21 CFR Part 11 was not among the earliest of quality related regulations imposed on the drug and medical device manufacturing industries. That honor was bestowed on the compulsory retention of samples of every batch of production along with all the individual critical manufacturing records of these batches. This meant all process manufacturing equipment had to be equipped with sensors that would record each of the critical process parameters. These records were mainly created by the use of chart recorders and the final chard recorder log sheet became one of the main critical records of manufacture. So your retention production records would include all these machine log sheets along with the process instructions (SOP’s) the operators worked to; and the certification records of the individual batch raw materials.
Most of these log sheets were issued with part numbers and individual serial numbers and were as blank sheets treated as controlled documents. After use they were signed off by the operator, their supervisor and usually QA prior to being accepted as an official production record. This rendered these documents as fairly robust records of production. Illicit alterations were quite easy to spot - inks dried differently - hand writing varied enormously - access to the documents was controlled and all corrections or alterations needed a supervisors counter signature. That was the situation for many years and where someone did try to make illegal alterations it was usually quickly recognized as such.
Through the eighties and nineties the progressive introduction and use of computer controlled and computer managed equipment meant that records were being produced electronically and held in volatile memories; ready for downloading into a hard copy format that would act as the requisite record. It was quickly recognize by the regulators that this record was not secure, as the data was open to adulteration all the time it was held in the volatile memory and even after it was printed out into hard copy. The robustness of the production record had been lost and the requirement for 21 CFR Part 11 had arrived. Therefore the record must be immediately printed out in hard copy that is designed be as robust as the original record or it must be retained in a protected memory that has been designed to be compliant with the requirements of 21 CFR Part 11.
So the whole intention of 21 CFR Part 11 is to ensure that the predicated retention records are held in a format and system that renders unauthorized editing and deletion to occur. Further requirements mandate security of the record access to the record and a bibliography of amendments
The procurement process normally starts with the production of a documented requirement or group of requirements. For existing facilities this should take the form of a CHANGE REQUEST (CR). As soon as management has agreed to proceed with the CR, approval should be issued to produce a Validation Plan (VP). This plan must be all encompassing. It must give assurance that all aspects of the proposed CR have been studied and the CR impact on existing facilities, utilities, product and personnel have been defined and the appropriate corrective or support actions planned for. A fully detailed User Requirements Specification (URS) can now be authored reviewed and published. Since developing the URS may raise problems that could not be anticipated when the VP was raised; a VP review is required to ensure all aspects of the final approved URS are fully catered for.
With the URS defined and the Validation Plan (VP) in development Validation Risk Assessment (VRA) must be authored and executed to establish the scope and depth of validation that is appropriate for this equipment. This information must be published in the VP and used as the authority for all protocol development Functional Specifications (FS) and or Design Specification (DS), are available they should be reviewed and referenced in the VP. Where these documents are not available a DS or FS may have to be retrospectively developed.
When the DS or FS that is to be used are defined, a approved Design Qualification (DQ). The execution of this DQ must verify that the proposed design will;
The installation of each validatable item and or system must be subjected to, and satisfy, a approved Installation Qualification (IQ) protocol. Details of the scope of the IQ, responsibilities for generating, reviewing and approving of this document must all be documented in the VP.
When the requirements of the IQ have been satisfied, all aspects of the operational capabilities of each system must be fully challenged and verified by the execution of a approved Operational Qualification OQ) protocol. As with the IQ; OQ scope and details of the persons responsible for generating, reviewing and approving of this document will be documented in the VP.
As soon as the executed IQ and OQ protocols having been reviewed and approved, a approved Performance Qualification (P1Q) protocol or Process Qualification P2Q) (this requirement will be documented in the VP) must be issued for execution. The execution of this PQ must verify that the system performance requirements, as specified in the URS have been achieved, and that the system operates in a manner safe to the product and production personnel.
If there are predicate rules that require a signature to be applied, and this signature is applied electronically or digitally, then 21 CFR Part 11 controls must be applied.
Just what does 21 CFR Part 11 apply to? It has become obvious to all persons who use any IT facility that electronic data is extremely easy and simple to manipulate and or corrupt; either knowingly or unknowingly. The regulations contained within 21 CFR Part11 protects predicate rule information from such corruption, and gives assurance of the data integrity.
21 CFR Part11 and Protocols.
Validation protocols such as DQ, IQ, OQ, PQ, along with the associated VMP, URS, VRA, and
VP are usually written and reviewed electronically, however they are completed by hand and are manually signed and reviewed, and as such are not subject to 21 CFR Part Review.
One of three approaches can be used by organizations to address the on-going 21 CFR Part 11 compliance requirements throughout the pharmaceutical and medical devices industries.
The regulation still permits the full submission of paper-based documentation. The issues with this approach include high costs, decreased quality, information storage availability, information retrieval ability, and the general portability of information.
The regulation allows for the electronic records to be stored as equivalent to paper records with handwritten signatures executed. This approach still requires a large amount of printed documentation that carries the same risks and challenges as a full-paper approach, mentioned above, regarding compliancy to the regulation.
This is the real intent of the 21 CFR Part 11 regulatory requirements. This approach increases product quality, saves money with automation of processes, establishes easy data storage and retrieval, provides ease data analysis and reporting, increases the portability of information, and diminishes or eliminates human error.
Regulatory 21 CFR Part 11 Review, states that "the regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and hand-written signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and hand-written signatures executed on paper".
A 21 CFR Part 11 review is implemented through a combination of compliant software, corporate policy and / or procedures. However the regulations are implemented, they must be accompanied by supporting documentation. The implementation of any FDA 21 CFR Part 11 compliant system, whether software, policy or procedure oriented, is not valid without this documentation.
Data contained in documentation such as, the Installation Qualification (IQ), the Operational Qualification (OQ), the Validation Plan and Master Plan (VP & VMP), the Validation-risk-assessment (VRA), the Vendor Audit (VA), the Performance Qualification (P1Q), the Process Qualification (P2Q), the User Requirements Specification (URS), and Standard Operating Procedure (SOP) are normally held in hard copy and not considered as having to be 21 CFR Part 11 compliant.
Software systems used to implement the FDA regulations are the core component of a compliant system. Development of the software must be specifically aimed at satisfying the regulations’ requirements.
FDA specific features must include:-
21 CFR PART 11
For Your Security We are Now TLS 1.2 Compliant
All you need to do is follow the prompts in the attached SOP. They will take you through the completion process section, by section. At the end of this process your generic document has progressed into a detailed, referenced, bespoke company document. The document follows our three level URS system that ensures functionality traceability from the URS to the various testing protocols. A great document to author and use. This document interfaces with our Validation Risk Assessment (VRA), Validation Project Plan (VP), User Requirements Specification (URS), giving a seamless flow from your VMP through the VP - IQ - OQ - PQ, while integrating flawlessly with the URS - DQ - VRA
The Validation Plan (VP), is the starting point for any validation task, and the most important validation document. It improves validation efficiency greatly by forcing all concerned to document, review, and discuss, the proposed methods and allotted responsibilities. It is a mandated document with regulators and auditors.
While in the past validation was more focused on functions of procedures, recently the focus has progressed into infrastructure, networked systems and on security, authenticity and integrity of data acquired and evaluated by systems.
This document was designed to be used as a live document up until the DQ is completed and approved. It uses three levels of URS, URS Level 1, 2 and 3, and is the only URS to guarantee traceability from the URS through to the final PQ and OQ functionality testing. A mandatory requirement for Full Life Cycle Validation of computer systems that are the subject of predicate rules. It can be used on mechanical, electrical and software controlled, monitored or driven systems