Addressing Common Misconceptions

About 21 CFR Part 11by

Robert J. FinamoreDirector, IT Compliance and Validation

2

What is 21 CFR Part 11?Establishes requirements to

ensure Electronic Records and Electronic Signatures have equivalent controls for authenticity, integrity, accountability, and confidentiality as for hardcopy records and signatures.

I heard the FDA isno longer enforcing

21 CFR Part 11.

4

1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Part 11 Guidance onScope and Application

Chart Title

5

• Predicate Rules• Risk Management

Narrow Scope

• Validation• Audit Trails• Record Retention• Copies of Records

Enforcement Discretion

• “Note that part 11 remains in effect”

Clarification

6

•Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified.

Part 58.130(

e)

•In such instances a written record of the program shall be maintained along with appropriate validation data.

Part 211.68(

b)

•A sponsor shall retain the records and reports required by this part for 2 years after a marketing application is approved for the drug...

Part 312.57(

c)

7

February 17, 2012 – Biochem Laboratories Inc.Your firm has failed to exercise appropriate controls over

computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 CFR 211.68(b)]. For example: a. Your firm did not put in place requirements for appropriate

usernames and passwords to allow appropriate control over data collected by your firm's computerized systems including UV, IR, HPLC, and GC instruments. All employees in your firm used the same username and password. In addition, you did not document the changes made to the software or data stored by the instrument systems. Without proper documentation, you have no assurance of the integrity of the data or the functionality of the software used to determine test results.

Example Citation

8

February 17, 2012 – Biochem Laboratories Inc. b. Your firm had no system in place to ensure appropriate

backup of electronic raw data and no standard procedure for naming and saving data for retrieval at a later date.

In your response, you state that you will maintain backup of electronic raw data and all technicians will have their own user identification (ID) and password. Your response, however, is inadequate because you do not describe how your firm intends to save and back-up the electronic raw data, nor whether your firm will implement audit trails on your computerized systems.

Example Citation (cont’d)

Part 11 does not apply to my computerized system.

10

RECORDS

SIGNATURES

11

§11.1 - Scope

This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations.

This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.

12

21 CFR Part 312.62(b)Case histories. An investigator is required to prepare and

maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation on each individual administered the investigational drug or employed as a control in the investigation. Case histories include the case report forms and supporting data including, for example, signed and dated consent forms and medical records including, for example, progress notes of the physician, the individual's hospital chart(s), and the nurses' notes. The case history for each individual shall document that informed consent was obtained prior to participation in the study.

Example Predicate Regulation

LIFECYCLE

13

Follow the records!

Part 11 does not apply because we use paper as

our official records.

Guidance – Scope and Application

15

Part 11 Impact

E-Records used in lieu of Paper

E-Records used in addition to

Paper

No Part 11 ImpactE-records

incidental to creation of Paper

Only use Paper records

16

Considerations for using Paper as the Official recordIs E-record really incidental to

creation of paper?Still responsible for data integrity

from creation through printingDecision of paper vs. e-record

should be documentedCannot use paper as a back up

The system records my User ID and a time stamp when I click the Approve

button; that’s an Electronic Signature.

18

Audit Trail

• Provides history of a record• Creation• Modification• Deletion

• Automatically generated for all regulated records

Signature

• Intent to Authenticate a Record

• Legally binding• Requires

application of a signature

• Used to meet signing requirements of predicate regulations

19

21 CFR Part 50.27(a) Except as provided in 56.109(c), informed

consent shall be documented by the use of a written consent form approved by the IRB and signed and dated by the subject or the subject's legally authorized representative at the time of consent. A copy shall be given to the person signing the form.

Example Predicate Regulation

20

Signature Types

• Writing with a stylus is preserved• Handwritten signatures executed to electronic records

• Scanned image of a wet signature• Signing on a digitizing pad• Hybrid systems – e-record + wet signature

Handwritten

• Multi-component signature entry• E.g. User ID/Password

Non-Biometric

• Measurement of unique attributes of the signer

Biometric

The vendor sold me aPart 11 compliant system.

22

Compliance

Technology

Process• Intended Use• People• Procedures

Example Part 11 Requirements

23

Part 11 Requirement

Technical

Procedural

§11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

§11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

§11.10(d) Limiting system access to authorized individuals.

The Vendor hosting thesystem is responsible

for compliance.

25

Record Owner• Ultimately Responsible for

Compliance

Vendor• Leverage Compliance for:

• Products• Services

Due Diligence

Due Diligence Activities

26

Onsite Assessment of Vendor – SDLC, QMS, and CSP procedures and controls

Development of Robust Service Level Agreement

Scheduling of Follow-up Assessments

Due Diligence Topics

SDLC/QMS

Development Practices

Testing Practices

Configuration Management

System Documentation

Release Management

Personnel Management

Vendor Management

Quality Improvement

Service Provider

Regulatory Knowledge

Security Management

Infrastructure Management

Support and Maintenance

Disaster Recovery

Core System Validation

Change Management

Resources

FDA Regulations(21 CFR Part 11

+ Predicate Regulations)

28

FDA Guidance Documents(Part 11 Scope & Application,

Computerized System in CI, and Electronic Source Documents)

GAMP 5 + GoodPractice Guides

(SDLC, QMS, Validation and Supplier Assessment Topics)

Questions

29

Thank you for your time!

Robert J. FinamoreDirector, IT Compliance and Validation

QPharma, Inc.

(973) 656-0011, Ex. 2081robert.finamore@qpharmacorp.com

30