Regulatory Fine Points: What Research Sites Need to Do for Part 11 Compliance

At Advarra, we strive to provide sponsors, contract research organizations (CROs), and sites with the knowledge they need to perform adequate quality management as they work to advance safer, smarter, and faster research. Similarly, the Society of Quality Assurance (SQA)’s mission statement indicates the organization aims to “Promote and advance the ethics, principles, and knowledge of quality assurance essential to human, animal, and environmental health.”

Last month, at SQA’s annual meeting, Advarra’s VP of Research Services and Strategic Consulting, James Riddle presented Regulatory Fine Points: What Research Sites Need to Do for Part 11 Compliance. In his presentation, Riddle outlined how sponsors should consider 21 CFR Part 11 (Part 11) compliance at research sites and how that fits in with the overall quality management system they may administer, build, audit, or evaluate.

As the research industry is continually evolving and adapting, many institutions, health systems, and private research sites are adopting more electronic technologies to streamline operations. While oftentimes, sponsors or CROs provide sites with validated technology, many adopt these technologies themselves. For quality management professionals and site regulatory personnel in the position to evaluate a system’s effectiveness, quality, and compliance, they need to understand how Part 11 compliance fits into the quality management framework.

Understanding Compliance

According to the Food & Drug Administration (FDA), “Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations.” Essentially, if a research site owns, controls, or operates its own systems with electronic FDA-regulated records, Part 11 applies. This is applicable for electronic records such as:

  • Signed consent forms
  • Source documentation
  • Institutional review board (IRB) records
  • Drug accountability logs
  • Delegation of authority logs
  • Other records required to be kept by the site per FDA regulation

As Sponsors/CROs evaluate sites, it’s important to inquire if there are computer systems in use at the site which store FDA-regulated records in an electronic format, as these will need to be evaluated to determine if the system housing those records has been validated per FDA guidelines. Validation is about objective evidence, consistency, and documentation of the processes put in place. Quality managers or individuals with an understanding of the Part 11 requirements need to make sure the site has appropriately validated any computer systems they’re controlling relative to Part 11 if they store FDA-regulated records within the system. For example, an eRegulatory binder system would apply to this situation because FDA-regulated records are stored electronically. A site’s accounting system, on the other hand, has financial data and would not be subject to Part 11.

To ensure compliance and validation, a site needs to have processes in place to provide objective evidence that they are using and providing good documentation of their records and that they have controls in place that do not allow unauthorized changes to the documentation.  Sites must be able to produce evidence that their electronic records can be trusted in the same way as paper records.

Sponsors have utilized validated computer systems for decades and typically have well-established programs based on GAMP 5 with core documentation including installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) documents and system development life cycle methods. Individual research sites may be less familiar with validation concepts and need some support from the quality management program or the software vendors to establish the necessary validation documentation.

What is risk-based validation?

According to Pharma Manufacturing, risk-based validation is “a validation philosophy in which qualification and validation processes are streamlined by an honest assessment of risks to product quality posed by an equipment feature, process step, or process capability.”

When coming up with their assessment of risk for systems, sites must be able to justify their definition of risk. Advarra advises most research sites to evaluate their computer systems in the context of risk to human health. For instance, the software used by a device manufacturer to run an implantable pacemaker is high risk. If the software does not work as designed the impact on human health can be immediate and severe.  On the other hand, a site’s regulatory document management system storing electronic records such as consent forms, delegation logs, etc. has a low risk to human health if the system fails. Very similar to the concepts behind Risk-Based Monitoring; computer systems determined to be lower risk can have a less stringent level of validation testing as long as the level of testing is commensurate with the risk as outlined in the site’s risk-based validation SOPs.

Considerations for sites

If a site is collecting, maintaining, or storing essential records in electronic format, it is imperative to maintain Part 11 and validation statuses. Taking an inventory to see where these records are can help the site understand what systems may need to be validated. If sites are using electronic signatures on any of their essential records, Part 11 signature requirements also apply. Sites also need to remember to submit a certificate of intent to use electronic signatures to the FDA.

Additionally, if sites are using commercial, off-the-shelf software, they need to have procedures in place to ensure they are relying on software vendors who are able to attest their computer system complies with Part 11 and is built with computer validation processes in place. This is even easier with software as a service-based (SaaS) vendors, where there are no on-premises servers or other equipment for the site to install and validate in a hardware environment. For private research sites, it’s recommended to rely on a software vendor only if they have attestation about Part 11 – and most vendors will provide attestation.

Before site-level systems subject to Part 11 are set in place, sites need to implement a basic set of standard operating procedures (SOPs). These documentations need to outline policies or procedures on how sites are complying with validation and may include:

  • Policy on Part 11 Compliance and computer system validation
  • Conducting system inventories
  • Validation planning, testing, and summary documentation for covered systems
  • Conducting vendor assessments
  • Training and quality assurance
  • Business continuity plan

Sites can keep the records locally for systems they are maintaining and controlling, as well as the attestation from their vendor. Having this documentation ready for an FDA inspector, and more importantly, a quality manager will help keep research operations smooth and efficient.

Back to Resources