There is often some confusion in companies about 21 CFR Part 11 and related compliance. Many companies think they meet the requirements but in reality they do not.
If you think it's all about validation, audit trails, records and retention, and that your business is safe because it has paper master files, you may want to reconsider. The question is more complex.
Let’s clarify and give some advice, especially to companies that deal with medical devices.
What Is 21 CFR Part 11?
21 CFR Part 11 is a regulation that defines the criteria required by the FDA for electronic data to be truthful, robust and equivalent to the corresponding paper data.
The first part of 21 CFR Part 11 deals with electronic records and data retention, while the second part is inherent to electronic signatures.
One thing to remember is that 21 CFR dates back to 1997, so it is obvious that in the last 20 years our knowledge of electronic systems and their potential have changed a lot.
Who Should Apply 21 CFR Part 11?
Any company where electronic data is used must apply the regulation.
Electronic data: “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” (11.3)
Purpose Of 21 CFR Part 11
Know how to use computer systems and software and when they are not working properly.
Keep data securely to prevent it from being modified or lost
Track changes to the data
Identify data falsification and prevent it
Controls for closed systems
Anyone who uses closed systems to create, modify, store or transmit electronic data must have procedures and controls to ensure the authenticity, integrity, and confidentiality of the data through:
System validation
Ability to generate certified and controlled copies of data
Data protection
Limited and controlled access to the system
Use of audit trail
Operating system checks
Access controls
Adherence to the SOPs
Checks on documentation
Password and access management
Passwords are one of the most secure components of a system. With passwords it is possible to know the role, permissions and limitations of each user.
It is good practice to apply password management best practices, but in this case the document is vague. Here are some general indications to improve security and choose a good password:
Minimum 8 characters
Do not use common words
Use alphanumeric characters
Change the password every 90 days
Do not reuse the last 6 passwords
Do not show the text as you type the password
Do not allow the browser to save the password
The password must be personal and non-transferable
Do not write the password on paper or post-its
Access to electronic data must be controlled by unique IDs and with personalized logins that provide access via username and password.
After a period of inactivity (about 10 minutes) the user should be logged out of the system. Login attempts should be suspended after 3 unsuccessful entries of the credentials.
If an account has been inactive for a long period of time, it must be locked out. This period is usually quantified in 30 days.
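The thresholds above can be expressed as a single policy check. The following is an added example, not part of the original article: the `Account` record, the function names and the sample word list are hypothetical, and "use alphanumeric characters" is read here as "must contain both letters and digits".

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds taken from the text above.
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILURES = 8, 6, 3
MAX_PASSWORD_AGE = timedelta(days=90)
IDLE_LIMIT = timedelta(minutes=10)
DORMANT_LIMIT = timedelta(days=30)
COMMON_WORDS = {"password", "welcome", "qwerty"}  # constructed sample list

@dataclass
class Account:  # hypothetical account record
    salt: bytes
    password_set: datetime
    last_activity: datetime
    failed_logins: int = 0
    history: list = field(default_factory=list)  # PBKDF2 digests, newest last

def digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_problems(candidate, account):
    """Return the rules a proposed new password breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("needs letters and digits")
    if any(word in candidate.lower() for word in COMMON_WORDS):
        problems.append("contains a common word")
    d = digest(candidate, account.salt)
    if any(hmac.compare_digest(d, old) for old in account.history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last 6 passwords")
    return problems

def access_decision(account, now):
    """Decide what the system does with this account at time `now`."""
    if account.failed_logins >= MAX_FAILURES:
        return "locked: too many failed logins"
    if now - account.last_activity >= DORMANT_LIMIT:
        return "locked: inactive account"
    if now - account.password_set >= MAX_PASSWORD_AGE:
        return "password change required"
    if now - account.last_activity >= IDLE_LIMIT:
        return "session ended: log in again"
    return "ok"
```

Only salted digests of earlier passwords are kept, so the reuse rule can be enforced without storing any password in readable form.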
Audit trail and electronic signature
The purpose of the audit trail is to know what each user did and when they did it. The audit trail tracks when data is created, changed or deleted, and when each of these changes occurred.
All the events that occur concerning a datum must be recorded with the name of the person who made the modification, the date and the time. The purpose of 21 CFR Part 11 also includes detecting fraud, and knowing when each change occurs helps with this task.
The audit trail is the complete history of electronic data management
21 CFR Part 11 also covers the electronic signature for the review and approval of information. The electronic signature must be associated with a unique and personal username and password and must be completed with date and time. It is essential that once data is signed for approval, it becomes impossible to modify.
Remember that:
Compliance with 21 CFR Part 11 is always the responsibility of the company. No software and/or validation company will take responsibility for you.
Consulting firms will be able to test and validate your platform, support you in filling out the necessary documentation and help you achieve compliance but the ultimate responsibility remains with the company.
What is FDA CFR21 part 11 for the pharma world?
Luca Rizzardi 17. January 2019
In the pharmaceutical world, one of the most important regulations to comply with is FDA CFR21 part 11. What is this regulation, so important, to which Yokogawa fully responds with its data logging & recording systems?
Well… let’s imagine a pharmaceutical manufacturing facility that makes some drugs for heart disease. You can well imagine that any errors in production, incorrect measurements or incorrect device settings (and human errors) could lead to tragic events, dramatically affecting people’s health.
Based on the above, it is therefore mandatory to find some rules to follow in order to be able to trace and detect any errors and / or anomalies before these can lead to serious consequences.
The above is the purpose of FDA CFR21 part 11.
The basic core of the rules of the aforementioned legislation is as follows:
Track and record any settings or changes in device settings
who did it
guarantee the quality and incorruptibility of the recorded data
set up user profiles in terms of complete control, partial control and “user” to ensure the right delegation of responsibilities at the right level.
The coding of the data must guarantee the incorruptibility of the recorded data; in short, it must be impossible to manually change the data. This is done by special algorithms that encode the data so that any changes are immediately detected and reported (thus ensuring compliance with point 3).
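One common way to obtain this property, and the audit-trail and signature behaviour described earlier (who, what, when, and no changes after approval), is a keyed hash chain. This is an added example, not code from the article or from any vendor's product; the function names, the record fields and the demo key are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; in practice the key is held outside the recording system (assumption).
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _mac(key, prev_mac, body):
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(trail, key, user, action, record_id, value, when=None):
    """Append who / what / when to the trail, chained to the previous entry."""
    if any(e["record_id"] == record_id and e["action"] == "sign" for e in trail):
        raise PermissionError(f"record {record_id} is signed and can no longer be modified")
    body = {
        "seq": len(trail),
        "user": user,
        "action": action,  # create | change | delete | sign
        "record_id": record_id,
        "value": value,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
    }
    prev_mac = trail[-1]["mac"] if trail else "0" * 64
    trail.append({**body, "mac": _mac(key, prev_mac, body)})
    return trail[-1]

def verify_trail(trail, key):
    """Return the index of the first entry that fails verification, or None if intact."""
    prev_mac = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or not hmac.compare_digest(entry["mac"], _mac(key, prev_mac, body)):
            return i
        prev_mac = entry["mac"]
    return None
```

Editing a stored value or removing an entry from the middle breaks the chain at that position. Removing entries from the end is not visible from the chain alone, so the most recent MAC also has to be kept somewhere the recording system cannot rewrite.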