ESR Cfr 21 FDA


  • gxpandjvt.com Journal of Validation Technology [Autumn 2012] 15

    Device Validation Forum. [John E. Lincoln]

    For more author information, go to gxpandjvt.com/bios

    [ABOUT THE AUTHOR] John E. Lincoln is a principal consultant for J.E. Lincoln and Associates LLC, which assists companies in the design and implementation of complete 21 CFR 111, 210, 211, 820 and ISO 13485 quality management systems that are fully cGMP-compliant and will pass FDA audits. He may be reached by e-mail at [email protected].

    Issues with Medical Device Part 11 Electronic Records; Electronic Signatures

    "Device Validation Forum" discusses regulatory requirements, scientific principles, strategies, and approaches associated with medical device validation that are useful to practitioners. We intend this column to be a valuable resource for daily work applications. The key objective for this column is useful information.

    Reader comments, questions, and suggestions are needed to help us fulfill our objective for this column. Suggestions for future discussion topics or questions to be addressed are requested. Case studies illustrating principles associated with medical devices submitted by readers are also most welcome. We need your help to make "Device Validation Forum" a useful resource. Please send your comments and suggestions to column coordinator John E. Lincoln at [email protected] or to journal managing editor Cale Rubenstein at cru-[email protected].

    INTRODUCTION

    As the medical device industry moves toward electronic records (ER) and signatures by in-house systems and/or cloud/web-based systems, and away from paper documentation, 21 Code of Federal Regulations (CFR) Part 11, Electronic Records; Electronic Signatures (ES) verification and validation (V&V) activities and documentation become mandatory. These issues are not only a regulatory/Part 11 concern but also a user/customer concern.

    These requirements should not be viewed as unnecessary bureaucratic red tape. All industries, not just US Food and Drug Administration-regulated ones, are increasingly faced with these issues. The requirements of Part 11 are very similar to those that banking, finance, legal, and other business entities face. All must strive to ensure the integrity of electronic records/signatures as these increasingly replace paper-based records and documentation systems.

    What are these Issues?

    There are several pertinent issues that need to be described. They concern how a company can verify or validate compliance with those portions of Part 11 that are applicable to its operations.

    Large software applications having a current good manufacturing practice (cGMP) impact include enterprise resource planning (ERP) systems. ERP validations typically involve both cGMP activities/records and purely business/non-cGMP activities/records. These typically impact all areas of a company. They often present the most complex challenge for a Part 11 V&V project. Since that is the case, a Part 11 validation will typically only use test cases/scripts that specifically address the cGMP functions that the software performs, when they can be separated. Each test case is developed from the software requirements specification (SRS) or its equivalent, which should only list those requirements that are cGMP-specific (for the purpose of the cGMP/Part 11 software V&V).

    The company's 21 CFR Part 11 ER/ES requirements would be included in the SRS. However, the author recommends that the purely Part 11 requirements be addressed by test cases in the operational qualification (OQ), including those addressed by non-software/offline systems and references to relevant standard operating procedures (SOPs), manual logs, or similar documentation. The rationale is that the V&V of Part 11 requirements generally focuses on the existence/initialization (installation qualification [IQ] or operational qualification [OQ]) of each applicable element of Part 11 rather than its repeatability (performance qualification [PQ]). Where proof of repeatability is a concern, test cases could be added to the PQ runs as well.

    As with any validation, a line in the sand must be drawn prior to start. This means that once the decision is made to validate, the software must be frozen in time, with any future changes performed under revision/release number/change control. Any changes must include consideration of the degree of effect the change may have on any previous verification/validation activities. While such change control is relatively easy with hardware, it is increasingly difficult with software, especially cloud or web-based software (e.g., applications or data warehousing/storage that can almost automatically be upgraded, patched, or have a service pack added by the vendor over the Internet without notification or input from the using company).

    Whenever this author undertakes such a validation with a client, a meeting is arranged with the company's information technology (IT) department and quality assurance (QA) team to initiate systems that capture and hold all such incoming changes for joint IT/QA review against existing V&Vs. The appropriate decision and method of implementation, regression testing required, and/or similar actions can then be decided, documented with supporting rationale, signed, dated, and implemented under change control. Without such a system in place, any validations are merely a waste of time and valuable resources.

    ELECTRONIC RECORDS/SIGNATURES AREAS REQUIRING V&V

    The following are the types of electronic records and/or e-signatures that require validation under 21 CFR Part 11. These may be exclusive cGMP records or records used for cGMP decision-making (regardless of the company written policy):

    • Any cGMP document that an SOP states is documented by a controlled hard/paper copy with manually entered signatures (this includes personnel actually not using these hard copies but referring to their computers in order to make quality control [QC]/cGMP decisions [i.e., it is not what a company says, but what is actually being done])
    • Management reviews of quality policies, systems, organization/staffing, audits, etc.
    • Internal quality audits
    • Training: conduct, subject matter, and records
    • Proof of design control activities (an electronic design history file [e-DHF])
    • Any cGMP document approval using e-documents and/or e-signatures
    • Change control
    • Documentation of suppliers, evaluation/audits rankings, and purchasing/quality data
    • Inventory identification, traceability, and status
    • Electronic SOPs (e-SOPs)
    • Monitoring/control of production processes electronically with e-reports
    • Environmental controls (heating, ventilation, and air conditioning [HVAC], vector/pest, et al.)
    • Post monitoring (PM) and/or calibration scheduling
    • Record of equipment inspections
    • Control of manufacturing materials (e.g., lubricating oils, cleaners)
    • Test equipment control, including the above
    • Validation records
    • Incoming, in-process, and finished goods inspections: data, acceptance status, quarantine
    • Non-conformance reports, controls, reviews, dispositions, and approvals
    • Corrective and preventative action (CAPA) system documentation, including complaint and MDR files, failure investigations, and root cause analysis
    • Labeling design, control/storage, and issuance/counts
    • Packaging documentation
    • Distribution records
    • All cGMP e-records (if primary records, as defined by usage)
    • Device master record (DMR)
    • Device history (batch/lot) record (DHR)
    • Any electronic/computer statistical analysis tools related to making cGMP decisions (e.g., product release, which may require additional software V&V)
    • As per above, all software systems, independent of cGMP records/signatures used in manufacturing or part of medical devices, require their own V&V per other guidance documents (820.30 design controls [product validation] and 820.70[i] automated processes)
    • ERP software used to control movement and storage of inventory, as per above
    • Any other cGMP/QA/QC approval action and/or status record.

    RISK-BASED BLACK BOX V&V

    Since most projects usually involve commercial off-the-shelf (COTS) software, the scripts/test cases are run black box and also involve hardware functionality.

    Table I: Subpart 11.10: Verify Records Input and Retention.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Can invalid or altered records be determined? | Invalid/altered records can be determined. | Yes/No; Attachment # | |
    | Is system capable of producing accurate/complete hard/paper copies of electronic records? | System produces accurate/complete hard copies of ER. | Yes/No; Attachment # | |
    | Are records readily retrievable throughout their retention period (user to define records/data bases involved and retention period: one year from shipment, minimum)? | ERs are readily retrievable throughout their retention period. | Yes/No; Attachment # | |
    | Is system access limited to authorized personnel (by password, SOP, and user-provided and physical security)? | System access is limited to authorized personnel (state method). | Yes/No | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________

    Table II: Verify Audit Trail.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Does system create/maintain a secure, time-stamped audit trail? | System creates/maintains a secure, time-stamped audit trail. | Yes/No; Attachment # | |
    | Does it record date/time, entries/actions for any activity that creates, modifies, or deletes electronic records (documents to be controlled by user, and 21 CFR Part 820 Quality System [QS] Regulation/medical device cGMPs)? | System records date/time, entries/actions for any ER creation, modification, or deletion of cGMP records. | Yes/No; Attachment # | |
    | Are changed or deleted records archived and retrievable (records to be defined by user)? | Changed or deleted records are archived and retrievable. | Yes/No; Attachment # | |
    | Is the audit trail retrievable throughout that record's retention period? | Audit trails are retrievable throughout the ER's retention period. | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    Of course, all software V&V is product risk-based. It is recommended that an International Organization for Standardization (ISO) 14971 product risk management file/report be developed prior to developing the V&V documentation (the same format can be used for non-device industries). The degree of risk tied to the user of the company's products can be used to determine the number of test case/script elements necessary to prove compliance. Tie test cases to specific risk document references by a traceability matrix or commonality of numbering between hazard/risk entry and test case/script to justify the degree of verification elements addressed in each test case. It is crucial to draw that line in the sand on the software with the support of the company IT department to prevent non-approved updates, patches, etc. to the relevant software that could impact the V&V downstream.
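    The freeze and the traceability matrix can be tied together mechanically. The following is an added example, not from the article or any vendor's tooling: it hashes the validated baseline, compares it with what is installed now, and uses the matrix to list which test cases need regression review, highest risk first. Component names, build strings, hazard IDs and test-case IDs are constructed for illustration.

```python
import hashlib

# Constructed sample data (assumptions): in practice the byte strings would be
# the contents of the installed files or the vendor's release artifacts.
VALIDATED_RELEASE = {
    "esign_module": b"esign build 4.2.0",
    "audit_trail_service": b"audit build 4.2.0",
    "inventory_release": b"inventory build 4.2.0",
}
INSTALLED_NOW = {
    "esign_module": b"esign build 4.2.1 vendor hotfix",  # pushed without notice
    "audit_trail_service": b"audit build 4.2.0",
    "inventory_release": b"inventory build 4.2.0",
    "cloud_sync_agent": b"sync build 1.0",               # new, never validated
}
# Traceability matrix: hazard/risk entry -> component -> test cases.
TRACE_MATRIX = [
    {"hazard": "HZ-03", "risk": "high", "component": "esign_module",
     "tests": ["OQ-VII-3", "OQ-IX-2"]},
    {"hazard": "HZ-01", "risk": "high", "component": "audit_trail_service",
     "tests": ["OQ-II-1"]},
    {"hazard": "HZ-07", "risk": "medium", "component": "inventory_release",
     "tests": ["OQ-III-2"]},
    {"hazard": "HZ-09", "risk": "low", "component": "esign_module",
     "tests": ["OQ-VII-2"]},
]
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def build_manifest(components):
    """Return {component name: SHA-256 hex digest} for one software state."""
    return {name: hashlib.sha256(blob).hexdigest()
            for name, blob in components.items()}


def diff_against_baseline(baseline, current):
    """Classify every difference between the frozen baseline and the current state."""
    return {
        "changed": sorted(n for n in baseline
                          if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def regression_plan(delta, trace_matrix):
    """Turn a baseline diff into the items IT/QA must review under change control."""
    touched = delta["changed"] + delta["added"] + delta["removed"]
    retest, unassessed = [], []
    for component in touched:
        rows = [r for r in trace_matrix if r["component"] == component]
        if not rows:
            # No hazard entry covers this component: it needs a documented
            # impact assessment before anyone can say which tests apply.
            unassessed.append(component)
        for row in rows:
            for test_case in row["tests"]:
                retest.append((RISK_ORDER[row["risk"]], test_case,
                               row["hazard"], component))
    retest.sort()  # highest-risk hazards first
    return {
        "hold_for_it_qa_review": bool(touched),
        "retest": [(tc, hz, comp) for _, tc, hz, comp in retest],
        "needs_impact_assessment": sorted(unassessed),
    }


def review_installed():
    """Compare the constructed installed state with the frozen baseline."""
    baseline = build_manifest(VALIDATED_RELEASE)  # taken once, at the freeze
    current = build_manifest(INSTALLED_NOW)
    return regression_plan(diff_against_baseline(baseline, current), TRACE_MATRIX)


if __name__ == "__main__":
    for key, value in review_installed().items():
        print(key, value)
```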

    Table III: System features/checks.

    Verify data installation is completed, correct, and readily retrievable.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Can it be reviewed/copied by FDA? | ERs can be reviewed/copied by FDA. | Yes/No; Attachment # | |
    | Does the system enforce sequence of steps/events if required (e.g., no release to inverse of non-approved components/specific steps)? | The system enforces the sequence of ERP events per referenced flow charts. | Yes/No; Attachment # | |
    | Are only authorized individuals allowed access to the system, permitted to sign records, access the operation/input/output device, alter records, and perform other operations (e.g., defined by password and level of authority/access)? | Only authorized individuals are allowed access, sign records, installation/operation access, records altering, and similar operations that affect ER accuracy/retention/retrievability. | Yes/No; Attachment # | |
    | Does the system check the validity of the data source if multiple sources for such data exist? | The system checks one source; therefore, there are no checks between sources. | Yes/No | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________

    Table IV: Training.

    Verify data installation completed per SOP.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Is training of all involved personnel conducted and documented (user issue/vendor assist)? | Training is conducted periodically and documented. | Yes/No; Attachment # | |
    | Do written policies address the accountability and responsibility of individuals' actions initiated under their electronic signature (user issue)? | Written policies/SOPs address ES accountabilities/responsibilities. | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    The following test case elements are extracted directly from 21 CFR Part 11.

    ELECTRONIC RECORDS AND ELECTRONIC SIGNATURES

    Subpart A--General Provisions: 11.1 - Scope. 11.2 - Implementation. 11.3 - Definitions.

    Subpart B--Electronic Records: 11.10 - Controls for closed systems. 11.30 - Controls for open systems. 11.50 - Signature manifestations. 11.70 - Signature/record linking.

    Subpart C--Electronic Signatures: 11.100 - General requirements. 11.200 - Electronic signature components and controls. 11.300 - Controls for identification codes/passwords.

    DEVELOPING THE TEST CASES/TEST SCRIPT

    Each element of the subparts of Part 11 is reframed into a question or statement for which an answer in the company's Part 11 software or offline systems will have to be found. Subparts 11.1, 11.2, and 11.3 provide background information and requirements of the CFR, and are considered for reference only.

    Beginning with subpart 11.10, the suggested approach described below can be implemented. In some instances, assumptions have been made regarding the element to verify. When using this example, the user will have to adjust actual test cases/scripts to match the systems/applications elements that apply to their application. Higher risk applications would require expansion of the number of test case/test script entries to resolve or verify function of each element.

    SOFTWARE VERIFICATION/VALIDATION PROTOCOL FORMAT EXAMPLES

    The following should be considered as very basic templates. Applicable test cases or test case elements should be expanded depending upon the applications being verified/validated. These present one possible method among many that could be acceptable in validating electronic records and electronic signatures to 21 CFR Part 11.

    Table V: Systems documentation control.

    Verify data installation completed per SOP.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Is systems operation/maintenance documentation controlled (user and password limits)? | Systems operation/maintenance documentation is controlled (reference method[s]). | Yes/No; Attachment # | |
    | Is system documentation under formal change control with a time-sequenced audit trail for changes (also see other audit trail questions/comments)? | System documentation is under formal change control with an audit trail. | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________

    Table VI: Subpart 11.30.

    Verify data installation is completed, correct, and readily retrievable.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Is open system data | Open system data is encrypted. | N/A | |
    | Are open system signatures digitized? | Open system signatures are digitized (or reference any alternate method[s]). | N/A | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    VERIFICATION SCRIPT: ELECTRONIC SIGNATURES

    Table VII: Subpart 11.50: Electronic Signatures Features.

    Verify data installation is completed, correct, and retrievable.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Do electronic signature manifestations include the printed name, date/time of signing, and meaning of signing (approval, review, responsibility, and feature is available generally by level of password-protected/defined level of access)? | ESs include stated requirements. | Yes/No; Attachment # | |
    | Is the signature supporting information mentioned above displayed and printed on hard copies of the electronic record? | ESs are displayed, printed, or obviously linked on hard copies printed of the ER. | Yes/No; Attachment # | |
    | Are signatures linked to the respective electronic record to prevent cut/copy/transfer/falsification (are signatures embedded in the actual record/document or stored in another file and flagged)? | ESs are either linked to, or embedded in, the respective ER. | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________
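    What the Table I, Table II and Table VII checks look for can be shown on a small model. The following is an added example, not code from the article or from any ERP product: a hash-chained audit trail plus a signature manifestation bound to its record, followed by the black-box checks a test script would run against them. Part 11 does not prescribe a mechanism; the HMAC binding, the server-held key and all record values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json


def digest(obj):
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of create/modify/delete actions (Table II)."""

    def __init__(self):
        self.entries = []

    def append(self, when, user, action, record_id, old, new):
        entry = {
            "when": when, "user": user, "action": action,
            "record_id": record_id,
            "old": old,  # archived prior content keeps changed records retrievable
            "new": new,
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = digest(entry)
        self.entries.append(entry)

    def first_bad_entry(self):
        """Index of the first entry whose hash or back-link fails, else None."""
        prev = "0" * 64
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or digest(body) != entry["hash"]:
                return index
            prev = entry["hash"]
        return None

    def history(self, record_id):
        return [e for e in self.entries if e["record_id"] == record_id]


def sign_record(key, record, printed_name, when, meaning):
    """Build the manifestation (name, date/time, meaning) and bind it to the record."""
    manifestation = {"printed_name": printed_name, "when": when, "meaning": meaning}
    bound = digest({"record": record, "sig": manifestation})
    link = hmac.new(key, bound.encode(), hashlib.sha256).hexdigest()
    return dict(manifestation, link=link)


def signature_valid(key, record, sig):
    """True only if this manifestation was issued for exactly this record content."""
    manifestation = {k: sig[k] for k in ("printed_name", "when", "meaning")}
    bound = digest({"record": record, "sig": manifestation})
    expected = hmac.new(key, bound.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["link"])


def run_checks():
    """Black-box style checks on constructed sample records."""
    key = b"constructed-demo-key"  # assumption: held by the system, not by users
    trail = AuditTrail()
    dhr = {"id": "DHR-0001", "lot": "A17", "status": "quarantine"}
    trail.append("2012-11-01T09:00:00Z", "jdoe", "create", dhr["id"], None, dict(dhr))
    released = dict(dhr, status="released")
    trail.append("2012-11-02T14:30:00Z", "asmith", "modify", dhr["id"],
                 dict(dhr), released)
    sig = sign_record(key, released, "A. Smith", "2012-11-02T14:31:00Z", "approval")
    other = {"id": "DHR-0002", "lot": "A18", "status": "released"}

    results = {
        "intact_trail_verifies": trail.first_bad_entry() is None,
        "prior_version_retrievable":
            trail.history("DHR-0001")[1]["old"]["status"] == "quarantine",
        "signature_verifies": signature_valid(key, released, sig),
        # Table I: a record altered after signing must be detectable.
        "altered_record_detected":
            not signature_valid(key, dict(released, lot="B99"), sig),
        # Table VII: a signature cut/copied onto another record must not verify.
        "copied_signature_rejected": not signature_valid(key, other, sig),
        "edited_meaning_rejected":
            not signature_valid(key, released, dict(sig, meaning="review")),
    }
    trail.entries[0]["user"] = "someone_else"  # simulate an edit to the log itself
    results["trail_tamper_located_at"] = trail.first_bad_entry()
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(name, outcome)
```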

    Table VIII: Subpart 11.100: Unique Electronic Signature.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Are electronic signatures unique to an individual (through specific login and password)? | Unique ESs exist. | Yes/No; Attachment # | |
    | ID verified before issue? | Verification performed by system to prevent duplicate IDs. | Yes/No; Attachment # | |
    | Are electronic signatures reused or reassigned to others (controlled user SOP number/user setup)? | ESs are not reused. | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    Table IX: Subpart 11.200: Secure Electronic Signature.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Is the signature made up of at least two components (e.g., code, card, password combinations, ID and password, and use physical ID components [e.g., cards])? | ES has minimum of two components (describe). | Yes/No; Attachment # | |
    | Must the password be executed at each signing and during a multiple signing (continuous) session? | Password must be entered for each signing in multiple signings. | Yes/No; Attachment # | |
    | Does the capability exist to be defined by user? | Capability is defined by user (describe). | Yes/No; Attachment # | |
    | Recommend reentry of password wherever a new physical signature would be required rather than a multiple/continuous-signing feature. | Password reentry is required for any new signature. | Yes/No; Attachment # | |
    | If not continuous, must both components of the signature be executed (to be user-defined)? | Describe number of components required for a signature to be entered (user ID/user password). | Yes/No | |
    | Are non-biometric signatures only used by their genuine owners (user SOP defined/a user security issue)? | Describe method used for control of non-biometric ES: issue of single user ID/user defined password. | Yes/No | |
    | Has it been shown that biometric signatures can only be used by their genuine owner (are biometric signatures [retina or fingerprint scans, etc.] utilized)? | Biometric signatures are not currently used in this ERP. | Yes/No | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________

    Table X: Planned security breach.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Would an attempt to falsify an electronic signature require the collaboration of at least two individuals (only in the sense that one of the two must have been careless in allowing another to steal and use his/her password)? | Purposeful falsification of an ES requires two or more willing individuals. | Yes/No | |
    | Is the software configured to require a minimum of two passwords to accomplish a defined action (e.g., document changes)? | A minimum of two ESs are required for the approval of a cGMP ER. | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    Table XI: Subpart 11.300: User ID/Passwords.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Are controls in place to assure the uniqueness of each code/password combination? | User IDs/passwords are controlled; system prevents user IDs from being re-issued/re-used. | Yes/No; Attachment # | |
    | Do procedures require the periodic checking of the validity of ID codes (user SOP issue: does software do this automatically)? | This is controlled in Windows OS; passwords expire per defined intervals. | Yes/No; Attachment # | |
    | Do passwords periodically expire and require revision (see above)? | Passwords are controlled by Windows OS with periodic expiration/revision. | Yes/No; Attachment # | |
    | Is there a procedure to recall ID codes/passwords when someone leaves/is transferred? | User IDs/passwords are recalled/retired when the owner leaves/is transferred per SOP XXX. | Yes/No; Attachment # | |
    | Is there a procedure to electronically disable any ID code/password that has been potentially compromised/lost? | User IDs/passwords can be disabled if they are suspected of having been compromised/lost per SOP XXX. | Yes/No | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________

    Table XII: Outside systems breach/hacking.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Is there a procedure to detect attempts at hacking and inform security (primarily by the audit trail feature after the fact)? | Hacking can be detected and is acted upon by reviewing IT or advanced security logs daily. | Yes/No; Attachment # | |
    | Is there a procedure for reporting repeated or serious attempts at unauthorized use to management (could be by means of audit trail review or user SOP)? | Attempts at unauthorized use (see above) are documented and reported to management (describe method). | Yes/No; Attachment # | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    AN IMPORTANT CAVEAT

    A company may believe and proclaim that it is not using electronic records and/or electronic signatures. It may base this on the fact that its SOPs define that controlled records are paper documents with manual signatures, and those hard copies are routed for approval and used for cGMP actions and retains/files. However, the real test is how records are actually being used to make cGMP decisions in the company. FDA consumer safety officers (CSOs)/auditors have been seen observing company personnel using their computer screen to pull up records and SOPs and then make cGMP decisions from that image. If this is the company's practice, even if they are controlling hard copies and state that in their SOPs, the auditor will rightly conclude that an e-record is being used and expect to see 21 CFR Part 11 validation performed.

    CONCLUSION

    The use of electronic records and electronic signatures is increasing, not just in regulated industries. These types of issues will be seen in all industries that require legally binding documentation. Most professionals already deal with encrypted transactions on the Internet and hope that companies have similar systems in place to ensure integrity versus the growing danger of identity theft. The type of information and verification/validation required in 21 CFR Part 11 will be replicated and expanded upon worldwide, not only in medical products, but in finance, legal, and all business entities desiring a viable global business model.

    Table XIII: Loss management.

    | Action Initiated | Expected Outcome | Meet Outcome | Verified By (Initial & Date) |
    | Is loss management defined/practiced for lost or stolen devices (only by user SOP)? | Loss management of any applications-accessible devices is practiced (describe). | Yes/No; Attachment # | |
    | Is there a procedure to electronically disable a device if it is lost/stolen/compromised (by password access/user alternative)? | Describe any method to disable a compromised device. | Yes/No; Attachment # | |
    | Are there controls for issuance of temporary and permanent replacements? | Describe any controls in the issuance of temporary or permanent replacement devices. | Yes/No; Attachment # | |
    | Is there initial and periodic testing of tokens/cards? | Describe or N/A | N/A | |
    | Does this check for unauthorized alterations? | Describe or N/A | N/A | |

    Comments: __________________________________________________________________________________

    QA Reviewed by: _____________________________________ Date: _________________________________


    GLOSSARY

    Black box: Review/verification of software algorithm/coding by observing the software's operation of the hardware, without access to the actual software code, as opposed to "white box" or "glass box" testing (see white box below)
    CDRH: Center for Devices and Radiological Health
    cGMPs: Current good manufacturing practices (for devices it is 21 CFR Part 820)
    CFR: Code of Federal Regulation
    COTS: Commercial off-the-shelf software
    CSO: Consumer safety officer (i.e., the FDA compliance auditor)
    ERP: Enterprise resource planning
    FDA: The United States Food and Drug Administration
    ISO: International Standards Organization
    IT: Information technology
    IQ: Installation qualification
    OS: Operating system
    OQ: Operation qualification
    PQ: Performance qualification (generally three or more as needed by inherent system inputs, et al., variability)
    QA: Quality assurance
    RA: Regulatory affairs
    R&D: Research and development
    SOP: Standard operating procedure
    SRS: Software requirements specification
    V&V/V[T]&V: Verification [Testing] and Validation
    White box: Code review for logic and adherence to conventions with no observable problems (same as "glass box" review).


  • Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.