Book Paid Powai Call Girls Mumbai 𖠋 9930245274 𖠋Low Budget Full Independent H...
21 CFR part 11 Overview
1. An Overview To
21 CFR Part 11
By: Zahid Munir Choudhry
Zahidmunir.ch@gmail.com
2. DECODING “21 CFR PART 11”
CFR = “Code of Federal Regulations”
• 21 = ―Title 21”
• Part 11 = Scope is specific to electronic records & electronic
signatures,including electronic submissions to the FDA
Details missing from the common title:
• Chapter I = Part 11 falls under ―Chapter I‖ of the CFR
• Subchapter A = Part 11 falls under ―SubchapterA – General‖ of
Chapter I of the CFR
3. Introduction to 21 CFR Part 11
- 21 CFR Part 11 is an important section of the Code of Federal Regulations
- 21 CFR Part 11 deals with rules for electronic records and electronic signatures
as set out by the FDA
- It needs to be understood that each title and part of the CFR denotes a certain
industry or activity
- In this instance, 21 CFR is the FDA title for PHARMA and medical devices, while
Part 11 relates to a specific activity, namely electronic signatures and record
- Under the broad umbrella of pharmaceuticals and medical devices, a host of
activities are included.
- In 1999, computerized systems that are used in clinical trials came under 21
CFR Part 11.
4. Why is Part 11 required?
The core function of Part 11 of CFR is to ensure:
• Authenticity
• Reliability
• Integrity
• Confidentiality
• Accuracy
• Trustworthiness of electronic records and signatures
In other words, this is a tool and method to ensure that companies have
to ensure that the electronic records and signatures used in their work
are as authentic as the physical records and signatures.
The primary intention of Part 11 is to help any electronic record replace
a paper record.
5. FDA Guidance (Electronic Records; Electronic Signatures — (Scope and
Application) defines electronic records as:
–Records that are required to be maintained under predicate rule
requirements and that are maintained in electronic format in
place of paper format
–Records that are required to be maintained under predicate rules, that
are maintained in electronic format in addition to paper format, and
that are relied on to perform regulated activities
–Records submitted to FDA, under predicate rules (even if such
records are not specifically identified in Agency regulations) in
electronic format
–Electronic signatures that are intended to be the equivalent of
handwritten signatures, initials, and other general signings
required by predicate rules
What is an electronic record
6. 1. Fully documented and validated systems including change
control
2. Ability to generate accurate and complete copies of records for
inspection and review by the system
3. Ability to protect and easily retrieve records through their
retention period
4. Ability to discern changes to records through the use of audit
trails
5. Proper security controls (authentication, user rights, Access
Management)
6. Trained and qualified individuals
7. SOPs in use in place
8. Encryption for open systems
9. e-Signature components and controls (i.e. System could Identify e-Signature)
10. Linking of electronic signatures to records
21 CFR Part 11 – 10 Steps to Compliance
7. A formal process to ensure that:
– systems consistently operate as they were intended
– user, business and regulatory system requirements are
met
– information is secure and properly managed by the
system
– procedures and processes are in place for the use
and management of the system
Requirement 1 – System Documentation / Validation
What is Computer Systems Validation?
8. That full traceability of systems and processes be in place
That procedures should be in place to ensure that systems used in
regulated activities are adequately validated
That systems should be maintained in a validated state through
effective change control mechanisms
That sponsors take a risk based approach to computer systems
validation (CSV)
That individuals involved in CSV activities and the maintenance of validated
systems have adequate experience and training
Requirement 1 – System Documentation /
Validation
What is expected?
9. There should be a clear plan and process for producing
Documentation governed by SOP or MVP
Documentation should be traceable and original
ALCOA should be respected
Version control and change control procedures should be in place
for system documentation
It should be clear whether documentation is cumulative or iterative
Requirement 1 – System Documentation /
Validation System Documentation Review
Continued next slide
10. If documentation is paper based, adequate controls should be
in place to protect it (fire proof cabinets, offsite scans etc.)
If documentation is electronic, it should be maintained in
accordance with 21 CFR Part 11
If documentation is being provided by a third party, then it should be
clear who‟s SOPs are being used
Clear documentation identifiers and titles should be provided
Requirement 1 – System Documentation /
Validation System Documentation Review
11. Validation plan and validation summary report reviewed
Traceability matrix should clearly indicate which requirements were tested with
which test scripts
Requirements can also be met through IQ or SOPs
Traceability matrix can also reference Functional Specifications and Design Specification
documents for custom build systems
Traceability Matrix is a living document and should be maintained as part of change
control
Traceability Matrix is a key tool in understanding how a system has been tested and
ascertaining validated state
It is also very useful when performing impact assessments for change control
Significantly facilitates the management of the system as well as the inspection of
system documentation
Requirement 1 – System Documentation /
Validation Traceability Review
12. Indexing and search system to be able to easily find records
in the case of inspection
Ability to print records or to provide an „Inspector‟ view to
final records and associated audit trail / e-Signature
information
Document lifecycle status should be clear i.e. Final Record?
Version?
You should be able to produce copies of records in a common
portable format (PDF, XML)
Requirement 2 - Ability to generate accurate and
complete copies of records
13. Ensure that a full system backup is in place (preferably with an offsite
copy in case of disaster)
Perform regular backup restoration tests
Ensure system is part of the disaster recovery plan
Store final records in public portable format (PDF, XML) if
possible to ensure system independence
Apply retention policies in the system in line with records
retention SOP
Requirement 3 - Protect and easily retrieve
records through their retention period
14. Audit trail should be applied to all records in the system (documents,
metadata,signatures)
Audit trail elements include:
- Username
- Record Identifier
- Type of audit entry (new, modify, delete, view etc.)
- Date/time stamp (with time zone)
- Old/New value (can be in the document or in version history/audit
trail)
If working with a 3rd party, they should provide the audit trail with the
electronic records
Audit trails should be computer generated and non-modifiable
Requirement 4 – Ability to discern changes to
records through the use of audit trails
15. Each user must have a unique logon and password to access the
system
Passwords should be changed periodically
The system should have the ability to detect security breaches
The system should have a granular security system based on user
security profiles which can be applied up to the document level
The system should be able to enforce sequencing of events based on
document status
The system should ensure that final records are read only
Requirement 5 – Proper security controls
16. There should be clear job descriptions for all roles required to
develop, install, validate, maintain and use the system
There should be formal training on both the SOPs that govern the
system and the administration/use of the system
Job descriptions should clearly describe the qualifications required for
each role
A training matrix should clearly indicate which SOPs should be
trained on for each role
CVs and training records should be maintained on file
Requirement 6 – Trained and Qualified Individuals
17. There should be formal SOPs in place for:
Software development and validation
System change control
Physical and logical security / data protection
System maintenance and administration
Disaster recovery and business continuity
Use of electronic and digital signatures
Records management (including records retention and archiving)
System management
Any other regulated processes managed with the system….
Requirement 7 – SOPs
18. Definition of an open system: environment in which system access is not
controlled by persons who are responsible for the content of electronic records
that are on the system
If the system is hosted or being used by individuals outside of the
organization (and therefore transiting over the internet) then it may be
considered an open system
Need to ensure record authenticity, integrity, and confidentiality
Use of encryption such as SSL orVPN can be used to ensure
confidentiality
Use of digital signatures can also help to show integrity and
authenticity
Requirement 8 – Encryption
19. E-Signature should be unique to an individual
There should be at least two elements of identification used to sign
Signers must be trained on the use of e-Signatures and sign a non-repudiation form which
clearly identifies them
E-Signatures should become invalid if a record changes after being signed
Should be designed to require the collaboration of 2+ individuals to use someone else‟s e-Signature
Implement a password policy to periodically require that passwords are changed (90 days…)
Implement a loss management procedure in your SOP on e-Signatures / logical security
Don’t forget to send the letter of certification…
Requirement 9 – e-Signature components and
controls General Requirements
21. Requirement 9 – e-Signature components &
controls Electronic vs. Digital Signatures
Characteristic Electronic Digital
UsesToken No Yes
Encrypts document with token No Yes
Can be independently verified
outside of the system
No Yes
Link to record
Link resides in the
Database of the system
generating the signature
Link is usually contained within the
record that was signed
Maintenance
Needs to be maintained
in the system for
retention period
Can be retained independently from
the system in the record
22. Requirement 10 – Signature linking to records
Standard Acrobat embedded signature
23. Just reproducing the signature information on the record is
not sufficient
Database entries must be maintained as electronic records
i.e. audit trail etc.
System must be maintained over time so as to maintain
the ability to discern changes to records and link to records
Impossible to know if a record has changed if record lives outside of
the system
Requirement 10 – Signature linking to records
Electronic signature linking
24. Ensure all users are fully trained in the use of the system and understand
what an electronic record is
Implement a electronic records management policy
Define an clear electronic signature policy
Implement SOPs on how to manage and maintain the system
Ensure that proper change control and configuration control is in place
Implement a checklist which clearly describes how you meet 21 CFR Part
11
Best Practices - Controls
25. EudralexVolume 4 Annex 11 – Computerized Systems
Directive 1999/93/EC Community framework for electronic
signatures
PIC/S PI 011-3 Good Practices for Computerized Systems in
Regulated GxP Environments (2007)
FDA: Computerized Systems used in Clinical Investigations
FDA: Electronic Source Documentation in Clinical Investigations -
DRAFT
Other regulations and Guidance
26. Remember 21 CFR Part 11 compliance is both technical and
procedural
Always develop clear rationale as to how you are meeting all of the
requirements
Remember, you are always responsible as end user so make sure you do
proper due diligence
Clearly identify what you consider to be electronic records
Make sure everyone in the organization understands electronic records
and electronic signatures
Perform regular follow up assessment to evaluate ongoing
compliance
Conclusion