21 CFR PART 11.


AGENDA
- 21 CFR Part 11
- Sections in 21 CFR Part 11
- Terminology
- About Part 11
- Importance of Part 11
- Scope of Part 11
- Applications
- Advantages
- Validation
- Predicate rule requirements
- Security Procedures
- Qualification & Accountability
- Audit Trails
- How to build the final rule of 21 CFR Part 11
- Documentation
- Compliance

What is called "21CFR11," or "FDA 21 CFR Part 11"

FDA is the acronym for the Food and Drug Administration. FDA was established to serve and protect the interests of public health. CFR stands for Code of Federal Regulations and refers to a document listing United States Federal Regulations. The number "21" actually is short for "Title 21, Chapter I," and the number "11," for "Part 11". Title 21 concerns the area of Food and Drugs, Chapter I is the section related to FDA, and Part 11 is the sub-section of this chapter, which focuses on a specific area (i.e., Electronic Records; Electronic Signatures).

So, the full title is truly: "Code of Federal Regulations: Food and Drug Administration Title 21, Chapter I, Part 11 - Electronic Records; Electronic Signatures"

Sections of 21 CFR Part 11
ELECTRONIC RECORDS / ELECTRONIC SIGNATURES
- Secure process values and audit trails (alarms, events, operator actions, log-in/log-out, operator notes, electronic signatures)
- All user actions can be configured to require signing or require signing and authorization
- Protection of data through binary, compressed and check-summed records
- User specific access according to authority level
- Accurate time stamps are ensured using automatic Time Synchronization to a known clock source
- Signature element controls unique user signature, password expiry, minimum password length, automatic log-off, automatic disabling and notification of failed login attempts
- Provision for electronically copying data for archive
- Ensuring unique users by retiring and not deleting accounts
- Export facility providing viewing of secure records in human readable form

TERMINOLOGY
- Electronic Records: Electronic records are "any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system".
- Closed system: A closed system is defined as an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
- Open system: An open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
- Electronic Signature: An electronic signature is "a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature".
- Biometrics: "A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable."

Part 11 Origins to Present
- 1994: Proposed Rule
- 1994-1997: Industry responses
- 1997: 21 CFR Part 11, Electronic Records; Electronic Signatures, was originally issued in 1997. It proposed to: "Provide criteria for acceptance by the FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper."
- 2001-2002: Guidance documents
- 2003: New scope and new guidance
- 2007: New Part 11

IMPORTANCE OF 21 CFR PART 11
- Part 11 contains detailed guidelines on how to manage electronic records and electronic signatures in order to maintain accuracy and security.
- Part 11 is designed to help FDA-regulated companies obtain the benefits of electronic data management.
- Part 11 is designed to prevent fraud while permitting the widest possible use of electronic technology.
- Contains detailed guidelines that establish which electronic records and signatures can be considered equivalent to paper records and handwritten signatures.
- Part 11 requires (1) controlled access; (2) computer-generated audit trails; (3) electronic digital signatures.

SCOPE OF CFR APPLICATIONS

APPLICATIONS
Section 11.10 describes controls for closed systems, that is, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls are designed to ensure the integrity of system operations and of the information stored in the system.
Controls include:
(1) validation
(2) the ability to generate accurate and complete copies of records
(3) archival protection of records
(4) use of computer-generated, time-stamped audit trails
(5) use of appropriate controls over systems documentation
(6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks.

Section 11.30: Controls for Open Systems
- Must develop procedures and controls that ensure authenticity, integrity, and confidentiality of electronic records and comply with all other parts of Section 11.10
- Must use additional measures (e.g. document encryption, digital signature standards) to ensure authenticity, integrity, and confidentiality.

Section 11.70: Signature/Record Linking
- Electronic signature and handwritten signatures must be linked to ensure signatures cannot be excised, copied, transferred or falsified

Section 11.50
It requires signature manifestations to contain information associated with the signing of electronic records. Signed electronic records must include:
- printed name of the signer
- date and time of signature
- the purpose of the signature (e.g. review, approval etc.)
Each of these must be readable by display or printout.

Section 11.100
- Must be unique to an individual and not reassigned
- Identity of individual must be verified by organization
- Must certify electronic signature system to the agency prior to or at the time of use of the system
- Certification must be submitted in paper form and, upon agency request, provide certification that signature is legally binding

SECTION 11.200: Electronic Signature Components and Controls
Non-Biometric signatures must:
- Contain at least two different identification components (e.g. User ID and Password)
  - Single sign-on with multiple tasks: Use all identification components at first, with partial identification for each task thereafter
  - Multiple sign-on without continuous access requires all identification components to be used each time
- Be used only by the owner
- Ensure use by other individuals is precluded and does not occur without collaboration by at least two other individuals
Biometric signatures must ensure use by the owner

SECTION 11.300: Controls for Identification Codes/Passwords
Persons using electronic signatures must use controls to ensure security and integrity. These should include:
- Assuring that no two individuals have the same combination of identification code and password
- Periodic check, recall, or revision of identification code and password
- Loss management and replacement procedures
- Testing of devices (i.e. tokens or cards) that produce or maintain identification codes or passwords to ensure proper function and unaltered state.
- Unauthorized use safeguards: report attempts in an urgent and immediate manner to
  - Security unit
  - Management, as appropriate

ADVANTAGES
- Electronic batch records can eliminate mountains of paperwork, speed processing and allow for statistical and trend analyses.
- NDAs and other submissions can be submitted electronically in place of paper submission.
- Increases the speed of information exchange.
- Cost savings from reduced need for storage space.
- Manufacturing process streamlining.
- Job creation in industries involved in electronic record and electronic signature technologies.

Validation
The computerized system shall be validated in accordance with the Corporate Standards and regulatory requirements to ensure:
- Accuracy
- Reliability
- Consistent Intended Performance
- Ability to discern invalid or altered records
- Evidence of validation (e.g., validation plan, validation summary, installation/operational/performance qualifications)

Predicate Rule Requirements
Provide governance for most regulatory activities within a life sciences organization.
Predicate Rules include:
- ICH E6 Good Clinical Practices (parts 310, 312, 314)
- Good Laboratory Practices (21 CFR Part 58)
- Good Manufacturing Practices (21 CFR Part 210 & 211)
- Quality System Practice (21 CFR Part 820)

Risk Based Approach to Part 11
The legal, regulatory and practical implications of electronic records.
Good electronic records are solid in:
- authenticity
- reliability
- trustworthiness
- integrity
- accessibility as needed
BENEFITS OF 21 CFR PART 11: Everything from faster time-to-market for new drugs to reduced cost of mandated recalls can result from the implementation of Part 11 systems.

Security procedures and controls shall be designed and implemented to include:
- Physical system access shall be limited to authorized individuals.
- Operational system checks shall enforce the proper sequencing of steps in a process.
- Logically access the System.
- Electronically sign a record.
- Access the operation or computer system input or output device.
- Alter a record.
- Perform a specific operation.
- Device or terminal checks shall determine validity of the source of input or operation.

Qualification & Accountability
Determination that the following persons have the education, training, and experience to perform their assigned tasks:
- Developer(s) of the computerized system
- Maintainer of the computerized system
- User(s) of the computerized system
ACCOUNTABILITY: Establishment of, and adherence to, written policies and/or procedures that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Audit Trails
Procedures and controls shall be designed and implemented for audit trails to:
- Be secure
- Be computer generated
- Be time- and date-stamped
- Record creation of electronic records
- Record modification of electronic records
- Record deletion of electronic records
- Ensure that changes to electronic records shall not obscure previously recorded information
- Ensure that audit trail records shall be maintained for at least as long as the retention of the underlying
- Ensure that audit trail records shall be available for FDA review and copying

How to build 21 CFR Part 11 System
- Understand system requirements
- Design a good data model
- Define security roles
- Enforce password change
- Build Audit Trail for all tables:
  - Create history table for all tables
  - Use database insert, update, delete triggers to build history records
  - Record user, server date and time
- Define your Electronic Record
- Define approval process of Electronic Record
- Build a mechanism to record versioning for your Electronic Records
- Select your framework
- Automate your development
- Performance tuning
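The audit-trail steps in the build list above (history table, insert/update/delete triggers, user and server time), together with the audit-trail requirement that changes must not obscure earlier entries, as an added example that is not part of the original slides. It uses Python's sqlite3 module; the batch_record table, the session_ctx table that carries the application-supplied user, and all trigger names are assumptions constructed for illustration.

```python
import sqlite3

# Constructed schema: batch_record stands in for any regulated table.
SCHEMA = """
CREATE TABLE session_ctx (id INTEGER PRIMARY KEY CHECK (id = 1), user_id TEXT NOT NULL);
CREATE TABLE batch_record (id INTEGER PRIMARY KEY, product TEXT NOT NULL, result TEXT NOT NULL);
CREATE TABLE batch_record_history (
    hist_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    action     TEXT NOT NULL,
    record_id  INTEGER NOT NULL,
    old_result TEXT,
    new_result TEXT,
    changed_by TEXT NOT NULL,  -- NULL (no session user) aborts the change itself
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))  -- DB clock
);
CREATE TRIGGER batch_ins AFTER INSERT ON batch_record BEGIN
    INSERT INTO batch_record_history (action, record_id, new_result, changed_by)
    VALUES ('INSERT', NEW.id, NEW.result, (SELECT user_id FROM session_ctx));
END;
CREATE TRIGGER batch_upd AFTER UPDATE ON batch_record BEGIN
    INSERT INTO batch_record_history (action, record_id, old_result, new_result, changed_by)
    VALUES ('UPDATE', OLD.id, OLD.result, NEW.result, (SELECT user_id FROM session_ctx));
END;
CREATE TRIGGER batch_del AFTER DELETE ON batch_record BEGIN
    INSERT INTO batch_record_history (action, record_id, old_result, changed_by)
    VALUES ('DELETE', OLD.id, OLD.result, (SELECT user_id FROM session_ctx));
END;
-- The history table is append-only: earlier entries cannot be altered or removed.
CREATE TRIGGER hist_no_upd BEFORE UPDATE ON batch_record_history BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER hist_no_del BEFORE DELETE ON batch_record_history BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def set_user(db, user_id):
    """Record the authenticated user for this session (application-supplied)."""
    db.execute("INSERT OR REPLACE INTO session_ctx (id, user_id) VALUES (1, ?)", (user_id,))

def audit_trail(db, record_id):
    return db.execute(
        "SELECT action, old_result, new_result, changed_by FROM batch_record_history "
        "WHERE record_id = ? ORDER BY hist_id", (record_id,)).fetchall()

def rejected(db, sql):
    """True if the database refuses the statement."""
    try:
        db.execute(sql)
        return False
    except sqlite3.Error:
        return True
```

Because the triggers run inside the database, a write with no session user fails outright, and the timestamp comes from the database clock rather than from the client.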

Documentation
Establishment and use of appropriate controls over the documentation for system operation and maintenance, to include:
- Distribution of documentation
- Access to documentation
- Use of documentation
- Revision and change control procedures to maintain an audit trail that documents the time-sequenced development and modification of the systems documentation

Compliance with Part 11
Part 11 compliance begins with the company having an understanding of CFR Part 11 and becoming educated about the specific regulations and requirements. The initial steps towards CFR Part 11 compliance include:
- Defining a set of objectives for achieving compliance
- Communicating the implications of Part 11 to the people involved and ensuring the commitment to resolve non-compliance
- Creating an interpretation of Part 11
These basic steps create an awareness of CFR Part 11 compliance within an organization and prepare the organization for changes expected due to CFR Part 11.

THANK YOU