Professional Documents
Culture Documents
ESR CFR 21 FDA
ESR CFR 21 FDA
John E. Lincoln
INTRODUCTION
As the medical device industry moves toward electronic records (ER) and signatures by in-house systems and/or cloud/web-based systems, and away from
paper documentation, 21 Code of Federal Regulations
(CFR) Part 11, Electronic Records; Electronic Signatures
(ES) verification and validation (V&V) activities and
documentation become mandatory. These issues are
not only a regulatory/Part 11 concern but also a user/
customer concern.
These requirements should not be viewed as unnecessary bureaucratic red tape. All industries, not just
gxpandjvt.com/bios
gxpandjv t.com
magenta
cyan
yellow
black
information,
go to
Journal
of
15
ADV
ELECTRONIC RECORDS/SIGNATURES
AREAS REQUIRING V&V
The following are the type of electronic records and/or
e-signatures that require validation under 21 CFR Part
11. These may be exclusive cGMP records or records
used for cGMP decision-making (regardless of the
company written policy):
Any cGMP document that an SOP states is documented by a controlled hard/paper copy with
manually entered signatures (this includes personnel actually not using these hard copies but
referring to their computers in order to make
quality control [QC]/cGMP decisions [i.e., it is
16
magenta
cyan
yellow
black
Journal
of
ADV
John E. Lincoln.
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Expected Outcome
Meet Outcome
System creates/maintains a
secure, time stamped audit trail.
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
ERP software used to control movement and storage of inventory, as per above
Any other cGMP/QA/QC approval action and/
or status record.
gxpandjv t.com
magenta
cyan
yellow
black
of
17
ADV
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
magenta
cyan
yellow
black
Journal
of
ADV
John E. Lincoln.
Expected Outcome
Meet Outcome
Is systems operation/maintenance
documentation controlled
(user and password limits)?
Systems operation/maintenance
documentation is controlled
(reference method[s]).
Yes/No
Attachment #
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Expected Outcome
Meet Outcome
N/A
N/A
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
magenta
cyan
yellow
black
SOFTWARE VERIFICATION/VALIDATION
PROTOCOL FORMAT EXAMPLES
The following should be considered as very basic templates. Applicable test cases or test case elements should
be expanded depending upon the applications being
verified/validated. These present one possible method
among many that could be acceptable in validating electronic records and electronic signatures to 21 CFR Part 11.
Journal
of
19
ADV
Expected Outcome
Meet Outcome
Do electronic signature
manifestations include the printed
name, date/time of signing, and
meaning of signing (approval,
review, responsibility, and feature
is available generally by level of
password-protected /defined level
of access)?
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
20
magenta
cyan
yellow
black
Journal
of
iv tnetwork.com
ADV
John E. Lincoln.
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Yes/No
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Expected Outcome
Meet Outcome
Purposeful falsification of an
ES requires two or more willing
individuals
Yes/No
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
gxpandjv t.com
magenta
cyan
yellow
black
Journal
of
21
ADV
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Yes/No
Attachment #
Is there a procedure to
electronically disable any ID code/
password that has been potentially
compromised/lost?
Yes/No
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Yes/No
Attachment #
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
22
magenta
cyan
yellow
black
Journal
of
iv tnetwork.com
ADV
John E. Lincoln.
Expected Outcome
Meet Outcome
Yes/No
Attachment #
Is there a procedure to
electronically disable a device if
its lost/stolen/compromised (by
password access/user alternative)?
Yes/No
Attachment #
Yes/No
Attachment #
Describe or N/A
N/A
Describe or N/A
N/A
Verified By
Initial & Date
Comments: __________________________________________________________________________________
QA Reviewed by: _____________________________________ Date: _________________________________
AN IMPORTANT CAVEAT
CONCLUSION
The use of electronic records and electronic signatures is increasingnot just in regulated industries.
These types of issues will be seen in all industries that
require legally binding documentation. Most professionals already deal with encrypted transactions on
the Internet and hope that companies have similar
systems in place to ensure integrity versus the growing danger of identity theft. The type of information
and verification/validation required in 21 CFR Part
11 will be replicated and expanded upon worldwide,
not only in medical products, but in finance, legal,
and all business entities desiring a viable global business model. JVT
gxpandjv t.com
magenta
cyan
yellow
black
Journal
of
23
ADV
GLOSSARY
Black box
CDRH
cGMPs
CFR
COTS
CSO
ERP
FDA
24
magenta
cyan
yellow
black
Journal
of
Review/verification of software algorithm/coding by observing the softwares operation of the hardware, without access to the actual software code,
as opposed to white box or glass
box testing (see white box below)
Center for Devices and Radiological
Health
Current good manufacturing practices
(for devices it is 21 CFR Part 820)
Code of Federal Regulation
Commercial off-the-shelf software
Consumer safety officer (i.e., the FDA
compliance auditor)
Enterprise resource planning
The United States Food and Drug
Administration
ISO
IT
IQ
OS
OQ
PQ
iv tnetwork.com
ADV
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.