21 CFR Part 11

From LIMSWiki

The Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11) provides compliance information regarding the U.S. Food and Drug Administration's (FDA) guidelines on electronic records and electronic signatures. Within this part, requirements are created to help ensure the security, integrity, and confidentiality of electronic records and to ensure electronic signatures are as legally binding as hand-written signatures.[1]

Practically speaking, Part 11 requires drug makers, medical device manufacturers, biotech and biologics companies, contract research organizations, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for closed and open software and systems involved in processing specific electronic data. This primarily includes data to be maintained by the FDA predicate rules and data used to demonstrate compliance to a predicate rule. A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11.[2] The rule also applies to submissions made to the FDA in electronic format, but not to paper submissions by electronic methods, though paper submissions may eventually be prohibited by the FDA.[3]

History

By the early 1990s, food and drug manufacturers approached the U.S. Food and Drug Administration (FDA) about the possibility of electronic submissions with electronic signatures. However, at that time the government did not allow for digital signatures. In July 1992, the FDA began soliciting comments about the process of using electronic signatures.[4]

In March 1997, the FDA issued Part 11 regulations which, in the words of the FDA, were "intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health."[2] Various keynote speeches by FDA insiders early in the 21st century (in addition to compliance guides and draft guidance documents)[2] as well as strong efforts by the FDA to motivate industry to move to e-filing[5] resulted in many companies like Eli Lilly[6], Agilent Technologies[7], and other businesses rapidly being forced to change their methods and systems to adapt to the new standards.[2][8]

However, many entities expressed concerns about the Part 11 conditions, including concerns the regulations would "unnecessarily restrict" the use of technology, add significant compliance costs beyond what was intended, and stifle technological innovation while reducing public health benefit.[2] In November 2002, the FDA released the guidance document "Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records" to the public for comment.[9] On February 3, 2003, the FDA withdrew that document, stating "we wanted to minimize industry time spent reviewing and commenting on the draft guidance when that draft guidance may no longer represent our approach under the [current good manufacturing practice] initiative," adding it would afterwards "intend to exercise enforcement discretion with regard to certain Part 11 requirements."[2] Further guidance documents were withdrawn later that month, culminating in a final guidance document in August 2003 stating the agency would re-examine Part 11 and make necessary changes.[2][10] Despite retracting the guidance documents, however, the FDA reiterated that "21 CFR Part 11 is not going away, and neither is the agency's demand for electronic record integrity."[11] The retraction of guidance and the change in policy nonetheless led many IT staff in the pharmaceutical and life sciences industry in late 2004 to name the lack of clear FDA guidance on what compliance requires as one of their key problems.[12]

The FDA had indicated it would produce a revised version of Part 11 by the end of 2006, after its Third Annual FDA Information Management Summit had concluded.[13] Those revisions never arrived, and little in the way of updates on the topic arrived.[14] On July 8, 2010, the FDA announced it would begin to audit facilities working with drugs "in an effort to evaluate industry's compliance and understanding of Part 11 in light of the enforcement discretion,"[15] leaving some to wonder if this was an indicator the regulation and/or its guidance would finally see a revision.[16][17]

Structure

The structure of Part 11 is as follows:

Subpart A — General Provisions

§ 11.1 Scope
§ 11.2 Implementation
§ 11.3 Definitions

Subpart B — Electronic Records

§ 11.10 Controls for closed systems
§ 11.30 Controls for open systems
§ 11.50 Signature manifestations
§ 11.70 Signature/record linking

Subpart C — Electronic Signatures

§ 11.100 General requirements
§ 11.200 Electronic signature components and controls
§ 11.300 Controls for identification codes/passwords

Audit guidelines and checklist

The following guidelines and checklist items provide a frame of reference for vendors and auditors to better determine potential compliance issues.

All items in the checklist for general IT controls should also be checked for individual systems - especially where those systems use different control measures (e.g., they have an independent authentication system).

If this checklist is used by software vendors, then certain elements may or may not apply depending on the circumstances. For instance, validation is technically the responsibility of the entity acquiring the software. However, in the case of SaaS, a greater practical responsibility to validate the system may lie with the vendor. In all cases, the vendor should assume responsibility for ensuring that their software operates as intended within the targeted environments. Failure to do so may make potential customers unwilling to acquire the system.

References will be provided for each checklist item to indicate where the requirement comes from. These references are either to the regulation itself, Agency responses in the Final Rule, or from the guidance document "General Principles of Software Validation; Final Guidance for Industry and FDA Staff" (GPSV).

General IT

Following is a list of questions that apply either to the larger IT environment or to both the larger environment and individual systems. The auditor must be sure to evaluate both where necessary. For instance, an organization may have a robust password policy which is managed by a centralized identity management tool. This is important to evaluate in terms of the general security around the systems in scope. At the same time, the specific system may or may not leverage the corporate IDM, and thus its identity management should be evaluated on its own merits.

Computer Systems Validation - 21 CFR 11.10(a)

  • Does a defined computer system validation policy exist? - 21 CFR 11.10(a)
  • Are all computer systems involved in activities covered by predicate regulations validated? - 21 CFR 11.10(a), 21 CFR 211.68(b), 21 CFR 820.30(g)
  • Does the computer system validation cover the current deployed version of the system? - GPSV 4.7
  • Validation Assessment
    • Does the software developer have a defined SDLC? - GPSV 4.4
    • Does the SDLC reflect a generally recognized life cycle approach? [18]
    • Is the SDLC followed?
    • Is the software well documented from a design/implementation perspective?
    • Is there evidence of design review activities (what this entails will depend on the nature of the SDLC; for instance, Agile methodologies will involve daily standup meetings, while a waterfall approach may reflect formal design review steps)?
    • Does the level of validation coverage reflect the risk from system failure?
    • Is there sufficient level of independence in the validation/verification activities?
    • Are sufficient resources and personnel provided for software development and validation?
    • Are records maintained of defects and failures identified in the development process?
    • For any software system, is there a set of approved requirements which drove the design (note: the name can vary based on the SDLC in use)?
    • For iterative development approaches, are previous versions of deliverables (such as requirements lists) archived in some fashion?
    • Is there an audit trail for modifications to system documentation?
    • For COTS (Commercial Off The Shelf), has the vendor been evaluated for its quality systems?
    • Is there some form of traceability that permits tracking of test results and verification activities to specific requirements?
    • Are adequate user documents available for the system?
    • Are adequate change control systems in place during the development and implementation processes?
    • For each of the other elements of this checklist that apply directly to an electronic record system, has appropriate validation work been undertaken to establish that the system complies with the checklist item?

Identity Management Systems

  • Do any identity management systems have minimum password complexity/strength requirements? Do these minimums seem reasonable?
  • Do these ID systems have policies regarding password change frequency?
  • Do identity management systems prevent the creation of duplicate user IDs?

Access Controls

  • Do formal procedures exist governing user account creation for electronic records systems?
  • Do formal procedures exist governing access to network and server resources that are used to operate electronic records systems?

Cloud Computing Policies

  • Are policies in place governing the selection and use of cloud vendors for electronic record systems?
  • Do policies governing record retention specifically apply to cloud vendors?
  • Are systems for transmitting electronic records configured to do so in a secure manner?

Training Programs

  • Is there a defined training program around authentication practices? Electronic signatures?
  • Are system administrators and developers trained in Part 11 and related regulations?
  • Are users trained on the use of electronic records systems?

Change Control Systems

  • Is there a formal change control system for modifications to the production electronic records system?
  • Is there a formal change control system for changes to requirements and design elements of the system during the development process?
  • Does the change control system require an assessment of impact, risk, and require authorization before proceeding?
  • Do change control systems in use for Agile development models require product owner and development team approvals?

Electronic Signature Certification

  • If the organization is using electronic signatures, have they filed a certification with the FDA indicating so?

Records Retention Policy

  • Does the organization have a records retention policy covering records per the predicate regulations?

System Specific

Fraud Detection

  • Is the system designed to either prevent record alteration or make such alteration apparent?

Audit Trails

  • Does the system maintain an audit trail that tracks changes to electronic records?
  • Are the audit trail records time stamped?
  • Are the audit trail records system generated, such that human intervention is not required?
  • Are audit trail records secured such that they cannot be modified by users of the system?
  • Is the audit trail data available for export (printing or electronic) to support agency review?

Access Controls

  • Do the identity management systems have minimum password complexity/strength requirements? Do these minimums seem reasonable?
  • Do these ID systems have policies regarding password change frequency?
  • Do identity management systems prevent the creation of duplicate user IDs?

Open Systems Controls

  • Are records transmitted by the system sent in a secure manner, such that their authenticity, integrity and confidentiality are ensured?
  • Is access to the system appropriately managed to prevent unauthorized external access?
  • Has the system been evaluated for susceptibility to intrusion?
  • Is there a system in place to evaluate current IT security threats that have been identified (by the National Cyber Awareness System via NIST, or other appropriate organization)?

Electronic Signatures

  • Is the electronic signature system engineered in such a way as to ensure that the signatures cannot be attached to other records, or cannot be removed from the records they are attached to?
  • Is the system engineered such that applying someone else’s signature to a file requires the collaboration of two or more individuals? (This is largely covered by the identity management controls.)
  • If a signature event only requires one signature element, is it only in the case of being part of a continuous period of system access?
  • Are there suitable loss management procedures in place to address compromised passwords, or lost/stolen authentication devices (such as RSA ID tokens)?
  • Is the system designed to alert security and/or management in the event of an apparent attempt at unauthorized use of electronic signatures? Does the system automatically take steps to lock out users associated with these attempts?
  • Is there a system for the periodic testing of tokens and cards to ensure that they are still operating as expected and have not been altered? If not, is there something in the nature of the tokens/cards that would render them unusable should alteration be attempted?
  • Is there a password reset method that does not require system administrators to know a user’s password?
  • Are user passwords stored in any persistent data store only in a suitably protected form (salted hashes rather than reversible encryption), such that recovering the original password would require extraordinary means?
  • Are controls in place to ensure that password reset instructions are sent to the correct individual?
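The Fraud Detection, Audit Trails and Electronic Signatures checklist items above describe properties a system must exhibit rather than how to build them. The following is an added example, not code from the LIMSWiki page or from any FDA guidance, of the two core mechanisms: a hash-chained, system-timestamped audit trail in which any edit to a past entry is apparent, and a signature manifestation (printed name, time, meaning) bound to the record content so that it can neither be moved to another record nor survive alteration of the signed record. The HMAC key is a constructed placeholder; a real system would hold it in a protected key store.

```python
"""Added example: tamper-evident audit trail and signature/record linking.
Not the page's own code; SYSTEM_KEY is a constructed placeholder."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SYSTEM_KEY = b"constructed-demo-key-not-for-production"  # assumption


def _now():
    # System-generated timestamp: the user never supplies it.
    return datetime.now(timezone.utc).isoformat()


def _digest(obj):
    # Canonical JSON so the same content always hashes the same way.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry commits to the previous entry's digest,
    so editing or removing any entry breaks the chain on verification."""

    def __init__(self):
        self.entries = []

    def append(self, user, action, record_id, old, new):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"ts": _now(), "user": user, "action": action,
                "record": record_id, "old": old, "new": new, "prev": prev}
        body["digest"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def sign_record(record, printed_name, meaning):
    """Signature manifestation (name, time, meaning) tied to the record hash."""
    manifest = {"signer": printed_name, "ts": _now(), "meaning": meaning,
                "record_hash": _digest(record)}
    manifest["mac"] = hmac.new(SYSTEM_KEY, _digest(manifest).encode(),
                               hashlib.sha256).hexdigest()
    return manifest


def verify_signature(record, manifest):
    """False if the record changed after signing, if any manifest field was
    edited, or if the manifest was lifted from a different record."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(SYSTEM_KEY, _digest(body).encode(),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, manifest["mac"])
            and manifest["record_hash"] == _digest(record))
```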

Export of Records for Agency Review

  • Does the system support exporting records in a format that is readable by the agency?
  • If the agency hasn’t been specifically consulted with regard to acceptable formats, does the system support export into common formats such as XML or JSON?

Records Retention Support

  • Does the system have sufficient controls to ensure that the records stored within it will be available throughout the period specified in the records retention policy?

Process Controls

  • Does the system have a mechanism to establish differing levels of authority to perform tasks in the system?
  • Does the system have a mechanism for preventing steps being taken out of sequence (e.g., signing a record before data has been entered, or releasing a record before the review step was completed)?


References

  1. "Electronic Code of Federal Regulations - Title 21: Food and Drugs - Part 11: Electronic Records; Electronic Signatures". U.S. Government Printing Office. http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=04a3cb63d1d72ce40e56ee2e7513cca3&r=PART&n=21y1.0.1.1.8. Retrieved 02 March 2012. 
  2. "Part 11, Electronic Records; Electronic Signatures — Scope and Application". U.S. Food and Drug Administration. August 2003. http://www.fda.gov/regulatoryinformation/guidances/ucm125067.htm. Retrieved 06 April 2013. 
  3. Huber, Ludwig (15 November 2012). "Tutorial: 21 CFR Part 11 - Electronic Records and Electronic Signatures". LabCompliance. http://www.labcompliance.com/tutorial/part11/. Retrieved 10 April 2013. 
  4. Jackson, William (1 June 2000). "FDA offers electronic option". GCN. http://gcn.com/Articles/2000/06/01/FDA-offers-electronic-option.aspx?Page=2. Retrieved 06 April 2013. 
  5. Greenemeier, Larry (25 February 2002). "FDA Moving To E-Filing". InformationWeek. http://www.informationweek.com/fda-moving-to-e-filing/6500937. Retrieved 06 April 2013. 
  6. Greenemeier, Larry (18 February 2002). "Lilly Cures Inefficiency With IT". InformationWeek. http://www.informationweek.com/lilly-cures-inefficiency-with-it/6501017. Retrieved 06 April 2013. 
  7. "Agilent Introduces Security Pack for Analytical Laboratories". Laboratory Network. 20 June 2000. http://www.laboratorynetwork.com/doc/Agilent-Introduces-Security-Pack-for-Analytic-0001. Retrieved 06 April 2013. 
  8. Harrold, Dave (1 April 2002). "'I'm from the Government, and I'm Here to Help You!'". Control Engineering. http://www.controleng.com/single-article/i-m-from-the-government-and-i-m-here-to-help-you/61fedbc69297fc6965c6d8840871e085.html. Retrieved 06 April 2013. 
  9. "FDA releases 21 CFR Part 11 guidance document". Control Engineering. 3 January 2003. http://www.controleng.com/search/search-single-display/fda-releases-21-cfr-part-11-guidance-document/5edbb001e1.html. Retrieved 06 April 2013. 
  10. "FDA plans to amend 21 CFR Part 11 rules". in-Pharma Technologist. 5 September 2003. http://www.in-pharmatechnologist.com/Drug-Delivery/FDA-plans-to-amend-21-CFR-Part-11-rules. Retrieved 06 April 2013. 
  11. June, Tamar M. (July 2003). "Quality Assurance, Safety and 21 CFR Part 11: These three old friends are here to stay". Quality Digest. http://www.qualitydigest.com/july03/articles/04_article.shtml. Retrieved 10 April 2013. 
  12. "Complying with US Food and Drug Administration(FDA) data regulations is proving a struggle for IT departments in pharmaceutical and life science companies". Storage Networking Solutions. 17 November 2004. http://snseurope.info/article/12833/Complying-with-US-Food-and-Drug-Administration(FDA)-data-regulations-is-proving-a-struggle-for-IT-departments-in-pharmaceutical-and-life-science-companies. Retrieved 06 April 2013. 
  13. Reymond, Emilie (24 October 2006). "FDA to review electronic signature regulation". in-Pharma Technologist. http://www.in-pharmatechnologist.com/Regulatory-Safety/FDA-to-review-electronic-signature-regulation. Retrieved 06 April 2013. 
  14. Miller, George (13 November 2009). "Don't sweat the Part 11 stuff". FierceBiotechIT. http://www.fiercebiotechit.com/story/dont-sweat-part-11-stuff/2009-11-13. Retrieved 06 April 2013. 
  15. "FDA To Conduct Inspections Focusing on 21 CFR 11 (Part 11) requirements relating to human drugs". U.S. FDA. 8 July 2010. http://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/ucm204012.htm. Retrieved 06 April 2013. 
  16. Barsky, Emma; Grunbaum, Len (25 July 2010). "Part 11: How Will FDA Enforce?". GxP Perspectives. http://gxpperspectives.com/2010/07/25/part-11-how-will-fda-enforce/. Retrieved 06 April 2013. 
  17. Appel, Ken (28 July 2010). "Audit Alert! - Clarity on e-Records: FDA to Re-Evaluate 21 CFR 11". Pharmaceutical Processing. http://www.pharmpro.com/blogs/2010/07/audit-alert-clarity-e-records-fda-re-evaluate-21-cfr-11. Retrieved 06 April 2013. 
  18. While the Agency specifically does not recommend an SDLC, and rightfully so, established SDLC approaches typically become established because of the quality of product that comes from them. An SDLC that is either unique or a blend of disparate approaches may merit additional attention on the part of the auditor.