FDA Computer Software Assurance (CSA) draft guidance shifts validation effort toward critical thinking, risk-based testing and unscripted/exploratory testing where appropriate — particularly for production and quality-system software in device contexts. We apply CSA principles to Castor where they fit: high-risk functionality (signatures, audit trail, data lock, randomization handling) gets scripted, repeatable testing; lower-risk configuration changes get unscripted, evidence-recorded testing. This produces a leaner, faster validation pack than a pure traditional CSV approach while preserving inspection defensibility — particularly useful for medical device and IVD trials that fall under ISO 14155:2020 and 21 CFR Part 812.
Integrations are where most data integrity findings actually originate. Every Castor integration we build is validated end-to-end: URS captures the business and regulatory requirements; integration design captures the mapping, error handling and reconciliation logic; risk assessment identifies where data loss, duplication, transformation error or replay attack could occur; OQ tests exercise each transformation path; PQ tests confirm the integration in the live workflow; and ongoing monitoring catches drift. Patterns we cover include Castor ↔ Veeva Vault CTMS, Castor ↔ Oracle Argus, Castor ↔ Florence eHub, Castor ↔ Suvoda IRT and Castor ↔ central lab. All aligned to MHRA GxP data integrity.
Medical device clinical investigations and IVD performance studies are governed by ISO 14155:2020 globally, 21 CFR Part 812 in the US, and the EU MDR/IVDR in Europe, in addition to 21 CFR Part 11. We extend the standard Castor validation pack with device-specific elements — deficiency reporting, UDI capture, post-market clinical follow-up data flow, complaint handling integration — and align the documentation set to ISO 14155 and 21 CFR Part 11 jointly. This is the framework that supports IDE, 510(k) clinical, De Novo and PMA submissions out of Castor.
Ready to Validate Castor for Your Portfolio?
Ready to Validate Castor for Your Portfolio? image

Ready to Validate Castor for Your Portfolio?

Talk to our validation team about an inspection-ready Castor environment — sized to your studies, your QMS and your regulatory profile.

Book a Meeting

© 2026 IntuitionLabs. All rights reserved.

Privacy PolicyTerms of ServiceBook Meeting