The Fdafin PDF

The FDA's New Enforcement of
21 CFR Part 11 Compliance

(An Overview)
June 2012
The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

June 2012
Contents
About Validation ................................................................................ 3
Abbreviations .................................................................................... 4
FDA Regulation Along the Drug Life ................................................. 5
Other Challenges .............................................................................. 6
Modules/Steps Involved in the Validation Process ........................... 7
Module 1: Regulatory Requirements ................................................ 8
Module 2: Steps for Cost Effective Computer System Validation ... 11
Module 3: Initial and Ongoing Tests of Software and Computer
Systems........................................................................................... 14
Module 4: Minimum Validation Documentation Validation .............. 15
Module 5: Qualification of Network Infrastructure and Validation of
Network System .............................................................................. 16
Module 6: Understanding FDA Part 11 and the EU GMP Annex 11 ..... 17
Case Study ...................................................................................... 19
Conclusion....................................................................................... 20
Reference ........................................................................................ 21
Author Info ....................................................................................... 21
2012, HCL Technologies, Ltd. Reproduction prohibited. This document is protected under copyright by the author. All rights reserved.

June 2012
About Validation
Validation:
Validation is defined as the act of testing for compliance with a
standard.
Need for validation in computer systems:
Required by regulations US FDA, EMA, GMP, GCP, GLP
Ensures consistent data and product quality
Helps to protect intellectual property through scientifically

sound data
In 1997, the United States Food and Drug Administration (FDA)

issued a regulation that provides criteria for acceptance by the FDA
of electronic records, electronic signatures and handwritten
signatures. This was done in response to requests from the
industry. With this regulation, titled Rule 21 CFR Part 11 (henceforth
referred to as Part 11), electronic records can be equivalent to
paper records and handwritten signatures.
Title 21 is the portion of the Code of Federal Regulations that
governs food and drugs within the United States for the Food and
Drug Administration (FDA), the Drug Enforcement Administration
(DEA), and the Office of National Drug Control Policy (ONDCP).
Compliance is not as easy as it seems.
The premise may seem straightforward, but implementing these
regulations, adhering to them, and being able to document that the
organization is compliant is quite complex. This paper provides you
with information on HCL guidelines for Part 11.

June 2012
Abbreviations
Sl.
No.
Acronyms
1.
CFR
2.
EU
3.
GMP
4.
AGMP
5.
GLP
Good Laboratory Practices
6.
GCP
Good Clinical Practices
7.
GxP
GLP+GCP+GMP = Predicate Rules
8.
EMA
European Medicines Agency
9.
URS
User Requirement Specification
10.
PIC/S
Pharmaceutical Inspection Convention/Cooperation Scheme
11.
OQ
Operational Qualification
12.
DQ
Design Qualification
13.
PQ
Performance Qualification
14.
IQ
Installation Qualification
Full Form
Code of Federal Regulations
European Union
Good Manufacturing Practices
(Automated Good Manufacturing Practices)

June 2012
Application areas of
21 CFR Part 11
Part 11 applies to all
existing and newly
installed systems
FDA Regulation Along the Drug Life

Part 11 applies to all records that are defined in the underlying acts
and regulations which govern activities in the life sciences
industries. These underlying acts and regulations, which are
referred to as the predicate rules, are any requirements set forth in
the FDCA Act (Federal Food, Drug and Cosmetic Act), the PHS Act
(Public Health Service Act), or any FDA regulation (GLP, GMP, and
GCP). The predicate rules mandate what records are to be
maintained, the content of those records, whether signatures are
required, how long records must be maintained, and so on.
Part 11 requires drug makers, medical device manufacturers,
biotech companies, biologics developers, and other FDA-regulated
industries to implement controls, including audits, system
validations, audit trails, electronic signatures, and documentation for
software and systems involved in processing electronic data that are
either required to be maintained by the FDA predicate rules or used
to demonstrate compliance to a predicate rule. Part 11 applies to all
existing and all newly-installed systems.

June 2012
Challenges to adhere
to Part 11
Data integrity and

information security
Gap assessment
Revenue loss
Challenges
A wave of change is sweeping through the life sciences industry.
Electronic records and electronic signatures are replacing paper
records and hand-written signatures. The challenge is to comply
with the regulations while implementing the most efficient and
effective systems possible. Although companies initially may resist
moving toward compliance, the return on investment for accepting
the change is high. Likewise, the penalty for non-compliance can be
severe.
The regulation has been largely open to interpretation, resulting in
many different compliance approaches. While the FDA is dictating
what needs to be done, how it is to be done is left to individual
companies.
There are several problems or challenges associated with Part 11 in
life science firms:
Part 11 is a regulation to promote public safety through an

organizations ability to control data integrity with respect to
authorized and unauthorized modifications to records. Data
integrity and information security are the key objectives of
Part 11.
To begin the move to compliance, a Part 11 gap assessment

should be performed on all systems subject to records
requirements set forth in the FDA regulations.
Failure to comply can lead to denial of a New Drug

Application (NDA), potential delay in manufacturing, 483
warning letters, civil penalties, and even prosecution for
negligence. These penalties, and the resulting delay in
releasing new drugs, can cost life science firms millions of
dollars.
Steps for attaining initial compliance to Part 11 have been

documented, which can help the organization achieve FDA
compliance.

June 2012
Modules/Steps Involved in the Validation Process

There are six steps involved in the validation process, which are
listed below.
Regulatory requirements
Steps for cost-effective computer system validation
Initial and ongoing tests of software and computer systems
Minimum validation documentation inspectors want to see
Qualification of network infrastructure and validation of

network systems
Understanding the spirit and basics of the FDA Part 11 and

the EU GMP Annex 11

June 2012
Steps to achieve
regulatory
requirements
Computer system
validation
Regulation and quality

standards
Validation of master plan
Validation approach lifecycle models
Risk-based validation
for records generated
Module 1: Regulatory Requirements

Regulatory requirements require persons to employ procedures
and controls, designed to ensure the authenticity, integrity, and
confidentiality of electronic records, and to ensure that the signer
cannot readily repudiate the signed record as not genuine. Various
steps have been derived to satisfy these requirements.
Computer system validation
Regulation and quality standards
Validation master plan
Validation approach lifecycle models
Computer System Validation
Computer systems used to create, modify, and maintain electronic

records and to manage electronic signatures are also subject to the
validation requirements. Systems that maintain certain employee
training records may even be subject to validation. Such computer
systems must be validated to ensure accuracy, reliability, consistent
intended performance, and the ability to discern invalid or altered
records.
Validation is a systematic documentation of system requirements,
combined with documented testing, demonstrating that the
computer system meets the documented requirements. It is the first
requirement identified in Part 11 for compliance. Validation requires
that the system owner maintain the collection of validation
documents, including requirement specifications and testing
protocols.
Regulation and Quality Standards

The requirements in this part govern the methods, facilities and
controls used for the design, manufacture, packaging, labeling,
storage, installation, and servicing of all finished devices intended
for human use, so they should satisfy:

June 2012
GLP (Good Laboratory Practices)
GCP (Good Clinical Practices)
GMP (Good Manufacturing Practices)
AGMP (Automated Good Manufacturing Practices)
FDAs 21 CFR Part 11/EU Annex 11 (electronic records and

signatures)
(Automated) equipment should be suitable for its intended use
Equipment should be routinely checked
Validation Master Plan

A Validation Master Plan (VMP) is an integral part of a well
organized validation project. It documents the company's approach
to complex validation projects. The VMP has a broad scope. It
clarifies responsibilities, general objectives, procedures to be
followed for validation, and it prioritizes multiple validation tasks. It
may reference several protocols and procedures to be written in
order to conduct the qualification of several different pieces of
equipment and different processes. It may also specify schedules
for validation and the allocation of resources needed to perform the
validation. VMP provides a means of communication to everyone
associated with the project. It lets management know how the
companys resources are being allocated and when they will see the
results. It tells the validation team what they have to do, when they
have to do it, and gives them a means of tracking progress. Other
groups can find out what the validation team is doing and what their
roles are in support of the validation project. The FDA can look at
the VMP and see the validation project is well thought out and
organized; there is a logical reason for including or excluding every
system from the validation project based on a risk analysis.
Validation Approach Lifecycle Models

Validation is not a one-time event. Validation starts when you plan
and design a product (hardware, software) or a method. Validation
is finished when the product is retired and all data is successfully
moved to a new system. Validation follows one of the lifecycle
models.

June 2012
Risk-Based Validation
Specific requirements for computers and electronic records and
signatures are also defined in the FDAs regulations Part 11 on
electronic records and signatures. This regulation applies to all
FDA-regulated areas, and has specific requirements to ensure the
trustworthiness, integrity and reliability of records generated,
evaluated, transmitted and archived by computer systems. In 2003,
the FDA published guidance on scope and applications of Part 11.
10

June 2012
Steps to achieve cost

effective computer
system validation
Form a project team
Document the user

requirements
Develop a validation
project plan
Conduct risk
assessment
Assess supplier
Installation
qualification
Operational and
performance
qualification
Validation report
In this document, the FDA promoted the concept of risk-based

validation.
Defined Actions for Risk Categories:
Risk
Level
Business Continuity
Compliance/Health
High
Failure has a
significant impact on
delivery of products for
several days
Failure of the system may

cause harm to patients and
there is no correction
possible
Medium
Failure has potential

to impact the delivery
of products for 1 or 2
days
Failure of the system may

cause harm to patients and
there is a good potential to
correct the failure
Low
Failure has negligible

impact on product
delivery
Failure of the system will not

cause harm to patients
Module 2: Steps for Cost Effective Computer System

Validation
Form a Project Team which should include representatives from
these key areas:
IT
QA
User groups
Validation groups, if applicable
Regulatory affairs
Documentation
Purchasing
They should meet regularly to make critical decisions and

communicate to a wider user base.
11

June 2012
Document the User Requirements which should be based on

requirement specification, risk assessment and GMP impact. User
requirements should be traceable throughout the lifecycle. The
document should cover the below-mentioned points to address this
requirement.
Contents
Justification for system
Intended application, e.g. electronic documents management
Intended environment (computer and network, operating

environment, e.g. laboratory, manufacturing and office)
Process overview
Detailed user requirements
Signature and approval
When to write URS?
Who writes it, who approves it?
Develop a Validation Project Plan which should define the

activities, procedures and responsibilities for establishing the
adequacy of the system. It should be derived from the companys
validation master plan. There should be a specific strategy,
approach, risk assessment, resources, responsibilities, activities
and deliverables of the validation effort. It can be written in a table
template or a flow text form, as shown below.
Table
Purpose of the plan

Product description
Validation strategy
Responsibilities (position)
Supplier assessment
Risk assessment
Testing strategies and reporting
DQ
IQ
OQ
PQ
Traceability matrix
Procedures
Approval
Documents and control
12

June 2012
Conduct Risk Assessment

Risk assessment should be applied throughout the lifecycle of the
computerized system. As part of a risk management system,
decisions on the extent of validation and data integrity should be
based on a justified and documented risk assessment. The purpose
is to optimize resources toward high-risk systems. Various inputs for
risk assessment such as user experience with the same equipment
already installed, user experience with similar equipment already
installed, IT staff experience with the same or similar equipment,
experience with the equipment vendor, information from the vendor
on what can go wrong (during testing and ongoing use), etc.
Assess Supplier
The regulated user should take all responsible steps to ensure the
system has been developed in accordance with an appropriate
quality management system. The purpose is to determine the
adequacy of the supplier quality system.
Installation Qualification
Collect the suppliers environmental conditions, operating and
working instructions and maintenance requirements compare
systems, as received, with the purchase order. System installation is
according to vendor specifications such as servers, clients, licenses,
and installation protocol.
Install interfaces, e.g. an e-mail system with impact analysis. Design
an overview with system drawings, e.g. data flow, and testing for
successful installation. Check documentation for accuracy and
completeness. Document all components with asset and serial
numbers.
Operational and Performance Qualification

Ensure the system works in your environment and identify critical
functions for the computer systems as defined in the functional and
user environment specifications. Develop these as test cases for the
functions and define acceptance criteria, or take advantage of the
vendors OQ package. Perform the test and evaluate results,
compare with the acceptance criteria, and finally document the
results. Ensure smooth application-specific operation and suitable
performance of the complete system through the ongoing operation.
13

June 2012
Validation report
It should include a brief description of each project activity used to
review all preceding validation activities and indicate the status of
the system prior to implementation into the production environment.
Deviations from the project plan should be documented and a risk
assessment should be performed.
Module 3: Initial and Ongoing Tests of Software and

Computer Systems
A test should be developed, formally documented and used to
demonstrate that the system has been installed and is operating
and performing satisfactorily, and ensures that system requirements
are met. Keep the test evidence on justified and documented risk
assessment: keep hard copy screen prints for high impact functions.
Consider testing of native functions carefully. The extent of testing
should be based on risk, complexity and novelty.
14

June 2012
Module 4: Minimum Document Validation
List of documents for

validation
Documentation which inspectors want to see is listed below.
Documentation
Required SOPs (examples)
Supplier and service providers agreement
Suppliers and service providers assessment information
Supplier agreement
Data back-up
Back-up storage locations, validation, back-up frequency and

documentation
Periodic evaluation and review of computer systems
Internal audits of computer system
Business continuity plan
Disaster recovery plan preparation
System retirement
Maintenance support
Framework (corporate, site, department)
For individual projects processes
For individual products
Test records
15

June 2012
Necessity for
network
infrastructure
Regulations for
validation of network
infrastructure
Module 5: Qualification of Network Infrastructure

and Validation of Network System
Why Care About Network Infrastructure?
A well-qualified network infrastructure increases system uptime and
reduces maintenance costs. Ensure that the network is qualified at
least once, and not for each application. Network infrastructure is
subject to FDA/EU inspection.
Regulation/Guidelines for Qualification/Validation of Network

Infrastructure
The Gxps-system should be suitable for the intended use
21 CFR Part 11 E-signatures/Records - Defines

requirements for electronic records; electronic signatures in
FDA regulated industries
PIC/s Good Practice Guide - Has lots of good

recommendations on using computers in regulated
environments
16

June 2012
FDA Part 11 and the

EU GMP Annex 11
compliance
requirement
Module 6: Understanding FDA Part 11 and the EU

GMP Annex 11
FDA Part 11 and the EU GMP Annex 11 insist on the belowmentioned points:
Control of Closed System (11.10)
Validation
Accurate and complete copies
Protection and retrieval of records
Limited access to systems and data
Electronic audit trail
Authority checks
Device checks
Operational system checks
People qualification
Individual accountability
Controls over system documentation
Digital Signatures (11.30)
Use of digital signatures for open systems
Electronic Signatures (11.50, 11.70, 11.100, 11.13)
Requirements for signed electronic records
Linking records to signatures
Requirements for electronic signatures
Electronic signature components
FDA 21 CFR Part 11 & EU GMP Annex 11:

General Requirements for Electronic Signatures
E-signature must be unique. Ex: user ID and password,

biometric devices
Identity of individuals must be verified
Identification code must be periodically checked, recalled and

revised
Pass card must be periodically tested
Attempts at unauthorized access must be reported
17

June 2012
The use of an e-signature must be certified with the FDA
Annex 11 requires 1 and 2 along with the additional

requirements below:
Risk management
Supplier and service provider management
Data entry and processing
Data accuracy checks
Change management
Periodic evaluation
Incident management
Batch release
Business continuity
Regulation (Annex 11)

For electronic records, regulated users should define which data are
to be used as raw data. At least, all data on which quality decisions
are based should be defined as raw data (EU Annex 11).
Recommendation
For hybrid systems, clearly define if electronic data or printouts are
raw data. If printouts are defined as raw data, they should include all
required records.
18

June 2012
Case Study
The use of electronic records is expected to be more cost-effective
for the industry and the FDA. The approval process is expected to
be shorter and access to documentation will be faster and more
productive. HCL has provided 21CFR Part 11 compliant
assessment for many clients on various requirements. One of the
case studies is mentioned below for reference.
Client Requirement
To create a validation plan for a universal testing machine with 21
CFR Part 11 compliance assessments.
HCL Solution
HCL created the validation plan and a tracking system to monitor
the 21CFR Part 11 compliance requirement.
The validation plan defines:
Validation strategy for providing the documented evidence

necessary to demonstrate that the universal testing machine
functions according to requirements
Roles and responsibilities to implement and to be maintained

in validated state
Validation deliverables required to qualify the client process

and FDA requirement
Deliverables
Required deliverables for the universal testing machine (UTM)
validation plan are as follows:
Validation plan
Quality and regulatory assessment
21 CFR Part 11 coverage assessment
User requirements specification
Risk level and other risk documentation, e.g. PFMEA, if any.

DFMEA and PFMEA documents were not required as the risk
was medium, based on the risk assessment document.
Test cases for installation and user requirements
Requirement traceability matrix
Standard operating procedure
21 CFR Part 11 compliance assessment
19

June 2012
Conclusion
The ultimate goal of computer system validation is to produce
documentation that actually raises the quality instead of just
producing more paper.
Over the years, HCL has developed a step-by-step approach to
computer system validation - 21 CFR Part 11 compliance. This stepby-step procedure adheres to the FDA rules to meet Part 11
requirements and to ensure the electronic records and electronic
signatures are trustworthy, reliable and compatible with the FDAs
public health responsibilities.
20

June 2012
References
Code of Federal Regulations, Title 21, Food and Drugs, Part 11

Electronic Records; Electronic Signatures
L. Huber, Validation of Computerized Analytical and Networked

Systems
FDA Guidance for Industry Part 11, Electronic Records;

Electronic Signatures Scope and Applications
L. Huber, Risk-Based Validation of Commercial Off-the-Shelf

Computer Systems
Author Info
Kannan Palaniappan Kannan has over
10 years of experience in new product
design and development on electromechanical products, including three and
a half years of medical product design.
He has worked in cryoablation system
design
and
development,
and
orthopedics instrument and sterilization
unit system development.
Prasanna Kumar Thirunavukkarasu

Prasanna has over eight years of
experience in new product design and
development
on
electro-mechanical
products that includes over a year in
medical product design. He has worked
in design and development of energybased devices and orthopedic implants
and instruments.
21
Hello, Im from HCLs Engineering and R&D Services. We enable

technology led organizations to go to market with innovative products
and solutions. We partner with our customers in building world class
products and creating associated solution delivery ecosystems to help
bring market leadership. We develop engineering products, solutions
and platforms across Aerospace and Defense, Automotive, Consumer
Electronics, Software, Online, Industrial Manufacturing, Medical
Devices, Networking & Telecom, Office Automation, Semiconductor
and Servers & Storage for our customers.
For more details contact eootb@hcl.com
Follow us on twitter: http://twitter.com/hclers
Visit our blog: http://ers.hclblogs.com/
Visit our website: http://www.hcltech.com/engineering-services/
About HCL
About HCL Technologies
HCL Technologies is a leading global IT services company, working
with clients in the areas that impact and redefine the core of their
businesses. Since its inception into the global landscape after its IPO in
1999, HCL focuses on transformational outsourcing, underlined by
innovation and value creation, and offers integrated portfolio of services
including software-led IT solutions, remote infrastructure management,
engineering and R&D services and BPO. HCL leverages its extensive
global offshore infrastructure and network of offices in 26 countries to
provide holistic, multi-service delivery in key industry verticals including
Financial Services, Manufacturing, Consumer Services, Public Services
and Healthcare. HCL takes pride in its philosophy of 'Employees First,
Customers Second' which empowers our 83,076 transformers to create
a real value for the customers. HCL Technologies, along with its
subsidiaries, has reported consolidated revenues of US$ 4 billion (Rs.
19,412 crores), as on TTM ended Mar 31 '12.
For more information, please visit www.hcltech.com
About HCL Enterprise
HCL is a $6.2 billion leading global technology and IT enterprise
comprising two companies listed in India - HCL Technologies and HCL
Infosystems. Founded in 1976, HCL is one of India's original IT garage
start-ups. A pioneer of modern computing, HCL is a global
transformational enterprise today. Its range of offerings includes
product engineering, custom & package applications, BPO, IT
infrastructure services, IT hardware, systems integration, and
distribution of information and communications technology (ICT)
products across a wide range of focused industry verticals. The HCL
team consists of over 90,000 professionals of diverse nationalities, who
operate from 31 countries including over 500 points of presence in
India. HCL has partnerships with several leading global 1000 firms,
including leading IT and technology firms.
For more information, please visit www.hcl.com

The Fdafin PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

The Fdafin PDF

Încărcat de

Drepturi de autor:

Formate disponibile

The FDA's New Enforcement of

21 CFR Part 11 Compliance

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

Required by regulations US FDA, EMA, GMP, GCP, GLP

Ensures consistent data and product quality

Helps to protect intellectual property through scientifically

In 1997, the United States Food and Drug Administration (FDA)

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

Good Laboratory Practices

Good Clinical Practices

GLP+GCP+GMP = Predicate Rules

European Medicines Agency

User Requirement Specification

Pharmaceutical Inspection Convention/Cooperation Scheme

Code of Federal Regulations

Good Manufacturing Practices

(Automated Good Manufacturing Practices)

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

FDA Regulation Along the Drug Life

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

Data integrity and

Part 11 is a regulation to promote public safety through an

To begin the move to compliance, a Part 11 gap assessment

Failure to comply can lead to denial of a New Drug

Steps for attaining initial compliance to Part 11 have been

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

Modules/Steps Involved in the Validation Process

Steps for cost-effective computer system validation

Initial and ongoing tests of software and computer systems

Minimum validation documentation inspectors want to see

Qualification of network infrastructure and validation of

Understanding the spirit and basics of the FDA Part 11 and

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

Regulation and quality

Validation of master plan

Validation approach lifecycle models

Module 1: Regulatory Requirements

Computer system validation

Regulation and quality standards

Validation master plan

Validation approach lifecycle models

Computer System Validation

Computer systems used to create, modify, and maintain electronic

Regulation and Quality Standards

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

GLP (Good Laboratory Practices)

GCP (Good Clinical Practices)

GMP (Good Manufacturing Practices)

AGMP (Automated Good Manufacturing Practices)

FDAs 21 CFR Part 11/EU Annex 11 (electronic records and

(Automated) equipment should be suitable for its intended use

Equipment should be routinely checked

Validation Master Plan

Validation Approach Lifecycle Models

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

The FDAs New Enforcement of 21 CFR Part 11 Compliance (An Overview)

Steps to achieve cost

Form a project team

Document the user

In this document, the FDA promoted the concept of risk-based

Defined Actions for Risk Categories: