21 CFR Part 11 Compliance
The following guide is an explanation of the term 21 CFR Part 11 Compliance. It is designed to provide some background into the tools/features that Comark includes in its 21 CFR Part 11 Compliance products to aid compliance with this standard.
We must clarify however, that buying a product from Comark that has features to aid compliance with 21 CFR Part 11, does not guarantee that the customer will be compliant. It is always the responsibility of the customer to integrate the product into their Standard Operating Procedures (SOPs) and perform satisfactory Validation of the new system to ensure that when audited, it complies.
This cannot be stressed clearly enough, but at no time will Comark ever promise to provide 21 CFR Part 11 compliance.
The FDA (Food and Drug Administration) in the USA, issued regulations, Title 21 CFR (Code of Federal Regulations) Part 11 that provide criteria for acceptance by FDA, or an approved regulatory body, for the acceptance of electronic records, electronic signatures, and handwritten signatures executed to electronic records, as equivalent to paper records and handwritten signatures executed on paper.
These regulations, which apply to all FDA program areas, are intended to permit the widest possible use of electronic technology, compatible with the FDA’s responsibility to promote and protect public health.
Part 11 applies to any record governed by an existing FDA predicate rule that is created, modified, maintained, archived, retrieved, or transmitted using computers and/or saved on durable storage media.
In other words, 21 CFR Part 11 can be applied to any record from a Data Logger for example, that is at some stage stored on a PC, or where a PC is used to retrieve the data.
21 CFR Part 11 compliance is crucial to all US pharmaceutical and health care companies and any such company outside the USA that wants to export to the USA. Unless the indigenous and exporting companies adopt the guidelines in the regulation they are prohibited from supplying products.
Although the regulations originate from the USA and are not mandatory elsewhere, many companies throughout the world have adopted, or are adopting, 21 CFR Part 11 even though they are not subject to the FDA regulations. These companies are not just limited to the pharmaceutical sector and they accept the regulations as a recognised contribution to good business practice.
Any company seeking to improve the accuracy and authenticity of its record keeping by adopting 21 CFR Part 11 and which currently uses, or plans to use, data loggers or monitoring systems can benefit from instruments with software that aids 21 CFR Part 11 compliance. The regulation covers any record that is at some stage stored on a PC or where a PC is used to retrieve the data.
Any combination of text, graphics, data, audio, pictorial or other info represented in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.
A computer data compilation of any symbol or series of symbols, executed, adopted or authorised by an individual to be legally binding equivalent of the individual’s handwritten signature.
An electronic signature based upon cryptographic methods or originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
An environment in which system access is controlled by persons who are responsible for the content of electronic records on the system.
Standard Operating Procedures – SOPs
Guidelines and rules defined by the organisation implementing 21 CFR compliance to instruct users what they are and are not permitted to do and how they are to perform the relevant tasks.
The FDA requires by implication, that electronic systems used in a 21 CFR environment, comply with a number of basic requirements. In simple terms this means that each product must have a pre-defined list of tools/features.
Comark includes this minimum list of features in each of its 21 CFR products. Of course these tools are very useful in the product, whether it is used in 21 CFR part 11 compliance environments or not.
These tools are listed below with a short explanation of their role…
Users and Administrators (Password protected)
All Comark 21 CFR products require users to log-in via a unique username and password. Usernames may not be repeated, but there is no restriction to the use of the same password for different users. All passwords must be at least 6 characters in length. However, the nature of the password, and the character combinations are a matter for the customer SOP.
Comark does not restrict the use of more basic passwords for customers not working under 21 CFR. All administrator passwords for RF500 do not expire. Again this is to avoid past situations of customers not renewing their password, and then finding that no-one can log-in. Therefore, it is advised that administrators are kept to a minimum number, and that no administrator performs day to day activities on the system, when used under 21 CFR. However this is a matter for the customer to decide.
Within RF500, ‘Historic’ data that has come from a task that is closed can be ‘signed’ electronically. In this way a user/administrator is making it clear that the data associated with the task is good and meets minimum requirements as laid down by the customer. All data when signed must be done so with a reason for and authority to sign, and cannot be completed without such authorization. All actions are recorded in the Audit trail.
A user can only add an electronic signature if this specific function is enabled in their user profile. The signature function includes all the 21CFR Part 11 required elements:
Reason for signing
Authority to sign
Users must supply authentication credentials each and every time a document is signed. Once an electronic signature has been added the document cannot be changed. The software will allow data to be printed/exported without it being signed. However, all printed records should be signed before printing if they are going to be used as evidence as to the performance of the system.
The design of the storage mechanism in which all results are stored includes –
Unique identity for results with date/time and user identity
Facility to track into results to see all aspects of how they were achieved e.g. method and equipment used including version or serial number
Identification of invalid results – alarms etc
All results stored are fixed and cannot be edited
The software packages include a full audit trail, as required by 21CFR Part 11. The audit trail shows the history of all changes to system parameters made by any user who logs into the software. Only users with the required access levels are able to view the audit trail.
The Audit Trail includes: –
Auto generation of trail with date/time and user identity
Changes to records, configuration methods or results are logged with the reason for the change
Availability for review or copy by FDA
Exportability as text or PDF
Search and filter functions to find and extract data quickly
Validation and IQ OQ PQ – Comark can provide background information for completion of IQ OQ PQ in the form of documents that can form the basis of any customer ‘project’ to complete IQ OQ PQ, and Validation of RF500. However at no time does access to or merely holding these documents provide the customer with certified Validation of the equipment.
It is always the responsibility of the customer to ensure that adequate Validation of the system has taken place and this must be authorized by a responsible person in the customers’ organization. If this is not undertaken then 21 CFR compliance is unlikely. Any testing and validation undertaken by Comark and passed on to the customer is not sufficient for the customer to claim that the system is validated. Individual customers must perform their own Validation to ensure compliance.
21 CFR Part 11 Compliance Policy Statement
Comark takes the view, from many discussions with leading pharmaceutical companies, that it is always the responsibility of the customer along with their auditors to confirm compliance. And as such Comark does not, at any time, imply that the use of any Comark 21 CFR product will automatically give the customer protection to and therefore compliance with 21 CFR Part 11. The reason for this is simple, it is not allowed by the FDA. All21 CFR systems must therefore be independently audited.
In conclusion, any Comark product designated as 21 CFR Part 11 is simply designed to be integrated into the customers’ SOPs as part of a 21 CFR Part 11 system. Each 21 CFR product has a range of tools (see above) that provide an excellent basis for complying with the requirements of 21 CFR Part 11. If the SOPs are updated to include the use of the product then compliance is far from guaranteed, but it will be more likely.