April 29th, 2021
21 CFR Part 11 Checklists. We've come a long way....or have we? The year is 1997. Bill Clinton is in his second term, Windows 95 is revolutionary, a laptop only weighs 6-8 pounds and 21 CFR Part 11, the US Food and Drug Administration's (FDA) regulation on electronic records and electronic signatures went into effect (enforcement to begin in 2001). Two decades ago, most software used in the life-sciences industry was not compliant and many to most quality processes were managed via paper records. I remember paper-based SOP management, part drawings, batch records and CAPA forms. In an effort to make sure a computer application complied with 21 CFR Part 11 requirements, most organizations mapped the regulation, line-by-line, to a checklist, executed to identify any gaps and create remediation plans.
It's 2020; software vendors across regulated industries don't just understand compliance of e-records and e-signatures, it's become standard and routine. Neither novel nor new, it's simply an expectation in the aeronautical, financial, medical, life-sciences and numerous other business sectors that software vendors are capable of meeting basic ERES requirements. So, why are we still executing those 21 CFR Part 11 checklists? I've reached out to a number of my contacts to better understand this curios artifact from the 90's. Follow me down the rabbit hole and let allow me to propose another option.
The Part 11 Checklist, typically executed before or after testing, determines what ERES requirements are applicable and/or whether the computer system under evaluation/testing satisfies them. That's all good until you realize that we don't do predicate rule checklists. If I'm validating a compliant management system, I don't map applicable portions of 21 CFR Part 210 / 211 or 21 CFR Part 820, do I? Why? It's fully understood that we're defining requirements for that system (user and/or functional) that consider business needs and regulatory expectations. We "bake" regulatory compliance into those requirements. Well, why don't we do the same thing for ERES?
Rather than creating a separate 21 CFR Part 11 Checklist, build all of the ERES requirements into your Requirements Specification template. Include appropriate subsections: Open Systems, Closed Systems Audit Trails; Nonbiometric Signatures, Biometric Signatures and Procedural. Populate the template will every possible ERES requirement. You'll still need to perform an ERES Applicability Assessment, but the output of that simply determines if that system must adhere to 21 CFR Part 11, and what if yes, which subsections (groups of requirements) are applicable. Those applicable sections then map to the subsections I just defined in your Requirements Specification template. The Validation Lead keeps the ones that are applicable and deletes the ones that are now.
It's a simple concept and it eliminates a curious 20 year old artefact. The important pitfalls to consider are:
What do you think? Are you ready to eliminate one more validation document on your journey to efficient, streamlined, value-added computer validation practices. If you'd like to discuss this topic further, call us for an appointment! As always, we're here to help.
Copyright © 2021 Compliance Group All rights reserved.