Comments Concerning the Implementation of 21 CFR Part 11

Similar documents
Full Compliance Contents

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES CFR Part 11 Compliance PLA 2.1

Self-Assessment of eresearch Compliance with 21 CFR Part 11, Electronic Record; Electronic Signatures

FDA Title 21 CFR Part 11:Electronic Records; Electronic Signatures; Final Rule (1997)

Electronic records and electronic signatures in the regulated environment of the pharmaceutical and medical device industries

FILEHOLD DOCUMENT MANAGEMENT SYSTEM 21 CFR PART 11 COMPLIANCE WHITE PAPER

InfinityQS SPC Quality System & FDA s 21 CFR Part 11 Requirements

Implementation of 21CFR11 Features in Micromeritics Software Software ID

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

21 CFR Part 11 Compliance Using STATISTICA

POLICY ISSUES IN E-COMMERCE APPLICATIONS: ELECTRONIC RECORD AND SIGNATURE COMPLIANCE FDA 21 CFR 11 ALPHATRUST PRONTO ENTERPRISE PLATFORM

The Impact of 21 CFR Part 11 on Product Development

Empower TM 2 Software

21 CFR Part 11 Electronic Records & Signatures

TIBCO Spotfire and S+ Product Family

Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system.

Assessment of Vaisala Veriteq vlog Validation System Compliance to 21 CFR Part 11 Requirements

21 CFR Part 11 Implementation Spectrum ES

Oracle WebCenter Content

How To Control A Record System

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

rsdm and 21 CFR Part 11

DeltaV Capabilities for Electronic Records Management

Compliance Matrix for 21 CFR Part 11: Electronic Records

DeltaV Capabilities for Electronic Records Management

21 CFR Part 11 White Paper

A ChemoMetec A/S White Paper September 2013

AutoSave. Achieving Part 11 Compliance. A White Paper

Electronic Document and Record Compliance for the Life Sciences

Intland s Medical Template

InfoCenter Suite and the FDA s 21 CFR part 11 Electronic Records; Electronic Signatures

Guidance for Industry. 21 CFR Part 11; Electronic. Records; Electronic Signatures. Time Stamps

This interpretation of the revised Annex

Risk-Based Approach to 21 CFR Part 11

21 CFR Part 11 Checklist

Compliance Response Edition 07/2009. SIMATIC WinCC V7.0 Compliance Response Electronic Records / Electronic Signatures. simatic wincc DOKUMENTATION

FDA 21 CFR Part 11 Electronic records and signatures solutions for the Life Sciences Industry

Implementing Title 21 CFR Part 11 (Electronic Records ; Electronic Signatures) in Manufacturing Presented by: Steve Malyszko, P.E.

Nova Southeastern University Standard Operating Procedure for GCP. Title: Electronic Source Documents for Clinical Research Study Version # 1

Enabling SharePoint for 21 CFR Part 11 Compliance - Electronic Signature Use Case

Supplement to the Guidance for Electronic Data Capture in Clinical Trials

Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11)

Guidance for Industry. 21 CFR Part 11; Electronic Records; Electronic Signatures. Electronic Copies of Electronic Records

SolidWorks Enterprise PDM and FDA 21CFR Part 11

REGULATIONS COMPLIANCE ASSESSMENT

Manual 074 Electronic Records and Electronic Signatures 1. Purpose

ScreenMaster RVG200 Paperless recorder FDA-approved record keeping. Measurement made easy

Guidance for Industry Computerized Systems Used in Clinical Investigations

Software Manual Part IV: FDA 21 CFR part 11. Version 2.20

Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Application

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

INFORMATION TECHNOLOGY CONTROLS

Software. For the 21 CFR Part 11 Environment. The Science and Technology of Small Particles

Compliance Response SIMATIC SIMATIC PCS 7 V8.1. Electronic Records / Electronic Signatures (ERES) Edition 03/2015. Answers for industry.

PART 10 COMPUTER SYSTEMS

For technical assistance, please contact: Thermo Nicolet Corporation 5225 Verona Road Madison WI

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS

Shiny Server Pro: Regulatory Compliance and Validation Issues

Waters Empower 2 Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance

Waters Empower Software Seamlessly Manages Regulated Data to Aid in 21 CFR Part 11 Compliance

21 CFR Part 11 Deployment Guide for Wonderware System Platform 3.1, InTouch 10.1 and Historian 9.0

CoSign for 21CFR Part 11 Compliance

Implementing CitectSCADA to meet the requirements of FDA 21 CFR Part 11

ooo- I542 (314 Brlngrng tnnovation to patient care worldwide April 23,2003

1/30/2013. Agenda. Electronic Signatures/ Informed Consent

LabChip GX/GXII with LabChip GxP Software

Sympatec GmbH System-Partikel-Technik WINDOX 4. Electronic Records/ Electronic Signatures Compliance Assessment Worksheet for 21 CFR Part 11

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Computerized Systems Used in Medical Device Clinical Investigations

Thermal Analysis. Subpart A General Provisions 11.1 Scope Implementation Definitions.

Guidance for Industry

FDA Regulation of Electronic Source Data in Clinical Investigations

The biggest challenges of Life Sciences companies today. Comply or Perish: Maintaining 21 CFR Part 11 Compliance

REQUEST FOR BOARD ACTION

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

OLEY VALLEY SCHOOL DISTRICT

Spectroscopy Configuration Manager (SCM) Software. 21 CFR Part 11 Compliance Booklet

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

Clinical database/ecrf validation: effective processes and procedures

Data Management PACT Workshop: Design & Operation of GMP Cell Therapy Facilities April 10 th -11 th, 2007

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

Authorized. User Agreement

Department of Health and Human Services

GLP Records Storage and Retrieval

Issues to Address: The Privacy Concerns of Individuals

Authentication of Documents/Use of Professional Stamps

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Data Management Unit Research Institute for Health Sciences, Chiang Mai University

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

Compliance in the BioPharma Industry. White Paper v1.0

HIPAA BUSINESS ASSOCIATE AGREEMENT

Data Management and Good Clinical Practice Patrick Murphy, Research Informatics, Family Health International

Recent Developments Affecting the Disclosure of Test Data and Materials: Comments Regarding the 1996 Statement on the Disclosure of Test Data 1

Results Oriented Change Management

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HESI: Fetal Imaging Workshop 21 CFR Part 11 Electronic Records & Signatures. Presented by: Jonathan S. Helfgott

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

Implementing an Audit Trail within a Clinical Reporting Tool Paul Gilbert, Troy A. Ruth, Gregory T. Weber DataCeutics, Inc.

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Transcription:

Introduction There currently is considerable controversy surrounding 21 CFR Part 11 with respect to the informal interpretations that have been presented by FDA personnel at industry conferences. The lack of a clear and consistent position by the FDA with respect to the regulation has placed many manufacturers in a difficult position with respect to compliance. Of particular concern on the part of these manufacturers is that compliance with the strict interpretation presented by individuals within the Agency may incur a considerable cost without commensurate benefit in terms of increased safety or enhanced product quality. These prescriptive interpretations are in conflict with the Part 11 Compliance Policy Guide (section 160.850) that defines a results based policy that stresses the nature and extent of the deviation and effect on product quality and data integrity. We have addressed some of these controversial questions in this correspondence. Electronic Records and Part 11 Applicability The definition of an electronic record includes any electronic data, however, when that data is subject to compliance with electronic record requirements can be interpreted in several ways. This interpretation is significant with respect to defining when audit trails and additional Part 11 controls are required. To be consistent with predicate regulations, the definition of an electronic record must be based on the intended use of the application and not based on definitions such as the method, media, or duration of storage or transmission techniques. Interpretations that attempt to individually prescribe solutions for differing scenarios of use will make the regulation impractical to implement. Failure to interpret Part 11 based on intended use by introducing new definitions such as storage to durable medium, hybrid records, typewriter excuse, transient views, etc., serves only to complicate the requirements of the regulation and subject them to rapid obsolescence. The following references from Part 11 provide the manufacturer with the responsibility to define the applicability of Part 11 to their quality system. a. Part 11 section 11.1 states: 11.1 (a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. The regulation states how the manufacturer may elect to use electronic records and does not mandate compliance with all elements of Part 11 in every instance where computerized systems are used. Part 11 does not provide authority to the agency to redefine document control requirements of the predicate regulations (21 CFR 820, 21 Page 1 of 5

CFR 211, etc.) that have required document review and approval and change control but not audit trails of all changes made during document revisions. b. In addition, in the preamble of the Federal Register Volume 62, Number 54, of Thursday March 20, 1997, section III Comments on the Proposed rule, subelement I Effective Date/Grandfathering, fourth paragraph states the following: The agency emphasizes that these regulations do not require, but rather permit, the use of electronic records and electronic signatures. Firms not confident that their electronic systems meet the minimal requirements of these regulations are free to continue to use traditional signatures and paper documents to meet record keeping requirements. In accordance with this statement, the firm has the ability to control document drafts without audit trails for all changes and then to allow access to the same documents once approved in a controlled electronic environment that ensures the integrity of the document in an adequately validated system. c) The Compliance Policy Guide section 160.850 (Enforcement Policy: 21 CFR Part 11) states: Part 11 applies to all FDA program areas, but does not mandate electronic record keeping. Part 11 describes the technical and procedural requirements that must be met if a person chooses to maintain records electronically and use electronic signatures. Once again the emphasis is on the use of electronic records in place of paper records and not on the redefinition of record keeping requirements based on Part 11 interpretation. The ability to support changes to documents without maintaining the audit trail of all changes is certainly allowed under the predicate regulations as long as the change history is established. Electronic Record Definition The following are suggested clarifications to the definition of electronic records and the scope of when automated audit trails are required. 1. Manufacturers can define how electronic equipment is used to support the predicate regulations and therefore whether the data must be retained as an electronic record in support of the quality system or paper based record. All electronic equipment used in manufacturing need not be controlled in accordance with Part 11. 2. Raw data from an instrument that cannot be modified based on security and procedural controls need not have secure, computer-generated time-stamped audit trail (11.10(e)) functions implemented. Audit trails for these instruments can be established based on demonstrating the effectiveness of the security and procedural controls that prevent access to modification of run data. Audit trails for these systems can be established by demonstrating that each run generates a unique record that is archived as read-only data. Page 2 of 5

3. Even when a manufacturer is using electronic records, the applicability of audit trails requires clarification. Audit trails should be defined in two different categories: a) The first category is raw data that is captured by equipment or manually entered based on observed information and can be changed on-line requires all changes to the data to be tracked as secure, computer-generated time-stamped audit trails (11.10(e)). b) The second category is documents that are developed in word processing systems are subject to review and approval in accordance with document controls established in quality system regulations (21 CFR part 820, 21 CFR part 210/211, etc.). A revision history is required for these documents but not an audit trail for all changes made by any personnel throughout the life of the document such as for drafts and preliminary document versions. These documents have been formally reviewed prior to release. As such, these documents, when used as an electronic record, should include read only access to the documents on-line and manual controls to ensure that the versions provided on-line are accurate. 4. Data collected for assessment of machine performance and other quality system data not explicitly required by regulation, need not be controlled as electronic records if the data is only used to define potential corrective and/or preventive actions that are later subject to validation. 5. Monitoring systems that are used as the basis for real-time process adjustments must be validated. 6. Where automated systems have been validated and the results are controlled, incoming machine data and results of intermediate processing from the automated system need not be controlled as an electronic record. 7. Paper based output of a computer system is acceptable given validation has been conducted. If the process definition requires only summary data from the process, then only this data need be transferred (electronically or hard copy) to the target quality record. Issues Regarding Specific Articles of the Part 11 Regulation 11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. ASCII files that can be exported must be acceptable for copying electronically or else potential copyright problems may arise. Unless the FDA standardizes on select applications that they use and therefore the format of data they need, it will be impossible to provide copies of all applications to the FDA. 11.10(c) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Page 3 of 5

This portion of the regulation is the one that has generated the most controversy. Where raw data is required by predicate regulations (21 CFR Part 58 Good Laboratory Practices) an audit trail is clearly necessary. Where documents are reviewed and approved separately (such as for on-line procedures), the electronic version need not include an audit trail for all changes made. The current regulatory requirement to provide a description of changes made to documents has been recognized as an acceptable practice and is compliant with the predicate regulation. (See previous discussion items regarding audit trails.) 11.30 Controls for open systems - Procedures and controls to ensure authenticity, integrity, and as appropriate, confidentiality. Include additional measures beyond 11.10 requirements such as document encryption and use of digital signature standards The prescribed controls for open systems are certainly reasonable. What is unreasonable is the interpretation that any system that provides access via the Internet is considered to be an open system. This interpretation is not consistent with the definition as provided in section 11.3 of the regulation. Access to an electronic record system via e-mail does not constitute an open system and is acceptable provided security controls are in place to restrict external access by unauthorized personnel. 11.50 Signature manifestations - Signed electronic records contain the following information associated with the signing: (1) Name (2) Date and time (3) Meaning (author, review, approval) This is certainly reasonable requirement; however, more prescriptive requirements such as that the time is local and that the time is to the nearest second are not appropriate or beneficial. 11.100 General requirements - Electronic signatures shall be unique and not reused or reassigned Not reused or reassigned should include a time period such as defined for record retention. Two years would seem to be adequate time to ensure that all operations associated with an ID can be conclusively identified to a unique owner. 11.300 Controls for identification codes/ passwords - Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Amplifying guidance is needed to clarify these requirements. Is a function that log-offs a user after three unsuccessful log-on attempts acceptable? When are reports to be sent to Page 4 of 5

organizational management? Are there any other safeguards that would be expected from the agency? Summary The FDA s publishing of new regulations in the recent past has been accompanied by significant amplifying guidance documents. These guidance documents have very effectively served to specify the implementation requirements. Part 11 requirements have been promulgated without accompanying guidance documents and industry is left to interpret according to inconsistent statements of a few FDA individuals. Guidance on Part 11 is essential to facilitate industry compliance. ASQ Biomedical Division as a professional society would like to assist in providing better information to industry and establishing consistent and reasonable guidance for implementation of this regulation. Please let us know how this service may be accomplished in conjunction with agency programs. We look forward to your feedback. Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information