21 CFR part 11 Overview

An Overview To
21 CFR Part 11
By: Zahid Munir Choudhry
Zahidmunir.ch@gmail.com

DECODING “21 CFR PART 11”
CFR = “Code of Federal Regulations”
• 21 = ―Title 21”
• Part 11 = Scope is specific to electronic records & electronic
signatures,including electronic submissions to the FDA
Details missing from the common title:
• Chapter I = Part 11 falls under ―Chapter I‖ of the CFR
• Subchapter A = Part 11 falls under ―SubchapterA – General‖ of
Chapter I of the CFR

Introduction to 21 CFR Part 11
- 21 CFR Part 11 is an important section of the Code of Federal Regulations
- 21 CFR Part 11 deals with rules for electronic records and electronic signatures
as set out by the FDA
- It needs to be understood that each title and part of the CFR denotes a certain
industry or activity
- In this instance, 21 CFR is the FDA title for PHARMA and medical devices, while
Part 11 relates to a specific activity, namely electronic signatures and record
- Under the broad umbrella of pharmaceuticals and medical devices, a host of
activities are included.
- In 1999, computerized systems that are used in clinical trials came under 21
CFR Part 11.

Why is Part 11 required?
The core function of Part 11 of CFR is to ensure:
• Authenticity
• Reliability
• Integrity
• Confidentiality
• Accuracy
• Trustworthiness of electronic records and signatures
In other words, this is a tool and method to ensure that companies have
to ensure that the electronic records and signatures used in their work
are as authentic as the physical records and signatures.
The primary intention of Part 11 is to help any electronic record replace
a paper record.

 FDA Guidance (Electronic Records; Electronic Signatures — (Scope and
Application) defines electronic records as:
–Records that are required to be maintained under predicate rule
requirements and that are maintained in electronic format in
place of paper format
–Records that are required to be maintained under predicate rules, that
are maintained in electronic format in addition to paper format, and
that are relied on to perform regulated activities
–Records submitted to FDA, under predicate rules (even if such
records are not specifically identified in Agency regulations) in
electronic format
–Electronic signatures that are intended to be the equivalent of
handwritten signatures, initials, and other general signings
required by predicate rules
What is an electronic record

1. Fully documented and validated systems including change
control
2. Ability to generate accurate and complete copies of records for
inspection and review by the system
3. Ability to protect and easily retrieve records through their
retention period
4. Ability to discern changes to records through the use of audit
trails
5. Proper security controls (authentication, user rights, Access
Management)
6. Trained and qualified individuals
7. SOPs in use in place
8. Encryption for open systems
9. e-Signature components and controls (i.e. System could Identify e-Signature)
10. Linking of electronic signatures to records
21 CFR Part 11 – 10 Steps to Compliance

A formal process to ensure that:
– systems consistently operate as they were intended
– user, business and regulatory system requirements are
met
– information is secure and properly managed by the
system
– procedures and processes are in place for the use
and management of the system
Requirement 1 – System Documentation / Validation
What is Computer Systems Validation?

 That full traceability of systems and processes be in place
 That procedures should be in place to ensure that systems used in
regulated activities are adequately validated
 That systems should be maintained in a validated state through
effective change control mechanisms
 That sponsors take a risk based approach to computer systems
validation (CSV)
 That individuals involved in CSV activities and the maintenance of validated
systems have adequate experience and training
Requirement 1 – System Documentation /
Validation
What is expected?

 There should be a clear plan and process for producing
 Documentation governed by SOP or MVP
 Documentation should be traceable and original
 ALCOA should be respected
 Version control and change control procedures should be in place
for system documentation
 It should be clear whether documentation is cumulative or iterative
Validation System Documentation Review
Continued next slide

 If documentation is paper based, adequate controls should be
in place to protect it (fire proof cabinets, offsite scans etc.)
 If documentation is electronic, it should be maintained in
accordance with 21 CFR Part 11
 If documentation is being provided by a third party, then it should be
clear who‟s SOPs are being used
 Clear documentation identifiers and titles should be provided
Validation System Documentation Review

 Validation plan and validation summary report reviewed
 Traceability matrix should clearly indicate which requirements were tested with
which test scripts
 Requirements can also be met through IQ or SOPs
 Traceability matrix can also reference Functional Specifications and Design Specification
documents for custom build systems
 Traceability Matrix is a living document and should be maintained as part of change
control
 Traceability Matrix is a key tool in understanding how a system has been tested and
ascertaining validated state
 It is also very useful when performing impact assessments for change control
 Significantly facilitates the management of the system as well as the inspection of
system documentation
Validation Traceability Review

 Indexing and search system to be able to easily find records
in the case of inspection
 Ability to print records or to provide an „Inspector‟ view to
final records and associated audit trail / e-Signature
information
 Document lifecycle status should be clear i.e. Final Record?
Version?
 You should be able to produce copies of records in a common
portable format (PDF, XML)
Requirement 2 - Ability to generate accurate and
complete copies of records

 Ensure that a full system backup is in place (preferably with an offsite
copy in case of disaster)
 Perform regular backup restoration tests
 Ensure system is part of the disaster recovery plan
 Store final records in public portable format (PDF, XML) if
possible to ensure system independence
 Apply retention policies in the system in line with records
retention SOP
Requirement 3 - Protect and easily retrieve
records through their retention period

 Audit trail should be applied to all records in the system (documents,
metadata,signatures)
 Audit trail elements include:
- Username
- Record Identifier
- Type of audit entry (new, modify, delete, view etc.)
- Date/time stamp (with time zone)
- Old/New value (can be in the document or in version history/audit
trail)
If working with a 3rd party, they should provide the audit trail with the
electronic records
Audit trails should be computer generated and non-modifiable
Requirement 4 – Ability to discern changes to
records through the use of audit trails

 Each user must have a unique logon and password to access the
system
 Passwords should be changed periodically
 The system should have the ability to detect security breaches
 The system should have a granular security system based on user
security profiles which can be applied up to the document level
 The system should be able to enforce sequencing of events based on
document status
 The system should ensure that final records are read only
Requirement 5 – Proper security controls

 There should be clear job descriptions for all roles required to
develop, install, validate, maintain and use the system
 There should be formal training on both the SOPs that govern the
system and the administration/use of the system
 Job descriptions should clearly describe the qualifications required for
each role
 A training matrix should clearly indicate which SOPs should be
trained on for each role
 CVs and training records should be maintained on file
Requirement 6 – Trained and Qualified Individuals

There should be formal SOPs in place for:
 Software development and validation
 System change control
 Physical and logical security / data protection
 System maintenance and administration
 Disaster recovery and business continuity
 Use of electronic and digital signatures
 Records management (including records retention and archiving)
 System management
 Any other regulated processes managed with the system….
Requirement 7 – SOPs

 Definition of an open system: environment in which system access is not
controlled by persons who are responsible for the content of electronic records
that are on the system
 If the system is hosted or being used by individuals outside of the
organization (and therefore transiting over the internet) then it may be
considered an open system
 Need to ensure record authenticity, integrity, and confidentiality
 Use of encryption such as SSL orVPN can be used to ensure
confidentiality
 Use of digital signatures can also help to show integrity and
authenticity
Requirement 8 – Encryption

 E-Signature should be unique to an individual
 There should be at least two elements of identification used to sign

 Signers must be trained on the use of e-Signatures and sign a non-repudiation form which
clearly identifies them
 E-Signatures should become invalid if a record changes after being signed

 Should be designed to require the collaboration of 2+ individuals to use someone else‟s e-Signature
 Implement a password policy to periodically require that passwords are changed (90 days…)
 Implement a loss management procedure in your SOP on e-Signatures / logical security
 Don’t forget to send the letter of certification…
Requirement 9 – e-Signature components and
controls General Requirements

Requirement 9 – e-Signature components &
controls Components

Requirement 9 – e-Signature components &
controls Electronic vs. Digital Signatures
Characteristic Electronic Digital
UsesToken No Yes
Encrypts document with token No Yes
Can be independently verified
outside of the system
No Yes
Link to record
Link resides in the
Database of the system
generating the signature
Link is usually contained within the
record that was signed
Maintenance
Needs to be maintained
in the system for
retention period
Can be retained independently from
the system in the record

Requirement 10 – Signature linking to records
Standard Acrobat embedded signature

 Just reproducing the signature information on the record is
not sufficient
 Database entries must be maintained as electronic records
i.e. audit trail etc.
 System must be maintained over time so as to maintain
the ability to discern changes to records and link to records
 Impossible to know if a record has changed if record lives outside of
the system
Requirement 10 – Signature linking to records
Electronic signature linking

 Ensure all users are fully trained in the use of the system and understand
what an electronic record is
 Implement a electronic records management policy
 Define an clear electronic signature policy
 Implement SOPs on how to manage and maintain the system
 Ensure that proper change control and configuration control is in place
 Implement a checklist which clearly describes how you meet 21 CFR Part
11
Best Practices - Controls

 EudralexVolume 4 Annex 11 – Computerized Systems
 Directive 1999/93/EC Community framework for electronic
signatures
 PIC/S PI 011-3 Good Practices for Computerized Systems in
Regulated GxP Environments (2007)
 FDA: Computerized Systems used in Clinical Investigations
 FDA: Electronic Source Documentation in Clinical Investigations -
DRAFT
Other regulations and Guidance

 Remember 21 CFR Part 11 compliance is both technical and
procedural
 Always develop clear rationale as to how you are meeting all of the
requirements
 Remember, you are always responsible as end user so make sure you do
proper due diligence
 Clearly identify what you consider to be electronic records
 Make sure everyone in the organization understands electronic records
and electronic signatures
 Perform regular follow up assessment to evaluate ongoing
compliance
Conclusion

21 CFR part 11 Overview

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à 21 CFR part 11 Overview

Similaire à 21 CFR part 11 Overview (20)

Dernier

Dernier (20)

21 CFR part 11 Overview