21 CFR Part 11
By Orlando López
askaboutValidation.com
Connecting the Life Sciences
An Easy to Understand Guide
21 CFR Part 11
All rights reserved. No part of the content or the design of this book may be
reproduced or transmitted in any form or by any means without the express
written permission of Premier Validation.
The advice and guidelines in this book are based on the experience of the
authors, after more than a decade in the Life Science industry, and as such are
either a direct reflection of the "predicate rules" (the legislation governing
the industry) or best practices used within the industry. The author takes
no responsibility for how this advice is implemented.
ISBN 978-1-908084-01-9
Hey there,
If you've decided to invest some time in reading this book, I am making the
assumption that you are pretty tired of wading through the regulations
developed by the FDA that were designed to confuse the hell out of
everyone!
This may sound quite dramatic, but how many people out there can really
say that they fully understand the 21 CFR Part 11 regulations? I know many
people claim to know what they are talking about, but why trust someone
when you can use this book to bring clarity to the regulations in seconds?
We are confident that if you use this book as a reference guide the next time you
are testing a system for Part 11 compliance, it will make the project so much
easier. Of course, if you need to refer to the FDA website to check each
regulation, feel free, but if you need each one explained in plain English, this is
the book for you.
So I think it's pretty clear, you've just purchased the 21 CFR Part 11 bible.
Enjoy!
Notes of Rights
All rights reserved. No part of this book may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the
prior written permission of the copyright holder, except in the case of brief
quotations embedded in critical articles or reviews.
Notes of Liability
The author and publisher have made every effort to ensure the accuracy of
the information herein. However, the information contained in this book is
sold without warranty, either express or implied. Neither the authors and
Premier Validation Ltd nor its dealers or distributors will be held liable for
any damages caused either directly or indirectly by the instructions
contained in this book.
E-Signatures
· E-sig Written Policies
· Authentication and non-repudiation
· Methods of Authentication
· E-sig Certification
Audit Trails
· Audit Trails
· Sample Regulatory Action
E-Records
· Record Retention
· Records Archiving
· Record Copying
· Sample Regulatory Action
An Easy to Understand Guide | 21 CFR Part 11
What is 21 CFR Part 11?
History of 21 CFR Part 11
In August 2003, the FDA published FDA Guidance for Industry Part 11,
Electronic Records; Electronic Signatures — Scope and Application, which
describes how Part 11 should be implemented and how the FDA would
enforce the regulation. This guidance acknowledged that the need for
security measures was not the same for every piece of electronic
information. It also introduced the concept of risk analysis and promoted
the formal process of risk assessment to determine appropriate security
measures.
The regulation has never been fully enforced, but in 2011 the FDA will
begin conducting audits to ensure understanding of and compliance with
Part 11 as an element of routine quality inspections.
The FDA also intends to begin rulemaking to revise Part 11 to provide
further clarifications and adjustments consistent with the principles and
enforcement policies described in the August 2003 guidance document.
Benefits
In its quest to protect public health, Part 11 ensures that companies are
using good software and systems engineering practices as they pertain to the
use of electronic technology.
E-Signatures and E-Records Explained
The Regulation
E-Records
Sample Regulatory Action
E-Records not impacted by Part 11
E-Signatures
E-Signatures not impacted by Part 11
Enforcement
THE REGULATION
Note: A legacy system is a computer system already in operation before the effective
date of Part 11 (August 1997). The term "grandfathering" means that, even though the
regulation came into effect in August 1997, the regulation is applicable to
legacy systems. The FDA's actual interpretation of Part 11 means there is
no grandfathering of legacy systems.
The contents of Part 11 are as follows:
11.1 Scope.
11.2 Implementation.
11.3 Definitions.
Subpart B - Electronic Records
E-Recs
The FDA recommends that, for each record in your
organization required to be maintained under the applicable
regulation, you should determine in advance whether it will be
an e-rec or paper record and this should be documented in a
Standard Operating Procedure (SOP) or specification
document.
E-Recs not impacted by Part 11
FDA considers Part 11 not to be applicable to:
E-Sigs
· Handwritten signatures;
· Handwritten Initials;
· Other general signings required by the applicable regulations
impacting a computer system.
For example, CFR 820.30 (d) (Design Output) requires approval, via date
and signature, of the design output. If data in design output files are kept
electronically, the files can be signed electronically.
Enforcement
General Rules of System Access
System Access to Authorized Individuals
Sample Regulatory Action
Operational System Checks
Electronic Signatures
Multi-signing
Unauthorized use of user IDs and passwords
Automatic log out
Signature/record linkage
Validating Operational Checks
Authority Checks
Sample Regulatory Action
Device Checks
Qualifications of Electronic Systems
Developers and Users
System Access to Authorized Individuals
· The system not allow an individual to log into the system to provide
another person access to the system;
· Passwords or other access keys be changed at established intervals
commensurate with a documented risk assessment;
· When leaving a workstation, users should log off the system.
Alternatively, an automatic log off may be appropriate for long idle
periods;
· For short periods of inactivity, an automatic protection (for
example, an automatic screen saver) be installed against
unauthorized data entry.
Operational System Checks
E-sigs
· Signature;
· Printed name of the signer;
· Date and time of signing;
· Meaning associated with the signing.
Multi-Signing
When someone signs one or more records but not during a single,
continuous period of controlled system access, each signing must be
executed as follows:
One signature can apply to multiple data entries on a screen as long as the
items the signature applies to are indicated clearly.
Unauthorized use of user IDs and Passwords
Automatic log out
The application must be able to detect when a workstation experiences
a long idle period and automatically log a user out.
Signature/record linkage
Signature/record linkage can be achieved by linking a user ID obtained
from a secure password file to the record. It must not be possible to remove,
copy, change, or transfer signatures. The signer's full name doesn't have to be
embedded in the record itself; the name field can point to a file containing
the full name of the signer.
The link must be retained for as long as the record is kept, just as a
handwritten signature stays with the paper. Although a user ID/password
can be removed from a current user database, it must still be retained in an
archive to maintain the signature and record linkage.
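One way to implement the linkage described above, as an added example that is not from the book: a signature manifest bound to a SHA-256 digest of the record and protected with an HMAC, with the signer's name resolved through a user ID. The key, the user directories, and all field and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a system-held secret protects signature manifests. A real
# deployment would keep it in an HSM/KMS; this value is a constructed sample.
SYSTEM_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample directories: user_id -> printed name.
ACTIVE_USERS = {"u1001": "Maria Ortiz"}
ARCHIVED_USERS = {"u0417": "Daniel Reyes"}  # account removed, identity retained


def _mac(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SYSTEM_KEY, canonical, hashlib.sha256).hexdigest()


def sign_record(record: bytes, user_id: str, meaning: str, signed_at: str) -> dict:
    """Create a signature manifest bound to this exact record content."""
    if user_id not in ACTIVE_USERS:
        raise PermissionError("only active users may sign")
    fields = {
        "user_id": user_id,        # pointer to the name, not the name itself
        "meaning": meaning,        # e.g. review, approval
        "signed_at": signed_at,    # date and time of signing
        "record_sha256": hashlib.sha256(record).hexdigest(),
    }
    return {**fields, "mac": _mac(fields)}


def printed_name(user_id: str) -> str:
    """Resolve the signer's full name, falling back to the archive."""
    name = ACTIVE_USERS.get(user_id) or ARCHIVED_USERS.get(user_id)
    if name is None:
        raise LookupError(f"signature/record link broken for {user_id}")
    return name


def retire_user(user_id: str) -> None:
    """Remove an account from the live directory but keep the identity archived."""
    ARCHIVED_USERS[user_id] = ACTIVE_USERS.pop(user_id)


def verify(record: bytes, sig: dict) -> str:
    """Return 'ok', or the reason the signature does not belong to the record."""
    fields = {k: v for k, v in sig.items() if k != "mac"}
    if not hmac.compare_digest(sig.get("mac", ""), _mac(fields)):
        return "signature fields altered"
    if fields["record_sha256"] != hashlib.sha256(record).hexdigest():
        return "record changed or signature transferred"
    printed_name(fields["user_id"])  # raises if the identity was not retained
    return "ok"
```

A signature copied onto a different record fails the digest check, and a signature from a retired user still verifies because the identity is kept in the archive.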
Authority Checks
Sample Regulatory Action
Device Checks
Qualifications of Electronic Systems Developers and Users
Training conducted online must be performed in a controlled (secure)
environment to ensure that production systems and data are not adversely
impacted.
E-Signatures
E-sig Written Policies
Authentication and non-repudiation
Methods of Authentication
E-sig Certification
E-sig Written Policies
Authentication and non-repudiation
Access control usually requires that the system be able to identify and
differentiate among users and is based on “least privilege,” which refers to
granting users only those functions required to perform their duties.
Methods of Authentication
E-sig certification
The FDA requires organizations to certify that the e-sigs used (on or
after August 20, 1997) in its systems are a legally binding equivalent of
traditional handwritten signatures. Instead of individual certifications,
usually one certification is submitted by the organization representing all
employees. All employees must be trained regarding the meaning of this
certification to the FDA.
Documentation and Regulatory Controls
System Documentation Control
Sample Regulatory Action
System Documentation Control
· Printed material;
· E-recs such as computer files, storage media, or film.
Sample Regulatory Action
An inspection for compliance at a device manufacturer revealed that
there was no documentation associated with the electronic data that
collected analytical results.
The Difference between Open and Closed Systems
Open System Controls
Closed System Controls
Open System Controls
The FDA intends to enforce two controls for open systems:
· Document encryption;
· Digital signature standards.
Because the authenticity, integrity, and confidentiality of records are
threatened not only by improper access but also by the interception of information
during electronic transmission, it’s recommended that encryption be
implemented for transmission of e-recs over open systems. Digital
signatures, if properly implemented and used, offer promising solutions to
the integrity of e-recs and open systems because they retain a high degree of
information security.
Closed System Controls
According to the regulations, closed systems are environments in which
system access is controlled by persons who are responsible for the content
of electronic records that are on the system. Controls associated with closed
systems are defined in 21 CFR Part 11.10.
· Systems Validation;
· The ability to reproduce the e-rec in human readable form
throughout the retention period;
· Permitting access to only authorized personnel;
· Audit trails are maintained showing date/time stamps against any
operations performed on the e-rec (such as creation, modification
or deletion of e-recs);
· Operational checks.
Computer System Validation
Computer Systems Validation
The validation process must also take into account risk and the
potential of the system to affect product quality and safety.
After demonstrating the system suitability to system requirements and
regulations, an on-going monitoring program maintains the system in a
“validated” state.
For example:
- Medicines and Healthcare products Regulatory Agency (MHRA) (UK).
- IEEE.
- EU PIC/S PI 011-3.
- 21 CFR 211.68.
- 21 CFR 820.30(g).
- 21 CFR 820.70(i).
- 21 CFR §11.10(a).
- Q7A Good Manufacturing Practice Guidance for Active Pharmaceutical Ingredients.
Elements to Successful Validation
Validation Documentation
Audit Trails
Audit Trails
Sample Regulatory Action
Audit Trails
Additionally, the date and time attached to the audit trail and to the
e-signature should be:
E-Records
Record Retention
Records Archiving
Record Copying
Sample Regulatory Action
Record Retention
Records Archiving
· Older data that is still important and necessary for future reference;
· Data that must be retained for regulatory compliance;
· Content and meaning of the records.
· Archived records should be checked for accessibility, accuracy, and
completeness by methods appropriate to the format;
· For e-recs, if changes are proposed to the computer equipment or
its programs, the above mentioned checks should be performed at
a frequency appropriate to the storage medium being used;
· Where e-recs are accurately and completely transcribed from the
obsolete system to another, it may not be necessary to maintain the
obsolete system. Documentation is to be maintained and available
for systems that were retired;
· Archived e-recs should be protected by backing them up at regular
intervals. Backups of archived e-recs should be stored as long as
required by the retention schedule at a separate and secure
location.
Record Copying
The FDA recommends that the copying process used to produce copies
preserves the content and meaning of the e-rec. The copy process may use
common portable formats; for consistency, consider automated
conversion or export methods.
Hybrid & Legacy Systems
Hybrid System
Legacy System
Summary
Appendix A
Appendix B
Hybrid Systems
Legacy Systems
A legacy system is a computer system already in operation before the
effective date of Part 11 (August 1997). A legacy system must:
If a legacy system was modified after August 1997 and the
modifications excluded the system from meeting regulatory requirements
applicable to the system, Part 11 controls should be applied to Part 11
records and signatures pursuant to the enforcement policy expressed in the
August 2003 guidance document.
Summary
More than 13 years after the inception of Part 11, the FDA is ready to fully
enforce it. The most critical activity a company can undertake is to identify and
define the records and/or signatures impacted by the applicable regulation.
Risk assessment is fundamental in determining the impact on product
quality and safety in the implementation of these technologies.
Appendix A; References
· FDA, “Part 11, Electronic Records; Electronic Signatures — Scope
and Application,” August 2003,
(http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm).
· FDA, “Pharmaceutical cGMPS for the 21st Century — A Risk-Based
Approach: Second Progress Report and Implementation Plan,”
(http://www.fda.gov/Drugs/DevelopmentApprovalProcess/Manufacturing/QuestionsandAnswersonCurrentGoodManufacturingPracticescGMPforDrugs/UCM071836).
· J. Andrew (Editor), “Validating Pharmaceutical Systems – Good
Computer Practice in Life Science Manufacturing,” Sue Horwood
Publishing, 2005, (www.crcpress.com).
· MetricStream, 21 CFR Part 11 Compliance Roadmap,
(http://www.metricstream.com/insights/21CFR_Part11.htm).
· O. López, “Implementing Applications Compliant with 21 CFR Part
11,” Pharmaceutical Technology, March 2000.
· O. López, “21 CFR Part 11 - A Complete Guide to International
Compliance,” published by Sue Horwood Publishing Limited,
(www.crcpress.com).
· O. López, “Computer Systems Validation,” Encyclopedia of
Pharmaceutical Technology, ISBN: 0-8247-2826-2, Marcel Dekker,
Inc.
· O. López, “FDA Regulations of Computer Systems in Drugs
Manufacturing – 13 Years Later,” Pharmaceutical Engineering,
May/June 2001.
· O. López, “Overview of Technologies Supporting Security
Requirements in 21 CFR Part 11,” Pharmaceutical Technology,
February (Part I) and March (Part II) 2002.
· Pharmaceutical Inspection Convention PIC/S Guidance, “Good
Practices for Computerised Systems in Regulated “GxP”
Environments”, PI 011-3, September 2007.
Appendix B; Correlation between Part 11 and Annex 11
211.68 21 CFR Part 11 Annex 11
21 CFR Part 11 Quiz
2. What are the two main components concerned with the 21 CFR Part 11
Ruling?
4. Computer systems are suitably equipped to deal with, manage and store
electronic records and signatures; as long as this information is
retrievable, it is sufficient in its native form. True or False?
6. The FDA intends to enforce specific Part 11 provisions. List 3 of these
enforcement provisions.
8. What year was Title 21 CFR Part 11 first issued by FDA to Industry?
10. Why does 21 CFR Part 11 control record retention periods for electronic
records?
Answer
1. Part 11, as it’s commonly called, defines the criteria under which
electronic records and electronic signatures are considered to be
accurate, authentic, trustworthy, reliable, confidential, and equivalent
to paper records and handwritten signatures on paper. Currently, the
scope of this regulation is all FDA program areas.
6. Any of the following 3:
· System access to authorized individuals;
· Operational system checks;
· Authority checks;
· Device checks;
· Qualifications of electronic systems developers and users;
· E-sig written policies;
· System documentation control;
· Open system control;
· E-sig requirements.
10. Title 21 CFR Part 11 does not control record retention periods for
electronic records; record retention is controlled by the predicate rules.