There is often some confusion in companies about 21 CFR Part 11 and related compliance. Many companies think they meet the requirements, but in reality they do not. If you think it’s all about validation, audit trails, records and retention, and that your business is safe because it has paper master files, you may want to reconsider. The question is more complex.
Let’s clarify and give some advice, especially to companies that deal with medical devices.
What is 21 CFR Part 11?
21 CFR Part 11 is a regulation that defines the criteria required by the FDA for electronic data to be truthful, robust and equivalent to the corresponding paper data.
The first part of 21 CFR Part 11 deals with electronic records and data retention, while the second part concerns electronic signatures.
One thing to remember is that 21 CFR Part 11 dates back to 1997, so it is obvious that in the last 20 years our knowledge of electronic systems and their potential has changed a lot.
Who Should Apply 21 CFR Part 11?
Any company where electronic data is used must apply the regulation.
Electronic data: “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” (11.3)
Purpose of 21 CFR Part 11
know how to use computer systems and software and when they are not working properly
keep your data securely to prevent it from being modified or lost
track changes to the data
identify data falsification and prevent it
Controls for closed systems
Those who use closed systems to create, modify, store or transmit electronic data must have procedures and controls to ensure the authenticity, integrity, and confidentiality of the data through:
system validation
ability to generate certified and controlled copies of data
data protection
limited and controlled access to the system
use of audit trail
operating system checks
access controls
adherence to the SOPs
checks on documentation
Password and access management
Passwords are one of the most secure components of a system. With passwords it is possible to know the role, permissions and limitations of each user.
It is good practice to apply password management best practices, but the regulation itself is vague on this point. Here are some general indications to improve security and choose a good password:
minimum 8 characters
do not use common words
use alphanumeric characters
change the password every 90 days
do not reuse the last 6 passwords
do not show the text as you type the password
do not allow the browser to save the password
the password must be personal and non-transferable
do not write the password on paper or post-its
Access to electronic data must be controlled by unique IDs and with personalized logins that provide access via username and password.
After a period of inactivity (about 10 minutes), the user should be logged out of the system. Further login attempts should be suspended after 3 unsuccessful entries of the credentials.
If an account has been inactive for a long period of time, it must be locked out. This period is usually set at 30 days.
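The thresholds in this section can be enforced in code rather than left to procedure. The following is an added example, not taken from the regulation or from any vendor's product: the Account class and its method names are hypothetical, "alphanumeric" is read as at least one letter and one digit, and the common-word check is left out.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Thresholds from the recommendations above
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILED = 8, 6, 3
MAX_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=10)
DORMANT_AFTER = timedelta(days=30)

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:                                     # hypothetical class, for illustration
    user_id: str                                   # unique, never shared
    history: list = field(default_factory=list)    # (salt, digest), newest last
    password_set: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    failed: int = 0

    def set_password(self, password: str, now: datetime) -> None:
        if len(password) < MIN_LENGTH:
            raise ValueError("fewer than 8 characters")
        # Assumption: "alphanumeric" means at least one letter and one digit.
        if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
            raise ValueError("must contain letters and digits")
        if any(hmac.compare_digest(d, _digest(password, s)) for s, d in self.history):
            raise ValueError("matches one of the last 6 passwords")
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
        self.password_set = self.last_activity = now
        self.failed = 0

    def login(self, password: str, now: datetime) -> str:
        # Assumes set_password() has been called once for this account.
        if self.failed >= MAX_FAILED:
            return "suspended"             # reset procedure not shown
        if now - self.last_activity > DORMANT_AFTER:
            return "locked-dormant"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(digest, _digest(password, salt)):
            self.failed += 1
            return "suspended" if self.failed >= MAX_FAILED else "denied"
        self.failed, self.last_activity = 0, now
        return "password-expired" if now - self.password_set > MAX_AGE else "ok"

    def session_active(self, now: datetime) -> bool:
        return now - self.last_activity <= IDLE_TIMEOUT
```

Passwords are kept only as salted PBKDF2 digests, so the reuse check against the last 6 never needs the plaintext. A "password-expired" result means the credentials were correct but the caller must force a change before granting access.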
Audit trail and electronic signature
The purpose of the audit trail is to know what each user did and when they did it. The audit trail tracks when data is created, changed, deleted and when all these changes have occurred.
All the events that occur concerning a datum must be recorded with the name of the person who made the modification, the date and the time.
The purpose of 21 CFR Part 11 also includes detecting fraud, and knowing when each change occurs helps with this task. The audit trail is the complete history of electronic data management.
21 CFR Part 11 also covers electronic signatures for the review and approval of information. The electronic signature must be associated with a unique and personal username and password and must be completed with date and time. It is essential that once data has been signed for approval, it can no longer be modified.
Remember that:
Compliance with 21 CFR Part 11 is always the responsibility of the company. No software and/or validation company can take responsibility for you.
Consulting firms will be able to test and validate your platform, support you in filling out the necessary documentation and help you achieve compliance but the ultimate responsibility remains with the company.
Restrict access to the system
A compliant vision system must have a secure authentication mechanism to prevent unauthorized access. The best solution is to link to the manufacturer’s Active Directory account to verify users and issue appropriate certificates. Any user or login changes must be recorded and appear in the audit log.
Use audit logs
In a compliant vision system, a change to a setting (for example, a parameter on an image-based scanner) creates a timestamped record that cannot be edited or deleted and can be reviewed by an auditor at a later time.
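One way to make the audit records described here, and in the audit trail and electronic signature section above, tamper-evident is to chain each entry to the hash of the previous one and to freeze a record once it has been signed. This is an added example, not code from any vendor's product: the AuditTrail class, its field names and the hash-chain technique are assumptions, and the signing user is assumed to be already authenticated.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry

class AuditTrail:  # hypothetical class, for illustration
    """Append-only trail: every entry commits to the hash of the one before."""

    def __init__(self):
        self.entries, self.records, self.signed = [], {}, set()

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, user, action, record_id, old, new, when):
        when = when or datetime.now(timezone.utc)
        entry = {"seq": len(self.entries), "user": user, "action": action,
                 "record": record_id, "old": old, "new": new,
                 "time": when.isoformat(),
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def write(self, user, record_id, value, when=None):
        old = self.records.get(record_id)
        if record_id in self.signed:  # approved data is frozen
            self._append(user, "rejected-change", record_id, old, value, when)
            raise PermissionError(f"{record_id} is signed and cannot be modified")
        self.records[record_id] = value
        action = "create" if old is None else "modify"
        return self._append(user, action, record_id, old, value, when)

    def sign(self, user, record_id, when=None):
        value = self.records[record_id]  # KeyError: nothing to approve
        self.signed.add(record_id)
        return self._append(user, "sign", record_id, value, value, when)

    def verify(self):
        """Return the seq of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"], entry["prev"]) != (i, prev) or entry["hash"] != self._hash(entry):
                return i
            prev = entry["hash"]
        return None
```

The chain exposes an edited or removed entry, but not entries cut from the end of the log. To catch that, the latest hash has to be copied periodically to a place the system's own administrators cannot write to.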
Validation
Users of a compliant vision system must demonstrate proper software installation via Installation Qualification (IQ), proper software operation via Operational Qualification (OQ), and proper system operation in the context of production through Performance Qualification (PQ).
Cognex supports compliance with 21 CFR Part 11
While end users are responsible for final validation to ensure full compliance, Cognex, together with its global network of integration partners, provides all the documentation needed to support the IQ and OQ, as well as the software functions needed to complete the PQ. All Cognex vision systems provide the security and access controls needed to ensure compliance during operations.
The challenges of complying with 21 CFR Part 11
Compliance typically involves creating work instructions to meet each specific 21 CFR Part 11 regulation, developing validation protocols to ensure proper configuration, operation and performance of equipment and software, creating standard operating procedures (SOP) and extensive training for personnel using the equipment and programs.
Any tool that facilitates this process is helpful.
Many manufacturers in FDA-regulated industries use our OLYMPUS CIX100 technical cleanliness inspector. Built with an intuitive interface, efficient data acquisition and quick reporting options, the CIX100 system can help you quickly and easily assess the cleanliness of manufactured components to determine if they meet company and international standards.