Q&A – Regulatory Fine Points: Exploring 21 CFR Part 11 Validation
In a recent webinar, James Riddle, Shannon Roznoski, and Stuart Cotter of Advarra presented Regulatory Fine Points: Exploring 21 CFR Part 11 Validation. The trio reviewed how the partnerships between software vendors, research institutions, and other stakeholders work to support regulatory guidelines. They discussed in detail which parts each party is responsible for when building, implementing, and maintaining clinical trials software in a government-regulated process. Due to time constraints, they weren’t able to answer all audience questions during the Q&A period, so James, Shannon, and Stuart have responded to additional questions in this blog.
Q: What is the difference between electronic signatures and digital signatures and what are the Part 11 implications for each?
A: 21 CFR Part 11 part C covers this in some detail. A digital signature is typically used as a type of electronic signature, with digital implying some additional verification of the identity using a public key infrastructure. Digital implies a control on the electronic signature. However, you can also implement other controls around electronic signatures including biometrics. The implications for Part 11 are the same. If you are using an electronic signature instead of a physical wet ink signature for an FDA predicate rule requirement, Part 11 would apply.
Q: How can I tell if a system is compliant for electronically storing documents (whether DocuSign, network folders, or other systems)?
A: The best path is to first ask the vendor for their attestation showing the software was developed for Part 11 compliance. You can then contact your technology compliance team to verify the system is included in the organization’s overall computer software validation program.
Q: During the webinar, you discussed SOPs for the validation process. Are these SOPs created by the vendor or created by the site/sponsor who is implementing the software?
A: Both the vendor and consumer have responsibilities related to 21 CFR Part 11 compliance and validation, and the extent to which responsibilities lie with the vendor or consumer will depend on the type of software and how it is hosted. The sponsor or regulated entity is ultimately responsible for assessing the quality of the data used in support of clinical investigations.
At a minimum, an organization should have procedures in place that define a risk-based framework for evaluating the software it uses and determining whether 21 CFR Part 11 applies (and to what extent). These procedures should also define how vendors are assessed, how validation and change control are conducted, and how documentation is maintained. Training and user access are also generally managed by the organization and would need to be covered by policies or procedures. In this case, it is often possible to leverage procedures you already have in place.
For products that are offered in the Software as a Service (SaaS) model, where the vendor hosts and manages the product, the vendor takes on more responsibilities for compliance and should have procedures in place related to physical and logical security, backups, disaster recovery, installation qualification, and some level of validation testing. It is still the responsibility of the consumer to audit the vendor to ensure they meet your requirements in these areas.
For products that are installed and maintained by your IT team on hardware managed by your organization, the responsibility for these activities would lie with your organization and would require the appropriate procedures to manage them.
Q: If 21 CFR Part 11 Compliance refers to systems used to store data/documents, what is the meaning of a Part 11-compliant signature?
A: 21 CFR Part 11 covers both electronic records and electronic signatures. Electronic records may be documents but may also be records in a database, such as subject eCRFs or lab data. Electronic signatures are applied electronically to an electronic record and must meet specific criteria outlined in the regulation in order to be considered Part 11-compliant.
Electronic signatures must be unique to the individual (usually a unique username and password combination), the identity of the individual must be verified by the organization, and the organization must certify to the FDA that they are adopting electronic signatures and that they are legally equivalent to handwritten signatures.
Within the system, the signature manifestations must be associated with the record being signed. The signature manifestations include:
• The printed name of the signer
• The date and time that the signature was applied
• The meaning of the signature
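The association between a signature's manifestations and the signed record, as an added example (not Advarra's code or any vendor's implementation): the Python below stores the three manifestations together with a SHA-256 digest of the record and reports when either the record or the manifestations change after signing. The field names, the sample record, and the system-held HMAC key are assumptions made for illustration; the HMAC seal is a stand-in integrity control, not a PKI-based digital signature.

```python
import hashlib
import hmac
import json

# Assumption: a key held only by the records system (constructed value).
SYSTEM_KEY = b"constructed-demo-key"
REQUIRED = ("printed_name", "signed_at", "meaning")
# Constructed sample record, not taken from any real study.
RECORD = b"Protocol ABC-001 delegation log, version 3"

def record_digest(record_bytes):
    return hashlib.sha256(record_bytes).hexdigest()

def _seal(manifest):
    # HMAC over canonical JSON so any edit to the manifestations is detectable.
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SYSTEM_KEY, payload, hashlib.sha256).hexdigest()

def sign_record(record_bytes, printed_name, meaning, signed_at):
    manifest = {
        "printed_name": printed_name,   # printed name of the signer
        "signed_at": signed_at,         # date and time the signature was applied
        "meaning": meaning,             # e.g. review, approval, authorship
        "record_sha256": record_digest(record_bytes),  # ties signature to record
    }
    if not all(manifest[f].strip() for f in REQUIRED):
        raise ValueError("all three signature manifestations are required")
    return {"manifest": manifest, "seal": _seal(manifest)}

def verify_signature(record_bytes, signature):
    """Return a list of problems; an empty list means the link is intact."""
    manifest = signature.get("manifest", {})
    problems = [f"missing {f}" for f in REQUIRED
                if not str(manifest.get(f, "")).strip()]
    if not hmac.compare_digest(signature.get("seal", ""), _seal(manifest)):
        problems.append("manifestation altered after signing")
    if manifest.get("record_sha256") != record_digest(record_bytes):
        problems.append("signature does not belong to this record")
    return problems

if __name__ == "__main__":
    sig = sign_record(RECORD, "Jane Doe", "Approval", "2024-01-15T14:30:00+00:00")
    print(verify_signature(RECORD, sig))                # intact
    print(verify_signature(RECORD + b" (edited)", sig)) # record changed
```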
Q: Currently, some software is sold as 21 CFR Part 11-compliant, but offered alongside a version that is not FDA-compliant. These “non-compliant” systems may still have the ability to generate a report or certificate of completion with regard to validity of the signatures. If we can generate that audit trail, does it comply with Part 11?
A: Many organizations put themselves at risk by storing FDA-regulated documents (such as research regulatory binders) in electronic format on an unvalidated shared file system or electronic records storage. Organizations can validate their shared file storage systems, but most don’t. It is better to rely on a known vendor who specializes in regulatory document management. Even when using a vendor, the organization responsible for the records must include the commercial software as part of their overall computer software validation program.