
21 CFR Part 11, FDA Guidance for Electronic Records and Signatures

The Webinar will ensure that the electronic record/electronic signature (ER/ES) capability built into FDA-regulated computer systems meets compliance with 21 CFR Part 11. This includes developing a company philosophy and approach, incorporating it into the overall computer system validation program, and plans for individual systems with this capability. This webinar will help you understand in detail the application of FDA’s 21 CFR Part 11 guidance on electronic records. Register Now, https://conferencepanel.com/conference/21-cfr-part-11-fda-guidance-for-electronic-records-and-signatures


Presentation Transcript


  1. 21 CFR Part 11 (Electronic Records/Signatures) Compliance for Computer Systems Regulated by FDA Carolyn Troiano

  2. AGENDA • “GxP” Computer Systems • Regulatory Oversight • 21 CFR Part 11 Overview • 21 CFR Part 11 Compliance • Data Integrity • Computer System Validation (CSV) • Computer Software Assurance (CSA) • CSV vs. CSA • Validation Planning

  3. AGENDA (continued) • Requirements • Testing • Requirements Traceability Matrix (RTM) • Other Documentation • Maintenance and Support • Operational Readiness • Vendor Audit • Industry Best Practices • Q&A

  4. “GxP” Computer Systems (continued) “GxP” is defined as “Good-variable-Practice,” based on FDA “Predicate Rules” ➢ GMP = Good Manufacturing Practices ➢ GLP = Good Laboratory Practices ➢ GCP = Good Clinical Practices

  5. Regulatory Oversight The FDA operates on two key premises: 1. If you didn’t document it, you didn’t do it 2. If you could have committed fraud, you did commit fraud

  6. Part 11 Overview Definitions: • Electronic Record: Any combination of text, graphics, data, audio, or pictorial information represented in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer • Electronic Signature: A compilation of any symbol(s) executed to be the legally binding equivalent of an individual’s handwritten signature

  7. Part 11 Overview (continued) • Handwritten Signature: Scripted name/legal mark of individual handwritten and executed/adopted with intent to authenticate writing in permanent form • Digital Signature: Electronic signature based upon cryptographic methods of originator authentication (e.g., set of rules, set of parameters) such that identity of signer and integrity of data can be verified

  8. Part 11 Overview (continued) • Part 11 is a law that ensures organizations define the criteria under which ER/ES are considered to be: • Accurate • Secure • Authentic • Trustworthy • Reliable • Confidential, and • Equivalent to paper records and handwritten signatures on paper

  9. Part 11 Compliance (continued) Key Takeaways: • Quality and Compliance built into everyday programs leads to inspection readiness • Think about how you treat compliance with paper systems before taking action with ER/ES • Software & instrumentation/equipment vendors cannot sell “Part 11 Compliant” products

  10. Data Integrity • Areas at most risk during the inspection include: • Security and Access • Testing and Validation • Training and Expertise • Documentation

  11. Data Integrity (continued) • Security and Access • Recent FDA findings have pointed to more lax practices in companies when it comes to security and access: • Sharing of user names, passwords, & accounts • Lack of rigor in ER/ES security • Users given greater access than needed/appropriate • Change control/audit trails compromised • Segregation of duties not ensured or clear

  12. Data Integrity (continued) • Testing and Validation • Lack of validation for GxP systems • Insufficient validation for GxP systems • Documentation lacking • Testing insufficient (no negative scenarios, no challenge of boundaries or stresses) • Inability to trace requirements to design & test scripts; Requirements Traceability Matrix (RTM) • Standard operating procedures (SOPs) not updated

  13. Data Integrity (continued) • Training and Expertise • Training not mandatory/requirement not enforced • Support staff not trained in compliance • Users lack training & may use old systems, resulting in confusion as to system of record & data for decision making • Internal auditors not fluent in validation process or the systems; cannot serve organization effectively • Training records and/or CVs not maintained as current, or do not reflect skills/expertise required

  14. Data Integrity (continued) • Documentation • No documented risk assessment • No list of systems/applications prioritized by risk • Insufficient testing documentation • Not following GxP requirements for documentation of CSV activities • Incomplete or inadequate training records

  15. Data Integrity (continued) What is Data Integrity? • Data integrity ‒ requirements for complete, consistent, and accurate data • The concept of data integrity underpins GxPs • Applies to CGMP and Good Clinical Practice (ICH E6) • Data should be “ALCOA+”

  16. Data Integrity (continued) Must address the ALCOA components for Data Integrity: • ATTRIBUTABLE • LEGIBLE • CONTEMPORANEOUS • ORIGINAL or “TRUE COPY” • ACCURATE

  17. Data Integrity (continued) Must address the ALCOA+ components for Data Integrity: • ATTRIBUTABLE • LEGIBLE • CONTEMPORANEOUS • ORIGINAL or “TRUE COPY” • ACCURATE PLUS: • Complete • Consistent • Enduring • Available

  18. Computer System Validation (CSV) The FDA Guidance for Computer System Validation (CSV), also known as the FDA “Blue Book,” was issued in 1983. CSV: • is the process of assuring that a system does what it purports to do, and has been thoroughly tested and validated in order to prove this • is based on the standard System Development Life Cycle (SDLC) methodology for computer systems Key Takeaway: CSV ensures the system remains in a validated state

  19. Computer Software Assurance (CSA) • The document-centric waterfall methodology of CSV proved a hindrance to efficient software development, test and release requirements • Many companies have been reluctant to pivot from the document-heavy approach, which works for them, but prevents forward progress in terms of using modern technology • FDA promotes a shift from Computer System Validation (CSV) to Computer Software Assurance (CSA)

  20. Validation Plan A strategic approach should be applied: • Is there an overall company approach? • What rationale will be used to prove the system is fully tested? • Who will be involved in the validation process? • How will the documentation/approvals be completed? • How will training be incorporated into the project? • How will organizational change management be done? • Who will create/update Policies/Procedures? • How will the system be maintained in a validated state through its life?

  21. Validation Plan (continued) Develop a Validation Approach/Rationale to address the type and level of testing that will be required: 1. System Size 2. System Complexity 3. System Business Criticality 4. GAMP®5 System Category 5. System Risk Assessment Document in the Computer System Validation (CSV) Plan

  22. Testing Testing is one of the most critical steps required before placing a system in production: • Installation Qualification (IQ) should be performed on hardware, operating software and applications • Operational Qualification (OQ) should be performed on any code (unit and integration testing) • Performance Qualification (PQ) should be specific to the way the system will be used and must be executed by users

  23. Industry Best Practices • Laboratory with results approved online, but decision based on notebook data/record is fraud; all decisions should be made from the defined system of record • Sharing of user IDs and passwords should be controlled technically and/or procedurally, along with appropriate training • Use of mobile devices should be controlled from security and asset tracking perspectives • Sites located globally with time differences/issues should be managed properly and time synchronized to Meridian or standard time

  24. Register Now
