21 CFR Part 11, FDA Guidance for Electronic Records and Signatures Using a Computer System Regulated by FDA - PowerPoint PPT Presentation

Description:

The webinar will ensure that the electronic record/electronic signature (ER/ES) capability built into FDA-regulated computer systems complies with 21 CFR Part 11. This includes developing a company philosophy and approach, incorporating it into the overall computer system validation program, and plans for individual systems with this capability.

Date added: 21 August 2024
Slides: 25
Provided by: confpanel5

Transcript and Presenter's Notes

1
21 CFR Part 11 (Electronic Records/Signatures)
Compliance for Computer Systems Regulated by FDA
Carolyn Troiano
2
AGENDA
  • GxP Computer Systems
  • Regulatory Oversight
  • 21 CFR Part 11 Overview
  • 21 CFR Part 11 Compliance
  • Data Integrity
  • Computer System Validation (CSV)
  • Computer Software Assurance (CSA)
  • CSV vs. CSA
  • Validation Planning

3
AGENDA (continued)
  • Requirements
  • Testing
  • Requirements Traceability Matrix (RTM)
  • Other Documentation
  • Maintenance and Support
  • Operational Readiness
  • Vendor Audit
  • Industry Best Practices
  • QA

4
GxP Computer Systems (continued)
  • GxP is defined as Good-variable-Practice,
    based on FDA Predicate Rules
  • GMP: Good Manufacturing Practices
  • GLP: Good Laboratory Practices
  • GCP: Good Clinical Practices

5
Regulatory Oversight
  • The FDA operates on two key premises:
  1. If you didn't document it, you didn't do it
  2. If you could have committed fraud, you did commit
    fraud

6
Part 11 Overview
  • Definitions
  • Electronic Record: Any combination of text,
    graphics, data, audio, or pictorial information
    represented in digital form that is created,
    modified, maintained, archived, retrieved or
    distributed by a computer
  • Electronic Signature: A compilation of any
    symbol(s) executed to be the legally binding
    equivalent of an individual's handwritten
    signature

7
Part 11 Overview (continued)
  • Handwritten Signature: Scripted name/legal
    mark of individual, handwritten and executed/
    adopted with intent to authenticate writing
    in permanent form
  • Digital Signature: Electronic signature based
    upon cryptographic methods of originator
    authentication (e.g., set of rules, set of
    parameters) such that identity of signer and
    integrity of data can be verified

8
Part 11 Overview (continued)
  • Part 11 is a law that ensures organizations
    define the criteria under which ER/ES are
    considered to be:
  • Accurate
  • Secure
  • Authentic
  • Trustworthy
  • Reliable
  • Confidential, and
  • Equivalent to paper records and handwritten
    signatures on paper

9
Part 11 Compliance (continued)
  • Key Takeaways
  • Quality and Compliance built into everyday
    programs leads to inspection readiness
  • Think about how you treat compliance with paper
    systems before taking action with ER/ES
  • Software instrumentation/equipment vendors
    cannot sell Part 11 Compliant products

10
Data Integrity
  • Areas at most risk during the inspection include:
  • Security and Access
  • Testing and Validation
  • Training and Expertise
  • Documentation

11
Data Integrity (continued)
  • Security and Access
  • Recent FDA findings have pointed to more lax
    practices in companies when it comes to security
    and access
  • Sharing of user names, passwords, accounts
  • Lack of rigor in ER/ES security
  • Users given greater access than needed/
    appropriate
  • Change control/audit trails compromised
  • Segregation of duties not ensured or clear

12
Data Integrity (continued)
  • Testing and Validation
  • Lack of validation for GxP systems
  • Insufficient validation for GxP systems
  • Documentation lacking
  • Testing insufficient (no negative scenarios, no
    challenge of boundaries or stresses)
  • Inability to trace requirements to design test
    scripts (Requirements Traceability Matrix, RTM)
  • Standard operating procedures (SOPs) not updated

13
Data Integrity (continued)
  • Training and Expertise
  • Training not mandatory/requirement not enforced
  • Support staff not trained in compliance
  • Users lack training; may use old systems,
    resulting in confusion as to system-of-record
    data for decision making
  • Internal auditors not fluent in validation
    process or the systems; cannot serve organization
    effectively
  • Training records and/or CVs not maintained as
    current, or do not reflect skills/expertise
    required

14
Data Integrity (continued)
  • Documentation
  • No documented risk assessment
  • No list of systems/applications (prioritized by
    risk)
  • Insufficient testing documentation
  • Not following GxP requirements for documentation
    of CSV activities
  • Incomplete or inadequate training records

15
Data Integrity (continued)
  • What is Data Integrity?
  • Data integrity - requirements for complete,
    consistent, and accurate data
  • The concept of data integrity underpins GxPs
  • Applies to CGMP and Good Clinical Practice (ICH
    E6)
  • Data should be ALCOA

16
Data Integrity (continued)
  • Must address the ALCOA components for Data
    Integrity
  • ATTRIBUTABLE
  • LEGIBLE
  • CONTEMPORANEOUS
  • ORIGINAL or TRUE COPY
  • ACCURATE

17
Data Integrity (continued)
  • Must address the ALCOA components for Data
    Integrity
  • ATTRIBUTABLE
  • LEGIBLE
  • CONTEMPORANEOUS
  • ORIGINAL or TRUE COPY
  • ACCURATE
  • PLUS
  • Complete
  • Consistent
  • Enduring
  • Available

18
Computer System Validation (CSV)
  • The FDA Guidance for Computer System Validation
    (CSV), also known as the FDA Blue Book, was
    issued in 1983
  • CSV:
  • is the process of assuring that a system does
    what it purports to do, and has been thoroughly
    tested and validated in order to prove this
  • is based on the standard System Development Life
    Cycle (SDLC) methodology for computer systems

Key Takeaway: CSV ensures the system remains in a
validated state
19
Computer Software Assurance (CSA)
  • The document-centric waterfall methodology of CSV
    proved a hindrance to efficient software
    development, test and release requirements
  • Many companies have been reluctant to pivot from
    the document heavy approach, which works for
    them, but prevents forward progress in terms of
    using modern technology
  • FDA promotes a shift from Computer System
    Validation (CSV) to Computer Software Assurance
    (CSA)

20
Validation Plan
  • A strategic approach should be applied
  • Is there an overall company approach?
  • What rationale will be used to prove the system
    is fully tested?
  • Who will be involved in the validation process?
  • How will the documentation/approvals be
    completed?
  • How will training be incorporated into the
    project?
  • How will organizational change management be
    done?
  • Who will create/update Policies/Procedures?
  • How will the system be maintained in a validated
    state through its life?

21
Validation Plan (continued)
  • Develop a Validation Approach/Rationale to
    address the type and level of testing that will
    be required
  • System Size
  • System Complexity
  • System Business Criticality
  • GAMP5 System Category
  • System Risk Assessment

Document in the Computer System Validation (CSV)
Plan
22
Testing
  • Testing is one of the most critical steps
    required before placing a system in production
  • Installation Qualification (IQ) should be
    performed on hardware, operating software and
    applications
  • Operational Qualification (OQ) should be
    performed on any code (unit and integration
    testing)
  • Performance Qualification (PQ) should be specific
    to the way the system will be used and must be
    executed by users

23
Industry Best Practices
  • Laboratory with results approved online, but
    decision based on notebook data/record is fraud;
    all decisions should be made from the defined
    system of record
  • Sharing of user ids and passwords should be
    controlled technically and/or procedurally, along
    with appropriate training
  • Use of mobile devices should be controlled from
    security and asset tracking perspectives
  • Sites located globally with time
    differences/issues should be managed properly and
    time synchronized to Meridian or standard time

24
Register Now