Title: 21 CFR Part 11, FDA Guidance for Electronic Records and Signatures Using a Computer System Regulated by FDA
21 CFR Part 11 (Electronic Records/Signatures)
Compliance for Computer Systems Regulated by FDA
Carolyn Troiano
AGENDA
- GxP Computer Systems
- Regulatory Oversight
- 21 CFR Part 11 Overview
- 21 CFR Part 11 Compliance
- Data Integrity
- Computer System Validation (CSV)
- Computer Software Assurance (CSA)
- CSV vs. CSA
- Validation Planning
AGENDA (continued)
- Requirements
- Testing
- Requirements Traceability Matrix (RTM)
- Other Documentation
- Maintenance and Support
- Operational Readiness
- Vendor Audit
- Industry Best Practices
- QA
GxP Computer Systems (continued)
- GxP is defined as "Good x Practice", where x varies with the discipline; the GxPs are based on the FDA Predicate Rules:
  - GMP: Good Manufacturing Practices
  - GLP: Good Laboratory Practices
  - GCP: Good Clinical Practices
Regulatory Oversight
- The FDA operates on two key premises:
  - If you didn't document it, you didn't do it
  - If you could have committed fraud, you did commit fraud
Part 11 Overview
- Definitions
  - Electronic Record: Any combination of text, graphics, data, audio, or pictorial information represented in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer
  - Electronic Signature: A compilation of any symbol(s) executed to be the legally binding equivalent of an individual's handwritten signature
Part 11 Overview (continued)
  - Handwritten Signature: Scripted name or legal mark of an individual, handwritten and executed/adopted with the intent to authenticate a writing in permanent form
  - Digital Signature: Electronic signature based upon cryptographic methods of originator authentication (e.g., a set of rules and a set of parameters) such that the identity of the signer and the integrity of the data can be verified
Part 11 Overview (continued)
- Part 11 is a law that ensures organizations define the criteria under which ER/ES are considered to be:
  - Accurate
  - Secure
  - Authentic
  - Trustworthy
  - Reliable
  - Confidential, and
  - Equivalent to paper records and handwritten signatures on paper
Part 11 Compliance (continued)
- Key Takeaways
  - Quality and compliance built into everyday programs lead to inspection readiness
  - Think about how you treat compliance with paper systems before taking action with ER/ES
  - Software, instrumentation and equipment vendors cannot sell "Part 11 compliant" products; compliance comes from how the organization implements, validates and uses the product
Data Integrity
- Areas at most risk during an inspection include:
  - Security and Access
  - Testing and Validation
  - Training and Expertise
  - Documentation
Data Integrity (continued)
- Security and Access
  - Recent FDA findings have pointed to lax practices in companies when it comes to security and access:
    - Sharing of user names, passwords and accounts
    - Lack of rigor in ER/ES security
    - Users given greater access than needed/appropriate
    - Change control/audit trails compromised
    - Segregation of duties not ensured or not clear
Data Integrity (continued)
- Testing and Validation
  - Lack of validation for GxP systems
  - Insufficient validation for GxP systems
  - Documentation lacking
  - Testing insufficient (no negative scenarios, no challenge of boundaries or stresses)
  - Inability to trace requirements to design and test scripts (no Requirements Traceability Matrix, RTM)
  - Standard operating procedures (SOPs) not updated
Data Integrity (continued)
- Training and Expertise
  - Training not mandatory, or the requirement not enforced
  - Support staff not trained in compliance
  - Users lacking training may keep using old systems, resulting in confusion as to which system of record supplies the data for decision making
  - Internal auditors who are not fluent in the validation process or the systems cannot serve the organization effectively
  - Training records and/or CVs not maintained as current, or not reflecting the skills/expertise required
Data Integrity (continued)
- Documentation
  - No documented risk assessment
  - No list of systems/applications prioritized by risk
  - Insufficient testing documentation
  - Not following GxP requirements for documentation of CSV activities
  - Incomplete or inadequate training records
Data Integrity (continued)
- What is Data Integrity?
  - Data integrity: the requirements for complete, consistent, and accurate data
  - The concept of data integrity underpins the GxPs
  - Applies to CGMP and Good Clinical Practice (ICH E6)
  - Data should be ALCOA
Data Integrity (continued)
- Must address the ALCOA components for Data Integrity:
  - ATTRIBUTABLE
  - LEGIBLE
  - CONTEMPORANEOUS
  - ORIGINAL or TRUE COPY
  - ACCURATE
- PLUS (ALCOA+):
  - Complete
  - Consistent
  - Enduring
  - Available
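The ALCOA/ALCOA+ attributes above, together with the Security and Access findings earlier (compromised audit trails, unclear segregation of duties), can be made concrete in code. The following Python example is added here and is not part of the presentation or any product: it implements a small append-only audit trail in which every entry is attributable to a named user, carries a contemporaneous UTC timestamp, is never edited in place, and is chained by a SHA-256 hash to the previous entry so that a silent edit or deletion is detected by `verify()`. The `approve()` step rejects an approval by the person who authored the change. The field names, the hash-chain design, the user ids and the batch record are assumptions chosen for illustration.

```python
"""Tamper-evident, ALCOA-style audit trail (constructed example, not the presenter's code).

Attributable: user_id is mandatory.  Contemporaneous: timestamp taken at write time, stored in UTC.
Original: entries are appended, never edited.  Accurate/Enduring: each entry's hash covers its own
content plus the previous hash, so any in-place change or removal breaks the chain.
"""
import hashlib
import json
from datetime import datetime, timezone


class AuditTrailError(Exception):
    """Raised when an entry would violate an ALCOA or segregation-of-duties rule."""


GENESIS_HASH = "0" * 64  # prev_hash of the very first entry (assumed convention)


class AuditTrail:
    def __init__(self):
        self._entries = []  # append-only list; never reassigned or edited in place

    @staticmethod
    def _digest(entry):
        # Canonical JSON of every field except the hash itself, so the digest is reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, user_id, action, record_id, new_value, reason, when=None):
        """Add one entry and return its 1-based sequence number."""
        if not user_id:
            raise AuditTrailError("entry must be attributable to a named user")
        if not reason:
            raise AuditTrailError("a reason for change is required")
        ts = when or datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise AuditTrailError("timestamp must carry a timezone; store UTC")
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp_utc": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "user_id": user_id,
            "action": action,
            "record_id": record_id,
            "new_value": new_value,
            "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS_HASH,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def approve(self, record_id, approver, reason="reviewed and approved"):
        """Record an approval; whoever last created/modified the record may not approve it."""
        last = next((e for e in reversed(self._entries)
                     if e["record_id"] == record_id and e["action"] in ("create", "modify")), None)
        if last is None:
            raise AuditTrailError(f"no entry to approve for {record_id}")
        if last["user_id"] == approver:
            raise AuditTrailError("segregation of duties: author cannot approve own change")
        return self.append(approver, "approve", record_id, None, reason)

    def verify(self):
        """Walk the chain. Returns (True, number_of_entries) or (False, seq_of_first_bad_entry)."""
        prev = GENESIS_HASH
        for expected_seq, e in enumerate(self._entries, start=1):
            if e["seq"] != expected_seq or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False, expected_seq
            prev = e["hash"]
        return True, len(self._entries)

    def entries(self):
        """Read-only view: copies, so a reader cannot alter the stored originals."""
        return [dict(e) for e in self._entries]


def demo():
    """Constructed scenario: a batch result entered by one analyst and approved by another."""
    trail = AuditTrail()
    trail.append("analyst.jdoe", "create", "BATCH-0042", {"yield_pct": 98.2}, "initial result entry")
    trail.append("analyst.jdoe", "modify", "BATCH-0042", {"yield_pct": 98.4}, "transcription error corrected")
    trail.approve("BATCH-0042", "supervisor.asmith")
    return trail


if __name__ == "__main__":
    t = demo()
    print("chain intact:", t.verify())
    # An in-place change to the original result is exactly what the chain must expose.
    t._entries[0]["new_value"] = {"yield_pct": 99.9}
    print("after in-place edit:", t.verify())
```

In a real system the trail would live in storage the application user cannot write to directly (a database table with insert-only grants, or a write-once log), and the UTC timestamp would come from a synchronized clock; the hash chain is what lets an inspector or a periodic job confirm that what is shown is the original record.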
Computer System Validation (CSV)
- The FDA Guidance for Computer System Validation (CSV), also known as the FDA Blue Book, was issued in 1983
- CSV:
  - is the process of assuring that a system does what it purports to do, and has been thoroughly tested and validated in order to prove this
  - is based on the standard System Development Life Cycle (SDLC) methodology for computer systems
- Key Takeaway: CSV ensures the system remains in a validated state
Computer Software Assurance (CSA)
- The document-centric waterfall methodology of CSV proved a hindrance to efficient software development, test and release requirements
- Many companies have been reluctant to pivot from the document-heavy approach, which works for them but prevents forward progress in terms of using modern technology
- FDA promotes a shift from Computer System Validation (CSV) to Computer Software Assurance (CSA)
Validation Plan
- A strategic approach should be applied:
  - Is there an overall company approach?
  - What rationale will be used to prove the system is fully tested?
  - Who will be involved in the validation process?
  - How will the documentation/approvals be completed?
  - How will training be incorporated into the project?
  - How will organizational change management be done?
  - Who will create/update policies and procedures?
  - How will the system be maintained in a validated state throughout its life?
Validation Plan (continued)
- Develop a validation approach/rationale to address the type and level of testing that will be required, based on:
  - System size
  - System complexity
  - System business criticality
  - GAMP5 system category
  - System risk assessment
- Document it in the Computer System Validation (CSV) Plan
Testing
- Testing is one of the most critical steps required before placing a system in production
  - Installation Qualification (IQ) should be performed on hardware, operating software and applications
  - Operational Qualification (OQ) should be performed on any code (unit and integration testing)
  - Performance Qualification (PQ) should be specific to the way the system will be used and must be executed by users
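The IQ/OQ/PQ testing above only proves the system if every requirement can be traced to the test scripts that exercise it, which is the gap the Requirements Traceability Matrix (RTM) finding earlier describes. The following Python example is added here and is not part of the presentation: it builds an RTM from a requirement list and a set of test scripts tagged by qualification phase, and reports requirements with no test, high-risk requirements with no negative (failure or boundary) scenario, and test scripts that reference a requirement id that does not exist. The requirement ids, risk scale, test ids and the `negative` flag are assumptions chosen for illustration.

```python
"""Requirements Traceability Matrix (RTM) coverage check (constructed example, not the presenter's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    risk: str  # assumed three-level scale: "high", "medium" or "low"


@dataclass(frozen=True)
class TestScript:
    test_id: str
    phase: str            # qualification phase the script belongs to: "IQ", "OQ" or "PQ"
    requirements: tuple   # requirement ids the script is claimed to cover
    negative: bool = False  # True when the script challenges a failure or boundary case


def build_rtm(requirements, tests):
    """Map each requirement id to the test ids covering it; also collect links to unknown ids."""
    rtm = {r.req_id: [] for r in requirements}
    orphan_links = []
    for t in tests:
        for rid in t.requirements:
            if rid in rtm:
                rtm[rid].append(t.test_id)
            else:
                orphan_links.append((t.test_id, rid))
    return rtm, orphan_links


def coverage_gaps(requirements, tests):
    """Return the findings an inspector would look for in the RTM."""
    rtm, orphan_links = build_rtm(requirements, tests)
    by_id = {t.test_id: t for t in tests}
    untested = sorted(rid for rid, tids in rtm.items() if not tids)
    high_risk_without_negative = sorted(
        r.req_id for r in requirements
        if r.risk == "high" and not any(by_id[tid].negative for tid in rtm[r.req_id])
    )
    return {
        "untested": untested,
        "high_risk_without_negative": high_risk_without_negative,
        "orphan_links": orphan_links,
    }


# Constructed sample data for a small ER/ES application.
REQUIREMENTS = [
    Requirement("REQ-001", "A unique user id and password are required to log in", "high"),
    Requirement("REQ-002", "Every record change is written to the audit trail with who/what/when", "high"),
    Requirement("REQ-003", "Reports can be exported to PDF", "low"),
    Requirement("REQ-004", "Server clock is synchronized to UTC", "medium"),
]

TESTS = [
    TestScript("IQ-01", "IQ", ("REQ-004",)),
    TestScript("OQ-01", "OQ", ("REQ-001",)),
    TestScript("OQ-02", "OQ", ("REQ-001",), negative=True),   # wrong password is rejected
    TestScript("OQ-03", "OQ", ("REQ-002",)),                  # no negative scenario for the audit trail
    TestScript("OQ-04", "OQ", ("REQ-999",)),                  # links to a requirement that does not exist
]


if __name__ == "__main__":
    for name, items in coverage_gaps(REQUIREMENTS, TESTS).items():
        print(f"{name}: {items}")
```

The three lists are the ones that turn into inspection findings: an untested requirement means the rationale for "fully tested" is missing, a high-risk requirement with only happy-path scripts is the "no negative scenarios" finding, and an orphan link means the RTM and the test scripts have drifted apart.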
Industry Best Practices
- A laboratory whose results are approved online but whose decisions are based on the notebook data/record is committing fraud; all decisions should be made from the defined system of record
- Sharing of user ids and passwords should be controlled technically and/or procedurally, along with appropriate training
- Use of mobile devices should be controlled from security and asset-tracking perspectives
- Sites located globally with time differences/issues should be managed properly, with time synchronized to Meridian or standard time