
The FDA's New Enforcement of 21 CFR Part 11 Compliance (An Overview)

June 2012

Contents
About Validation
Abbreviations
FDA Regulation Along the Drug Life
Other Challenges
Modules/Steps Involved in the Validation Process
Module 1: Regulatory Requirements
Module 2: Steps for Cost Effective Computer System Validation
Module 3: Initial and Ongoing Tests of Software and Computer Systems
Module 4: Minimum Validation Documentation Validation
Module 5: Qualification of Network Infrastructure and Validation of Network System
Module 6: Understanding FDA Part 11 and the EU GMP Annex 11
Case Study
Conclusion
Reference
Author Info

© 2012, HCL Technologies, Ltd. Reproduction prohibited. This document is protected under copyright by the author. All rights reserved.

About Validation
Validation:
Validation is defined as the act of testing for compliance with a
standard.
Need for validation in computer systems:
• Required by regulations – US FDA, EMA, GMP, GCP, GLP
• Ensures consistent data and product quality
• Helps to protect intellectual property through scientifically
  sound data
In 1997, the United States Food and Drug Administration (FDA)
issued a regulation that provides criteria for acceptance by the FDA
of electronic records, electronic signatures and handwritten
signatures. This was done in response to requests from the
industry. With this regulation, titled Rule 21 CFR Part 11 (henceforth
referred to as Part 11), electronic records can be equivalent to
paper records and handwritten signatures.
Title 21 is the portion of the Code of Federal Regulations that
governs food and drugs within the United States for the Food and
Drug Administration (FDA), the Drug Enforcement Administration
(DEA), and the Office of National Drug Control Policy (ONDCP).
Compliance is not as easy as it seems.
The premise may seem straightforward, but implementing these
regulations, adhering to them, and being able to document that the
organization is compliant is quite complex. This paper provides you
with information on HCL guidelines for Part 11.


Abbreviations

Sl. No.  Acronyms  Full Form
1.       CFR       Code of Federal Regulations
2.       EU        European Union
3.       GMP       Good Manufacturing Practices
4.       AGMP      Automated Good Manufacturing Practices
5.       GLP       Good Laboratory Practices
6.       GCP       Good Clinical Practices
7.       GxP       GLP+GCP+GMP = Predicate Rules
8.       EMA       European Medicines Agency
9.       URS       User Requirement Specification
10.      PIC/S     Pharmaceutical Inspection Convention/Cooperation Scheme
11.      OQ        Operational Qualification
12.      DQ        Design Qualification
13.      PQ        Performance Qualification
14.      IQ        Installation Qualification


FDA Regulation Along the Drug Life

• Application areas of 21 CFR Part 11
• Part 11 applies to all existing and newly installed systems

Part 11 applies to all records that are defined in the underlying acts
and regulations which govern activities in the life sciences
industries. These underlying acts and regulations, which are
referred to as the “predicate rules,” are any requirements set forth in
the FDCA Act (Federal Food, Drug and Cosmetic Act), the PHS Act
(Public Health Service Act), or any FDA regulation (GLP, GMP, and
GCP). The predicate rules mandate what records are to be
maintained, the content of those records, whether signatures are
required, how long records must be maintained, and so on.
Part 11 requires drug makers, medical device manufacturers,
biotech companies, biologics developers, and other FDA-regulated
industries to implement controls, including audits, system
validations, audit trails, electronic signatures, and documentation for
software and systems involved in processing electronic data that are
either required to be maintained by the FDA predicate rules or used
to demonstrate compliance to a predicate rule. Part 11 applies to all
existing and all newly-installed systems.


Challenges

• Challenges to adhere to Part 11
• Data integrity and information security
• Gap assessment
• Revenue loss

A wave of change is sweeping through the life sciences industry.
Electronic records and electronic signatures are replacing paper
records and hand-written signatures. The challenge is to comply
with the regulations while implementing the most efficient and
effective systems possible. Although companies initially may resist
moving toward compliance, the return on investment for accepting
the change is high. Likewise, the penalty for non-compliance can be
severe.
The regulation has been largely open to interpretation, resulting in
many different compliance approaches. While the FDA is dictating
what needs to be done, how it is to be done is left to individual
companies.
There are several problems or challenges associated with Part 11 in
life science firms:
• Part 11 is a regulation to promote public safety through an
  organization's ability to control data integrity with respect to
  authorized and unauthorized modifications to records. Data
  integrity and information security are the key objectives of
  Part 11.
• To begin the move to compliance, a Part 11 gap assessment
  should be performed on all systems subject to records
  requirements set forth in the FDA regulations.
• Failure to comply can lead to denial of a New Drug
  Application (NDA), potential delay in manufacturing, “483”
  warning letters, civil penalties, and even prosecution for
  negligence. These penalties, and the resulting delay in
  releasing new drugs, can cost life science firms millions of
  dollars.
Steps for attaining initial compliance to Part 11 have been
documented, which can help the organization achieve FDA
compliance.


Modules/Steps Involved in the Validation Process

There are six steps involved in the validation process, which are
listed below.
• Regulatory requirements
• Steps for cost-effective computer system validation
• Initial and ongoing tests of software and computer systems
• Minimum validation documentation inspectors want to see
• Qualification of network infrastructure and validation of
  network systems
• Understanding the spirit and basics of the FDA Part 11 and
  the EU GMP Annex 11


Module 1: Regulatory Requirements

• Steps to achieve regulatory requirements
• Computer system validation
• Regulation and quality standards
• Validation of master plan
• Validation approach - lifecycle models
• Risk-based validation for records generated

Regulatory requirements require persons to “employ procedures
and controls, designed to ensure the authenticity, integrity, and
confidentiality of electronic records, and to ensure that the signer
cannot readily repudiate the signed record as not genuine.” Various
steps have been derived to satisfy these requirements.
• Computer system validation
• Regulation and quality standards
• Validation master plan
• Validation approach – lifecycle models

Computer System Validation

Computer systems used to create, modify, and maintain electronic
records and to manage electronic signatures are also subject to the
validation requirements. Systems that maintain certain employee
training records may even be subject to validation. Such computer
systems must be validated to ensure accuracy, reliability, consistent
intended performance, and the ability to discern invalid or altered
records.
Validation is a systematic documentation of system requirements,
combined with documented testing, demonstrating that the
computer system meets the documented requirements. It is the first
requirement identified in Part 11 for compliance. Validation requires
that the system owner maintain the collection of validation
documents, including requirement specifications and testing
protocols.

Regulation and Quality Standards


The requirements in this part govern the methods, facilities and
controls used for the design, manufacture, packaging, labeling,
storage, installation, and servicing of all finished devices intended
for human use, so they should satisfy:
• GLP (Good Laboratory Practices)
• GCP (Good Clinical Practices)
• GMP (Good Manufacturing Practices)
• AGMP (Automated Good Manufacturing Practices)
• FDA's 21 CFR Part 11/EU Annex 11 (electronic records and
  signatures)
• (Automated) equipment should be suitable for its intended use
• Equipment should be routinely checked

Validation Master Plan


A Validation Master Plan (VMP) is an integral part of a well-organized
validation project. It documents the company's approach
to complex validation projects. The VMP has a broad scope. It
clarifies responsibilities, general objectives, procedures to be
followed for validation, and it prioritizes multiple validation tasks. It
may reference several protocols and procedures to be written in
order to conduct the qualification of several different pieces of
equipment and different processes. It may also specify schedules
for validation and the allocation of resources needed to perform the
validation. The VMP provides a means of communication to everyone
associated with the project. It lets management know how the
company's resources are being allocated and when they will see the
results. It tells the validation team what they have to do, when they
have to do it, and gives them a means of tracking progress. Other
groups can find out what the validation team is doing and what their
roles are in support of the validation project. The FDA can look at
the VMP and see the validation project is well thought out and
organized; there is a logical reason for including or excluding every
system from the validation project based on a risk analysis.

Validation Approach – Lifecycle Models


Validation is not a one-time event. Validation starts when you plan
and design a product (hardware, software) or a method. Validation
is finished when the product is retired and all data is successfully
moved to a new system. Validation follows one of the lifecycle
models.


Risk-Based Validation
Specific requirements for computers and electronic records and
signatures are also defined in the FDA's regulations Part 11 on
electronic records and signatures. This regulation applies to all
FDA-regulated areas, and has specific requirements to ensure the
trustworthiness, integrity and reliability of records generated,
evaluated, transmitted and archived by computer systems. In 2003,
the FDA published guidance on scope and applications of Part 11.


In this document, the FDA promoted the concept of risk-based
validation.

Defined Actions for Risk Categories:

Risk Level   Business Continuity                   Compliance/Health
High         Failure has a significant impact on   Failure of the system may cause harm to
             delivery of products for several      patients and there is no correction
             days                                  possible
Medium       Failure has potential to impact the   Failure of the system may cause harm to
             delivery of products for 1 or 2       patients and there is a good potential
             days                                  to correct the failure
Low          Failure has negligible impact on      Failure of the system will not cause
             product delivery                      harm to patients

Module 2: Steps for Cost Effective Computer System Validation

• Steps to achieve cost effective computer system validation
• Form a project team
• Document the user requirements
• Develop a validation project plan
• Conduct risk assessment
• Assess supplier
• Installation qualification
• Operational and performance qualification
• Validation report

Form a Project Team which should include representatives from
these key areas:
• IT
• QA
• User groups
• Validation groups, if applicable
• Regulatory affairs
• Documentation
• Purchasing
They should meet regularly to make critical decisions and
communicate to a wider user base.


Document the User Requirements which should be based on
requirement specification, risk assessment and GMP impact. User
requirements should be traceable throughout the lifecycle. The
document should cover the below-mentioned points to address this
requirement.
• Contents
• Justification for system
• Intended application, e.g. electronic documents management
• Intended environment (computer and network, operating
  environment, e.g. laboratory, manufacturing and office)
• Process overview
• Detailed user requirements
• Signature and approval
• When to write URS?
• Who writes it, who approves it?

Develop a Validation Project Plan which should define the
activities, procedures and responsibilities for establishing the
adequacy of the system. It should be derived from the company's
validation master plan. There should be a specific strategy,
approach, risk assessment, resources, responsibilities, activities
and deliverables of the validation effort. It can be written in a table
template or a flow text form, as shown below.
Table
Purpose of the plan
Product description
Validation strategy
Responsibilities (position)
Supplier assessment
Risk assessment
Testing strategies and reporting
DQ
IQ
OQ
PQ
Traceability matrix
Procedures
Approval
Documents and control


Conduct Risk Assessment


Risk assessment should be applied throughout the lifecycle of the
computerized system. As part of a risk management system,
decisions on the extent of validation and data integrity should be
based on a justified and documented risk assessment. The purpose
is to optimize resources toward high-risk systems. Inputs for
risk assessment include user experience with the same equipment
already installed, user experience with similar equipment already
installed, IT staff experience with the same or similar equipment,
experience with the equipment vendor, and information from the
vendor on what can go wrong (during testing and ongoing use).

Assess Supplier
The regulated user should take all responsible steps to ensure the
system has been developed in accordance with an appropriate
quality management system. The purpose is to determine the
adequacy of the supplier quality system.

Installation Qualification
Collect the supplier's environmental conditions, operating and
working instructions and maintenance requirements. Compare
systems, as received, with the purchase order. Install the system
according to vendor specifications, such as servers, clients, licenses,
and installation protocol.
Install interfaces, e.g. an e-mail system, with impact analysis. Design
an overview with system drawings, e.g. data flow, and test for
successful installation. Check documentation for accuracy and
completeness. Document all components with asset and serial
numbers.

Operational and Performance Qualification


Ensure the system works in your environment and identify critical
functions for the computer systems as defined in the functional and
user environment specifications. Develop these as test cases for the
functions and define acceptance criteria, or take advantage of the
vendor's OQ package. Perform the test and evaluate results,
compare with the acceptance criteria, and finally document the
results. Ensure smooth application-specific operation and suitable
performance of the complete system through the ongoing operation.


Validation report
It should include a brief description of each project activity used to
review all preceding validation activities and indicate the status of
the system prior to implementation into the production environment.
Deviations from the project plan should be documented and a risk
assessment should be performed.

Module 3: Initial and Ongoing Tests of Software and Computer Systems

A test should be developed, formally documented and used to
demonstrate that the system has been installed and is operating
and performing satisfactorily, and to ensure that system requirements
are met. Keep test evidence based on a justified and documented risk
assessment: keep hard-copy screen prints for high-impact functions.
Consider testing of native functions carefully. The extent of testing
should be based on risk, complexity and novelty.


Module 4: Minimum Document Validation

• List of documents for validation

Documentation which inspectors want to see is listed below.
• Documentation
• Required SOPs (examples)
• Supplier and service providers agreement
• Suppliers and service providers assessment information
• Supplier agreement
• Data back-up
• Back-up storage locations, validation, back-up frequency and
  documentation
• Periodic evaluation and review of computer systems
• Internal audits of computer system
• Business continuity plan
• Disaster recovery plan preparation
• System retirement
• Maintenance support

Framework (corporate, site, department)

For individual projects processes

For individual products

Test records


Module 5: Qualification of Network Infrastructure and Validation of Network System

• Necessity for network infrastructure
• Regulations for validation of network infrastructure

Why Care About Network Infrastructure?

A well-qualified network infrastructure increases system uptime and
reduces maintenance costs. Ensure that the network is qualified at
least once, and not for each application. Network infrastructure is
subject to FDA/EU inspection.

Regulation/Guidelines for Qualification/Validation of Network Infrastructure

• GxPs - System should be suitable for the intended use
• 21 CFR Part 11 – E-signatures/Records - Defines
  requirements for electronic records; electronic signatures in
  FDA regulated industries
• PIC/S Good Practice Guide - Has lots of good
  recommendations on using computers in regulated
  environments


Module 6: Understanding FDA Part 11 and the EU GMP Annex 11

• FDA Part 11 and the EU GMP Annex 11 compliance requirement

FDA Part 11 and the EU GMP Annex 11 insist on the below-mentioned
points:

Control of Closed System (11.10)
• Validation
• Accurate and complete copies
• Protection and retrieval of records
• Limited access to systems and data
• Electronic audit trail
• Authority checks
• Device checks
• Operational system checks
• People qualification
• Individual accountability
• Controls over system documentation

Digital Signatures (11.30)
• Use of digital signatures for open systems

Electronic Signatures (11.50, 11.70, 11.100, 11.13)
• Requirements for signed electronic records
• Linking records to signatures
• Requirements for electronic signatures
• Electronic signature components

FDA 21 CFR Part 11 & EU GMP Annex 11:
General Requirements for Electronic Signatures
• E-signature must be unique. Ex: user ID and password,
  biometric devices
• Identity of individuals must be verified
• Identification code must be periodically checked, recalled and
  revised
• Pass card must be periodically tested
• Attempts at unauthorized access must be reported
• The use of an e-signature must be certified with the FDA

Annex 11 requires 1 and 2 along with the additional
requirements below:
• Risk management
• Supplier and service provider management
• Data entry and processing
• Data accuracy checks
• Change management
• Periodic evaluation
• Incident management
• Batch release
• Business continuity

Regulation (Annex 11)


For electronic records, regulated users should define which data are
to be used as raw data. At least, all data on which quality decisions
are based should be defined as raw data (EU Annex 11).

Recommendation
For hybrid systems, clearly define if electronic data or printouts are
raw data. If printouts are defined as raw data, they should include all
required records.


Case Study
The use of electronic records is expected to be more cost-effective
for the industry and the FDA. The approval process is expected to
be shorter and access to documentation will be faster and more
productive. HCL has provided 21 CFR Part 11 compliance
assessments for many clients on various requirements. One of the
case studies is mentioned below for reference.
Client Requirement
To create a validation plan for a universal testing machine with 21
CFR Part 11 compliance assessments.
HCL Solution
HCL created the validation plan and a tracking system to monitor
the 21 CFR Part 11 compliance requirement.
The validation plan defines:
• Validation strategy for providing the documented evidence
  necessary to demonstrate that the universal testing machine
  functions according to requirements
• Roles and responsibilities to implement the system and to
  maintain it in a validated state
• Validation deliverables required to qualify the client process
  and FDA requirement
Deliverables
Required deliverables for the universal testing machine (UTM)
validation plan are as follows:
• Validation plan
• Quality and regulatory assessment
• 21 CFR Part 11 coverage assessment
• User requirements specification
• Risk level and other risk documentation, e.g. PFMEA, if any.
  DFMEA and PFMEA documents were not required as the risk
  was medium, based on the risk assessment document.
• Test cases for installation and user requirements
• Requirement traceability matrix
• Standard operating procedure
• 21 CFR Part 11 compliance assessment


Conclusion
The ultimate goal of computer system validation is to produce
documentation that actually raises the quality instead of just
producing more paper.
Over the years, HCL has developed a step-by-step approach to
computer system validation - 21 CFR Part 11 compliance. This
step-by-step procedure adheres to the FDA rules to meet Part 11
requirements and to ensure the electronic records and electronic
signatures are trustworthy, reliable and compatible with the FDA's
public health responsibilities.


References
• Code of Federal Regulations, Title 21, Food and Drugs, Part 11
  Electronic Records; Electronic Signatures
• L. Huber, “Validation of Computerized Analytical and Networked
  Systems”
• FDA Guidance for Industry Part 11, Electronic Records;
  Electronic Signatures Scope and Applications
• L. Huber, “Risk-Based Validation of Commercial Off-the-Shelf
  Computer Systems”

Author Info

Kannan Palaniappan – Kannan has over 10 years of experience in new
product design and development on electro-mechanical products,
including three and a half years of medical product design. He has
worked in cryoablation system design and development, and
orthopedics instrument and sterilization unit system development.

Prasanna Kumar Thirunavukkarasu – Prasanna has over eight years of
experience in new product design and development on
electro-mechanical products that includes over a year in medical
product design. He has worked in design and development of
“energy-based devices” and orthopedic implants and instruments.
