- What is 21 CFR Part 11?
- What Software is Needed?
- Information and Tools for Validating a System
- Related Guidance, Tools and Templates
What is 21 CFR Part 11?
21 CFR Part 11 outlines the federal requirements that help to ensure that electronic records are trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
If sponsors or the FDA have questions on Part 11 compliance of any UCSD systems or applications, researchers should contact the Compliance Advisory Services.
Does 21 CFR Part 11 apply to me?
The first step in becoming compliant with the regulations is to determine whether or not you are required to be compliant. The following questions can help lead to the determination:
- Is your clinical trial conducted under an approved IND?
- Is your clinical trial conducted under an approved IDE?
- Does your grant specify that your computer systems must comply with 21 CFR Part 11 or similar requirements?
If you answered yes to any of these questions, your electronic systems of record that are being used to meet predicate rules are required to comply with 21 CFR Part 11.
The second step of the process is to identify the computer systems you are using in your clinical trial.
Addressing the following can help identify all of the computer systems associated with your trial:
- Are you using an outside laboratory for laboratory analysis?
- If so, is the laboratory accredited?
- If the laboratory is not accredited, assurance should be required in regard to the data quality
- Are you using a UCSD laboratory for analysis?
- If yes, the instruments being used should be compliant
- Are you entering data directly into an electronic database?
- If yes, the database must be compliant
- Are you entering data (from paper) into an electronic database?
- If yes, then the database must be compliant (as discussed in the Scope of Guidance for Industry: Computerized Systems Used in Clinical Trials)
- Are you using electronic logs?
- If yes, then the logs must be compliant
Please Note: Not validating your electronic system(s) of record may result in regulatory citations. If you have any questions or concerns about your system, it is highly recommended that you contact the Compliance Advisory Services for assistance.
What software features are necessary to be 21 CFR Part 11 compliant?
Security
- Define which individuals shall have access to the software - a current list shall always be available
- Define what the user roles are for the software (i.e. administrator, data entry, approver, etc.) and what each role can do
- Access to software shall require each user to have a unique username and password
- A defined number of incorrect login attempts shall lock the user from the software
- A defined time of inactivity shall lock the software for a given user
Audit Trails
An audit trail shall be implemented that allows a means to reconstruct data modification.
The audit trail shall include: the name of the user that made the entry, what was changed (not obscuring the original value), the date and time of change and the reason for change.
Electronic Signatures/Digital Signatures
If electronic signatures will be used, they must include the following:
- Name of signer
- Time and Date of signature
- Meaning of signature
Note: An electronic signature consists of two components: id code (username) and password. This is different than the initial login to the software.
Reporting
Users must have the ability to obtain meaningful data from the software.
Software Workflow
The software shall be designed in such a way that a logical process workflow is incorporated (i.e. you are unable to approve until all required pieces are completed).
Record Protection
Data must be backed up on a regular basis
Standard Operating Procedures
- Standard Operating Procedures ensure the consistent use of the software
- Procedures should be developed on how the software will be used for a specific task
- Procedures shall also be developed for administrative functions of the software: how to add users, etc.
- Procedures should also be developed for activities that happen outside of the software in order to ensure the most accurate data
Training
Training should be documented to verify that only trained individuals are using the software.
Validation
A quality validation methodology shall be used to ensure the system (software, people, etc) is performing as intended. It is important to understand that you are validating a SYSTEM and not just the software.
Information and Tools for Validating a System
Validation Plan
The Validation Plan is a document that outlines the process that will be used for validating a specific system. The plan will discuss the specific risk of the system and outline the documents that will be written (how many SOPs). Example template
Functional Requirements
These documents will outline the specific requirements of a system. Typical items covered in a Functional Requirements documents are: User Roles, User Access, Process Workflow and 21 CFR Part 11 Requirements (Audit Trail, Electronic Signature). Example template
These documents are crucial to a successful system validation. Requirements must be written concisely represented. The example below uses content for an Audit Log:
Audit Log report
- User that made the change
- Reason for change
- Previous Value
- New Value
- Date/Time of Change
Server Requirements
This document will outline the necessary hardware and architecture for a system.
Design/Configuration Document
A Design/Configuration Document will outline how the specific software was designed and include any specific configuration. Example template
Installation Qualification
Installation Qualification verifies Server Requirements were met and also verifies the Design/Configuration of the software. Example template
Operational/Performance Qualification
This document "tests" the Functional Requirements document. It will include challenge testing. It is important to ensure all error messages display as necessary. This testing also ensures the workflow is as intended. Example template
Final Validation Report
The Final Validation Report summarizes the testing (including deviations) and is used to release the software for production use. Example template
Change Control
After validation has been completed, all changes to the system must be maintained through a change control process. Here are example templates of information necessary for a compliant change control process:
More references for validating systems and 21 CFR Part 11
- Inspections of Sponsors, CROs and Monitors
- Guidance for Industry Computerized Systems Used in Clinical Investigations
- General Principles of Software Validation; Final Guidance for Industry and FDA Staff
If you have any questions or concerns about your system, it is highly recommended that you contact Compliance Advisory Services for assistance.
Related Tools, Guidance and Templates
- 21 CFR Part 11
- Scope of Guidance for Industry: Computerized Systems Used in Clinical Trials)
- Validation Plan Example template
- Functional Requirements Example template
- Design/Configuration Document Example template
- Installation Qualification Example template
- Operational/Performance Qualification Example template
- Final Validation Report Example template
- Change Control Preapproval
- Change Control Closure
- Inspections of Sponsors, CROs and Monitors
- Guidance for Industry Computerized Systems Used in Clinical Investigations
- General Principles of Software Validation; Final Guidance for Industry and FDA Staff