Does 21 CFR Part 11 apply to validation protocols? It has become obvious to all persons who use any IT facility that electronic data is extremely easy and simple to manipulate or corrupt, either knowingly or unknowingly. 21 CFR Part 11 protects predicate rule information from such corruption, and gives assurance of the data integrity.

Validation protocols such as DQ, IQ, OQ, PQ, along with the associated VMP, URS, VRA, and VP can be prepared electronically, however they are completed by hand and are manually signed and reviewed, and as such are not subject to 21 CFR Part Review.

Full Life Cycle validation requirements are portrayed visually in the diagram below. In this diagram the standard requirements are shown in BLUE boxes whereas the additional requirements for Full Life Cycle Validation (FLCV) are shown in ORANGE boxes. This layout is not definitive, and reasoned alternatives work just as well. The whole concept is that the software design must be planned, managed, and subjected to documented reviews throughout the entire design stage. All of this must be laid out in the QUALITY PLAN (QP), which must be a peer reviewed and company approved document. Without a QP being in place, it is almost impossible to achieve satisfactory FLCV. If these requirements are rigorously applied, it becomes impossible to achieve retrospectively, and inhibits the use of commercial off the shelf software (COTS). We know that some COTS software has, and is, used in a number of Product Quality Critical (PQC) software systems. The judgment whether a COTS system can or cannot be used is fraught.

Part 11 Review, states that "the regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and hand-written signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and hand-written signatures executed on paper".

This final ruling of Part 11 Review, published on March 20, 1997 and in effect since August 20th, 1997 defines the requirements that are to be met before submitting documentation in electronic format. These requirements were amended in 2004. The amendment put more emphasis on the end user justifying what data warrants 21 CFR Part 11 Review protection and what data does not. The ruling further states that "This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations (i.e. predicate rules).

Part 11 Review is implemented through a combination of compliant software, corporate policy and / or procedures. However the regulations are implemented, they must be accompanied by supporting documentation. The implementation of any 21 CFR Part 11 compliant system, whether software, policy or procedure oriented, is not valid without this documentation.

Data contained in documentation such as, the Installation Qualification (IQ), the Operational Qualification (OQ), the Validation Plan and Master Plan (VP & VMP), the Risk Impact Assessment (RIA), the Vendor Audit (VA), the Performance Qualification (P1Q), the Product Qualification (P2Q), the User Requirements Specification (URS), and Standard Operating Procedure (SOP) are normally held in hard copy and not considered as having to be Part 11 Review compliant.

Software systems used to implement the FDA regulations are the core component of a compliant system. Development of the software must be specifically aimed at satisfying the regulations’ requirements. FDA specific features must include:

• Secure audit log of all user activity and system data
• Unique electronic signatures using two distinct components
• Automatic signature and record linking
• Password ageing
• Control of unauthorized access attempts
• Version control of electronic documents
• Data archiving and retrieval
• Accurate time and date stamping

Sites Of assistance in understanding the FDA approach to 21CFR Part 11: