Regulatory Open Forum

  • 1.  "Part 11" vs. "Software Validation"

    Posted 14-Apr-2018 12:47
    A common viewpoint is that the requirements of 21 CFR Part 11 (electronic records and signatures) are viewed as equivalent to the software validation requirements of 21 CFR 820.70(i) and ISO 13485:2016 clauses 4.1.6 and 7.5.6 (4th paragraph).

    What is your viewpoint and why?

    Kevin Randall, ASQ CQA, RAC (U.S., Canada, Europe)
    Principal Consultant
    ComplianceAcuity, Inc.
    Golden CO
    United States

  • 2.  RE: "Part 11" vs. "Software Validation"

    Posted 15-Apr-2018 16:10

    In my response, I don't include ISO 13485:2016, since I believe it is easier to stay inside the US system of Part 11 and QSR. Whether certain clauses in ISO 13485:2016 are equivalent to certain sections and subsections in QSR is important, but beyond the scope of this response.

    To ask whether two regulations are equivalent, one must first understand equivalence. While there is no formal definition, I understand that two equivalent regulatory requirements would generate the same procedural elements and quality records. Any difference would move the relationship from equivalent to similar. In a sort of Turing test, one could look at the procedures and required records. If an informed person could not reasonably determine the regulation implemented, then they are equivalent.

    820.70(i) is a requirement for software validation. Applying 820.3(z), software validation provides objective evidence that the software consistently fulfills the requirements of a specific intended use.

    Part 11 generally has two sets of requirements. One deals with electronic records and the other deals with electronic signatures. The electronic records requirement has two subsets related to closed systems and open systems.

    Consequently, there are three potential equivalences to explore. I don't believe that 820.70(i) is equivalent to any of the Part 11 requirements.

    820.70(i) does not require the use of a secure, computer-generated, time-stamped audit trail. 11.10(e) does, so this blocks equivalence in both closed and open systems.

    820.70(i) does not require measures such as document encryption and use of appropriate digital signature standards. 11.30 does, so this blocks equivalence in open systems.

    820.70(i) does not require the printed name of the signer, the date and time of the signature, and the meaning associated with the signature. 11.50(a) does, so this blocks equivalence in electronic signatures.

    Many years ago (as I recall), at least one of the FDA centers said that for pharma inspection the Investigator should always review compliance with Part 11. For a device inspection the Investigator should review compliance with 820.70(i) and not look explicitly at Part 11. As I recall this was a "secondary" requirement. (I don't know if this is the correct term.) The idea is that the device Investigator would not look for Part 11 but would document obvious problems. As a result, device Warning Letters do not cite Part 11. (I don't track pharma Warning Letters.) However, device Warning Letters may cite Part 11 requirements under 820.70(i). A September 21, 2015 Warning Letter to Genesis Biosystems, Inc. says, "For example, your firm uses the software (b)(4), developed by (b)(4), to document, maintain, and track customer complaints electronically. However, as stated by your firm's Director of Quality Assurance (QA) & Regulatory Affairs (RA) during the inspection, the software does not generate time-stamped audit trails to independently record the date and time of operator entries and actions that create, edit, or modify electronic records."

    Dan O'Leary
    Swanzey NH
    United States