21 CFR Part 11 was not among the earliest of quality related regulations imposed on the drug and medical device manufacturing industries. That honor was bestowed on the compulsory retention of samples of every batch of production along with all the individual critical manufacturing records of these batches. This meant all process manufacturing equipment had to be equipped with sensors that would record each of the critical process parameters. These records were mainly created by the use of chart recorders and the final chard recorder log sheet became one of the critical records of manufacture. So your retention production records would include all these machine log sheets along with the process instructions (SOP’s) the operators worked to; and the certification records of the individual batch raw materials.
Most of these log sheets were issued with part numbers and individual serial numbers and were as blank sheets treated as controlled documents. After use they were signed off by the operator, their supervisor and usually QA prior to being accepted as an official production record. This rendered these documents as fairly robust records of production. Illicit alterations were quite easy to spot - inks dried differently - hand writing varied enormously - access to the documents was controlled and all corrections or alterations needed a supervisors counter signature. That was the situation for many years and where someone did try to make illegal alterations it was usually quickly recognized as such.
Through the eighties and nineties the progressive introduction and use of computer controlled and computer managed equipment meant that records were being produced electronically and held in volatile memories; ready for downloading into a hard copy format that would act as the requisite record. It was quickly recognize by the regulators that this record was not secure, as the data was open to adulteration all the time it was held in the volatile memory and even after it was printed out into hard copy. The robustness of the production record had been lost and the requirement for 21 CFR Part 11 had arrived. Therefore the record must be immediately printed out in hard copy that is designed be as robust as the original record or it must be retained in a protected memory that has been designed to be compliant with the requirements of 21 CFR Part 11.
So the whole intention of 21 CFR Part 11 is to ensure that the predicated retention records are held in a format and system that renders unauthorized editing and deletion to occur. Further requirements mandate security of the record access to the record and a bibliography of amendments
The procurement process normally starts with the production of a documented requirement or group of requirements. For existing facilities this should take the form of a CHANGE REQUEST (CR). As soon as management has agreed to proceed with the CR, approval should be issued to produce a Validation Plan (VP). This plan must be all encompassing. It must give assurance that all aspects of the proposed CR have been studied and the CR impact on existing facilities, utilities, product and personnel have been defined and the appropriate corrective or support actions planned for. A fully detailed User Requirements Specification (URS) can now be authored reviewed and published. Since developing the URS may raise problems that could not be anticipated when the VP was raised; a VP review is required to ensure all aspects of the final approved URS are fully catered for.
With the URS defined and the Validation Plan (VP) in development Validation Risk Assessment (VRA) must be authored and executed to establish the scope and depth of validation that is appropriate for this equipment. This information must be published in the VP and used as the authority for all protocol development Functional Specifications (FS) and or Design Specification (DS), are available they should be reviewed and referenced in the VP. Where these documents are not available a DS or FS may have to be retrospectively developed.
When the DS or FS that is to be used are defined, a approved Design Qualification (DQ). The execution of this DQ must verify that the proposed design will;
The installation of each validatable item and or system must be subjected to, and satisfy, a approved Installation Qualification (IQ) protocol. Details of the scope of the IQ, responsibilities for generating, reviewing and approving of this document must all be documented in the VP.
When the requirements of the IQ have been satisfied, all aspects of the operational capabilities of each system must be fully challenged and verified by the execution of a approved Operational Qualification OQ) protocol. As with the IQ; OQ scope and details of the persons responsible for generating, reviewing and approving of this document will be documented in the VP.
As soon as the executed IQ and OQ protocols having been reviewed and approved, a approved Performance Qualification (P1Q) protocol or Process Qualification P2Q) (this requirement will be documented in the VP) must be issued for execution. The execution of this PQ must verify that the system performance requirements, as specified in the URS have been achieved, and that the system operates in a manner safe to the product and production personnel.
If there are predicate rules that require a signature to be applied, and this signature is applied electronically or digitally, then 21 CFR Part 11 controls must be applied.
Just what does 21 CFR Part 11 apply to? It has become obvious to all persons who use any IT facility that electronic data is extremely easy and simple to manipulate and or corrupt; either knowingly or unknowingly. The regulations contained within 21 CFR Part11 protects predicate rule information from such corruption, and gives assurance of the data integrity.
21 CFR Part11 and Protocols.
Validation protocols such as DQ, IQ, OQ, PQ, along with the associated VMP, URS, VRA, and
VP are usually written and reviewed electronically, however they are completed by hand and are manually signed and reviewed, and as such are not subject to 21 CFR Part Review.
One of three approaches can be used by organizations to address the on-going 21 CFR Part 11 compliance requirements throughout the pharmaceutical and medical devices industries.
The regulation still permits the full submission of paper-based documentation. The issues with this approach include high costs, decreased quality, information storage availability, information retrieval ability, and the general portability of information.
The regulation allows for the electronic records to be stored as equivalent to paper records with handwritten signatures executed. This approach still requires a large amount of printed documentation that carries the same risks and challenges as a full-paper approach, mentioned above, regarding compliancy to the regulation.
This is the real intent of the 21 CFR Part 11 regulatory requirements. This approach increases product quality, saves money with automation of processes, establishes easy data storage and retrieval, provides ease data analysis and reporting, increases the portability of information, and diminishes or eliminates human error.
Regulatory 21 CFR Part 11 Review, states that "the regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and hand-written signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and hand-written signatures executed on paper".
A 21 CFR Part 11 review is implemented through a combination of compliant software, corporate policy and / or procedures. However the regulations are implemented, they must be accompanied by supporting documentation. The implementation of any FDA 21 CFR Part 11 compliant system, whether software, policy or procedure oriented, is not valid without this documentation.
Data contained in documentation such as, the Installation Qualification (IQ), the Operational Qualification (OQ), the Validation Plan and Master Plan (VP & VMP), the Validation-risk-assessment (VRA), the Vendor Audit (VA), the Performance Qualification (P1Q), the Process Qualification (P2Q), the User Requirements Specification (URS), and Standard Operating Procedure (SOP) are normally held in hard copy and not considered as having to be 21 CFR Part 11 compliant.
Software systems used to implement the FDA regulations are the core component of a compliant system. Development of the software must be specifically aimed at satisfying the regulations’ requirements.
FDA specific features must include:-
21 CFR PART 11
For Your Security We are Now TLS 1.2 Compliant
Tragedy: At least 12 children die of tetanus contracted from contaminated diphtheria vaccine. Result: Requires in spections and testing of biologics manufacturers’ facilities and products.
Creates one of the first government regulatory agencies (now known as FDA); the culmination of 25 years of lobbying, this act makes it illegal to sell “adulterated” or “misbranded” food or
Tragedy: Sulfanilamide made with poisonous solvent causes 107 deaths. Result: Requires manufacturers to prove the safety of products before marketing.
Insulin Amendment requires FDA to test and certify purity and potency of insulin. Tragedy: nearly 300 deaths and injuries from distribution of sulfathiazole tablets tainted with phenobarbital.
Result: FDA revises manufacturing and quality controls drastically, the beginning of what will later be called GMPs.
Regulates biological products and control of communicable diseases.
Tragedy: Thalidomide causes birth defects in thousands of European babies. Result: Manufacturers must prove efficacy of products before marketing them and ensure stricter control over drug testing.
Good manufacturing practices for manufacturing, processing, packing, or holding finished pharmaceuticals were first published.
Establishes minimum current good manufacturing practices for blood establishments in the collecting, processing, com patitibility testing, storing, and distributing of blood and blood components.
Tragedy: the Dalkon Shield IUD seriously injures many patients. Response: New law strengthens FDA authority to oversee
A major rewrite for the drug GMPs and GMPs for medical devices were published. These regulations establish minimum current good manufacturing practices for manufacturing, processing, packing, or holding drug products and medical
Establishes good laboratory practices for conducting nonclinical laboratory studies that support applications for research or
marketing permits for human and animal drugs, medical devices for human use, and biological products.
Tragedy: 100 children reported seriously ill linked to lack of chloride in soy-based formulas. Result: Congress gives FDA authority to set and enforce nutritional and quality standards.