21 CFR Part 11 – Computerized System Validation
Katalyst HealthCares & Life Sciences
www.KatalystHLS.com
AGENDA
• Meaning of 21 CFR Part 11
• Key concepts and terms
• Review of Regulations
• Case Study
• Q & A
DECODING OF “21 CFR PART 11”
• CFR = “Code of Federal Regulations”
• 21 = “Title 21”
• Part 11 = Specific to ERES, including electronic submissions to the FDA
• Part 11 falls under “Chapter I” of the CFR
• Part 11 falls under “Subchapter A-General” of Chapter I of the CFR
• Title 19: Customs Duties
• Title 20: Employees Benefits
• Title 21: Food and Drugs
• Title 22: Foreign Relations
• Title 23: Highways
21 CFR PART 11 CONTENT
Subpart A – General Provisions
✓ 11.1 – Scope
✓ 11.2 – Implementation
✓ 11.3 – Definitions
Subpart B – Electronic Records
✓ 11.10 – Controls for closed systems
✓ 11.30 – Controls for open systems
✓ 11.50 – Signature manifestations
✓ 11.70 – Signature/record linking
Subpart C – Electronic Signatures
✓ 11.100 – General requirements
✓ 11.200 – Electronic signature components and controls
✓ 11.300 – Controls for identification codes/passwords
Scope
SECTION 11.1(a)
The regulations in this part set forth the criteria under which the agency
considers electronic records, electronic signatures, and handwritten
signatures executed to electronic records to be trustworthy, reliable and
generally equivalent to paper records and handwritten signatures executed
on paper.
FDA considers:
• Electronic records the same as paper records
• Electronic signatures the same as ink signatures
Scope
SECTION 11.1(b)
This part applies to records in electronic form that are created, modified,
maintained, archived, retrieved, or transmitted, under any records
requirements set forth in agency regulations. This part also applies to
electronic records submitted to the agency under requirements of the
Federal Food, Drug, and Cosmetic Act and the Public Health Service Act,
even if such records are not specifically identified in agency regulations.
However, this part does not apply to paper records that are, or have been,
transmitted by electronic means.
Part 11 applies: records kept in electronic form under FDA records requirements.
Part 11 does not apply: paper records that are, or have been, transmitted electronically (e.g., a scanned paper record sent as an email attachment).
Scope
SECTION 11.1(c)
Where electronic signatures and their associated electronic records meet
the requirements of this part, the agency will consider the electronic
signatures to be equivalent to full handwritten signatures, initials, and
other general signings as required by agency regulations, unless specifically
excepted by regulation(s) effective on or after August 20, 1997.
If an organization can prove that its electronic signatures and associated
electronic records comply with Part 11, then FDA will accept electronic
instead of ink.
However, an exception is noted – if another regulation specifically
requires ink signatures, the regulation supersedes Part 11.
Scope
SECTION 11.1(d)
Electronic records that meet the requirements of this part may be used in
lieu of paper records, in accordance with 11.2, unless paper records are
specifically required.
Same as Section 11.1(c)
Scope
SECTION 11.1(e)
Computer systems (including hardware and software), controls, and
attendant documentation maintained under this part shall be readily
available for, and subject to, FDA inspection.
Documented proof that a system complies with Part 11 must be
maintained in such a way that the FDA can inspect it.
Scope
SECTION 11.1(f)
This part does not apply to records required to be established or
maintained by 1.326 through 1.368 of this chapter. Records that satisfy the
requirements of part 1, subpart J of this chapter, but that also are required
under other applicable statutory provisions or regulations, remain subject
to this part.
21 CFR Part 11 does not apply to the food records required by 1.326 through 1.368 (part 1, subpart J), unless those records are also required by other regulations.
Implementation
SECTION 11.2(a)
For records required to be maintained but not submitted to the agency,
persons may use electronic records in lieu of paper records or electronic
signatures in lieu of traditional signatures, in whole or in part, provided
that the requirements of this part are met.
For regulated records that are not submitted to the FDA, organizations
may use electronic instead of paper as long as they can prove that their
electronic records comply with Part 11.
Implementation
SECTION 11.2(b)(1)(2)
For records submitted to the agency, persons may use electronic records in
lieu of paper records or electronic signatures in lieu of traditional
signatures in whole or in part provided that the requirements of this part
are met and
The document or parts of a document to be submitted have been
identified in public docket No. 92S-0251 as being the type of submission
the agency accepts in electronic form. This docket will identify specifically
what types of documents or parts of documents are acceptable for
submission in electronic form without paper records and the agency
receiving unit(s) (e.g., specific center, office, division, branch) to which such
submissions may be made.
If records are to be submitted, they must not only meet Part 11 but also
be of the type of e-record permitted to be submitted.
The types of e-records that the FDA accepts are listed in public docket
No. 92S-0251.
Implementation
SECTION 11.2(b)(2) cont.
Documents to agency receiving unit(s) not specified in the public docket
will not be considered as official if they are submitted in electronic form;
paper forms of such documents will be considered as official and must
accompany any electronic records. Persons are expected to consult with
the intended agency receiving unit for details on how (e.g., method of
transmission, media, file formats, and technical protocols) and whether to
proceed with the electronic submission.
Electronic documents submitted to the FDA that are not called out in
the public docket won’t be considered as official. In these cases, the
paper documents are considered as official and must also be sent along.
Definitions
SECTION 11.3(b)
The following definitions of terms also apply to this part:
Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).
Agency means the Food and Drug Administration.
Biometrics means a method of verifying an individual's identity based on
measurement of the individual's physical feature(s) or repeatable action(s)
where those features and/or actions are both unique to that individual and
measurable.
Act: Food, Drug and Cosmetic Act
Agency: Food and Drug Administration (FDA)
Biometrics: Identity verified through a unique physical trait (e.g., fingerprint).
Definitions
SECTION 11.3(b)
Closed system means an environment in which system access is controlled by
persons who are responsible for the content of electronic records that are on
the system.
A computer system where access is controlled by the same people
responsible for its content. Applies when:
• Network is completely controlled internally
• User accounts and security are controlled internally
• Electronic records are controlled internally
Open system means an environment in which system access is not controlled by
persons who are responsible for the content of electronic records that are on
the system.
A computer system whose access is not controlled by the same people
responsible for its contents. Applies when:
• Network is not controlled internally (internet)
• User accounts and security are not controlled internally (SaaS)
• Electronic records are not controlled internally (external creation/management
of records)
Definitions
SECTION 11.3(b)
Digital signature means an electronic signature based upon cryptographic
methods of originator authentication, computed by using a set of rules and a set
of parameters such that the identity of the signer and the integrity of the data
can be verified.
A type of electronic signature that includes a way of verifying the
identity of the signer and the integrity of the record they signed.
Definitions
SECTION 11.3(b)
Electronic record means any combination of text, graphics, data, audio, pictorial,
or other information representation in digital form that is created, modified,
maintained, archived, retrieved, or distributed by a computer system.
Information in digital form that is created or used in some way by a computer
system.
Electronic signature means a computer data compilation of any symbol or series
of symbols executed, adopted, or authorized by an individual to be the legally
binding equivalent of the individual‘s handwritten signature.
Compilation of electronic data that is as unique and legally binding as a
handwritten signature, but is used to sign records in a computer system.
Definitions
SECTION 11.3(b)
Handwritten signature means the scripted name or legal mark of an individual
handwritten by that individual and executed or adopted with the present
intention to authenticate a writing in a permanent form. The act of signing with
a writing or marking instrument such as a pen or stylus is preserved. The
scripted name or legal mark, while conventionally applied to paper, may also be
applied to other devices that capture the name or mark.
A scripted name or legal mark created by an individual that is unique to
that individual and is used to authenticate something in writing.
Controls for Closed Systems
SECTION 11.10
Persons who use closed systems to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the
authenticity, integrity, and, when appropriate, the confidentiality of electronic
records, and to ensure that the signer cannot readily repudiate the signed
record as not genuine. Such procedures and controls shall include the following:
Organizations responsible for electronic records in a closed system must
document the procedures they follow and the controls they have in
place for ensuring that their electronic records have these qualities:
- Authenticity
- Integrity
- Confidentiality (as needed)
- Irrefutability
Controls for Closed Systems
SECTION 11.10(a)
Validation of systems to ensure accuracy, reliability, consistent intended
performance, and the ability to discern invalid or altered records.
Organizations responsible for electronic records in a closed system must
validate the system to prove that the records in the system can be
trusted.
• Risk-based approach to CSV
• Individuals involved in CSV activity should have adequate experience
and training
• Systems consistently operate as per intended function
• User requirements are met
• Information is secured and properly managed
• Procedures and processes are in place for use of system
• Full traceability of system
• Maintain validated state through effective Change Control
mechanism
Controls for Closed Systems
SECTION 11.10(b)
The ability to generate accurate and complete copies of records in both human
readable and electronic form suitable for inspection, review, and copying by the
agency. Persons should contact the agency if there are any questions regarding
the ability of the agency to perform such review and copying of the electronic
records.
Organizations responsible for electronic records in a closed system must be
able to produce accurate and complete copies of those records for inspection.
• Provide inspectors access to records in human-readable format
• If the record is not human readable, the system shall be capable of
converting it to a readable format such as XML, PDF or HTML
• Content and meaning must remain intact during conversion
• Provide inspectors with the ability to search for records using your hardware
• Be able to produce audit trails and electronic signatures in human-readable form
Controls for Closed Systems
SECTION 11.10(c)
Protection of records to enable their accurate and ready retrieval throughout
the records retention period.
Organizations must retain records and keep them safe so they are
readily available for as long as they are required to be stored.
• Records retention shall be based on Risk Assessment
• Ensure proper backups, so that records can be retrieved
• Maintain records in standard formats such as pdf, xml for long term
retention.
• Computerized System shall be retired only if all the records including
audit trails, signatures etc. have been archived in a human readable
format.
Controls for Closed Systems
SECTION 11.10(d)
Limiting system access to authorized individuals.
Organizations need to ensure that only authorized people have access to a
computer system.
A user account management procedure shall be in place for:
• Access requests
• Roles and privileges
• A mechanism to suspend, disable and modify user accounts
Controls for Closed Systems
SECTION 11.10(e)
Use of secure, computer-generated, time-stamped audit trails to independently
record the date and time of operator entries and actions that create, modify, or
delete electronic records. Record changes shall not obscure previously recorded
information. Such audit trail documentation shall be retained for a period at
least as long as that required for the subject electronic records and shall be
available for agency review and copying.
A secure and complete history (audit trail) of an electronic record should
be automatically generated by a closed system.
A change to an electronic record should not alter the record’s history.
Audit Trail documentation should be:
• Retained for the correct amount of time
• Available for viewing
• System should have automatic mechanism to generate audit trail
• Audit Trail should record the type of entry(add, modify or delete)
• User name with time and date stamp
• Audit trail should have link to the record concerned
• Mechanism to detect changes to Audit Trails
• Audit Trails shall not obscure previous entries.
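As an added example (not part of the original deck), the following Python sketch shows what the audit-trail bullets under 11.10(e) look like in code: entries are computer-generated and time-stamped, carry the user, the entry type (add/modify/delete) and a link to the record, keep the previous value instead of overwriting it, and are chained with a keyed hash so that any later edit to the trail is detected. The signing key, user IDs and record IDs are constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; in a real system this would be held by the audit
# service (HSM/KMS), not by the application users whose actions are logged.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _digest(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on dict ordering.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only, hash-chained audit trail; entries are never edited or deleted."""

    def __init__(self):
        self._entries = []

    def log(self, user, action, record_id, field=None, old=None, new=None, ts=None):
        """Record one operator action. Returns the entry's sequence number."""
        if action not in ("add", "modify", "delete"):
            raise ValueError("entry type must be add, modify or delete")
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": ts or _utc_now(),   # computer-generated time stamp
            "user": user,
            "action": action,
            "record_id": record_id,           # link to the record concerned
            "field": field,
            "old_value": old,                 # previous value is kept, not obscured
            "new_value": new,
            "prev_mac": self._entries[-1]["mac"] if self._entries else "0" * 64,
        }
        entry["mac"] = _digest(entry)         # chained over everything above
        self._entries.append(entry)
        return entry["seq"]

    def entries_for(self, record_id):
        """Complete history of one record, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def verify(self):
        """Return (ok, first_bad_seq). Any edited, removed or reordered entry breaks the chain."""
        prev = "0" * 64
        for expected_seq, e in enumerate(self._entries, start=1):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != expected_seq or e["prev_mac"] != prev or _digest(body) != e["mac"]:
                return False, e["seq"]
            prev = e["mac"]
        return True, None

    def human_readable(self) -> str:
        """Rendering suitable for inspection (11.10(b)): one line per entry."""
        return "\n".join(
            f"{e['seq']:>4} {e['timestamp']} {e['user']:<8} {e['action']:<6} "
            f"{e['record_id']} {e['field'] or ''}: {e['old_value']!r} -> {e['new_value']!r}"
            for e in self._entries
        )


def demo():
    """Constructed scenario: two legitimate entries, then an edit of stored history."""
    trail = AuditTrail()
    trail.log("jsmith", "add", "BATCH-0042", "potency", None, "98.1%",
              ts="2024-03-01T09:00:00+00:00")
    trail.log("jsmith", "modify", "BATCH-0042", "potency", "98.1%", "99.4%",
              ts="2024-03-01T09:05:00+00:00")
    ok_before, _ = trail.verify()
    # Someone with storage access rewrites the old value to hide the change;
    # the chained MAC no longer matches and verify() points at entry 2.
    trail._entries[1]["old_value"] = "99.4%"
    ok_after, bad_seq = trail.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())
```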
SUBPART B: SECTION 11.10 – Controls for Closed Systems
(f) Use of operational system checks to enforce permitted sequencing of steps
and events, as appropriate.
Organizations should ensure that electronic workflows in a computer system
function correctly.
SUBPART B: SECTION 11.10 – Controls for Closed Systems
(g) Use of authority checks to ensure that only authorized individuals can use
the system, electronically sign a record, access the operation or computer
system input or output device, alter a record, or perform the operation at hand.
Organizations should limit system access (at the system and record level) and
verify that the users performing functions in the system are authorized to do so.
SUBPART B: SECTION 11.10 – Controls for Closed Systems
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the
validity of the source of data input or operational instruction.
Organizations should ensure that devices used to enter data into a computer
system operate correctly and that the entered data is valid.
SUBPART B: SECTION 11.10 – Controls for Closed Systems
(i) Determination that persons who develop, maintain, or use electronic
record/electronic signature systems have the education, training, and
experience to perform their assigned tasks.
Organizations should ensure that people who perform functions on or within
the system are appropriately qualified.
SUBPART B: SECTION 11.10 – Controls for Closed Systems
(j) The establishment of, and adherence to, written policies that hold individuals
accountable and responsible for actions initiated under their electronic
signatures, in order to deter record and signature falsification.
Organizations should establish policies to hold individuals accountable for the
integrity of their actions related to electronic records and electronic signatures.
SUBPART B: SECTION 11.10 – Controls for Closed Systems
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of
documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that
documents time-sequenced development and modification of systems
documentation.
Organizations should control the documents related to system operation and
maintenance and preserve the complete history of changes made to these
documents.
SUBPART B: SECTION 11.30 – Controls for Open Systems
Persons who use open systems to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the
authenticity, integrity, and, as appropriate, the confidentiality of electronic
records from the point of their creation to the point of their receipt. Such
procedures and controls shall include those identified in 11.10, as appropriate,
and additional measures such as document encryption and use of appropriate
digital signature standards to ensure, as necessary under the circumstances,
record authenticity, integrity, and confidentiality.
When organizations use open systems, all of the controls for closed systems
still apply, but additional steps (such as document encryption and digital
signatures) need to be taken to ensure the record qualities of authenticity,
integrity, confidentiality and irrefutability described in section 11.10.
SUBPART B: SECTION 11.50 – Signature Manifestations
(a) Signed electronic records shall contain information associated with the
signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship)
associated with the signature.
When an electronic record is signed, the record must contain information
associated with its signing that indicates:
• Printed name of signer
• Date and time of signature
• Meaning of signature
SUBPART B: SECTION 11.50 – Signature Manifestations
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section
shall be subject to the same controls as for electronic records and shall be
included as part of any human readable form of the electronic record (such as
electronic display or printout).
When an electronic record is signed, the bulleted items in (a) are subject to the
same controls for electronic records and must be in human-readable format.
SUBPART B: SECTION 11.70 – Signature/Record Linking
Electronic signatures and handwritten signatures executed to electronic records
shall be linked to their respective electronic records to ensure that the
signatures cannot be excised, copied, or otherwise transferred to falsify an
electronic record by ordinary means.
A signature (ink or electronic) executed on an electronic record has to be
connected to that record forever. It cannot be removed, covered over, erased,
transferred, etc.
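The signature manifestation of 11.50 and the signature/record linking of 11.70, as an added Python example that is not part of the original deck: each signing embeds the printed name, date/time and meaning, binds them to a hash of the exact record content, and authenticates the whole manifestation with the signer's key, so a signature copied to another record or left on an edited record verifies as invalid. The user IDs and per-signer keys are constructed; a keyed MAC stands in for the public-key digital signature that the 11.3 definition describes, which a production system would use instead.

```python
import hashlib
import hmac
import json

# Constructed per-signer secrets; a real deployment would hold private keys in
# an HSM/KMS and use an asymmetric signature standard (see 11.30).
SIGNER_KEYS = {
    "jsmith": b"constructed-key-for-jsmith",
    "mlee": b"constructed-key-for-mlee",
}
PRINTED_NAMES = {"jsmith": "Jane Smith", "mlee": "Michael Lee"}
MEANINGS = {"review", "approval", "responsibility", "authorship"}


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(content: dict) -> str:
    return hashlib.sha256(canonical(content)).hexdigest()


def sign_record(record: dict, user: str, meaning: str, signed_at: str) -> dict:
    """Return a copy of the record carrying one more signature manifestation."""
    if meaning not in MEANINGS:
        raise ValueError(f"unknown signature meaning: {meaning}")
    content = {k: v for k, v in record.items() if k != "signatures"}
    manifestation = {
        "printed_name": PRINTED_NAMES[user],  # 11.50(a)(1)
        "user_id": user,
        "signed_at": signed_at,               # 11.50(a)(2)
        "meaning": meaning,                   # 11.50(a)(3)
        "record_hash": record_hash(content),  # 11.70: link to this exact content
    }
    mac = hmac.new(SIGNER_KEYS[user], canonical(manifestation), hashlib.sha256).hexdigest()
    signed = dict(record)
    signed["signatures"] = list(record.get("signatures", [])) + [{**manifestation, "sig": mac}]
    return signed


def verify_signatures(record: dict):
    """Return (printed_name, meaning, status) for every signature on the record."""
    content = {k: v for k, v in record.items() if k != "signatures"}
    current = record_hash(content)
    results = []
    for s in record.get("signatures", []):
        manifestation = {k: v for k, v in s.items() if k != "sig"}
        expected = hmac.new(SIGNER_KEYS[s["user_id"]], canonical(manifestation),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, s["sig"]):
            status = "INVALID: signature does not belong to this manifestation"
        elif s["record_hash"] != current:
            status = "INVALID: record changed after signing"
        else:
            status = "VALID"
        results.append((s["printed_name"], s["meaning"], status))
    return results


def render(record: dict) -> str:
    """Human-readable form that carries the manifestation items (11.50(b))."""
    lines = [f"{k}: {v}" for k, v in record.items() if k != "signatures"]
    for s, (_, _, status) in zip(record.get("signatures", []), verify_signatures(record)):
        lines.append(f"Signed by {s['printed_name']} ({s['meaning']}) on {s['signed_at']} [{status}]")
    return "\n".join(lines)


def demo():
    """Constructed scenario: two signings, then an edit, then a transferred signature."""
    batch = {"record_id": "BATCH-0042", "potency": "98.1%"}
    signed = sign_record(batch, "jsmith", "authorship", "2024-03-01T09:00:00Z")
    signed = sign_record(signed, "mlee", "approval", "2024-03-01T10:30:00Z")
    intact = [r[2] for r in verify_signatures(signed)]
    # Content edited after signing: both links point at the old content hash.
    edited = dict(signed, potency="99.4%")
    after_edit = [r[2] for r in verify_signatures(edited)]
    # Approval copied onto a different record: the MAC is genuine but the link
    # names content that is not this record's, so it is rejected.
    other = {"record_id": "BATCH-0043", "potency": "97.0%",
             "signatures": [signed["signatures"][1]]}
    transferred = [r[2] for r in verify_signatures(other)]
    return intact, after_edit, transferred


if __name__ == "__main__":
    print(demo())
```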
SUBPART C: SECTION 11.100 – General Requirements
(a) Each electronic signature shall be unique to one individual and shall not be
reused by, or reassigned to, anyone else.
Organizations using electronic signatures should ensure that each signer has a
unique electronic signature that cannot be used by anyone else.
SUBPART C: SECTION 11.100 – General Requirements
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions
an individual's electronic signature, or any element of such electronic signature,
the organization shall verify the identity of the individual.
Before allowing an individual to execute their electronic signature, an
organization needs to first verify the identity of that individual.
SUBPART C: SECTION 11.100 – General Requirements
(c) Persons using electronic signatures shall, prior to or at the time of such use,
certify to the agency that the electronic signatures in their system, used on or
after August 20, 1997, are intended to be the legally binding equivalent of
traditional handwritten signatures.
Before an organization implements the use of electronic signatures, it must
notify the FDA of its intention and state that it will consider electronic
signatures to be as legally binding as ink signatures.
SUBPART C: SECTION 11.100 – General Requirements
(c)(1) The certification shall be submitted in paper form and signed with a
traditional handwritten signature, to the Office of Regional Operations
(HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(c) (2) Persons using electronic signatures shall, upon agency request, provide
additional certification or testimony that a specific electronic signature is the
legally binding equivalent of the signer's handwritten signature.
The first step in the notification process is to write an Electronic Signature
Certificate Statement that is signed with ink signatures and mail it to the FDA at
the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD
20857.
If the FDA asks for additional proof that the organization will consider electronic
signatures to be legally binding, the organization must provide it.
SUBPART C: SECTION 11.200 – Electronic Signature Components and Controls
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an
identification code and password.
Electronic signatures that are not biometric (i.e., not based on a physical
feature, like a fingerprint) should employ at least two distinct identification
components (e.g., user ID and password).
SUBPART C: SECTION 11.200 – Electronic Signature Components and Controls
(a) (1)(i) When an individual executes a series of signings during a single,
continuous period of controlled system access, the first signing shall be
executed using all electronic signature components; subsequent signings shall
be executed using at least one electronic signature component that is only
executable by, and designed to be used only by, the individual.
When using electronic signatures:
• The first time after logging in, to execute their e-sig, a signer must enter all of
their credentials (e.g., user ID and password)
• For signings after that, but during that same login session, the signer has to
only enter one credential (e.g., password)
SUBPART C: SECTION 11.200 – Electronic Signature Components and Controls
(a) (1) (ii) When an individual executes one or more signings not performed
during a single, continuous period of controlled system access, each signing
shall be executed using all of the electronic signature components.
Each time a user logs out (or is timed out) and logs back into a system, the
continuous period of controlled access restarts, so the next time the user
executes their electronic signature they must enter all of their signature
components (i.e., user ID and password).
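The signing rules of 11.200(a)(1)(i) and (ii), as an added Python example that is not part of the original deck: the first signing in a continuous session requires both components (user ID and password), later signings in that session require only the password, and after a logout or inactivity timeout every component is required again. The clock is injected so the behaviour is deterministic; the users, passwords and 15-minute timeout are constructed assumptions.

```python
import hashlib
import hmac
import os

SESSION_TIMEOUT_S = 15 * 60   # assumed inactivity limit for a "continuous period"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SigningService:
    """Enforces which e-signature components must be presented for each signing."""

    def __init__(self, timeout_s=SESSION_TIMEOUT_S):
        self.timeout_s = timeout_s
        self._creds = {}      # user_id -> (salt, password hash)
        self._sessions = {}   # user_id -> {"last_activity": t, "signed": bool}
        self.signatures = []  # (user_id, record_id, meaning, time) that were applied

    def enroll(self, user_id, password):
        salt = os.urandom(16)
        self._creds[user_id] = (salt, _hash_password(password, salt))

    def _check_password(self, user_id, password) -> bool:
        salt, stored = self._creds[user_id]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, user_id, password, now) -> bool:
        """Start a controlled-access period. Returns False on a bad password."""
        if not self._check_password(user_id, password):
            return False
        self._sessions[user_id] = {"last_activity": now, "signed": False}
        return True

    def logout(self, user_id):
        self._sessions.pop(user_id, None)

    def _session_alive(self, user_id, now) -> bool:
        s = self._sessions.get(user_id)
        if s is None:
            return False
        if now - s["last_activity"] > self.timeout_s:
            self._sessions.pop(user_id)   # inactivity ends the continuous period
            return False
        return True

    def sign(self, user_id, record_id, meaning, now, password, entered_user_id=None):
        """Apply an e-signature. Returns 'signed' or the reason it was refused."""
        if not self._session_alive(user_id, now):
            # (a)(1)(ii): outside a continuous period every component is needed,
            # which here means logging in again first.
            return "refused: no continuous session, log in with all components"
        session = self._sessions[user_id]
        if not session["signed"] and entered_user_id != user_id:
            # (a)(1)(i): the first signing of the session needs every component.
            return "refused: first signing in session requires user ID and password"
        if not self._check_password(user_id, password):
            return "refused: password incorrect"
        session["signed"] = True
        session["last_activity"] = now
        self.signatures.append((user_id, record_id, meaning, now))
        return "signed"


def demo():
    """Constructed walk-through of one user's session."""
    svc = SigningService(timeout_s=900)
    svc.enroll("jsmith", "correct horse battery staple")
    t0 = 1_700_000_000
    svc.login("jsmith", "correct horse battery staple", t0)
    # First signing after login with only the password: refused.
    r1 = svc.sign("jsmith", "SOP-17", "review", t0 + 60, "correct horse battery staple")
    # First signing with both components: accepted.
    r2 = svc.sign("jsmith", "SOP-17", "review", t0 + 60, "correct horse battery staple",
                  entered_user_id="jsmith")
    # Later signing in the same session needs only the private component.
    r3 = svc.sign("jsmith", "SOP-18", "approval", t0 + 300, "correct horse battery staple")
    # 901 s of inactivity ends the session; even both components are refused
    # until the user logs in again.
    r4 = svc.sign("jsmith", "SOP-19", "approval", t0 + 300 + 901,
                  "correct horse battery staple", entered_user_id="jsmith")
    return r1, r2, r3, r4


if __name__ == "__main__":
    for result in demo():
        print(result)
```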
SUBPART C: SECTION 11.200 – Electronic Signature Components and Controls
(a) (2) Be used only by their genuine owners; and
(a) (3) Be administered and executed to ensure that attempted use of an
individual's electronic signature by anyone other than its genuine owner
requires collaboration of two or more individuals.
Electronic signatures may only be used by the individuals to which they are
assigned.
Electronic signatures should be set up so that it would take two or more people
acting together to attempt to use someone else’s signature.
SUBPART C: SECTION 11.200 – Electronic Signature Components and Controls
(b) Electronic signatures based upon biometrics shall be designed to ensure that
they cannot be used by anyone other than their genuine owners.
Electronic signatures that are biometric (e.g., based on a retinal scan) can only
be used by the individuals they are assigned to.
SUBPART C: SECTION 11.300 – Controls for Identification Codes/Passwords
Persons who use electronic signatures based upon use of identification codes in
combination with passwords shall employ controls to ensure their security and
integrity. Such controls shall include:
Organizations using electronic signatures based on user IDs and passwords
should employ controls to protect the security and integrity of those
identification codes and passwords.
SUBPART C: SECTION 11.300 – Controls for Identification Codes/Passwords
(a) Maintaining the uniqueness of each combined identification code and
password, such that no two individuals have the same combination of
identification code and password.
Controls should ensure that no two users can have the same combination of user
ID and password; each combination must be unique.
SUBPART C: SECTION 11.300 – Controls for Identification Codes/Passwords
(b) Ensuring that identification code and password issuances are periodically
checked, recalled, or revised (e.g., to cover such events as password aging).
Passwords must be changed periodically and should be set to expire after a set
period of time. Organizations should establish and maintain policies and/or
procedures to address password distribution and expiration.
SUBPART C: SECTION 11.300 – Controls for Identification Codes/Passwords
(c) Following loss management procedures to electronically deauthorize lost,
stolen, missing, or otherwise potentially compromised tokens, cards, and other
devices that bear or generate identification code or password information, and
to issue temporary or permanent replacements using suitable, rigorous controls.
If a passcode token/device is lost or stolen, it must be de-authorized and a
secure replacement must be issued.
SUBPART C: SECTION 11.300 – Controls for Identification Codes/Passwords
(d) Use of transaction safeguards to prevent unauthorized use of passwords
and/or identification codes, and to detect and report in an immediate and
urgent manner any attempts at their unauthorized use to the system security
unit, and, as appropriate, to organizational management.
Unauthorized attempts to use a user ID or password/passcode must be
detected and reported to the appropriate person/group in the organization for
investigation.
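The identification code/password controls of 11.300(a), (b) and (d), as an added Python example that is not part of the original deck: the credential store refuses to issue an identification code twice (so no two people share an ID/password combination), ages passwords out after a fixed period, and treats repeated failed attempts as a transaction safeguard that locks the account and reports immediately. The 90-day age, the three-attempt threshold, the user IDs and the report sink (an in-memory list in place of an alert to the security unit) are constructed assumptions.

```python
import hashlib
import hmac
import os

PASSWORD_MAX_AGE_S = 90 * 24 * 3600   # assumed password aging period (11.300(b))
MAX_FAILED_ATTEMPTS = 3               # assumed lockout threshold (11.300(d))


class CredentialStore:
    """Issues and checks ID/password combinations and reports misuse attempts."""

    def __init__(self, now_fn):
        self._now = now_fn            # injected clock for deterministic tests
        self._users = {}              # user_id -> salt, hash, set_at, failures, locked
        self.security_reports = []    # stand-in for alerts to the system security unit

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, user_id: str, password: str):
        # (a): an identification code is issued once, so no two individuals can
        # end up with the same ID/password combination.
        if user_id in self._users:
            raise ValueError(f"identification code {user_id!r} already issued")
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                                "set_at": self._now(), "failures": 0, "locked": False}

    def change_password(self, user_id: str, new_password: str):
        u = self._users[user_id]
        u["salt"] = os.urandom(16)
        u["hash"] = self._hash(new_password, u["salt"])
        u["set_at"] = self._now()

    def password_expired(self, user_id: str) -> bool:
        # (b): issuances are periodically revised; here by a maximum age.
        return self._now() - self._users[user_id]["set_at"] > PASSWORD_MAX_AGE_S

    def _report(self, user_id: str, event: str):
        # (d): reported immediately, not batched into a nightly review.
        self.security_reports.append((self._now(), user_id, event))

    def authenticate(self, user_id: str, password: str) -> str:
        u = self._users.get(user_id)
        if u is None:
            self._report(user_id, "attempt with unknown identification code")
            return "denied"
        if u["locked"]:
            self._report(user_id, "attempt on locked account")
            return "denied: locked"
        if not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            u["failures"] += 1
            if u["failures"] >= MAX_FAILED_ATTEMPTS:
                u["locked"] = True
                self._report(user_id, f"{u['failures']} consecutive failures, account locked")
                return "denied: locked"
            return "denied"
        u["failures"] = 0
        if self.password_expired(user_id):
            return "password expired: change required"
        return "ok"


def demo():
    """Constructed scenario: a lockout on one account and password aging on another."""
    clock = {"t": 1_700_000_000}
    store = CredentialStore(lambda: clock["t"])
    store.issue("jsmith", "correct horse battery staple")
    store.issue("mlee", "another constructed passphrase")
    outcomes = [store.authenticate("jsmith", "not the password") for _ in range(3)]
    reports = len(store.security_reports)
    clock["t"] += 91 * 24 * 3600          # 91 days later the password has aged out
    expired = store.authenticate("mlee", "another constructed passphrase")
    store.change_password("mlee", "fresh constructed passphrase")
    after_change = store.authenticate("mlee", "fresh constructed passphrase")
    return outcomes, reports, expired, after_change


if __name__ == "__main__":
    print(demo())
```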
SUBPART C: SECTION 11.300 – Controls for Identification Codes/Passwords
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or
generate identification code or password information to ensure that they
function properly and have not been altered in an unauthorized manner.
Passcode tokens must be tested before they are issued for use and tested
periodically while in use to make sure they are functioning correctly.
SUMMARY
Subpart A – General Provisions
• Part 11 applies to all electronic records that FDA regulations require.
• If an organization can prove to an auditor that its electronic
records/signatures are as trustworthy as paper records/ink signatures, the
FDA will accept electronic instead of paper.
• The FDA will accept electronic submissions instead of paper if those
submissions 1) adhere to Part 11 requirements and 2) are included among
the types of documents that the FDA accepts electronically.
SUMMARY
Subpart B – Electronic Records
• Organizations using electronic records must establish and document
procedures and controls that ensure the authenticity, integrity,
confidentiality and irrefutability of their records
• The following topics must be addressed in documented procedures and
controls: computer system validation (CSV), record rendering, document
storage and record retention, system access, audit trails, workflows,
authority checks, device checks, personnel qualifications, personnel
accountability and document control
• Systems that fall into the category of “Open” (as defined in Subpart A) require
additional measures of control.
• Electronic signatures must include information to indicate the printed name
of the signer, the date and time of the signature and the meaning of the
signature.
• Electronic signatures must be forever linked to their respective records.
SUMMARY
Subpart C – Electronic Signatures
• Organizations that wish to use electronic signatures must inform the FDA in
writing prior to making the switch.
• Each individual who will be using an electronic signature must 1) have their
identity confirmed and 2) use a unique signature that has never been and
will never be used by another individual.
• There are specific design requirements for electronic signatures that are
biometric (e.g., fingerprint scan) and those that are not (e.g., user ID and
password).
• For electronic signatures that make use of user IDs and
passwords/passcodes, there are specific requirements for passwords and for
passcode-generating devices.
THANK YOU
Questions?
Contact:
Katalyst HealthCares & Life Sciences
Website: www.KatalystHLS.com
e-mail: info@KatalystHLS.com
Phone: 908-967-5588
Fax: 908-967-5589
  • 8.
    Scope SECTION 11.1(c) 8 Where electronicsignatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997. If an organization can prove that its electronic signatures and associated electronic records comply with Part 11, then FDA will accept electronic instead of ink. However, an exception is noted – if another regulation specifically requires ink signatures, the regulation supersedes Part 11. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 9.
    Scope SECTION 11.1(d) 9 Electronic recordsthat meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required. Same as Section 11.1(c) Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 10.
    Scope SECTION 11.1(e) 10 Computer systems(including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection. Documented proof that a system complies with Part 11 must be maintained in such a way that the FDA can inspect it. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 11.
    Scope SECTION 11.1(f) 11 This partdoes not apply to records required to be established or maintained by 1.326 through 1.368 of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part. 21 CFR Part 11 does not applies to records pertaining to Food. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 12.
    12 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 13.
    Implementation SECTION 11.2(a) 13 For recordsrequired to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met. For regulated records that are not submitted to the FDA, organizations may use electronic instead of paper as long as they can prove that their electronic records comply with Part 11. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 14.
    Implementation SECTION 11.2 (b)(1)(2) 14 Forrecords submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures in whole or in part provided that the requirements of this part are met and The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. If records are to be submitted, they must not only meet Part 11 but also be of the type of e-record permitted to be submitted. The types of e-records that the FDA accepts are listed in public docket No. 92S-0251 Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 15.
    Implementation SECTION 11.2 (b)(2)Cont. 15 Documentsto agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission. Electronic documents submitted to the FDA that are not called out in the public docket won’t be considered as official. In these cases, the paper documents are considered as official and must also be sent along. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 16.
    16 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 17.
    Definitions SECTION 11.3(b) 17 The followingdefinitions of terms also apply to this part: Act (201-903)(21US 21U.S.C.321-393) Agency Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable. Act: Food, Drug and Cosmetic Act Agency: Food and Drug Administration (FDA) Biometrics: Identity through a unique physical trait e.g., fingerprint). Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 18.
    Definitions SECTION 11.3(b) 18 Closed systemmeans an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. A computer system where access is controlled by the same people responsible for its content. Applies when : • Network is completely controlled internally • User accounts and security is controlled internally • Electronic records are controlled internally Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. A computer system that’s access is not controlled by the same people responsible for its contents. Applies when: • Network is completely not controlled internally (internet) • User accounts and security is controlled internally (SaaS) • Electronic records are controlled internally (External creation/Management of Records) Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 19.
    Definitions SECTION 11.3(b) 19 Digital signaturemeans an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified. A type of electronic signature that includes a way of verifying the identity of the signer and the integrity of the record they signed. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 20.
    Definitions SECTION 11.3(b) 20 Electronic recordmeans any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. Information in digital form that is created or used in some way by a computer system. Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual‘s handwritten signature. Compilation of electronic data that is as unique and legally binding as a handwritten signature, but is used to sign records in a computer system. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 21.
    Definitions SECTION 11.3(b) 21 Handwritten signaturemeans the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark. A scripted name or legal mark created by an individual that is unique to that individual and is used to authenticate something in writing. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 22.
    22 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 23.
    Controls for ClosedSystems SECTION 11.10 23 Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: Organizations responsible for electronic records in a closed system must document the procedures they follow and the controls they have in place for ensuring that their electronic records have these qualities: - Authenticity - Integrity - Confidentiality (as needed) - Irrefutability Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 24.
    Controls for ClosedSystems SECTION 11.10(a) 24 Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Organizations responsible for electronic records in a closed system must validate the system to prove that the records in the system can be trusted. • Risk based approach to CSV • Individuals involved in CSV activity should have adequate experience and training • Systems consistently operate as per intended function • User requirements are met • Information is secured and properly managed • Procedures and processes are in place for use of system • Full traceability of system • Maintain validated state through effective Change Control mechanism Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 25.
    Controls for ClosedSystems SECTION 11.10(b) 25 The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. Organizations responsible for electronic records in a closed system must validate the system to prove that the records in the system can be trusted. • Provide inspectors access to records in human readable format • If the record is in non human readable, then the system shall be capable to convert to readable format such as xml, pdf or html • Content and meaning should remain intact during conversion • Provide inspectors with the ability to search for records using your hardware • Able to produce audit trail and electronic signatures in human readable form Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 26.
    Controls for ClosedSystems SECTION 11.10(c) 26 Protection of records to enable their accurate and ready retrieval throughout the records retention period. Organizations must retain records and keep them safe so they are readily available for as long as they are required to be stored. • Records retention shall be based on Risk Assessment • Ensure proper backups, so that records can be retrieved • Maintain records in standard formats such as pdf, xml for long term retention. • Computerized System shall be retired only if all the records including audit trails, signatures etc. have been archived in a human readable format. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 27.
    Controls for ClosedSystems SECTION 11.10(d) 27 Limiting system access to authorized individuals. Organizations need to ensure that only authorized people have access to a computer system. User account management procedure shall be in place for: • Access Request • Roles and Privileges • Mechanism to suspend, disable and modification of user accounts Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 28.
    Controls for ClosedSystems SECTION 11.10(e) 28 Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. A secure and complete history (audit trail) of an electronic record should be automatically generated by a closed system. A change to an electronic record should not alter the record’s history. Audit Trail documentation should be: • Retained for the correct amount of time • Available for viewing • System should have automatic mechanism to generate audit trail • Audit Trail should record the type of entry(add, modify or delete) • User name with time and date stamp • Audit trail should have link to the record concerned • Mechanism to detect changes to Audit Trails • Audit Trails shall not obscure previous entries.Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 29.
    SUBPART B: SECTION11.10 – Controls for Closed Systems 29 (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Organizations should ensure that electronic workflows in a computer system function correctly. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 30.
    SUBPART B: SECTION11.10 – Controls for Closed Systems 30 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Organizations should limit system access (at the system and record level) and verify that the users performing functions in the system are authorized to do so. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 31.
    SUBPART B: SECTION11.10 – Controls for Closed Systems 31 (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. Organizations should ensure that devices used to enter data into a computer system operate correctly and that the entered data is valid. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 32.
    SUBPART B: SECTION11.10 – Controls for Closed Systems 32 (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. Organizations should ensure that people who perform functions on or with in the system are appropriately qualified. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 33.
    SUBPART B: SECTION11.10 – Controls for Closed Systems 33 (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Organizations should establish policies to hold individuals accountable for the integrity of their actions related to electronic records and electronic signatures. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 34.
    SUBPART B: SECTION11.10 – Controls for Closed Systems 34 (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. Organizations should control the documents related to system operation and maintenance and preserve the complete history of changes made to these documents. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 35.
    35 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 36.
    SUBPART B: SECTION11.30 – Controls for Open Systems 36 Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. When organizations use open systems, all of the regulations for closed systems still apply but, additional steps need to be taken to ensure the record qualities of authenticity, integrity, confidentiality and irrefutability described in section 11.10. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 37.
    37 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 38.
    SUBPART B: SECTION11.50 – Signature Manifestations 38 a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. When an electronic record is signed, the record must contain information associated with its signing that indicates: • Printed name of signer • Date and time of signature • Meaning of signature Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 39.
    SUBPART B: SECTION11.50 – Signature Manifestations 39 (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). When an electronic record is signed, the bulleted items in (a) are subject to the same controls for electronic records and must be in human-readable format. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 40.
    40 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 41.
    SUBPART B: SECTION11.70 – Signature/Record Linking 41 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. A signature (ink or electronic) executed on an electronic record has to be connected to that record forever. It cannot be removed, covered over, erased, transferred tec. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 42.
    42 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 43.
    43 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 44.
    SUBPART C: SECTION11.100 – General Requirements 44 (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. Organizations using electronic signatures should ensure that each signer has a unique electronic signature cannot be used by anyone else. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 45.
    SUBPART C: SECTION11.100 – General Requirements 45 (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. Before allowing an individual to execute their electronic signature, an organization needs to first verify the identity of that individual. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 46.
    SUBPART C: SECTION11.100 – General Requirements 46 (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. Before an organization implements the use of electronic signatures, it must notify the FDA of its intention and state that it will consider electronic signatures to be as legally binding as ink signatures. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 47.
    SUBPART C: SECTION11.100 – General Requirements 47 (c) (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC- 100), 5600 Fishers Lane, Rockville, MD 20857. (c) (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature. The first step in the notification process is to write an Electronic Signature Certificate Statement that is signed with ink signatures and mail it to the FDA at the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. If the FDA asks for additional proof that the organization will consider electronic signatures to be legally binding, the organization must provide it. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 48.
    48 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 49.
    SUBPART C: SECTION11.200 – Electronic Signature components and controls 49 (a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. Electronic signatures that are not biometric (i.e., not based on a physical feature, like a fingerprint) should employ at least two distinct identification components (i.e., user ID and password) Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 50.
    SUBPART C: SECTION11.200 – Electronic Signature components and controls 50 (a) (1)(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. When using electronic signatures: • The first time after logging in, to execute their e-sig, a signer must enter all of their credentials (e.g., user ID and password) • For signings after that, but during that same login session, the signer has to only enter one credential (e.g., password) Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 51.
    SUBPART C: SECTION11.200 – Electronic Signature components and controls 51 (a) (1) (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. Each time a user logs out (or is timed out) and logs back into a system, the user executes their electronic signature, the clock restarts, and the user has to enter all of their signature components (i.e., user ID and password) Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 52.
    SUBPART C: SECTION11.200 – Electronic Signature components and controls 52 (a) (2) Be used only by their genuine owners; and (a) (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Electronic signatures may only be used by the individuals to which they are assigned. Electronic signatures should be set up so that it would take two or more people acting together to attempt to use someone else’s signature Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 53.
    SUBPART C: SECTION11.200 – Electronic Signature components and controls 53 (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. Electronic signatures that are biometric (e.g., based on a retinal scan) can only be used by the individuals they are assigned to. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 54.
    54 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 55.
    SUBPART C: SECTION11.300 – Controls for identification codes/passwords 55 Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: Organizations using electronic signatures should employ controls over user identification codes. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 56.
    SUBPART C: SECTION11.300 – Controls for identification codes/passwords 56 (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. Controls should ensure that no two uses can have the same combination of user ID and password; each combination must be unique. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 57.
    SUBPART C: SECTION11.300 – Controls for identification codes/passwords 57 (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). Passwords must be changed periodically and should be set to expire after a set period of time. Organizations should establish and maintain policies and/or procedures to address password distribution and expiration. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 58.
    SUBPART C: SECTION11.300 – Controls for identification codes/passwords 58 (c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. If a passcode token/device is lost or stolen, it must be de-authorized and a secure replacement must be issued. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 59.
    SUBPART C: SECTION11.300 – Controls for identification codes/passwords 59 (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Unauthorized attempts to use a user ID or password/passcode must be detected and reported to the appropriate person/group in the organization for investigation. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 60.
    SUBPART C: SECTION11.300 – Controls for identification codes/passwords 60 (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Passcode tokens must be tested before they are issued for use and tested periodically while in use to make sure they are functioning correctly. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 61.
    61 Katalyst HealthCares &Life Sciences www.KatalystHLS.com
  • 62.
    SUMMARY 62 Subpart A-General Provisions •Part 11 applies to all electronic records that FDA regulations • If an organization can prove to an auditor that their electronic records/signatures are as trustworthy as paper records/ink signatures, the FDA will accept electronic instead paper. • The FDA will accept electronic submission instead of paper if those submissions 1) adhere to Part 11 requirements and 2) are included among the types of documents that the FDA accepts electronically. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 63.
    SUMMARY 63 Subpart B –Electronic Records • Organizations using electronic records must establish and document procedures and controls that ensure the authenticity, integrity, confidentiality and irrefutability of their records • The following topics must be addressed in documented procedures and controls: computer system validation (CSV), record rendering, document storage and record retention, system access, audit trails, workflows, authority checks, device checks, personnel qualifications, personnel accountability and document control • Systems that fall into the category of “Open”(as defined in Subpart A) require additional measures of control. • Electronic signatures must include information to indicate the printed name of the signer, the date and time of the signature and the meaning of the signature. • Electronic signatures must be forever linked to their respective records. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 64.
    SUMMARY 64 Subpart B –Electronic Signatures • Organizations that wish to use electronic signatures must inform the FDA in writing prior to making the switch. • Each individual who will be using and electronic signature must 1) have their identity confirmed and 2) use a unique signature that has never been and will never be used by another individual. • There are specific design requirements for electronic signatures that are biometric (e.g., fingerprint scan) and those that are not (e.g., user ID and password) • For electronic signatures that make use of User IDs and passwords/passcodes, there are specific requirements for passwords and for passcode-generating devices. Katalyst HealthCares & Life Sciences www.KatalystHLS.com
  • 65.
    THANK YOU Questions? Contact: Katalyst HealthCares& Life Sciences Website: www.KatalystHLS.com e-mail: info@KatalystHLS.com Phone: 908-967-5588 Fax: 908-967-5589 Katalyst HealthCares & Life Sciences www.KatalystHLS.com 65