FDA 21 CFR Part 11 Compliance
Why Does FDA 21 CFR Part 11 Compliance Matter?
In March of 1997, FDA issued final part 11 regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, were intended to permit the widest possible use of electronic technology, compatible with FDA’s responsibility to protect the public health. CFR Part 11 applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries.
FDA 21 CFR Part 11 is primarily intended to enforce provisions related to the following controls and requirements:
- limiting system access to authorized individuals
- use of operational system checks
- use of authority checks
- use of device checks
- determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
- establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
- appropriate controls over systems documentation
- controls for open systems corresponding to controls for closed systems bulleted above (§ 11.30)
- requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)
Continued compliance with these provisions is expected, and records that are required to be maintained or submitted must remain secure and reliable in accordance with the rules.
Our deliverables
- Audit Confirmation Letter
- 21 CFR Part 11 Detail Assessment Report
Computer System Validation (CSV) and 21 CFR Part 11 include:
- SOPs, policies, and guidelines
- Personnel qualifications and training records
- System Validation (Software Development Life Cycle) activities and documentation
- Validation Plan
- Design/Configuration, Test plans, scripts, protocols, and reports, Traceability
- Types of systems and records, including batch records, clinical trial data capture, safety analysis, and document management
- Software and documentation change control
- Archiving and data retention
- User documentation and support
- Configuration management
- Installation and maintenance
- Physical and electronic security
- Backup and recovery
- Facilities management
- Network vulnerability scan report
- Advisory services on FDA, HHS/OCR or OIG audit (additional charges may apply)
Our Step-by-Step Approach:
- Defining the scope of the security risk analysis
- Inventorying ePHI systems
- Assessing current security measures and reviewing past security risk assessment report
- Determining the likelihood of threat occurrence
- Identifying risks using automated and manual vulnerability analysis
- Prioritizing implementation
- Documentation of findings
- Security risk assessment report
- Summary Report
- Action Plan
- Annual update