The Quickest, Dirtiest Breakdown of Part 11 for Monitoring Systems EVER!
In this week's blog, Senior Regulatory Expert Paul Daniel gives a brief (very brief) overview of 21 CFR Part 11 and Annex 11. Paul has Part 11 on the brain because he is currently updating our White Paper on how our monitoring solution handles the requirements of the regulation -- the next version will include EMA's Annex 11.
According to Annex 11:
"Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process."
The FDA similarly says that the purpose of Part 11 is to make sure electronic records are:
"...trustworthy, reliable, and generally equivalent to paper records."
The important system controls of Part 11 and Annex 11 include the following elements:
- Human Readable Copies
- Protection and Retention of records
- Audit trails
- Restricted access for authorized users only
- Authority checks
- Device checks
- Written procedures
- System documentation
With regard to validation, Part 11 lays out the need for validation in the first item of Section 11.10: "Controls for Closed Systems":
(a) "Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records." For Vaisala's systems, we provide an IQOQ set of protocols and, if the customer desires, we execute as well. Furthermore, our systems are designed to prevent and identify alteration of records.
The next item in "Controls for Closed Systems" states: (b) "The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency." The fact that there is a specific regulation regarding human-readable copies demonstrates how far the software industry has evolved. It would be hard today to imagine a user-friendly system that did not allow printing of documents and data. For most monitoring systems, the records of interest are the actual historical monitoring values. And for most systems, creating a human-readable copy likely means that historical data and event logs may be printed out in a secure format, such as a PDF document.
The protection and retention of records, as described in Section 11.10 (c), means that whatever data your system produces, it may not be altered. In addition, to meet the requirement of "ready retrieval throughout the records retention period," your data needs to be archived in a way that it can be conveniently restored – you don’t want to make an auditor wait! Or, if you store the data permanently within your database, the database should be designed in such a way that the system's performance does not degrade as the database grows over time. How you meet this requirement may have as much to do with the design of your system as it does with your system administration policies around archival.
Item (e) in Section 11.10 - Controls for Closed Systems states:
"Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
In terms of an environmental monitoring system, this means that the electronic records (data and events) cannot be manually created, modified, or deleted. The Audit Trail of your system needs to capture any changes to metadata (schedules and report templates) and configuration data without obscuring earlier entries. Even better if your system doesn’t allow any changes to sensitive records.
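One way to make an audit trail of the kind item (e) describes tamper-evident, shown as an added example (it is not Vaisala's code and not a method Part 11 prescribes): each entry carries a system-generated timestamp, both the old and the new value, and a SHA-256 hash chained to the previous entry. The `AuditTrail` class, the field names and the `freezer-3/high_alarm_c` setting are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: a change is a new entry, never an overwrite."""
    def __init__(self):
        self._entries = []

    def record(self, user, action, target, old, new):
        body = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),  # system clock
            "user": user, "action": action, "target": target,
            "old": old, "new": new,  # the earlier value stays visible
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=_digest(body)))

    def export(self):
        return [dict(e) for e in self._entries]  # copies for review


def first_invalid(entries):
    """Return the index of the first altered or missing entry, else None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
            return i
        prev = e["hash"]
    return None


def demo():
    trail = AuditTrail()
    # Constructed sample: two edits to a hypothetical alarm threshold.
    trail.record("alice", "modify", "freezer-3/high_alarm_c", -18.0, -15.0)
    trail.record("bob", "modify", "freezer-3/high_alarm_c", -15.0, -18.0)
    copy = trail.export()
    intact = first_invalid(copy)
    copy[0]["new"] = -18.0  # simulate an after-the-fact edit
    return intact, first_invalid(copy)
```

A chain held in one place only shows edits made by someone who cannot recompute every later hash, so the latest hash also needs to be kept somewhere the record editor cannot write.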
As a closed system, your monitoring system needs to limit access to only "authorized individuals." That's item (d) in Section 11.10. Typically this means that all who have access to the system have a distinct username and secure password. Often a system will integrate with your OS authentication to leverage commonly used, pre-existing password management tools.
There is a lot more I could say about Part 11 - but it should be clear by now that it's really about risk management for electronic records and the new technology of digital signatures. The key idea is that validation and monitoring system security measures are most important when they pertain to critical records - that is, records that represent the effects of your Quality System. Less effort can be devoted to less critical records.
Part 11 and Annex 11 were introduced to address the key differences between computerized and manual systems and make electronic records equivalent to paper records as evidence of quality process execution. Today, most environmental monitoring systems used in GxP compliant firms are inherently aligned with the requirements of both the "Elevens." However, the risk comes not from the systems themselves, but from how they are implemented and maintained.
Although your monitoring system probably included User and Administrator manuals and CDs that are fairly easy to integrate into your Document Management System, the procedures that control documentation are still your responsibility. As good as your monitoring system may be (and, if you have a Vaisala system, it's awesome!), only the procedures of your Quality System keep you in compliance with Part 11/Annex 11.
PS – I know some of you are concerned about Electronic Signatures as well. Managing electronic signatures is a specialized software function. Specialty enterprise software exists for implementing Electronic Signatures within an Electronic Document Management System (EDMS). For Vaisala's monitoring solution, we recommend a "hybrid" system, which means it uses electronic records combined with handwritten signatures, wherein the PDF outputs can be imported into an EDMS.
Stay tuned for an updated version of our White Paper: "Assessment of Vaisala Veriteq viewLinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements".
We received a great email from one of our blog readers. Here is a comment from blog reader Christopher R. Lee.
Thank you, Mr. Lee, for sending us your comments! (posted below)
Paul's reply to these comments was:
"Very cool! I like his viewpoint -- seems like a front-line explanation of a risk-based approach, combined with the experience of someone who has had to ensure quality both within and outside of a strict corporate structure." PD
Christopher R. Lee wrote:
21 CFR 11 had been around a long time before I retired, & I was fortunate enough to retire a fairly long time ago. It seems that nothing has changed and that the regulators have no idea how things work in real life, including sending space shots to the edge of the solar system.
If you want to set up a spreadsheet to calculate content uniformity according to the pharmacopeias, you can't, because IT will take 2 years to decide if the project is worth considering. It's much easier to pay someone to spend hours on each calculation using a (qualified?) pocket calculator.
Christopher R. Lee
Exploring Analytical Chemistry