We currently have an electronic data base for Document Control called QSI. Not real pleased with it and would not recommend it, but the company is pretty well stuck with it. We have expanded our business to include some medical and QSI (IBS company) claims that we must purchased the FDA package to be in compliant with 21 CFR 11.

As I read the CFR and its associated FDA guidance, I interpret the requirement as applicable to e-signatures on 'records' and not necessarily documents associated with our QMS (Quality Manual, SOPs and Instructions). Yet, the vendor claims that we must pay out $$$ or we will be in violation. The add-on would require an additional password and change the architecture of our entire system.

Is there a more defined interpretation of this? Looking for a sanctioned interpretation or authority that would clearly state that 21 CFR 11 electronic signatures apply to records or every document in a system.

Thanks

Can anyone here versed in 21 CFR 11 help out?

Is there a more defined interpretation of this? Looking for a sanctioned interpretation or authority that would clearly state that 21 CFR 11 electronic signatures apply to records or every document in a system.

Have a look at 21cfrpart11.com.

Is there a more defined interpretation of this? Looking for a sanctioned interpretation or authority that would clearly state that 21 CFR 11 electronic signatures apply to records or every document in a system.

Thanks

NOTE: I don't claim to be an expert in this area.:)

Good luck! :lol: Seriously, like many other CFR documents, 21 CFR 11 is subject to interpretation.

Attached is a fairly current interpretation from the FDA. It's a start; Doug's website suggestion is another good source.

The 21 CFR 11 was a "push" to the industry to develop sound electronic data. However, what happened was there were systems that generated data, but since paper format was submitted, it became overly burdensome. The intent is still decent; to increase the quality and confidence in electronic data/records.

As to your query, the CFR covers electronic records and electronic signatures. If your current system generates/uses either of those, then it is relevant. Also, I would think as part of the electronic document control and the like, you would want some of those things in place, however that would probably fall outside of the scope of your query.

If you have to validate the new "add on" and pay all that money, maybe it would be worth it to look at new software packages.

Hi,

The Scope of Part 11 includes:
"Sec. 11.1 Scope.

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper."

You probably had a look at that already.

From what I recall, part 11 applies to records as well, not only to e-signatures.
However, it doe not necessarily mean that your software has to be part11 compliant.


Do you rely completely on the electronic records or do you make printouts?

regards
t.

I'm also not an expert but I've been trying to keep up with things in that area. (FDA) enforcement has been spotty and inconsistent. The references & feedback you've been given so far are sound.

Regarding your specific question, I believe that if you keep your process documents (in this case, records = documents = Quality Plan, SOPs, etc.) in the database and you rely on that database for electronic approvals, then you would indeed need to be part 11 compliant (and validate the system to show that). Everything in Part 11 goes back to a predicate rule. If you say that your process documents are approved by certain individuals / functions then if you use the database to acquire those approvals, Part 11 applies.

As temujin points out, there are some 'escapes' - the most common is to print out the document and then apply a wet-ink signature. Even in this, I have seen testimonials that companies are still required to validate that what's in the database is, essentially, robust (ostensibly so that changes don't 'leak' in undetected for subsequent revisions).

Of course, as soon as you use computer software with anything involved in or about the quality system, the safe route is to validate that application for your needs / intended uses.

As you can probably tell by my response, nothing is very clear cut in this area. At a minimum, I would recommend you validate the software. Depending on how you use the software, you may indeed need to be Part 11 compliant. If you dig deeper into Part 11, you'll see pretty quickly that your efforts should be risk based. So use the risk analysis to help scope your efforts should you determine that you do need to be compliant.

Hope that helps.

http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol-4/pdfs-en/anx11en.pdf

http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol-4/pdfs-en/2008_02_12_gmp_annex20.pdf

http://www.fda.gov/cder/guidance/5505dft.PDF

Attached may be useful as well. Its the EU guidance on computer system validation and the other two relate to risk analysis . The risk based approach to validation has been highlighted as a good pathway to validation.