An Easy to Understand Guide 21 CFR Part 11

Transcription

1 An Easy to Understand Guide 21 CFR Part 11 The Validation Specialists askaboutvalidation Connecting the Lifesciences

2 An Easy to Understand Guide 21 CFR Part 11 Published by Premier Validation

3 21 CFR Part 11 First Edition Copyright 2011 Premier Validation All rights reserved. No part of the content or the design of this book maybe reproduced or transmitted in any form or by any means without the express written permission of Premier Validation. The advise and guidelines in this book are based on the experience of the authors, after more than a decade in the Life Science industry, and as such is either a direct reflection of the "predicate rules" (the legislation governing the industry) or are best practices used within the industry. The author takes no responsibility for how this advice is implemented. Visit Premier Validation on the web at or visit or forum at ISBN

4 So what's this book all about? Hey there, If you've decided to invest some time in reading this book, I am making the assumption that you are pretty tired of wading through the regulations developed by the FDA that were designed to confuse the hell out of everyone! This may sound quite dramatic, but how many people out there can really say that they fully understand the 21 CFR Part 11 regulations. I know many people claim to know what they are talking about, but why trust someone when you can use this book to bring clarity to the regulations in seconds. We are confident that if you use this book, as a reference guide next time you are testing a system for Part 11 compliance it will make the project so much easier. Of course if you need to refer to the FDA website to check for each regulation feel free, but if you need each one explained in plain English this is the book for you. Understanding the Part 11 regulations is an invaluable weapon in your arsenal. Next time you are validating or trying to explain a certain aspect of Part 11 to an auditor refer to this book and all will be revealed very quickly. So I think it's pretty clear, you've just purchased the 21 CFR Part 11 bible. Enjoy!

5 The brains behind the operation! Program Director: Graham O'Keeffe Content Author: Orlando Lopez Technical Editor: Mark Richardson Editor: Anne-Marie Smith Printing History: First Edition: February 2011 Cover and Graphic Design: Louis Je Tonno Notes of Rights All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the copyright holder, except in the case of brief quotations embedded in critical articles or reviews. Notes of Liability The author and publisher have made every effort to ensure the accuracy of the information herein. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors and Premier Validation Ltd, nor its dealers or distributors will be held liable for any damages to be caused either directly or indirectly by the instructions contained in this book The Validation Specialists Published by Premier Validation Ltd Web: Forum: query@premiervalidation.com ISBN Print and bound in the United Kingdom

6 Table of Contents The Starting Point What is 21 CFR Part 11? 2 History of 21 CFR Part 11 3 Benefits 4 Why you should read this Book? 4 E-Signatures and E-Records Explained The Regulation 6 E-Records 8 Sample Regulatory Action 9 E-Records not impacted by Part E-Signatures 11 E-Signatures not impacted by Part Enforcement 12 General Rules of System Access System Access to Authorized Individuals 14 Sample Regulatory Action 15 Operational System Checks 16 Electronic Signatures 17 Multi-signing 18

7 Unauthorized use of user IDs and Passwords 19 Automatic log out 20 Signature/record linkage 20 Validating Operational Checks 20 Authority Checks 21 Sample Regulatory Action 22 Device Checks 23 Qualifications of Electronic Systems Developers and Users 24 E-Signatures E-sig Written Policies 27 Authentication and non-repudiation 28 Methods of Authentication 29 E-sig Certification 30 Documentation and Regulation Controls System Documentation Control 32 Sample Regulatory Action 33 The Difference between Open and Closed Systems Open System Controls 35 Closed System Controls 36

8 Computer System Validation Computer Systems Validation 38 Elements to Successful Validation 40 Validation Documentation 39 SampleRegulatory Action 39 Audit Trails Audit Trails 41 Sample Regulatory Action 42 E-Records Record Retention 44 Records Archiving 45 Record Copying 47 Sample regulatory action 47 Hybrid & Legacy Systems Hybrid Systems 49 Legacy Systems 49 Summary 51 Appendix A: References 52 Correlation between Part 11 and Annex 11 55

9 The Starting Point What is Part 11? History of Part 11 Benefits Why you should read this Book 1

10 What is 21 CFR Part 11? 21 CFR Part 11 is a section in the Code of Federal Regulations (CFR) that sets forth the United States Food and Drug Administration's (FDA) guidelines on using electronic records (e-recs) and electronic signatures (e-sigs). Part 11, as it's commonly called, defines the criteria under which electronic records and electronic signatures are considered to be accurate, authentic, trustworthy, reliable, confidential, and equivalent to paper records and handwritten signatures on paper. Currently, the scope of this regulation is all FDA program areas. 2

11 History of 21 CFR Part 11 In the late 1980s, drug and medical device manufacturers, biotech companies, and other FDA-regulated industries requested FDA guidelines for the use of e-sigs in paperless batch record systems. Part 11 was published in After it was published, however, its enforcement was put on hold as the result of discussions among industry, contractors, and the FDA concerning the interpretation and implementation of the regulation. In August 2003, the FDA published FDA Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Application, which describes how Part 11 should be implemented and how the FDA would enforce the regulation. These guidelines acknowledged that the need for security measures was not the same for every piece of electronic information. It also introduced the concept of risk analysis and promoted the formal process of risk assessment to determine appropriate security measures. The regulation has never been fully enforced, but in 2011 the FDA will begin conducting audits to ensure understanding of and compliance with Part 11 as an element of routine quality inspections. 3