Three Tips on Part 11
Carl Anderson, GxP Perspectives
GUEST COMMENTARY
Three things you need to know about 21 CFR part 11
by Emma Barsky & Len Grunbaum
Fifteen years after becoming effective, 21 CFR part 11 seems to generate as much controversy as it did when it was first implemented. At this point in time, we cannot think of another regulation that sparks as many disagreements with respect to its interpretation and generates as many discussions. Why is that?
Since the inception of the regulation as of August 1997, compliance has been, in our view, analogous to the story of Goldilocks and the Three Bears: compliance in some companies has been too hot (i.e., too restrictive and expensive); compliance in some companies has been too cold (i.e., minimal if any at all); and, compliance in some companies has been just right (i.e., cost-beneficial and based on an effective risk assessment). So, while we do not in any way want to equate compliance with the regulation to a bowl of porridge, we hereby offer three main things that you need to know about 21 CFR part 11 to help you make your compliance just right:
THE IMPORTANCE OF VALIDATION
2. You need to know the minimum documentation that must be available to support compliance with 21 CFR part 11. Irrespective of the development model employed (e.g., waterfall, Agile/Scrum), the software delivery model employed (e.g., software-as-a-product, software-as-a-service) or data hosting model employed (e.g., internal data center, outsourced hosting), as applicable, a documentation suite that truly supports compliance should encompass the following:
• User/functional requirements, including 21 CFR part 11 requirements, to describe what the system is supposed to do;
• Technical specifications to define how the system is built and how it works, and which is the critical component in supporting effective system maintenance (e.g., troubleshooting problems, assessing the impact of planned bug fixes and enhancements);
• Development/validation SOPs, and evidence of compliance (e.g., required documentation, required approvals, developer-level and user acceptance testing), to define the process for developing and deploying a system that operates as intended and meets regulatory requirements;
• Traceability between test evidence and all requirements;
• Change control SOP and supporting change request/change control records to ensure that the system continues to operate as expected;
• Training SOP and supporting training records to support staff qualifications regarding system development, maintenance and use;
• IT infrastructure SOPs (e.g., logical/physical security, back-up and recovery, etc.) and supporting records to evidence on-going protection and availability of records.
3. You need to know that, for a given system, the quality of testing and quality of reviews are of paramount importance because they may compensate for ineffective development and/or validation SOPs. In other words, the devil (or in this case the saving angel) is in the details. Therefore, it is important that
• Testing is complete and reflective of true system risks;
• Test evidence is supportive of test results/conclusions and/or does not raise “red flags”;
• Reviews are timely and reasonable (e.g., only a realistic number of detailed test scripts should be reviewed in one day);
• Incident reports are reviewed and approved by appropriate individuals promptly.
If testing practices, testing evidence and/or testing reviews are questionable, they will constitute a serious gap from a risk-based perspective because 1) one may not be able to rely on the given system’s operation, results, etc., and/or 2) data quality and integrity may be viewed as being compromised.
Is your Compliance Running Too Hot or Too Cold?
Emma Barsky and Len Grunbaum
Partners of The Practical Solutions Group, LLC
609.683.0756
Practical Solutions
====
Join the GxP Perspectives Linkedin Group Here
Or get an email subscription (on the right sidebar)
====
GxP Perspectives 
First, Len and Emma, thanks for your sharing your thoughts…they seem “just right.”
If you were asked by a family practice doc in a small town (busy practice, nets about 150K a year, recently adopted an off the shelf EMR) who conducts a few trials a year, “what should I be doing about Part 11?” What advice would you give?
Assuming that any of the EMR information will be submitted to the sponsor in electronic form for ultimate submission to the FDA, we suggest that the family practice doctor does the following:
1. Request, from the EMR vendor, a certificate attesting to the fact that the system meets the 21 CFR part 11 requirements. If this certificate cannot be obtained, then the family practice doctor, who uses the EMR system, should perform and document an independent assessment (e.g., audit of the vendor and/or detailed testing) to determine whether the system meets 21 CFR part 11 requirements. The vendor’s audit certificate, independent audit and/or in-house testing should focus on the 21 CFR part 11 features (e.g., audit trail, access control, e-signatures).
2. Identify where records are being maintained and document how the family practice doctor can confirm that the regulated records are protected (e.g., backup and recovery, physical security).
Reblogged this on Clinical Research Management & Leadership and commented:
We are currently running a trial were the primary endpoint is assessed with commercially acailable US sodtware. Can one rely on the validation documentation that comes with the product or is additional validation required according to 21CFR?
I am referring both questions to Len & Emma. You might want to check out Christian’s blog at: http://mrcmeyer.com/
At a minimum, one needs to confirm that the system operates as intended in the user’s operating environment, so additional user acceptance testing will be necessary. This testing would need to include additional tests and challenges commensurate with operational risks that may be present in the user’s environment (e.g., hardware platform, concurrent number of users).
Thank you for the reply – it is very helpful!