21 CFR Part 11_Final.pdf

Full Transcript

TRANNING MODULE

Module Name : 21 CFR part 11 Compliance

Module No. : QS-024 Version No.: 02

Effective Date : ___________________

______________________ ______________________ ______________________

Prepared By Checked By Approved By

(Concerned Dept.) (Head of Concerned Dept.) (Quality Head)

Date: _________________ Date: _________________ Date: _________________

1
 AGENDA
 Introduction
 Background
 21 CFR Part 11
 Comparison of Annex 11 And Part 11
 Section in 21 CFR Part 11
 Terminology
 Overall Approach to Part 11 Requirements
 Details Of Approach – Scope Of Part 11
 Approach to Specific Part 11 Requirements
 Cross-Reference from Annex 11 to Part 11
 Conclusions

2
 INTRODUCTION
 The relationship between FDA’s Part 11 (21 CFR Part 11) and the European Union’s Annex 11
(EUDRALEX Rules Governing Medicinal Products in the European Union, Volume 4, Good
Manufacturing Practice, Medicinal Products for Human and Veterinary Use) diverges in philosophy. Both
documents cover the same topic, the use of computerized systems in regulated activities. However, the
approach of Part 11 is to make clear there are requirements to be met in order to conform to regulations. The
emphasis is on activities and reporting.
 In contrast, the approach of Annex 11 is to make clear how to conform to its rules. Annex 11 is a detailed
guide to the areas of compliance that need documentation. A significant difference is the approach to risk
management. Annex 11 points to risk assessment as the start of compliance activities. Part 11 differentiates
security for open and closed systems, with extra security measures for open systems but without reference
to risk or criticality.

3
 BACKGROUND
 In March of 1997, FDA issued final part 11 regulations that provide criteria for acceptance by FDA, under
certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to
electronic records as equivalent to paper records and handwritten signatures executed on paper. These
regulations, which apply to all FDA program areas, were intended to permit the widest possible use of
electronic technology, compatible with FDA‘s responsibility to protect the public health.
 After part 11 became effective in August 1997, significant discussions ensued among industry, contractors,
and the Agency concerning the interpretation and implementation of the regulations. FDA has (1) spoken
about part 11 at many conferences and met numerous times with an industry coalition and other interested
parties in an effort to hear more about potential part 11 issues; (2) published a compliance policy guide,
CPG 7153.17: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures; and (3)
published numerous draft guidance documents including the following:
 21 CFR Part 11; Electronic Records; Electronic Signatures, Validation
4
 BACKGROUND
 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of Terms
 21 CFR Part 11; Electronic Records; Electronic Signatures, Time Stamps
 21 CFR Part 11; Electronic Records; Electronic Signatures, Maintenance of Electronic Records
 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records
 Throughout all of these communications, concerns have been raised that some interpretations of the part 11
requirements would (1) unnecessarily restrict the use of electronic technology in a manner that is
inconsistent with FDA's stated intent in issuing the rule, (2) significantly increase the costs of compliance to
an extent that was not contemplated at the time the rule was drafted, and (3) discourage innovation and
technological advances without providing a significant public health benefit. These concerns have been
raised particularly in the areas of part 11 requirements for validation, audit trails, record retention, record
copying, and legacy systems.

5
 What is called “21 CFR 11,” or “FDA 21 CFR Part 11”
 FDA is the acronym for the food and Drug Administration.
 FDA was established to serve and protect the interests of public health.
 CFR stands for Code of Federal Regulations and refers to a document listing United States Federal
Regulations.
 The number "21" actually is short for "Title 21, Chapter I,“ and the number "11," for "Part 11".
 Title 21 concerns the area of Food and Drugs, Chapter I is the section related to FDA, and Part 11 is the
sub-section of this chapter, which focuses on a specific area (i.e., Electronic Records; Electronic
Signatures).
 “Code of Federal Regulations: Food and Drug Administration Title 21, Chapter I, Part 11 - Electronic
Records; Electronic Signatures”.

6
 COMPARISON OF ANNEX 11 AND PART 11
ANNEX 11 PART 11

Computerized systems as part of GMP
Electronic records and electronic
regulated activities.
Scope/Principle signatures as used for all FDA
Application should be validated.
regulated activities.
IT infrastructure should be qualified.

Risk- based quality management of Using electronic records and signatures
Focus
computerized systems. in open and closed computer systems.

Using a computerized system should
Electronic records and signatures should
ensure the same product quality and
Objective be as trustworthy and reliable as paper
quality assurance as manual systems
records and handwritten signatures.
with no increase in the overall risk.

7
 SECTION IN 21 CFR PART 11
ELECTRONIC RECORDS ELECTRONIC SIGNATURE
Secure process values and audit trails (alarms,
All user actions can be configured to require
events, operator actions, log-in/log-out, operator
signing or require signing and authorization
notes, electronic signatures)

Protection of data through binary, compressed and
User specific access according to authority level
check-summed records
Signature element controls unique user signature,
Accurate time stamps are ensured using automatic password expiry, minimum password length,
Time Synchronization to a Known clock source automatic log-off, automatic disabling and
notification of failed login attempts.

Provision for electronically copying data for Ensuring unique users by retiring and not deleting
archive accounts.

Export facility providing viewing of Secure
records in human Readable form.
8
 TERMINOLOGY
 Electronic Records:
Electronic records are "any combination of text, graphics, data, audio, pictorial, or other information
representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a
computer system".
 Closed system:
A closed system is defined as an environment in which system access is controlled by persons who are
responsible for the content of electronic records that are on the system.
 Open system:
An open system means an environment in which system access is not controlled by persons who are
responsible for the content of electronic records that are on the system
 Electronic Signature:
An electronic signature is "a computer data compilation of any symbol or series, of symbols executed,
adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten
signature".
 Biometric:
"A method of verifying an individual's identity based on measurement of the individual 's physical feature(s)
or repeatable action(s) where those features and/or actions are both unique to that individual and
measurable.”
9
 TERMINOLOGY
 Handwritten Signature:
The scripted name or legal mark of an individual handwritten by that individual and executed or adopted
with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or
marking instrument such as a pen or stylus is preserved.
The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices
that capture the name or mark.
 Digital Signature:
An electronic signature based upon cryptographic methods of originator authentication, computed by using a
set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be
verified.
 Hybrid systems:
Hybrid systems are a combination of electronic records and paper records. They are common systems in
analytical laboratories today. Raw data are recorded electronically to reconstruct the analysis but the final
results are printed and signed on paper. The FDA does not prohibit hybrid systems but has expressed some
concerns about their acceptability

10
 Overall Approach to Part 11 Requirements
 Described in more detail below, the approach outlined in this guidance is based on three main elements:
 Part 11 will be interpreted narrowly; we are now clarifying that fewer records will be considered subject
to part 11.
 For those records that remain subject to part 11, we intend to exercise enforcement discretion with regard
to part 11 requirements for validation, audit trails, record retention, and record copying in the manner
described in this guidance and with regard to all part 11 requirements for systems that were operational
before the effective date of part 11 (also known as legacy systems).
 We will enforce all predicate rule requirements, including predicate rule record and record keeping
requirements.

11
 Overall Approach to Part 11 Requirements
 It is important to note that FDA's exercise of enforcement discretion as described in this guidance is
limited to specified part 11 requirements (setting aside legacy systems, as to which the extent of
enforcement discretion, under certain circumstances, will be more broad). We intend to enforce all other
provisions of part 11 including, but not limited to, certain controls for closed systems in § 11.10. For
example, we intend to enforce provisions related to the following controls and requirements:
 limiting system access to authorized individuals.
 use of operational system checks
 use of authority checks
 use of device checks
 Determination that persons who develop, maintain, or use electronic systems have the education,
training, and experience to perform their assigned tasks.

12
 Overall Approach to Part 11 Requirements
 Establishment of and adherence to written policies that hold individuals accountable for actions initiated
under their electronic signatures
 Appropriate controls over systems documentation
 Controls for open systems corresponding to controls for closed systems bulleted above (§ 11.30).
 Requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300).

13
 Details of Approach – Scope of Part 11
1. Narrow Interpretation of Scope
We Understand that there is some confusion about the scope of part 11. Some have understood the scope
of part 11 to be very broad. We believe that some of those broad interpretations could lead to unnecessary
controls and costs and could discourage innovation and technological advances without providing added
benefit to the public health. As a result, we want to clarify that the Agency intends to interpret the scope of
part 11 narrowly.
Under the narrow interpretation of the scope of part 11, with respect to records required to be maintained
under predicate rules or submitted to FDA, when persons choose to use records in electronic format in
place of paper format, part 11 would apply.

14
 Details of Approach – Scope of Part 11
On the other hand, when persons use computers to generate paper printouts of electronic records, and
those paper records meet all the requirements of the applicable predicate rules and persons rely on the
paper records to perform their regulated activities, FDA would generally not consider persons to be
"using electronic records in lieu of paper records" under §§ 11.2(a) and 11.2(b). In these instances, the use
of computer systems in the generation of paper records would not trigger part 11.
2. Definition of Part 11 Records
 Under this narrow interpretation, FDA considers part 11 to be applicable to the following records
or signatures in electronic format (part 11 records or signatures):
Records that are required to be maintained under predicate rule requirements and that are maintained
in electronic format in place of paper format. On the other hand, records (and any associated
signatures) that are not required to be retained under predicate rules, but that are nonetheless
maintained in electronic format, are not part 11 records.
15
 Details of Approach – Scope of Part 11
We recommend that you determine, based on the predicate rules, whether specific records are part 11
records. We recommend that you document such decisions.
Records that are required to be maintained under predicate rules, that are maintained in electronic format in
addition to paper format, and that are relied on to perform regulated activities.
In some cases, actual business practices may dictate whether you are using electronic records instead of
paper records under § 11.2(a). For example, if a record is required to be maintained under a predicate rule
and you use a computer to generate a paper printout of the electronic records, but you nonetheless rely on
the electronic record to perform regulated activities, the Agency may consider you to be using the electronic
record instead of the paper record. That is, the Agency may take your business practices into account in
determining whether part 11 applies. Accordingly, we recommend that, for each record required to be
maintained under predicate rules, you determine in advance whether you plan to rely on the electronic
record or paper record to perform regulated activities.
16
 Details of Approach – Scope of Part 11
Records submitted to FDA, under predicate rules (even if such records are not specifically identified in
Agency regulations) in electronic format (assuming the records have been identified in docket number 92S-
0251 as the types of submissions the Agency accepts in electronic format). However, a record that is not
itself submitted, but is used in generating a submission, is not a part 11 record unless it is otherwise required
to be maintained under a predicate rule and it is maintained in electronic format.
Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other
general signings required by predicate rules. Part 11 signatures include electronic signatures that are used,
for example, to document the fact that certain events or actions occurred in accordance with the predicate
rule (e.g. approved, reviewed, and verified).

17
 Approach to Specific Part 11 Requirements
1. Validation
The Agency intends to exercise enforcement discretion regarding specific part 11 requirements or validation
of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30). Although persons must
still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), this
guidance should not be read to impose any additional requirements for validation.
We suggest that your decision to validate computerized systems, and the extent of the validation, take into
account the impact the systems have on your ability to meet predicate rule requirements. You should also
consider the impact those systems might have on the accuracy, reliability, integrity, availability, and
authenticity of required records and signatures. Even if there is no predicate rule requirement to validate a
system, in some instances it may still be important to validate the system.

18
 Approach to Specific Part 11 Requirements
We recommend that you base your approach on a justified and documented risk assessment and a
determination of the potential of the system to affect product quality and safety, and record integrity. For
instance, validation would not be important for a word processor used only to generate SOPs.
For further guidance on validation of computerized systems, see FDA’s guidance for industry and FDA staff
General Principles of Software Validation and also industry guidance such as the GAMP 4 Guide (See
References).
2. Audit Trail
The Agency intends to exercise enforcement discretion regarding specific part 11 requirements related to
computer- generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in
§11.30). Persons must still comply with all applicable predicate rule requirements related to documentation
of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for
ensuring that changes to records do not obscure previous entries.
19
 Approach to Specific Part 11 Requirements
Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events
in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or
procedural security measures in place to ensure the trustworthiness and reliability of the records.6 We
recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on
the need to comply with predicate rule requirements, a justified and documented risk assessment, and a
determination of the potential effect on product quality and safety and record integrity. We suggest that you
apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when
users are expected to create, modify, or delete regulated records during normal operation.
3. Legacy Systems
The Agency intends to exercise enforcement discretion with respect to all part 11 requirements for systems
that otherwise were operational prior to August 20, 1997, the effective date of part 11, under the
circumstances specified below:
20
 Approach to Specific Part 11 Requirements
The system was operational before the effective date.
The system met all applicable predicate rule requirements before the effective date.
The system currently meets all applicable predicate rule requirements.
You have documented evidence and justification that the system is fit for its intended use (including having
an acceptable level of record security and integrity, if applicable).
If a system has been changed since August 20, 1997, and if the changes would prevent the system from
meeting predicate rule requirements, Part 11 controls should be applied to Part 11 records and signatures
pursuant to the enforcement policy expressed in this guidance.
4. Copies of Records
The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for
generating copies of records (§ 11.10 (b) and any corresponding requirement in §11.30). You should provide
an investigator with reasonable and useful access to records during an inspection. All records held by you are
subject to inspection in accordance with predicate rules (e.g., §§ 211.180(c), (d), and 108.35(c)(3)(ii)).

21
 Approach to Specific Part 11 Requirements
We recommend that you supply copies of electronic records by:
Producing copies of records held in common portable formats when records are maintained in these formats.
Using established automated conversion or export methods, where available, to make copies in a more
common format (examples of such formats include, but are not limited to, PDF, XML, or SGML).
In each case, we recommend that the copying process used produces copies that preserve the content and
meaning of the record. If you have the ability to search, sort, or trend part 11 records, copies given to the
Agency should provide the same capability if it is reasonable and technically feasible. You should allow
inspection, review, and copying of records in a human readable form at your site using your hardware and
following your established procedures and techniques for accessing records.

22
 Approach to Specific Part 11 Requirements
5. Record Retention
The Agency intends to exercise enforcement discretion with regard to the part 11 requirements for the
protection of records to enable their accurate and ready retrieval throughout the records retention period (§
11.10 (c) and any corresponding requirement in §11.30). Persons must still comply with all applicable
predicate rule requirements for record retention and availability (e.g., §§ 211.180(c),(d), 108.25(g), and
108.35(h))
We suggest that your decision on how to maintain records be based on predicate rule requirements and that
you base your decision on a justified and documented risk assessment and a determination of the value of the
records over time.

23
 Approach to Specific Part 11 Requirements
FDA does not intend to object if you decide to archive required records in electronic format to non electronic
media such as microfilm, microfiche, and paper, or to a standard electronic file format (examples of such
formats include, but are not limited to, PDF, XML, or SGML).
Persons must still comply with all predicate rule requirements, and the records themselves and any copies of
the required records should preserve their content and meaning. As long as predicate rule requirements are
fully satisfied and the content and meaning of the records are preserved and archived, you can delete the
electronic version of the records. In addition, paper and electronic record and signature components can co-
exist (i.e., a hybrid8 situation) as long as predicate rule requirements are met and the content and meaning of
those records are preserved.

24
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
11.2(b)- Implementation
Principle
11.10(a)- Validation
General
1 Risk Management Not covered
2 Personnel 11.10(i)- Personnel
3 Suppliers and Service Providers Not covered
3.1 Formal agreements Not covered
3.2 Audit supplier Not covered
3.3 Review documentation for COTS Not covered
3.4 Supplier audit available on request Not covered
Project Phase
4 Validation 11.10(a)- Validation
4.1 Cover life cycle Not covered
4.2 Change control and deviations 11.10(k)- Documentation control
25
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
4.3 Systems inventory Not covered
4.4 User requirement specifications Not covered
4.5 Quality management system Not covered
4.6 Process for customized systems Not covered
4.7 Evidence of appropriate test methods Not covered
4.8 Data transfer validation 11.10(h)- Device checks
Operational Phase
11.10(f)- Operational system checks
5 Data
11.30- Controls for open systems
6 Accuracy Checks 11.10(f)- Operational system checks
7 Data Storage 11.10(c)- Protection of records
11.10(d)Limiting system access
7.1 Secured and accessible 11.10(e)-Secure Records
11.10(g)-Authority checks
26
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
7.2 Back-up Not covered
8 Printouts
11.10(b)- Generate accurate and
8.1 Clear printed copies
complete copies
8.2 Batch release/changed since original Not covered
11.10(e)- Electronic audit trail,
9 Audit Trails
11.10(k)(2)- Documentation control
Change and Configuration 11.10(d)- Limiting system access
10
Management 11.10(e)- Electronic audit trail
11.300(b) and (e)- periodically checked
11 Periodic evaluation
11.10(k)- Documentation control
12 Security 11.10(c)- Protection of records
27
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)

11.10(d)- Limiting system access
11.10(g)- Authority checks
12.1 Physical/Logical 11.200(a) and (b)biometrics
11.300(a) Unique
11.300(d)- prevent unauthorized use

12.2 Criticality Not covered
11.300(b)and (c)-Controls for
12.3 Security-record events
Identification Codes/Passwords
12.4 Data management/operators entries 11.10(e)-Controls for Closed Systems
13 Incident Management Not covered
14 Electronic Signature 11.50-Signature manifestations
28
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
11.1(a) Scope, 11.3(b)(7) Definitions
14(a) Same as hand-written
11.100(c) Certify equivalent to handwritten
14(b) Permanent link 11.70- Signature/record linking

14(c) Time and date 11.10(e)- Electronic audit trail

15 Batch release Not covered

16 Business Continuity Not covered
11.10(c)- Protection of records for
17 Archiving
accurate retrieval
Subpart B--Electronic Records

11.10 Controls for closed systems

29
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
11.10(a) Validation 4-Validation

11.10(b) Generate accurate and complete copies 8.1-Printouts

11.10(c) Protection of records for accurate retrieval 17-Archiving, 12-Security, 7-Data Storage
7.1- secured and accessible
Limiting system access to authorized 10- Change and Configuration
11.10(d)
individuals Management, 12.1-Security,
physical/logical
7.1- secured and accessible, 9-Audit Trails
10-Change and Configuration Management
11.10(e) Record of operator entries (audit trail)
12.4- data management/operators entries
14(c)-Electronic Signature
11.10(f) Operational system checks 5-Data, 6- Accuracy Checks

30
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
7.1- secured and accessible
11.10(g) Authority checks
12.1-Security, physical/logical

11.10(h) Device checks 4.8-Validation

Personnel (who develop, users and maintain
11.10(i) 2-Personnel
systems)
User accountability for actions initiated under
11.10(j) Not covered
e-signatures
9-Audit Trails, 4.2- change control and
11.10(k) Documentation control Deviations, 10-Change and Configuration
Management, 11- Periodic evaluation
Principle (all systems)
11.30 Controls for open systems
5. Data
31
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
11.50 Signature manifestations 14-Electronic Signature
11.70 Signature/record linking 14(b)-Electronic Signature
Subpart C--Electronic Signatures
11.100 General requirements
11.100(a) Unique/not reused Not covered
11.100(b) Verify identity Not covered
11.100(c) Certify equivalent to handwritten 14(a) same as hand-written
11.200 Electronic signature components and controls.
11.200(a) Not based on biometrics 12.1-Security, physical/logical
12.1-Security, physical/logical
11.200(b) Based on biometrics
32
 Cross-Reference from Annex 11 to Part 11
Annex 11 Part 11 Cross Reference
Annex 11 Title
Section No. (substantially equivalent)
11.300(a) Unique 12.1-Security, physical/logical
11. Periodic Evaluation
11.300(b) periodically checked
12.3-Security- record events
11.300(c) procedures to deauthorize 12.3-Security, record events
11.300(d) prevent unauthorized use 12.1-Security
11.300(e) proper function 11-Periodic evaluation

33
 Conclusions
Annex 11 for computerized systems impacts manufacturers who export to the EU and those who
manufacture products in the EU. Close scrutiny of the parallel FDA and EU rules shows the authorities
share a mutual intent to have safe, validated computer systems and qualified networks for drug and
device manufacturing.
Limited areas of Part 11 are dissimilar to Annex 11; these, for the most part, are limited to the
verification of identity and accountability of actions by authorized individuals, as well as to the reporting
to authorities. Part 11 applies to e-submissions to the FDA. Annex 11 is different from Part 11 in that it
takes a risk management approach to criticality and emphasises a systems approach to periodic
evaluations. Annex 11 is ‘how to’ while Part 11 is ‘thou shalt’ in tone. Together they form a robust and
usable guide for computer validation professionals leading their companies and clients to compliance.

34
Thank You

35