21 CFR Part 11

Agenda

• Evolution of Computer system: Old Scenario
• Evolution of Computer system: Current Scenario
• Need of Part 11 Rule
• Fundamental requirements of GxP (Clinical) Data
• Background and Purpose of Part 11
• Intended key objectives of Part 11 Regulations
• Definitions used
• Sections in Part 11
• Subpart A
• Subpart B
• Subpart C

www.qclynx.com
1
Evolution of Computer system: Old Scenario

[Diagram: Case History, Paper CRF, Clinical DB (eCRF) w/o eSignature]

1. Data are registered in the paper Case History
2. Data are reported in the CRF Paper Form
3. Data are migrated in the Clinical DB (option: Electronic Signature)
Loaded with Paper

Evolution of Computer system: Current Scenario

[Diagram: Case History, Network, Clinical DB (eCRF) w/o eSignature]

1. Data are registered in the Case History form
2. Data are directly recorded in the Clinical DB through remote access and electronically signed
Need of Part 11 Rule

• Accept/promote new technologies
• Benefit industry & FDA
• Operational efficiencies
• Paperwork reduction
• FDA Concerns
• Retain full ability for the agency to promote/protect public health
Fundamental requirements of GxP (Clinical) Data

Security, Integrity, Traceability

Data shall be (regardless of the format!):
• Attributable
• Legible
• Contemporaneous
• Original
• Accurate
Complete, Consistent, Enduring, Available (ALCOA +)
Background and Purpose of Part 11
US-FDA in 1997 issued a regulation that provides criteria for acceptance by the FDA of electronic records, electronic signatures and
handwritten signatures.

Code of Federal Regulations (CFR): Set of rules published by the federal government to regulate the conduct of various businesses.

50 sections, known as titles, reviewed yearly.

Title 21 is the portion of the Code of Federal Regulations that governs food and drugs within the US for the Food and Drug
Administration (FDA), the Drug Enforcement Administration (DEA), and the Office of National Drug Control Policy (ONDCP). Title 21 is
the set of rules describing the Food, Drug and Cosmetics Act, and the law enforcement body, the FDA, that enforces this Act.

CFR Title 21 has 1499 parts that deal with every aspect of discovering, preclinical cytotoxicity testing, phase I, phase II, phase II
manufacturing, inter-state commerce, etc., for food, drugs, biologics, blood, vaccines and cosmetics.

Part 11 of the CFR Title 21 code regulates electronic records and electronic signatures.

Background and Purpose of Part 11 (Cont.…)
• To summarize the rules, if one must maintain records for GxP, or must submit records to the FDA and would like to
do so electronically in place of on paper, then the software used to create the electronic records must be Part 11
compliant. However, if one uses software but creates paper documentation for GxP, then the software itself need
not be Part 11 compliant for the laboratory to do Part 11 compliant work.
• The complete text on the matter is reprinted here, obtained from the FDA Part 11 compliance recommendation
document. The FDA considers Part 11 to apply to:

−Records that are required to be maintained under predicate rule requirements and that are maintained in
electronic format in place of paper format. On the other hand, records (and any associated signatures) that
are not required to be retained under predicate rules, but that are nonetheless maintained in electronic
format, are not part 11 records. We recommend that you determine based on the predicate rules, whether
specific records are part 11 records. We recommend that you document such decisions.

−Records submitted to FDA, under predicate rules in electronic format. However, a record that is not itself
submitted, but is used in generating a submission, is not a part 11 record unless it is otherwise required to
be maintained under a predicate rule and it is maintained in electronic format.

−Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other
general signings required by predicate rules. Part 11 signatures include electronic signatures that are used,
for example, to document the fact that certain events obscure previous entries.

Intended key objectives of Part 11 Regulations

• Retention/documentation of records
• Integrity/security of Records
• FDA Access to Records
• Accountability for Maintaining Records
• Authentication of Electronic Signatures
• Validation System
Interpreting the FDA’s rule on Electronic Records and Electronic Signatures
• 21 CFR Part 11 has been the subject of much interpretation over the last few years. For an
analytical instrument, complying means addressing the following issues, in accordance with
predicate rules that apply (cGMP, GLP):
➢ Controlling system access
➢ Ensuring proper system use
➢ Keeping system and record histories
➢ Proving record integrity
➢ Establishing record responsibility
➢ Protecting and retrieving the record throughout the retention period
➢ Ensuring that record-producing system is functioning properly and is fit-for-purpose

Terminology
• A clear understanding of the terminology is of utmost importance for a common understanding of the rule
and its implementation. Let's look at a few common terms used in CFR standards:
• Meta data: Meta data is important for reconstructing a final report from raw data. In chromatography it includes integration
parameters and calibration tables.
• Predicate Rule: Any requirements set forth in the Act (Federal Food, Drug and Cosmetic Act), the PHS Act (Public Health Service
Act), or any FDA regulation (GxP: GLP, GMP, GCP, etc.). The predicate rules mandate what records must be maintained; the
content of records; whether signatures are required; how long records must be maintained, etc. If there is no FDA requirement
that a particular record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.
• Person: "Person includes an individual, partnership, corporation, association, government agency, or organizational unit
thereof, and any other legal entity."
• Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form
that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
• Electronic Signature: Means a computer data compilation of any symbol or series of symbols executed, adopted or authorized
by an individual to be the legally binding equivalent of that individual’s handwritten signature.
• Biometric: Biometrics is "a method of verifying an individual's identity based on measurement of the individual's physical
feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable".
Examples of biometrics include facial recognition, voice recognition and fingerprint scanners. Most of them need specific
hardware and software. The biggest problem with such devices is validating that they work reliably for the specified user but
not for anyone else.

Terminology (Cont.….)
• Closed System: Closed Systems means “an environment in which system access is controlled by persons who are responsible for
the content of electronic records that are on the system.”
• Open System: Open system means “an environment in which system access is not controlled by persons who are responsible
for the content of records that are on the system.”
• Hybrid systems: Hybrid systems are a combination of electronic records and paper records. They are common systems in
analytical laboratories today. Raw data are recorded electronically to reconstruct the analysis but the final results are printed
and signed on paper. The FDA does not prohibit hybrid systems but has expressed some concerns about their acceptability.

Sections in Part 11

Subpart A – General Provisions
• Sec. 11.1 Scope
• Sec. 11.2 Implementation
• Sec. 11.3 Definitions

Subpart B – Electronic Records
• Sec. 11.10 Controls for closed systems
• Sec. 11.30 Controls for open systems
• Sec. 11.50 Signature manifestations
• Sec. 11.70 Signature/record linking

Subpart C – Electronic Signatures
• Sec. 11.100 General requirements
• Sec. 11.200 Electronic signatures and controls
• Sec. 11.300 Controls for identification codes/passwords
Subpart A – General Provisions
11.1 Scope

(a) Statement: The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
Interpretation: The purpose of Part 11 is to ensure that electronic records and electronic signatures can be trusted as much as paper records and ink signatures.

(b) Statement: This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.
Interpretation: All electronic records that are used for regulated purposes are subject to Part 11. A paper record that is transmitted electronically (e.g., as an email attachment) is NOT subject to Part 11.
Subpart A – General Provisions
11.1 Scope

(c) Statement: Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
Interpretation: If an organization can prove, typically via computer system validation, that its electronic signatures comply with Part 11, the FDA will accept electronic signatures instead of ink. If some other regulation specifically requires ink, that regulation supersedes Part 11.

(d) Statement: Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required.
Interpretation: If an organization can prove that its electronic records comply with Part 11, the FDA will accept electronic records instead of paper.
Subpart A – General Provisions
11.1 Scope

(e) Statement: Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.
Interpretation: The proof required in the previous two letters (c and d) must be maintained in such a way that the FDA can inspect it (i.e., documentation is king).

(f) Statement: This part does not apply to records required to be established or maintained by 1.326 through 1.368 of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part.
Interpretation: There are a few obscure types of records that are excluded from Part 11, because they fall under other regulations, but the vast majority need to comply.
Subpart A – General Provisions
11.2 Implementation

(a) FDA Rule: For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.
Interpretation: For regulated records that are NOT submitted to the FDA, an organization can use electronic instead of (or in addition to) paper, as long as it can prove that its electronic records comply with Part 11.

(b) FDA Rule: For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:
(1) The requirements of this part are met; and
(2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific centre, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.
Interpretation: For regulated records that are submitted to the FDA, an organization can use electronic instead of paper as long as these two conditions are met:
1. It can prove that its electronic records comply with Part 11.
2. The FDA is capable of accepting those types of records electronically.
The types of e-records that the FDA accepts are listed in public docket No. 92S-0251.
If there is any doubt as to whether a record can be submitted electronically, contact the receiving unit at the FDA before attempting submission.
Subpart B – Electronic Records
11.10 Controls for Closed system

Statement: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

(a) Statement: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Interpretation: Validation: How an organization proves (to itself and auditors) that the data in a computer system can be trusted.
Validation protocols that comprehensively qualify the installation, operation, and performance.

(b) Statement: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
Interpretation: Record generation and copying: How an organization makes sure that all electronic records that an auditor might want to see and/or copy can be provided in a language/format that humans (not just computers) can understand.
Ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for FDA inspection, review, and copying.
Subpart B – Electronic Records
11.10 Controls for Closed system

(c) Statement: Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Interpretation: Record Protection: How an organization protects documentation and keeps it readily available for as long as it’s required to be stored.
Metadata & Backup

(d) Statement: Limiting system access to authorized individuals.
Interpretation: Access Limitation: How an organization ensures that only the right people have access to each computer system.
Includes security features, like login requirements and session inactivity timeouts, that limit access to authorized individuals

(e) Statement: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Interpretation: Audit Trails: How an organization ensures that a complete history of an electronic record is automatically captured by a computer system, retained in the system for the right amount of time, and viewable by humans.
Record the date and time of all entries and actions that create, modify, or delete data, along with the name of the person who performed the action
Subpart B – Electronic Records
11.10 Controls for Closed system

(f) Statement: Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
Interpretation: Workflow: How an organization makes sure that electronic workflows in computer systems function correctly.
Life cycle or process flow activities setup

(g) Statement: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Interpretation: Authority check: How an organization limits user access (system level and record level) and verifies that the users performing functions in the system are authorized to do so.
User credentials to access the information

(h) Statement: Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Interpretation: How an organization verifies that equipment being used for regulated purposes is functioning properly.

(i) Statement: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Interpretation: Training: How an organization makes sure only trained and qualified people perform functions on or within the system.
Preparation of training plan to make the client staff understand the implication of Part 11 on their work
Subpart B – Electronic Records
11.10 Controls for Closed system

(j) Statement: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Interpretation: Accountability: How an organization holds individuals accountable for the integrity of their actions related to electronic records and electronic signatures.
Preparation of training plan to make the client staff understand the implication of Part 11 on their work

(k) Statement: Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Interpretation: Documentation Control: How an organization controls documents related to system operation and maintenance and preserves the complete history of changes made to these documents.
Should follow change control and life cycle management procedures for document control
Subpart B – Electronic Records
11.30 Controls for Open system

Statement: Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
Interpretation: For an organization using open systems, everything for closed systems (Section 11.10) still applies. In addition, it must take more steps (whatever makes the most sense, given the risks and available options) to ensure the same record qualities described in Section 11.10:
➢ Authenticity
➢ Integrity
➢ Confidentiality (when appropriate)
➢ Irrefutability (i.e., no way to deny that a record is genuine)
Subpart B – Electronic Records
11.50 Signature manifestations

(a) Statement: Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Interpretation: Any time an electronic record is signed, the following information must be visible and associated with the signature:
✓ Printed name of signer
✓ Date and time of signature
✓ Meaning of signature (e.g., content is accurate, format is correct, data calculations were verified)
All signed records clearly indicate who signed the record, when the signature was executed, and the meaning of the signature

(b) Statement: The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
Interpretation: The points mentioned in 11.50 (a) must be in human-readable format.
Subpart B – Electronic Records
11.70 Signature/record linking

Statement: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Interpretation: Any kind of signature (ink or electronic) executed to an electronic record must remain connected to that record forever. It can’t be removed, covered over, erased, transferred, etc.
Signatures are irrevocably linked to source records in the secure database, and signatures are maintained in that database
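The audit-trail rule in 11.10(e) and the signature rules in 11.50 and 11.70, sketched as an added Python example (it is not taken from the slides or from any product they describe). The class and field names, the sample record IDs and the system-held HMAC key used for linking are assumptions.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _digest(obj) -> str:
    """Stable SHA-256 over a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditedStore:
    """Records plus an append-only, hash-chained audit trail (hypothetical design)."""

    def __init__(self, link_key: bytes):
        self._key = link_key   # assumption: held by the system, never by users
        self.records = {}      # record_id -> current value (None once deleted)
        self.trail = []        # 11.10(e): entries are only ever appended

    def _log(self, action, record_id, user, old, new):
        entry = {
            "seq": len(self.trail),
            "utc": datetime.now(timezone.utc).isoformat(),  # computer-generated time
            "user": user,
            "action": action,
            "record_id": record_id,
            "old": copy.deepcopy(old),   # prior value stays visible, never overwritten
            "new": copy.deepcopy(new),
            "prev": self.trail[-1]["hash"] if self.trail else "0" * 64,
        }
        entry["hash"] = _digest(entry)   # chains this entry to the one before it
        self.trail.append(entry)

    def write(self, record_id, user, value):
        old = self.records.get(record_id)
        self._log("modify" if old is not None else "create", record_id, user, old, value)
        self.records[record_id] = copy.deepcopy(value)

    def delete(self, record_id, user):
        self._log("delete", record_id, user, self.records[record_id], None)
        self.records[record_id] = None

    def chain_intact(self) -> bool:
        """Detect edited, removed or reordered audit entries."""
        prev = "0" * 64
        for e in self.trail:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def _mac(self, body) -> str:
        return hmac.new(self._key, _digest(body).encode(), hashlib.sha256).hexdigest()

    def sign(self, record_id, printed_name, meaning):
        # 11.50(a): printed name, date/time and meaning travel with the signature.
        manifest = {
            "printed_name": printed_name,
            "signed_utc": datetime.now(timezone.utc).isoformat(),
            "meaning": meaning,
            "record_id": record_id,
            "record_digest": _digest(self.records[record_id]),
        }
        # 11.70: the MAC covers the record ID and content digest, so the
        # signature cannot be lifted onto another record or other content.
        manifest["link"] = self._mac(manifest)
        self._log("sign", record_id, printed_name, None, manifest)
        return manifest

    def signature_valid(self, manifest) -> bool:
        body = {k: v for k, v in manifest.items() if k != "link"}
        if not hmac.compare_digest(self._mac(body), manifest.get("link", "")):
            return False
        current = self.records.get(body.get("record_id"))
        return current is not None and _digest(current) == body["record_digest"]
```

A signature that verified at signing time stops verifying once the record content changes, which is the signal to route the record back for re-signing.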
Subpart C – Electronic Signatures
11.100 General Requirements

(a) Statement: Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
Interpretation: Each person must have a unique electronic signature that has never been and never will be used by anyone else.

(b) Statement: Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
Interpretation: Before someone can use an electronic signature, his/her identity must be verified.

(c) Statement: Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
Interpretation: Before an organization implements electronic signatures, it must notify the FDA of its intention and state that it will consider electronic signatures to be as legally binding as ink signatures.
The first step in the process is to write and mail the FDA a paper letter signed with ink signatures.
If the FDA asks for additional proof that an organization will consider electronic signatures to be legally binding, the organization must provide it.
Subpart C – Electronic Signatures
11.200 Electronic signature components and controls

(a) Statement: Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Interpretation: Electronic signatures that are NOT biometric (i.e., not based on a physical feature, like a fingerprint) must be designed as follows:
They must be made up of at least two distinct parts (i.e., user ID and password).
❑ The first time a user signs a record after logging into a system, the system must require them to enter ALL of the parts of their signature (i.e., user ID and password). Subsequent signings during that same session only require the use of ONE part (i.e., password).
❑ Each time a user logs out and logs back in (or gets timed out by the system), the clock restarts and the first record signed after logging in must require ALL parts of the signature.
❑ Electronic signatures can only be used by the individuals to whom they are assigned.
❑ However, if an individual’s electronic signature must be used by someone it’s not assigned to, the system must require at least two people to work together to do so.
E.g.: “The system administrator and the individual’s supervisor would need to work together to use the individual’s signature.” This would only come into play if the individual who should have signed was unavailable (e.g., left the company, out on medical leave) and there was no workaround available.
Subpart C – Electronic Signatures
11.200 Electronic signature components and controls

(b) Statement: Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Interpretation: Electronic signatures that are biometric (e.g., fingerprint scan, retinal scan) can only be used by the individuals to whom they are assigned.
Not Applicable, if not integrated with any biometric systems.
Subpart C – Electronic Signatures
11.300 Controls for Identification codes and passwords

Statement: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
Interpretation: For electronic signatures that make use of identification codes (i.e., user IDs) and passcodes/passwords, the following controls need to be in place:

(a) Statement: Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
Interpretation: No two users can have the same combination of user ID and password – each combination must be unique – and each user ID can only be assigned to one individual, ever (no re-use allowed).
Ensuring the uniqueness of name
A configurable account lockout mechanism that protects against attempts at guessing username/password combinations.

(b) Statement: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
Interpretation: Passwords must be checked, recalled, or changed from time to time.
Ensure systems support initial change password, session-timeout, frequency change password configurations etc…
Subpart C – Electronic Signatures
11.300 Controls for Identification codes and passwords

(c) Statement: Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
Interpretation: If a passcode token/device is lost or stolen, it must be deauthorized and a secure replacement must be issued.

(d) Statement: Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
Interpretation: Unauthorized attempts to access user IDs or passwords/passcodes must be detected and reported to the appropriate person/group in the organization for investigation.
A configurable notification mechanism to alert system administrators of bad login attempts
Subpart C – Electronic Signatures
11.300 Controls for Identification codes and passwords

(e) Statement: Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Interpretation: Passcode tokens must be tested before they are issued for use and periodically while in use to make sure they’re functioning correctly.
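The session rule in 11.200(a)(1)(i)-(ii) and the lockout and reporting controls noted under 11.300(a) and (d), sketched as an added Python example (it is not code from the slides or from any product they describe). The class, method and parameter names, the 900-second idle timeout, the three-failure threshold and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os


class SignatureRefused(Exception):
    """Raised whenever a login or signing attempt is not accepted."""


class ESignService:
    def __init__(self, idle_timeout=900, max_failures=3, alert=print):
        self.idle_timeout = idle_timeout  # seconds of inactivity that end a session
        self.max_failures = max_failures  # consecutive bad passwords before lockout
        self.alert = alert                # 11.300(d): report to the security unit
        self._users = {}                  # user_id -> salt, hash, failures, locked
        self._sessions = {}               # token -> user, last activity, full_done

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user_id, password):
        if user_id in self._users:        # 11.300(a): a user ID is never reassigned
            raise ValueError("user ID already assigned")
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                                "failures": 0, "locked": False}

    def _check(self, user_id, password):
        u = self._users.get(user_id)
        if u is None or u["locked"]:
            return False
        if hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            u["failures"] = 0
            return True
        u["failures"] += 1
        if u["failures"] >= self.max_failures:
            u["locked"] = True
            self.alert(f"account {user_id} locked after {u['failures']} failed attempts")
        return False

    def login(self, user_id, password, now):
        if not self._check(user_id, password):
            raise SignatureRefused("login failed")
        token = os.urandom(16).hex()
        self._sessions[token] = {"user": user_id, "last": now, "full_done": False}
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def sign(self, token, record_id, meaning, password, now, user_id=None):
        s = self._sessions.get(token)
        if s is None or now - s["last"] > self.idle_timeout:
            # 11.200(a)(1)(ii): the continuous period is over, start again.
            self._sessions.pop(token, None)
            raise SignatureRefused("no continuous session, log in again")
        if user_id is None and not s["full_done"]:
            # 11.200(a)(1)(i): the first signing needs every component.
            raise SignatureRefused("first signing needs user ID and password")
        if user_id is not None and user_id != s["user"]:
            raise SignatureRefused("user ID does not match the session owner")
        if not self._check(s["user"], password):
            raise SignatureRefused("password rejected")
        s["full_done"] = True             # later signings may use the password alone
        s["last"] = now
        return {"signer": s["user"], "record_id": record_id,
                "meaning": meaning, "signed_at": now}
```

Times are passed in as `now` (seconds) so the timeout behaviour can be exercised deterministically during validation testing.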
Summary & Benefits
Benefits:
➢ Ensure the protection and ready retrieval of electronic records
➢ Ensure operational consistency across all departments
➢ Improve productivity and efficiency of existing staff through automation
➢ Minimize and possibly eliminate the maintenance and retention of paper documentation
➢ Meet study timelines
➢ Perform faster study-related searches and establish trends
➢ Provide study-related submission information in formats acceptable to the FDA

Summary:
➢ FDA objective was to create a set of guidelines that allow the maximum possible use of the electronic technology
➢ 21 CFR Part 11 defines criteria under which electronic records and electronic signatures are considered to be
trustworthy, reliable and equivalent to paper records.
➢ If both the Procedural and Technical requirements are met then the product is 21 CFR Part 11 Compliant.

Questions?
Thank You
