Frequently Asked Questions

Regulatory FAQs

If you have a regulatory question, please contact us by e-mail at info@toxikon.com.

CFR 21 Part 11

Q: Can a vendor guarantee compliant software for Part 11?

A: It is not possible for any vendor to offer a turnkey 'Part 11 compliant system'. Any vendor who makes such a claim is incorrect. Part 11 requires both procedural controls (i.e. notification, training, SOPs, administration) and administrative controls to be put in place by the user in addition to the technical controls that the vendor can offer. At best, the vendor can offer an application containing the required technical elements of a compliant system.

Q: What is the definition of hybrid system? Could you give an example of one?

A: A 'Hybrid System' is defined as an environment consisting of both electronic and paper-based records (frequently characterized by handwritten signatures executed on paper). A very common example of a Hybrid System is one in which the system user generates an electronic record using a computer-based system (e-batch records, analytical instruments, etc.) and then is required to sign that record as per the Predicate Rules (GLP, GMP, GCP). However, the system does not have an electronic signature option, so the user has to print out the report and sign the paper copy. Now he has an electronic record and a paper/handwritten signature. The 'system' has an electronic and a paper component, hence the term hybrid.

Q: If using a 'hybrid system' approach to e-signatures, how do you link the handwritten signature to the e-record?

A: Since Part 11 does not require that electronic records be signed using electronic signatures, e-records may be signed with handwritten signatures that are applied to electronic records or handwritten signatures that are applied to a piece of paper. If the handwritten signature is applied to a piece of paper, it must link to the electronic record. The FDA will publish guidance on how to achieve this link in the future, but for now it is suggested that you include in the paper as much information as possible to accurately identify the unique electronic record (e.g., at least file name, size in bytes, creation date and a hash or checksum value).
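As an added illustration (not part of the original FAQ or of any FDA guidance), the sketch below collects the identifying details this answer suggests printing on the signed paper copy and later checks a file against them. It assumes SHA-256 as the hash and the last-modified time as a stand-in for the creation date; the function names and the sample file are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def describe_record(path):
    """Collect the identifying details to print on the paper signature page."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    # Assumption: last-modified time stands in for "creation date", because a
    # true creation time is not available on every filesystem.
    stamp = datetime.fromtimestamp(int(st.st_mtime), tz=timezone.utc)
    return {
        "file_name": os.path.basename(path),
        "size_bytes": st.st_size,
        "timestamp_utc": stamp.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sha256": digest.hexdigest(),
    }

def mismatches(path, printed):
    """Return the fields where the file on disk no longer matches the paper."""
    current = describe_record(path)
    return sorted(k for k in printed if current.get(k) != printed[k])

def demo():
    """Constructed sample: a same-size, same-timestamp edit to a record."""
    fixed_time = 1_000_000_000          # constructed timestamp for the sample
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "batch_0042_results.csv")
        with open(path, "wb") as fh:
            fh.write(b"sample,assay\nA1,99.2\n")
        os.utime(path, (fixed_time, fixed_time))
        printed = describe_record(path)  # values written on the signed paper
        before = mismatches(path, printed)
        with open(path, "wb") as fh:
            fh.write(b"sample,assay\nA1,99.9\n")   # same length, one digit changed
        os.utime(path, (fixed_time, fixed_time))    # timestamp set back
        after = mismatches(path, printed)
    return printed, before, after

if __name__ == "__main__":
    printed, before, after = demo()
    for key, value in printed.items():
        print(f"{key}: {value}")
    print("mismatches before edit:", before)
    print("mismatches after edit:", after)
```

In the constructed case the name, size and timestamp all still match after the edit, so the hash is the only printed value that ties the paper signature to the exact record content.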

Q: What are some examples of audio data that may be captured in the Pharmaceutical Industry? Specific Examples?

A: Audio recordings of regulated patient information or experimental observations are infrequent, but sometimes acquired. Also, audio conferences discussing projects, reports, data are common in the pharma industry. If the data therein is required to be maintained by predicate rules, and the audio file is saved to durable media, Part 11 would apply.

Q: I keep electronic records but have signatures on paper (hybrid systems). Is there a deadline for converting to electronic signatures?

A: No. There is no deadline for converting to electronic signatures. Having handwritten signatures on paper is acceptable if the signatures are linked to electronic records so signers cannot repudiate records.

Q: When does an audit trail begin?

A: Audit Trail initiation requirements differ for data vs. textual materials. For data: If you are generating, retaining, importing or exporting any electronic data, the Audit Trail begins from the instant the data hits the durable media. For textual documents: if the document is subject to approval and review, the Audit Trail begins upon approval and release of the document.

Q: Should execution of a signature be audit trailed?

A: Yes, execution of a signature must be audit trailed.

Q: Are e-mails controlled documents?

A: If the text in an e-mail supports such activities as change control approvals or failure investigations, then the e-mails have to be managed in a compliant way. Your IT department or designee should be managing and backing up all e-mail and electronic data per standard operating procedures (SOPs).

Q: Can a single restricted login suffice as an electronic signature?

A: No. The operator has to indicate intent when signing something, and he has to re-enter the user ID/password (shows awareness that he is executing a signature) and give the meaning for the e-sig. To support this, Part 11 §11.50 states that signed e-records shall contain information associated with the signing that indicates the printed name of the signer, the date/time, and the meaning, and that these items shall be included in any human readable form of the record.

Q: When are e-signatures required?

A: The predicate rules mandate when a regulated document needs to be signed.

Q: Should a company individually certify that every associate's electronic signature is legally binding?

A: No. The required one-time e-sig certification is for an organization as a whole. Its intent is to certify that a company recognizes that its e-signatures are equivalent to their hand-written signatures.

Q: FDA has issued a new guideline on date and time. Is it not mandatory that it is local?

A: You are correct. The Agency has reconsidered their position on local date and time stamp requirements. The draft guidance document reflects their current thinking, and supersedes the position in comment #101 of the Rule with respect to the time zone that should be recorded. The document states, "You should implement time stamps with a clear understanding of what time zone reference you use. Systems documentation should explain time zone references as well as zone acronyms or other naming conventions."

Q: Does outsourcing of a computer make a system an open system? Additionally would the external access of an external vendor for maintenance work (e.g. using a modem) to a computer system make that an open system?

A: According to the Rule, the definition of closed system is "an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system." The agency agrees that the most important factor in classifying a system as closed or open is whether the persons responsible for the content of the electronic records control access to the system containing those records. A system is closed if persons responsible for the content of the records control access. If those persons do not control such access, then the system is open because the records may be read, modified, or compromised by others to the possible detriment of the persons responsible for record content. Hence, those responsible for the records would need to take appropriate additional measures in an open system to protect those records from being read, modified, destroyed, or otherwise compromised by unauthorized and potentially unknown parties.

 

Q: What do you mean by linking e-records to e-signatures?

A: Part 11 Sec. 11.70 states that electronic signatures and handwritten signatures executed to electronic records must be linked (i.e. verifiably bound) to their respective records to ensure that signatures could not be excised, copied, or otherwise transferred to falsify another electronic record. The agency does not, however, intend to mandate use of any particular 'linking' technology. FDA recognizes that, because it is relatively easy to copy an electronic signature to another electronic record and thus compromise or falsify that record, a technology-based link is necessary. The agency does not believe that procedural or administrative controls alone are sufficient to ensure that objective because such controls could be more easily circumvented than a straightforward technology based approach.

Q: Can you share a sample FDA Warning Letter, or is that proprietary information?

A: The FDA Warning Letters can be found on the FDA web site at http://www.fda.gov/foi/warning.htm. The letters are considered public information.

Q: What is 'grand fathering'?

A: "Grand fathering" simply means the possibility that the rule may not apply to any system in existence before the rule came into effect. Part 11 does not allow for grandfathering of legacy systems. Therefore, systems installed before August 20, 1997 must be made compliant or should be replaced. 

Q: What is GxP?

A: This refers to the "Good Practices" whose rulings are observed within the pharmaceutical industry. These are Good Laboratory Practice (GLP), Good Automated Manufacturing Practice (GAMP), Good Manufacturing Practice (GMP) and Good Clinical Practice (GCP). The 'x' is merely a placeholder.

Q: What is a 'Predicate Rule'?

A: Any requirements set forth in the Act (Federal Food, Drug and Cosmetic Act), the PHS Act (Public Health Service Act), or any FDA regulation (GxP: GLP, GMP, GCP, etc.). The predicate rules mandate what records must be maintained; the content of records; whether signatures are required; how long records must be maintained, etc. If there is no FDA requirement that a particular record be created or retained, then 21 CFR Part 11 most likely does not apply to the record.

Q: How can you make sure that e-records are still readable throughout the retention period (with focus on the formats)?

A: Currently, mostly proprietary formats are in use (e.g. in the lab area), and reading these formats in a few years may be difficult (especially if the vendor is changed). Printing or converting into PDF or similar is only a partial solution. What would or could be a long-term solution here?

There are several possible solutions being considered for long-term data re-processability. They include data migration, data emulation and system 'Time Capsules'. As of today, there are no set standards or widely accepted procedures to ensure long-term data viability.

Q: If you use Electronic Signatures, do you have to comply with Electronic Record Requirements?

A: Use of Electronic Signatures implies that your system is an Electronic Record system and, therefore, must be in compliance with all provisions of 21 CFR Part 11.

Q: Do you have a format or example for the certification for e-signatures that a company can send to the FDA?

A: For the exact wording for the e-sig certification, please consult the FDA website at www.fda.gov. One can also find wording for the certification in the preamble of the final Rule. The response to comment #120 is "…The final rule instructs persons to send certifications to FDA's Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. Persons outside the United States may send their certifications to the same office. The agency offers, as guidance, an example of an acceptable Sec. 11.100(c) certification: Pursuant to Section 11.100 of Title 21 of the Code of Federal Regulations, this is to certify that [name of organization] intends that all electronic signatures executed by our employees, agents, or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures."

Q: Which kind of media (CD Roms, WORMs, etc.) can be considered "21CFRPart11 compliant" from point of view of good retention period?

A: In an effort to remain technologically neutral, the FDA does not specify the kind of media that one must use for archiving. There are studies currently underway from independent sources that are trying to test the 'lifetime' of such media as CD ROM, although there is no set standard lifetime for such media. Some companies are doing their own tests on media lifetime.

Q: How do you recommend handling CROs and vendors on a timely basis?

A: The data that a CRO generates is ultimately the responsibility of the company that hires the CRO to do the research. That company must be on top of the CRO, their record keeping practices and their adherence to GxP. If a CRO is sending results back to the study sponsor, a compliant, secure, closed system is best to use. Just like with vendors, it is wise to audit the CROs and the vendors to make sure that they are up on their Part 11 (and GxP) compliance.

Q: What must a vendor do to claim that their hardware and software are 'compliant' with 21 CFR Part 11?

A: No vendor can claim that his or her software products are certified Part 11 compliant. A vendor, instead, can say that he has all of the Technical Controls for 21 CFR Part 11 compliance built in to his product. Remember, it is the responsibility of the user to implement the Procedural and Administrative Controls (correctly and consistently) along with using products with the correct Technical Controls for overall Part 11 compliance.

Q: Does Part 11 apply to instruments themselves that are not connected to computers but that have microprocessors within?

A: If such a system does not generate electronic records according to the definition of e-records in Part 11 (data starting its life written to durable media), and/or these e-records are not subject to the GxP regulations, then Part 11 does not apply.

 

Q: Are electronic signatures always required on the creation of electronic records?

A: The 'Predicate Rules' (GxP) regulations determine what records must be signed, not Part 11. Not all e-records need to be signed. Check your predicate rules for what records must be signed, when and by whom.

 

Q: Is a 'Gap Analysis' a necessary step to become 21 CFR Part11 compliant?

A: A Gap Analysis is not a specified requirement of Part 11; however, during the process of becoming Part 11 compliant, most firms undergo a Gap Analysis as part of their assessment/remediation phase.

Q: Is an audit of a vendor enough to ensure that the technical controls (in their product) are all present and compliant?

A: In addition to a vendor audit, one must scrutinize the product itself and its implementation in your facility. Do not forget that validation of the applicable systems in your own environment is the user's responsibility (not to mention implementing the procedural and administrative controls for complete adherence to Part 11).

 

Q: Could you define and provide examples of systems that are critical to "data integrity"?

A: For Part 11, data integrity is related to the trustworthiness of the electronic records generated/managed by critical systems. The FDA is most concerned about systems that are involved with drug distribution, drug approval, manufacturing and quality assurance because these systems pose the most risk in terms of product quality and/or public safety.

Q: How does the digital signature verify that the document hasn't been altered after signing?

A: A digital signature is computed using a set of rules and a mathematical algorithm such that the identity of the signatory and integrity of the data can be verified. Signature generation makes use of a private key to generate a digital signature. Signature verification makes use of a public key that corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. Public keys are obviously known to the public, while private keys are never shared. Anyone can verify the signature of a user by employing that user's public key. Only the possessor of the user's private key can perform signature generation. A hash function is used in the signature generation process to obtain a condensed version of data, called a message digest. The message digest is then incorporated into the mathematical algorithm to generate the digital signature. The digital signature is sent to the intended verifier along with the signed message. The verifier of the message and signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process. The hash function is specified in a separate standard.
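The hash-then-sign flow described here, and the record-to-signature link from the Sec. 11.70 answer, as an added example that is not part of the original FAQ. It uses textbook RSA with a small constructed key as a stand-in for whatever algorithm a real system uses, and SHA-256 as the hash; the record contents, signer name, meaning and timestamp are constructed sample values.

```python
import hashlib
import json

# Constructed demonstration key: textbook RSA over two small Mersenne primes.
# It is far too small and unpadded for real use; it only makes the flow visible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (N, E), known to verifiers
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the signer only

def manifest(record, signer, meaning, signed_at):
    """What gets signed: the record's digest plus the signing details."""
    body = {
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "signer": signer, "meaning": meaning, "signed_at": signed_at,
    }
    return json.dumps(body, sort_keys=True).encode()

def digest_int(data):
    """Message digest as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(record, signer, meaning, signed_at):
    """Signature generation: requires the private exponent D."""
    return pow(digest_int(manifest(record, signer, meaning, signed_at)), D, N)

def verify(record, signer, meaning, signed_at, signature):
    """Signature verification: requires only the public key (N, E)."""
    expected = digest_int(manifest(record, signer, meaning, signed_at))
    return pow(signature, E, N) == expected

def demo():
    """Constructed records: an original, an altered copy, and a different record."""
    original = b"Lot 17 assay: 99.2% (pass)"
    altered = b"Lot 17 assay: 99.9% (pass)"
    other = b"Lot 18 assay: 97.0% (pass)"
    who, why, when = "J. Doe", "approval", "2024-01-15T10:30:00Z"
    sig = sign(original, who, why, when)
    return {
        "original": verify(original, who, why, when, sig),
        "altered_after_signing": verify(altered, who, why, when, sig),
        "signature_moved_to_other_record": verify(other, who, why, when, sig),
        "meaning_changed": verify(original, who, "review", when, sig),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Because the record digest and the signing details are inside the signed manifest, the same signature value fails on an altered record, on a different record, and on a changed meaning.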

Q: For an HPLC system, are the parameters entered for a chromatographic run considered an electronic record?

A: For an analytical instrument, any information that is captured by a computerized workstation is considered either data or metadata. (Metadata is described as data-about-data. It's what puts the real data into logical context.) The second that any information hits the 'durable media' it then becomes an electronic record. Parameters that are typically captured by an HPLC system (i.e. flow rate, sample lot #, etc.) are considered metadata. This information should be saved and protected as part of the official electronic record.

[SOURCE: http://www.21cfrpart11.com/]
