Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

Part 11 Compliance – Don’t Forget to Validate

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

When implementing a Part 11 compliance program, it is all about three important words: validation; validation; and validation.

Dr. D would like to begin this week’s guidance by wishing all of my readers a very big Happy Thanksgiving. I hope you and your families have a great turkey day as it is Dr. D’s second favorite holiday, behind the Marine Corps Birthday.

That being said, trustworthy, reliable, and equivalent are the three words that come to mind when thinking about compliance requirements associated with the FDA’s Part 11. Simply stated, Title 21 CFR, Part 11 requires FDA regulated organizations to validate and implement adequate controls for:

(a) Establishing audit trails;
(b) Establishing policies for controlling the integrity of electronic signatures;
(c) Establishing documentation for controlling software and electronic records;
(d) Performing audits to verify the effectiveness of the organization’s approach to managing electronic signatures and records; and
(e) Ensuring system security.

Did Dr. D mention validation of these systems is required? Part 11 compliance also covers electronic submissions made to FDA. Similar to all FDA regulations the level of enforcement is always driven by the “plenipotentiary” (look-it-up) powers of the agency. Remember, FDA retains the right to exhibit discretionary enforcement, which can be problematic for such a contentious requirement as electronic signatures and records. Enjoy! 

Part 11 Compliance

The doctor would like to begin this week’s guidance by establishing a simple fact, medical device establishments are required to retain quality records in accordance with 21 CFR, Part 820; Subpart M – Records. Additionally, records must be made reasonably accessible to FDA. Furthermore, there is a minimum retention period of 2-years. What’s the point Dr. D? The point is device establishments must manage and retain records anyway; so why not establish an e-record based system? The point is the concept behind electronic records is that if a device establishment maintains “hard copies” of all records, the paper documents can be categorized as the master copy or authoritative document. In fact, before a device establishment can claim the accuracy of a hard copy record extracted from an electronic source, it must prove the accuracy of the copy extracted. Can you say validation? In short, the copy extracted must be a perfect match to the document stored within the electronic system. This is part of the system validation process.

Additionally, the integrity of the almighty e-signature, including the date, must be maintained. For example, if an organization has an electronic data management system such as CATSWeb™ and/or EtQ, or a transactional-based ERP/MRP system such as SAP and/or Oracle, the dates and e-signatures are captured whenever documents are created and changed or transactions performed. If the integrity of the data can be maintained and history/trail available to audit the data accuracy, including dates and e-signatures, then chances are good the organization is Part 11 compliant.

Finally, any system designed to meet the intent of Part 11 compliance must be properly validated. The purpose of the validation is to ensure:

  • Any changes made to a record are time-stamped, have a link to the person(s) making the changes and the reason behind the changes;
  • The e-signature function supports transactional data and changes to data; 
  • An audit trail is possible; and
  • Adequate security infrastructure is in place to prevent unauthorized system access.

Takeaways

For this week’s brief guidance, Dr. D will leave the readers with just one takeaway. When implementing a Part 11 compliance program, it is all about three important words: (a) validation; (b) validation; and (c) validation. The underlying focus of a Part 11 compliant system is premised on record accuracy; an auditable history of record changes, including date and individual making record changes; and the creation of secure electronic platform. Remember validation is required to support all claims of compliance.

In closing, thank you again for joining Dr. D and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success. 

References: 

  1. Code of Federal Regulation. (2013, April). Title 21 Part 11: Electronic records; electronic systems. Washington, D.C.: U. S. Government Printing Office.
  2. Code of Federal Regulation. (2013, April). Title 21 Part 820: Quality system regulation.  Washington, D.C.: U. S. Government Printing Office.
  3. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  4. Part 11. (2003, August). Guidance for Industry – Part 11, Electronic Records; Electronic Signatures — Scope and Application. Retrieved November 17, 2013, from http://www.fda.gov

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International