What is FDA 21CFR Part 11
The United States Food and Drug Administration (FDA) has a legal responsibility to ensure that medical devices are safe and effective. Therefore, in FDA-regulated industries, quality and accountability standards are much higher. One of the ways the FDA assures quality in the industry is to require that records concerning important aspects of the design, development or manufacturing process be kept. These regulations originally dealt with paper records and hand-written signatures. However, with the rise of computer technology used in medical device development, it became apparent that regulations were needed to address the issues related to electronic records and signatures. A joint FDA/industry task force was formed to develop the
requirements for electronic records and signatures, resulting in Title 21 of the Code of Federal Regulations; specifically Part 11 – Electronic Records; Electronic Signatures (21 CFR Part 11) regulation that became law in August of 1997. The objective of 21CFR Part 11 is to allow the industry to take advantage of electronic record keeping while making sure that electronic records and signatures are equivalent to paper records and signatures. The regulation defines what the FDA requires to ensure that electronic records are reliable, trustworthy, and authentic and that they can be considered equivalent to paper records and handwritten signatures for FDA purposes. This rule does not mandate the use of electronic records; however, if electronic records are used to keep FDA-required information, then the electronic records must comply with 21 CFR Part 11..
Three main type of FDA 21CFR Part 11 requirements
21 CFR Part 11 requirements can be classified into three types: policy, procedural, and technical. All three types of regulations rely on each other, and all must be implemented to have a truly compliant system. The policy and procedure regulations
provide the foundation for compliance, and define both the intent and criteria for system use. Whilst we can specify the functions that make Visure Requirements comply with the technical requirements, it’s also about the policies you put in place and how your employees interact with the software.
Policy requirements within an organization cover the company’s interpretation of the regulation, how the company will verify the identity of individuals, and how the validity of electronic signatures will be ensured. These include determining policy for:
- Protection of records to enable their accurate and ready retrieval throughout the record retention process
- Limiting system access to authorized individuals
- Use of operational system checks to enforce permitted sequencing of steps and events
- Determination that the people who develop, maintain and use the system have the proper education, training and experience
- Written policies to hold individuals accountable for things they agreed to do to deter record and signature fraud from within the company and that hold individuals accountable for actions initiated under their electronic signatures.
Procedural requirements are the company’s Standard Operating Procedures (SOPs) for a system – the how-to documents. There will need to be SOPs relating to the IT infrastructure, addressing areas such as Data Backup, Data Security, Computer
System Validation, notifications, training and other aspects of computer systems that support electronic records and signatures.
Once the using company has incorporated regulatory policy and fully implemented the required procedural controls, it can then install and release a software application to handle the technical controls. Part 11 allows any paper record to be replaced with an electronic record provided the computer system has appropriate features and is validated. CFR 21 Part 11 requires that electronic signatures come with a detailed history of the document—an audit trail. The purpose is to show accountability and to have the history to go back at any point in time to see what the state of that record was. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
Using a Requirement management tool to comply with FDA 21CFR Part 11
This whitepaper describes Visure Requirements solution for meeting FDA 21CFR Part 11 requirements in requirements management applications using a configurable off-
the-shelf (COTS) solution. Visure Requirements is one of the most versatile, powerful Requirements Engineering
support tools, developed by Visure Solutions. Visure Requirements is not only a requirements management tool, but also provides complete support for the Requirements Engineering process, through a series of features that allow the basic activities related to that process to be carried out. It also provides the necessary support for other complementary activities, such as:
- Change impact analysis.
- Report generation.
- Configuration management.
- Reuse of the requirement specification.
Visure Requirements is perfect for companies and organizations in medical, medical-device, pharmaceutical, high-process, complex-technology, manufacturing, and other industries highly-regulated by the FDA.