Introduction to 21 CFR 11

Q: What computer systems must be compliant with 21 CFR 11?
A: All computer systems that store data used to make quality decisions, or data that will be reported to the FDA, must be compliant with 21 CFR 11. In laboratory situations, this includes any laboratory results used to determine quality, safety, strength, efficacy or purity. In clinical environments, this includes all data to be reported as part of the clinical trial used to determine the quality, safety and efficacy of the trial. In manufacturing environments, this includes all decisions related to product release and product quality.

Q: What are the requirements of 21 CFR 11?
A: 21 CFR 11 requires that closed computer systems have a collection of technological and procedural controls to protect data within the system. These controls include:

Open Computer Systems must also include controls to ensure that all records are authentic, incorruptible and (where applicable) confidential.

Q: What is Computer System Validation?
A: Validation is a systematic documentation of system requirements, combined with documented testing, demonstrating that the computer system meets the documented requirements. It is the first requirement identified in 21 CFR 11 for compliance. Validation requires that the System Owner maintain the collection of validation documents, including Requirement Specifications and Testing Protocols.

Q: What is Accurate Record Generation?
A: Accurate record generation states that records which are entered into the system
This is generally tested by verifying that records entered into the system are accurately displayed and accurately exported from the system.

Q: How must records be protected?
A: Electronic records must not be corrupted and must be readily accessible throughout the record retention period. This is usually achieved through a combination of technological and procedural controls.

Q: What is Limited System Access?
A: System owners must demonstrate that they know who is accessing and altering their system data. When controlled technologically, this is commonly demonstrated by requiring that all users have unique userIDs and passwords to enter the system.

Q: What is an Audit Trail?
A: An audit trail is an internal log in a program that records all changes to system data. This is tested by demonstrating that all changes made to data are recorded to the audit trail.
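One way to run the test described above, as an added example (not Ofni Systems code): a store whose only write path appends to the trail, and a check that replays the trail and reports any current value it cannot explain. The class, function and record names are hypothetical, and the sample data is constructed.

```python
import copy
from datetime import datetime, timezone


class AuditedStore:
    """Record store whose only supported write path also appends to the audit trail."""

    def __init__(self):
        self._data = {}   # record_id -> {field: value}
        self.trail = []   # append-only list of audit entries

    def set_field(self, user_id, record_id, field, new_value):
        record = self._data.setdefault(record_id, {})
        self.trail.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user_id,               # unique user ID of the person making the change
            "record": record_id,
            "field": field,
            "old": record.get(field),     # previous value is kept, not overwritten
            "new": new_value,
        })
        record[field] = new_value

    def snapshot(self):
        return copy.deepcopy(self._data)


def replay(trail):
    """Rebuild the data using nothing but the audit trail."""
    rebuilt = {}
    for entry in trail:
        rebuilt.setdefault(entry["record"], {})[entry["field"]] = entry["new"]
    return rebuilt


def unlogged_changes(store):
    """Return (record, field) pairs whose current value the trail does not account for."""
    current, rebuilt = store.snapshot(), replay(store.trail)
    diffs = []
    for rid in sorted(set(current) | set(rebuilt)):
        cur, reb = current.get(rid, {}), rebuilt.get(rid, {})
        diffs += [(rid, f) for f in sorted(set(cur) | set(reb)) if cur.get(f) != reb.get(f)]
    return diffs


def demo():
    store = AuditedStore()
    store.set_field("jsmith", "LOT-001", "assay_pct", 98.7)   # constructed sample data
    store.set_field("mlee", "LOT-001", "assay_pct", 99.1)
    clean = unlogged_changes(store)
    store._data["LOT-001"]["assay_pct"] = 101.0   # simulated write that bypasses the trail
    return clean, unlogged_changes(store), store.trail


if __name__ == "__main__":
    print(demo()[:2])
```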

Q: What are Operational System Checks?
A: Operational System Checks enforce sequencing of critical system functionality. This is demonstrated by showing that business-defined workflows must be followed. For example, data must be entered before it can be reviewed.

Q: What are Device Checks?
A: Device Checks are tests to ensure the validity of data inputs and operational instructions. Generally speaking, Ofni Systems does not suggest testing keyboards, mice, etc., because these input devices are implicitly tested throughout other testing. However, if particular input devices (optical scanners, laboratory equipment, etc.) are used, these devices should be tested to ensure the accuracy of system inputs.

Q: What training requirements are required for 21 CFR 11 compliant programs?
A: Users must be documented to have the education, training and experience to use the computer system. Typically training can be covered by your company's training procedures.

Q: What is a written policy of responsibility?
A: Users must state that they are aware that they are responsible for all data they enter or edit in a system. This can be accomplished technologically through accepting conditions upon signing into the system or procedurally by documenting this responsibility as part of training.

Q: What documentation requirements are required for 21 CFR 11 compliant programs?
A: Documentation must exist which defines system operations and maintenance. Typically these requirements are met by the company's document control procedures.

Q: What are the requirements for Electronic Signatures?
A: All Electronic signatures must:

  • Include the printed name of the signer, the date/time the signature was applied and the meaning of the electronic signature.
  • Be included in the human-readable form of the record. Electronic signatures must not be able to be separated from their record.
  • Be unique to a single user and not used by anyone else.
  • Either use biometrics to uniquely identify the user or, if biometrics are not used, require at least two distinct identifiers (for example, the UserID and a secret password).
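The four signature requirements above, sketched as an added example (not Ofni Systems code and not text from the regulation). Binding the signature to the record with a SHA-256 digest and a system-held HMAC key is an assumption of this sketch, and all function names and sample values are hypothetical.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone

SERVER_KEY = os.urandom(32)   # assumption: a key held only by the system, never by users
SIGNED_FIELDS = ("user_id", "printed_name", "signed_at", "meaning", "record_sha256")

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(users, user_id, printed_name, password):
    if user_id in users:                      # a user ID belongs to exactly one person
        raise ValueError("user ID already assigned")
    salt = os.urandom(16)
    users[user_id] = {"name": printed_name, "salt": salt, "hash": _pw_hash(password, salt)}

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def _mac(sig):
    body = json.dumps({k: sig[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def sign(users, record, user_id, password, meaning):
    """Apply a signature only when both identifiers (user ID and password) match."""
    user = users.get(user_id)
    if user is None or not hmac.compare_digest(_pw_hash(password, user["salt"]), user["hash"]):
        raise PermissionError("user ID and password do not match")
    sig = {"user_id": user_id, "printed_name": user["name"],
           "signed_at": datetime.now(timezone.utc).isoformat(),
           "meaning": meaning, "record_sha256": _digest(record)}
    sig["mac"] = _mac(sig)
    return sig

def verify(record, sig):
    """False if the signature fields were edited or the signature was moved to other data."""
    return (hmac.compare_digest(sig["mac"], _mac(sig))
            and hmac.compare_digest(sig["record_sha256"], _digest(record)))

def render(record, sig):
    """Human-readable form of the record, with the signature shown as part of it."""
    return (f"{json.dumps(record, sort_keys=True)}\n"
            f"Signed by {sig['printed_name']} on {sig['signed_at']} ({sig['meaning']})")
```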

Q: Does 21 CFR 11 have any requirements for passwords or identification codes?
A: Yes. Procedural controls should exist to ensure that:

  • No two individuals have the same UserID and password.
  • Passwords are periodically checked and expire.
  • Loss management procedures exist to deauthorize lost, stolen or missing passwords.

Glossary

Closed Systems are computer systems where system access is controlled by people who are responsible for the content of electronic records in the system. Most applications are considered to be closed systems.

Open Systems are computer systems where system access is not controlled by people responsible for the content of electronic records in the system. The internet and wikis are examples of Open Systems.

Procedural Controls are documented SOPs which ensure that a system is only used in a particular manner.

Technological Controls are program-enforced compliance rules, like requiring that a user have a password to log into a computer system. Technological controls are generally considered to be more secure than procedural controls.

Biometrics are a method of establishing a person's identity based on measurements of the individual's physical characteristics or repeatable actions. Some examples of biometrics include identifying a user based on a physical signature, fingerprints, etc.

Copyright © 1999 - 2010 Ofni Systems Inc.