Part 11 Compliance Requires Strong, Targeted SOPs

Compliance with 21 CFR Part 11 demands that an FDA-regulated life-sciences company use a set of three key system-specific standard operating procedures (SOPs) to support validation efforts, says a new white paper from industry vendor MasterControl.

Under Part 11, companies that choose to maintain erecords to meet predicate rules are required to validate their erecord-keeping systems.

Example: Under 21 CFR Part 820, medical device manufacturers must maintain records pertaining to design history, complaints and complaint investigations, among other issues.

FDA inspectors want to see documentation for any Part 11 compliance program. To provide that, MasterControl recommends a set of the three following system-specific SOPs:

System Administration and Configuration: Define system configuration, such as security administration and other settings, include procedures for functionality such as creation and administration, define audit trail functionality, define change control to design system configuration, such as changes to configuration upgrade, validation and system revalidation, and define system ownership and system issues resolution, such as maintenance, upgrades, backups and disaster recovery; User Administration and Management: Describe the creation of new user accounts and user account types, assign and approve user or workgroup security rights, include old or inactive accounts and password changing procedures, and define the procedure for esignature manifestation; and Document Control: Include a system or vendor product usage statement, include revision numbering, approvals and document numbering, define controlled document distribution, describe the records retention process and define the document lifecycle.

An effective document control system should track active accounts of each user in the system, MasterControl says. The system administrator should be able to monitor user licenses and connections through the system module and track usage rights and access to documents. The information, though, should he accessible only to the system administrator.

Part 11 emphasizes security practices to limit access to authorized users and to hold them accountable for written policies and key records. MasterControl advocates a program that meets or exceeds the FDA's security requirements.

Access security requirements include:

Dual passwords for document approval; Password expiration, encryption and certification; Account lockout that allows the system administrator to lock an account both for login and approval anytime either is compromised; Remote access security; and Automatic logout of idle workstations.

The system administrator should have the means and authority to force users off the system as needed.

The FDA's record retention requirements depend on a predicate rule, MasterControl noted. "The agency encourages companies to base any decision to maintain records on a justified and documented risk assessment and a determination of the value of the records over time," the white paper said. Companies should make certain that all actions made regarding any document are captured in the audit trail and that any deleted InfoCard can be restored. -- Michael Causey