21 CFR Part 11 Assessment (Fully Compliant or Not)

diogo19

Starting to get Involved
Hey there,

Happy new year to all,

I have a burning question about 21 CFR Part 11 which I'm trying to get answers to from books and the web, but it is proving unsuccessful.

When assessing a computer system for compliance with the regulation, if an ER does not use ES, can it still be assessed as compliant, providing it meets all the other requirements?

The ER does include a digital signature to verify with a timestamp (no meaning) which is generated from the initial user login by username/password.

Thanks.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
This is the memo we created to self certify to Part 11

| Guidance Ref. No. | Requirement | Answer | Compliant? |
|---|---|---|---|
| 11.10 | Controls for closed systems | XXX is designed to be a closed system and uses username and password credentials to authenticate each user. | Yes |
| 11.10a | Validation of systems | Validation reporting within QMS. | Yes |
| 11.10b | FDA copies | All quality-relevant data is available electronically as well as in a human-readable format. | Yes |
| 11.10c | Protection and recoverability | XXX is running on at least two distributed servers in parallel. This ensures high availability and duplication of the data (fail-over). Furthermore, we regularly back up the data for added protection. | Yes |
| 11.10d | Limiting system to authorized individuals | Access to the data is given only to authorized persons with individual usernames and passwords. | Yes |
| 11.10e | Audit trails | Modifications were made to the database so that the reported temperature data is stored with a calculated hash value that can be used to verify the data's authenticity. Also, access permissions have been updated to prevent any updates through the application, and out-of-application access to GCP is audited. | Yes |
| 11.10f | Operation sequences | Whenever actions must be performed in a specific sequence, the system enforces this sequence and therefore prevents accidental changes to data. | Yes |
| 11.10g | Authority checks | XXX has a role-based authority concept which meets the requirements of 21 CFR Part 11. | Yes |
| 11.10h | Device checks | The system has validated input and output interfaces. The web-service-based interfaces accept and provide data securely in the so-called JSON format. | Yes |
| 11.10i | Training | All experts who are involved in the creation and maintenance of XXX are trained in computer system validation and 21 CFR Part 11 compliance. | Yes, upon hire and annually thereafter. |
| 11.10j | Establishment of and adherence to written policies | XXX has established, and adheres to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | Yes |
| 11.10k | Control over documentation | Our software documentation is validated through a strict review and versioning process. | Yes |
| 11.30 | Controls for open systems | This point does not apply since XXX is designed to be a closed system. | N/A |
| 11.50 a/b | Signature manifestations | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.70 | Signature/record linking | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.100 a, b, c | Electronic signatures | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.200 a, b | Electronic signature components | This point does not apply since XXX does not make use of electronic/digital signatures. | N/A |
| 11.300a | Uniqueness of each combined identification code and password | The system ensures that the login credentials are always unique. | Yes |
| 11.300b | Changing and aging of credentials | The system enforces passwords to be changed after a certain period. Furthermore, authorized personnel can lock and unlock certain users if necessary. | Yes |
| 11.300c | Loss management procedures | This point does not apply since XXX does not make use of any hardware to identify individuals. The username/password credentials are the only way to get access to the system. | N/A |
| 11.300d | Safeguards to prevent unauthorized access | Two-factor authentication is in place. | Yes |
| 11.300e | Initial and periodic testing of authentication devices | This point does not apply since XXX does not make use of any hardware to identify individuals. The username/password credentials are the only way to get access to the system. | N/A |
 

yodon

Leader
Super Moderator
First off, is the record required by any regulation? I think a lot of people hear "record" and think it means every electronic file under the sun. Not so. If you read the scope section, you see part 11 is only applicable to record requirements "set forth in agency regulation."

Assuming it is in scope, be also aware that not all records need to be signed (digitally or otherwise). Double-check the regulation to see if the record is required to be signed. So...

if an ER does not use ES can it still be assessed as compliant

The answer is 'yes' here - a record being managed / maintained electronically may well fall under the Part 11 scope without requiring a digital signature.

The ER does include a digital signature to verify with a timestamp (no meaning) which is generated from the initial user login by username/password.

You lost me here. An initial login is not a digital signature. That would not meet the intent of the regulation in several ways. And when you say it has a timestamp with no meaning, that also would not meet the regulation. A timestamp has meaning and must be considered along with the audit trail.

As far as I know, the FDA is still on the 'enforcement discretion' train. If your (electronic) systems do not support data integrity, they may well issue a finding against Part 11. If your records are well-maintained, well-controlled, and there's no loss of data integrity, they may not pull on every Part 11 thread. (No guarantee!!)
 

diogo19

Starting to get Involved
Thanks for the feedback, very much appreciated,

@yodon , The ER is a shipping record from a vendor's SaaS system which could be asked for as proof of shipment (clinical trials) by a regulatory body.
I've carried out a detailed assessment of all the scopes and the system meets the requirements of 21 CFR Part 11 except ES.

Just to clarify about the digital signature bit, I'm aware that it doesn't meet the ES requirements; the vendor has added a bit on the ER where you verify cleaning, which ends up on the printed record.

I may have missed it but I haven't seen anything on the regulation about records needing to be signed but happy to listen to your knowledge and guidance.
 

yodon

Leader
Super Moderator
could be asked for as proof of shipment (clinical trials) by a regulatory body

What regulation is this fulfilling (I'm not much on clinical trial regulations)? For example, 21 CFR 820.40 says:

Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

(my highlighting) That establishes requirements for BOTH a record and a signature.

820.50 says:

Establish and maintain records of acceptable suppliers, contractors, and consultants.

No signature required, only a record.

And to complete the trifecta, 820.130 says:

Each manufacturer shall ensure that device packaging and shipping containers are designed and constructed to protect the device from alteration or damage during the customary conditions of processing, storage, handling, and distribution.

No records required.

So before anything, be sure you are talking about a record required by a law and, if so, whether it requires a signature. Is there really a regulatory requirement for a record to demonstrate proof of shipment?
 

BCQuality76

Starting to get Involved
We are preparing to validate a system (custom software with a fixture) that downloads data from a device to a *.csv file. The data in the spreadsheet may be used to support complaint investigation. It is essentially a data dump that product support would then take what they need for their investigation. Would that spreadsheet be considered an electronic record? IMO...it's an automated tool and the output should be validated, but itself is not an electronic "record".
Thank you, in advance.
 

yodon

Leader
Super Moderator
Well, my take would be that it's "original data" supporting decisions made in the complaint handling process. While it may not be an "electronic record" that is in scope of 21 CFR Part 11, it would seem the complaint handling folks would want to keep this data with the complaint investigation and manage it in a manner to ensure it's properly protected.
 

BCQuality76

Starting to get Involved
Well, my take would be that it's "original data" supporting decisions made in the complaint handling process. While it may not be an "electronic record" that is in scope of 21 CFR Part 11, it would seem the complaint handling folks would want to keep this data with the complaint investigation and manage it in a manner to ensure it's properly protected.
Thank you for the quick response! I completely agree, that it should be included as "raw data" to the complaint record. I just wanted to get some outside input on my thoughts about it not being ER-applicable. These assessments are still fairly new to us, and I've been working on a LOT of them, and they haven't been reviewed much by external auditors...yet. At least I'm making sure we get the rationale documented. They can always disagree, but at least I can show we're considering it.
Thank you again.
 