FDA 21 CFR Part 11 Compliance...

Medical Devices, Pharmaceuticals and API

Adhering to the FDA 21 CFR Part 11 compliance requirements brings a range of benefits. In addition to meeting essential regulatory requirements, it allows an organization to take advantage of the latest technology, facilitates the elimination of paper, and permits changes to processes to be made more easily and efficiently. Some of the most mundane and repetitive day-to-day tasks can be automated. Compliance also permits faster access to the “intellectual capital” of a business.

When considering electronic signatures, we normally consider two types, namely
– Electronic
– Biometric


What is an electronic / biometric signature?

• It is a compilation of symbols adopted by an individual to be the legally binding equivalent of the individual’s handwritten signature. Affixing an electronic signature to electronic data is equivalent to applying the individual’s traditional handwritten signature or initials. An example of a non-biometric electronic signature is a user identification code and password.

When considering a biometric signature, we are considering a proof of identity that is unique to the individual and is measurable. Examples of biometric signatures are fingerprints, retina scans and voice prints.

 

Questions and Answers related to the FDA’s 21 CFR Part 11 compliance:

Electronic Signature
Q: Many companies today have the user ID entered as the person’s full name. Is this an appropriate ID, since it could be guessed relatively easily?
Q: Will users need to have a user ID that is not easily guessed?

A: You are confusing an ID with a password. The ID doesn’t have to be confidential. You may need it for a mail system. What has to be unique is the combination of ID code and password. No two people should have the same combination. The ID portion doesn’t have to be confidential. [Motise/Chapman Q&A]

Q: Is a non-biometric E-signature security process acceptable if the user name is automatically displayed, prompting the need for a unique password to complete the security check?
A: Yes. What gets entered is both the ID and password. It is by default. If you have your system power up in the morning, and the name comes up by default, that is fine. [Motise/Chapman Q&A]


Certifications
Q: What about having individual certification for different divisions within an organization? Should firms delay sending the certifications until all of their personnel have been trained in Part 11?
A: That is not necessary. I would encourage you to keep the certification at a global level. If you do that (individual certifications), you are setting a precedent for yourself. Have the actual certification statement signed by as high a person in the organization as possible. That signature says that an organization considers an electronic signature the same as a hand-written one. Training can be provided after the certification has been issued. [Motise/Chapman Q&A]

Electronic Signature Requirements
In summary, to ensure compliance, the signature must be:
– Unique to an individual.
– Date/time stamped.
– Associated with its meaning (e.g. review, approval, authorship).
– Bound to the master document with protection against unauthorized copying or alteration (unequivocally “linked” to the records being signed).
– Shown in full on printed copies of electronic records.

Electronic Records. What is an Electronic Record:
Any information (text, graphics, data, audio, pictorial) created, modified, maintained, archived, retrieved, distributed, or reported in electronic form within a computer system.

What is a Closed System?
• Closed System means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.


Compliant audit trails are required. What is necessary for audit trail compliance?

The computer system must be able to demonstrate who did what, wrote what, and when (date/time). The audit trail:
• Cannot be paper-based.
• Can be part of the e-record or a record by itself.
• Must be time-stamped, computer-generated and saved in chronological order, per 21 CFR 11.10(e).
• Is created when the operator creates, modifies, or deletes electronic records.
• Shall not be modified by the person whose action creates it.
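
One way to make the audit-trail properties listed above checkable in software, as an added example that is not part of the original page or of any FDA text: an append-only, hash-chained log in Python. The class, function and field names and the choice of SHA-256 chaining are assumptions made for illustration; Part 11 does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed placeholder "previous hash" for the first entry

def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only trail: the system, not the user, stamps time and order."""
    ACTIONS = ("create", "modify", "delete")

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock      # injectable so the example can be tested
        self._entries = []       # no update or delete method is exposed

    def record(self, user_id, action, record_id, old=None, new=None):
        """Log who did what and when; old/new must be JSON-serialisable."""
        if action not in self.ACTIONS:
            raise ValueError(f"unsupported action: {action}")
        entry = {
            "seq": len(self._entries),
            "timestamp": self._clock().isoformat(timespec="microseconds"),
            "user_id": user_id, "action": action, "record_id": record_id,
            "old": old, "new": new,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self._entries.append(entry)
        return entry["hash"]

    def export(self):
        """Copies for review or archiving; callers never get live entries."""
        return [dict(e) for e in self._entries]

def verify(entries):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev_hash, prev_time = GENESIS, None
    for i, e in enumerate(entries):
        when = datetime.fromisoformat(e["timestamp"])
        if (e["seq"] != i or e["prev"] != prev_hash or e["hash"] != entry_hash(e)
                or (prev_time is not None and when < prev_time)):
            return i
        prev_hash, prev_time = e["hash"], when
    return None
```

A hash chain makes edits, deletions and reordering detectable, but anyone who can rewrite the whole store can rebuild the chain. The latest hash therefore needs to be kept somewhere the operators being audited cannot write to.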


Questions and answers related to the FDA’s 21 CFR Part 11 compliance, continued:

Q: Can an audit trail be paper?
A: No, it must be a computer generated e-record. [Motise/Chapman Q&A]

Q: Can a firm that creates batch production records in electronic form archive them as paper only?
A: No. Part 11 requires that electronic records be archived in electronic form. The electronic records must be protected to enable their accurate and ready retrieval throughout the relevant retention period set by the rule that applies to those records. In this case, 21 CFR 211.180 requires batch records to be kept for at least one year past the batch expiration date, or, for certain OTC products, three years after batch distribution. Part 11 also requires that firms be able to generate accurate and complete copies of electronic records in electronic as well as human readable form suitable for agency review, inspection, and copying. [Motise/Chapman Q&A]


Q: Does Title 21 Part 11 apply to the following situation: In our HPLC usage we use computer software to analyze data. We take the printout as a permanent record. We do not save the file, but all the data including peaks and calculations are available in the form of a printout for the investigator to see. Is this acceptable? (We consider the computer as transient storage).

A: Part 11 applies to the electronic file used to generate the printout. It would not be acceptable to discard the electronic file and retain only the printout because the printout is not an accurate and complete copy of the electronic record. The reliability and trustworthiness of the paper derives from controls applied to the electronic record; information such as comments, audit trails and time stamps would not necessarily convey in the paper. See comment para 22 to the Part 11 final rule preamble, as well as the rule itself at section 11.10(b) and (c). [Motise/Chapman Q&A]

Q: If analytical instruments are computerized, such as the Hitachi Chemistry Autoanalyzer, will the E-signature rule apply when GLP data are created and maintained electronically?
A: Yes, it does if a particular instrument is generating data. One approach is to attach the instrument to the broad lab instrument system. This would be easier to comply to Part 11. The idea is to have the record that is created on a system under your control. An LIMS system doesn’t necessarily have to be really elaborate. [Motise/Chapman Q&A]


Q: Explain further “the retention of computer systems for reading electronic records”?
(Many companies may think that the only reason they would be retaining an older computer system to read electronic records would be to satisfy the FDA.)
A: In the proposed rule, people read into “true copy” the concept of file format. In the final rule, we changed “true copy” to “accurate and complete”. No, you do not necessarily have to keep the old hardware and software to make an electronic copy that we could walk away with. For archiving purposes, it is a different issue. The answer for the short-term speaks to transcription. Whenever you have a change to a new technology, make sure you can make a complete transcription. [Motise/Chapman Q&A]

Hybrid Systems
• Hybrid Systems are semi-automated systems that contain both electronic and paper-based records.
• At present many batch records and laboratory chromatography systems are hybrids.

Compliance Policy Guide
• Represents the agency’s current thinking on how to comply with the regulations for electronic records and electronic signatures.
• Regulatory actions will be based on a case-by-case evaluation.

“Legacy Systems”
As explained in the preamble to the final rule, Part 11 does not grandfather legacy systems and FDA expects that firms using legacy systems will have taken steps to achieve full compliance.

 