Brief of 21 CFR part 11

1. 21 CFR Part 11:
An approach towards
Compliance
By
Deepak Mishra
DM
1

2. Points Captured
• History of 21 CFR Part 11
• 21 CFR Part 11 Meaning
• Key aspects of 21 CFR Part 11 Requirements
• Terminology and Definitions
• Electronic Data Lifecycle
• Applicability of Part 11
• Electronic Record and Electronic Signature
• 21 CFR Part 11 vs Annexure 11
• Regulatory Citations on Electronic records/Signatures
• GAMP 5 and 21 CFR Part 11
• Data integrity and 21 CFR Part 11
• Assess your compliance
DM
2

3. History of 21 CFR Part 11
Process Year
Initiation of Rule by US Pharmaceutical Manufacturing
Association (PMA now Pharmaceutical Research and
Manufacturing Association, PhRMA)
1990
Publication of Advance Notice of Proposed Rule
Making (ANPRM) for comments
1992
Proposed Rule 1994
Rule Became Effective on August 20, 1997
Electronic Records 2000
Scope and Application Guidance 2003
Draft Computerized systems Used in Clinical Trail
Guidance
2004
Final Guidance Published 2007
DM
3

4. 21 CFR Part 11 Meaning
Title 21 – Food and Drugs
Chapter I – Food and Drug Administration, Department of
Health and Human Services
Subchapter A – General
Part 11 – Electronic Records, Electronic Signatures
Part 11 : A law that ensures the implementation of good
practices by defining the criteria under which the Electronic
records and signatures are considered as Accurate, Authentic,
Trustworthy, reliable, confidential, and equivalent to paper
records and handwritten signatures on papers.
DM
4

5. Why do we Need it
• A standard required to handle and maintain the electronic
records generated in industry moving towards the
Automation.
• To streamline business processes
• To reduce the risk of human errors significantly.
• Decreasing operational costs of the business.
• Decreasing time-to-market for pharmaceutical products.
DM
5

6. Key Aspects of 21 CFR Part 11
Requirements
• Validation of System
• Data availability in both printed and electronic form
• Data Protection
• Data Archival and Retrieval including Meta Data
• User Management with different access levels
• Audit Trail function availability with access control (read only)
with a retention defined in policy or as required.
• Training
• Written procedures availability for the individuals
• Controls over distribution, access and use of documentation
DM
6

7. Terminology and Definitions
• Electronic Records :
• Any combination of text, graphics, data, audio, pictorial or any
information representation in digital form that is created, modified,
maintained, archived, retrieved or distributed by a computer system
• Electronic Signature:
• A compilation of any symbol(s) executed, adopted or authorized by
an individual to be the legally binding equivalent to the individual’s
handwritten signature.
• Handwritten Signature:
• A scripted name or the legal mark of the individual handwritten by
that individual and executed or adopted with the intention to
authenticate a writing in a permanent form.
DM
7

8. Terminology and Definitions
• Computerized system
FDA Inspection Guide (Glossary of computer system software
development Terminology)
• Include Hardware, software, peripheral devices (), personnel,
documentation e.g. manuals and Standard Operating Procedure.
Annexure 11 : Computerized systems
• A set of software and hardware components which together fulfill
certain functionalities.
PIC/S Guidance on Good Practices for computerized systems in
Regulated GxP environments
• A computer system plus the controlled functions that it operates {it
include all outside influences that interface with the computer
system in its operating environment} (it includes all the monitoring
and network links (to/from other systems or instruments), manual
(keypad inputs), links to different media, manual procedures and
automation
DM
8

9. Terminology and Definitions
• Backup – a copy of a file/data made incase the original is lost
or damaged.
• Types of Data Backup
• Incremental Backup – Incremental backup back up only
changed files/data but only back up the data/files since the
last back up- whether full or incremental.
• Differential Backup – A differential backup backs up only files
that changed since the last full backup.
• Full Backup – It is the back up of the full or entire data set
selected for backup.
DM
9

10. Terminology and Definitions
• Archival – Data archival is the process of moving data that is
no longer actively used to a separate storage device for long
term retention.
• Retrieval – Data retrieval is the process of identifying and
extracting the data from the database based on the
requirement or as per defined frequency for the verification
purpose only.
• Audit Trail
• A secure, computer generated, time stamped record to
independently record the date and time of operator entries
and actions that create, modify or delete electronic records.
DM
10

11. Terminology and Definitions
• Validation
• Establishing the documented evidence which provides a high degree
of assurance that a specific process will consistently produce a
product meeting its pre0determined specification and Quality
attributes.
• Open System
• Where system access is not controlled by the people who are
responsible for the content of the electronic records in the system.
e.g. Internet or wikis.
• Closed System
• Systems where the system access is controlled by the people
responsible for the content of the electronic records in the system.
E.g. applications.
DM
11

12. Terminology and Definitions
• Device Checks
• Device checks are the tests to ensure the validity of data
inputs and operational instructions (automatically determining
the identification and location of a piece of equipment
hardware or another computer system).
• Operational System checks
• Operational system checks enforce sequencing of critical
system functionality. This is demonstrated by showing that
business defined workflows must be followed. E.g. data must
be entered before it can be reviewed.
DM
12

13. Terminology and Definitions
• Metadata
• Contextual information required to understand data.
• Hybrid System
• Combination of Electronic records and paper records. Raw
data are recorded electronically to reconstruct the analysis but
final results are printed and signed.
• Predicate Rules
• Predicate rules are the 21 CFR Food ,drug and cosmetic acts
(besides 21 CFR Part 11).
DM
13

14. Electronic Data Lifecycle
Source: Labcompliance.com
DM
14

15. Applicability of Part 11
• Applies to:
All GxP Records in the electronic form that are created,
modified, maintained, archived, retrieved or transmitted.
• Does not apply
• Any paper records even if they are sent electronically ( for
example, a scan of paper records transmitted by email or Fax).
However if a file in a pdf format generated out of a 21 CFR
Part 11 compliant system is transmitted by email is exception.
DM
15

16. Applicability of Part 11
DM
16

17. • When Part 11 Applies
No
Yes
No
Yes
No
GxP
Requirement
?
Use for
Regulatory
Purpose?
Maintain
E-Records?
Out of Scope
Out of Scope
Out of Scope
DM
17

18. ElectronicRecordsand ElectronicSignature
Subpart B- Electronic Records Subpart C- Electronic Signature
11.10 Controls for Closed Systems 11.100 General Requirements
(a) Validation of the system (a) Unique
(b) Accurate and complete copies (b) Verify the identity of the individual
(c) Records Protection for ready retrieval (c) Certification of Electronic Signature
(d) Limiting system Access 11.200 Electronic Signature Components and Controls
(e) Audit Trail (a) Non Biometrics
(f) Operational system checks (1) Code and Password
(g) Authority checks (i) All signature components & subsequent one component only
(h) Device (e.g. terminal) checks (ii) All components of signature once signed off
(i) Education, training and experience (2) Genuine owners
(j) Written procedures (3) Collaboration of two or more individuals other than Genuine owner
(k) Documentation (b) Biometrics
(1) Distribution of access (2) Revision and Change control 11.300 Controls for Identification Codes/passwords
11.30 Controls for open Systems (a) Uniqueness of User ID/Password
11.50 Signature Manifestations (b) Periodic check/change of Passwords
11.70 Signatures/Record Linking (c) Loss management
-- (d) Safeguards to prevent unauthorized access
-- (e) Initial and periodic check of devices
DM
18

19. 21 CFR Part 11 vs Annexure 11
•Annexure 11 21 CFR Part 11
Risk Based Security based
Approach Approach
COMPLIANCE
DM
19

20. S I M I L A R I T I E S
21 CFR part 11 ANNEXURE 11
Validation (11.10 (a)) Validation (Principle)
Personnel Training, Qualification (11.10(i)) Personnel (General)
Documentation (11.10(k) (1) (2)) Change control, deviations (Project (4.2))
Device Checks (11.10 (h)) Data transfer validation (Project (4.8))
Security and Accessible (11.10(c)(d)(e)(g)) Secured and accessible (Operation, 7.1)
Audit Trails (11.10 (e)) Audit Trails (9)
Accurate and Complete copies (11.10(b) Printouts (8.1)
Signature Manifestation (11.50) Electronic Signature (14 (b))
Certify equivalent to handwritten (11.100(c)) Same as hand-written (14(a))
Based on biometric, not biometric (11.2..(a)(b),
11.300(e))
Security, physical/logical (12.1)
Periodically checked (11.300(b)) Periodic Evaluation (11.)
Periodic checking, revision or recalled (11.300(b)(e)) Access authorization recording (12.3)
Operational System Checks(11.10 (f)) Data (5)
Protection of records (11.10 (c)) Data storage (7)
DM
20

21. G A P S
21 CFR part 11 ANNEXURE 11
Risk assessment Not covered Risk assessment is integral Part
Security for open and closed systems with Extra
security measures for Open system like
Encryption
Security controls based on Criticality of
Computerized systems
User accountability for actions initiated under e-
signature
User accountability is not in Scope
Uniqueness/not reused of Electronic signature Not in scope of Annexure 11
Controls for Supplier and Service Providers,
Formal agreements, supplier audits are not in
scope of 21 CFR Part 11
In Scope under General section
System inventory, User requirement
specification, Quality management system not in
Scope.
System inventory, User requirement
specification, Quality management system
covers under Project Phase Validation
Back up not in scope Backup – an integral part
Batch release out of scope Batch release in Scope
Incident Management Out of scope Incident Management in scope
Business Continuity plan out of scope Business Continuity plan in scope
DM
21

22. Regulatory Citations on Electronic
records/Signatures
• Computer systems are not validated or adequately validated.
• There is no control on user access management with the
analysts/supervisor having data deletion/modification rights
• Audit Trails found disabled for the computer systems with no
available history of the batch records.
• Generic user accounts are used by multiple personnel thus no
traceability who performed what.
• Electronic raw data is not saved.
• Insufficient data security with ability to overwrite data.
• Generated records are not accurate, complete and reliable.
• Individual passwords are shared.
DM
22

23. GAMP 5 and 21 CFR Part 11
• GAMP 5 used as a guidance with a risk based approach for
managing GxP computer systems. Higher the risk, the greater
the degree of validation and control is needed.
• In GAMP 5, each project is initiated as an assessment of
system to determine its risk level (based on system type and
intended use), as well as whether the system is GxP and if its
so, is subjected to 21 CFR Part 11.
• GAMP 5 - A Recommendation but 21 CFR Part 11 – A
Requirement.
DM
23

24. GAMP 5 and 21 CFR Part 11
DM
24
Risk Assessment of Computerized systems?
GxP or Non-GxP ?
21 CFR Part 11 APPLIES

25. Data Integrity and 21 CFR Part 11
• 21 CFR Part 11 ensures Data integrity of Electronic
records.
• Data integrity means – data records are complete, intact
and maintained within their original context including
their relationship with the other data.
• Metadata – crucial for trustworthiness of records and
compliance with 21 CFR Part 11 and data integrity.
DM
25

26. DM
26
- Raw data and results
- Link between raw data,
results and metadata.
Mitigation plan based
on the identified risks
Periodic review of
computerized systems
for Compliance
Identification of System
and records from Quality
and business perspective.
Evaluation of Analytical
Data systems w.r.t. 21
CFR Part 11
Assess the risks
affecting Data security
and Data integrity

27. GAMP 5, Annexure 11 , 21 CFR Part 11 and Data Integrity
GAMP 5
21 CFR Part 11 Annexure 11
DM
27
DATA
INTEGRITY

28. Assess
your
Compliance
DM
28

29. Is your system in validated state?
Is there User Management system based on the privileges assigned
to pre-defined user Groups based on the job role?
Is Drives used for the data backup or drives used for the archival of
the complete yearly back up are protected from deletion,
modification and creation?
Periodic verification of the archived data for its accuracy,
completeness and reliability?
 Does System allow selective data backup?
Is Administrator independent of the user department?
Is there periodic verification of the computerized systems?
Audit Trail functionality is available in computerized systems? Can
the Audit trail be available for review and print as required?
Is there Password Management procedure in place?
Is Electronic Signature and hand written signature are linked?
Are users of the computerized systems are trained for the execution
of activities assigned?
Is there Change management system for up gradation/modifications
in system?
DM
29

30. Discontinuation of any Client, Server or Computer system from any
Instrument /Equipment and software?
Does Signature indicates the meaning of the signature along with
the user details?
Is written procedure in place for the for the actions initiated using
Electronic signature by individuals for the responsibility assigned?
….………list continues………
DM
30

31. References
• FDA Guidance Title 21 –Food and Drugs, Part 11 Electronic Records ;
Electronic Signatures
• Guidance for Industry Part 11 Scope and Application August 2001
• Pharmaceutical Manufacturing : An Introduction to 21 CFR Part 11
• Risk Based approach to Part 11 and GxP compliance : Agilent Technologies
• Comparison of FDA’s Part 11 and EU Annexure 11:EduQuest
• Data integrity for Electronic records according to 21 CFR Part 11
(www.biopharminternational.com)
• FDA’s 483 and warning letters
• Labcompliance.com
DM
31

32. Thanks ……
Any Questions…???
Comments for any improvements….??
DM
32