Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

The software we will be using for electronic signatures is 21 CFR Part 11 compliant.  Do we need to be 21 CFR Part 11 compliant if we are only using that software?  Or is it enough that they are?

You must be able to show that your system and how it is configured and installed on your computers allows for the system to be managed in accordance with 21 CFR 11.  So, for example, if you are installing a system onto several stand-alone computers, are they able to comply with the requirements?  Or do several people in the organization (or the lab, or the team) use the same (or worse - the administrator!) credentials?  Or are there credentials required at all to get into the system, the computer, etc.

Then you need to consider the audit trail capability.  Without this or if someone is able to over-ride or over-write the audit trail, you have a major issue with attribution and authentication.  Both major issues in the reviewer/auditor/inspector world.

What about ensuring that every person has their own credentials, auditable reporting, and even specific job training on your system?  How do you ensure that only the individual is able to actually access the information under their credentials?  How can you ensure that the only person whose e-signature on the file is the one who actually did the work/training/etc.?  

Way too much here to go into the depth that this discussion probably needs to take on for your company.  I strongly suggest that you work with someone versed in the proper showings that the system is validated from your use perspective.  It is great that the company you are purchasing from claims the system is "Part 11 compliant" but you are still responsible for not only ensuring the accuracy and veracity of the statement from the company but also ensuring that you put in place the necessary controls to allow the software to function as advertised/expected during your use of the system.  In my opinion, you will pay much higher prices for simply "accepting" the developer's assurances that the software meets Part 11 requirements than you will if you put in place your own proof of the Part 11 compliance in your particular situation and setting.  Remember, when a developer claims Part 11 compliance, they can't be aware of every use or situation in every company so they are often simply claiming that the product has the backbone to be Part 11 compliant.  You have to fill in the rest.

------------------------------
Victor Mencarelli MS
Global Director Regulatory Affairs
New YorkNY
United States
------------------------------

Original Message:
Sent: 31-Oct-2022 11:34
From: Anonymous Member
Subject: Electronic signatures and FDA 21 CFR Part 11

This message was posted by a user wishing to remain anonymous

The software we will be using for electronic signatures is 21 CFR Part 11 compliant.  Do we need to be 21 CFR Part 11 compliant if we are only using that software?  Or is it enough that they are?

This message was posted by a user wishing to remain anonymous

Thank you Victor for your thorough response.
Original Message:
Sent: 31-Oct-2022 12:10
From: Victor Mencarelli
Subject: Electronic signatures and FDA 21 CFR Part 11

You must be able to show that your system and how it is configured and installed on your computers allows for the system to be managed in accordance with 21 CFR 11.  So, for example, if you are installing a system onto several stand-alone computers, are they able to comply with the requirements?  Or do several people in the organization (or the lab, or the team) use the same (or worse - the administrator!) credentials?  Or are there credentials required at all to get into the system, the computer, etc.

Then you need to consider the audit trail capability.  Without this or if someone is able to over-ride or over-write the audit trail, you have a major issue with attribution and authentication.  Both major issues in the reviewer/auditor/inspector world.

What about ensuring that every person has their own credentials, auditable reporting, and even specific job training on your system?  How do you ensure that only the individual is able to actually access the information under their credentials?  How can you ensure that the only person whose e-signature on the file is the one who actually did the work/training/etc.?

Way too much here to go into the depth that this discussion probably needs to take on for your company.  I strongly suggest that you work with someone versed in the proper showings that the system is validated from your use perspective.  It is great that the company you are purchasing from claims the system is "Part 11 compliant" but you are still responsible for not only ensuring the accuracy and veracity of the statement from the company but also ensuring that you put in place the necessary controls to allow the software to function as advertised/expected during your use of the system.  In my opinion, you will pay much higher prices for simply "accepting" the developer's assurances that the software meets Part 11 requirements than you will if you put in place your own proof of the Part 11 compliance in your particular situation and setting.  Remember, when a developer claims Part 11 compliance, they can't be aware of every use or situation in every company so they are often simply claiming that the product has the backbone to be Part 11 compliant.  You have to fill in the rest.

------------------------------
Victor Mencarelli MS
Global Director Regulatory Affairs
New YorkNY
United States

Original Message:
Sent: 31-Oct-2022 11:34
From: Anonymous Member
Subject: Electronic signatures and FDA 21 CFR Part 11

This message was posted by a user wishing to remain anonymous

The software we will be using for electronic signatures is 21 CFR Part 11 compliant.  Do we need to be 21 CFR Part 11 compliant if we are only using that software?  Or is it enough that they are?