Inspections, Compliance, Enforcement, and Criminal Investigations
The intent of this attachment is to collect, in one place, references to computer systems found throughout Part III. Computer systems and operations should be thoroughly covered during inspection of any facility. No additional reporting is required under this Attachment.
In August 1997, the Agencys regulation on electronic signatures and electronic recordkeeping became effective. The Regulation, at 21 CFR Part 11, describes the technical and procedural requirements that must be met if a firm chooses to maintain records electronically and/or use electronic signatures. Part 11 works in conjunction with other FDA regulations and laws that require recordkeeping. Those regulations and laws ("predicate rules) establish requirements for record content, signing, and retention.
Certain older electronic systems may not have been in full compliance with Part 11 by August 1997 and modification to these so called "legacy systems" may take more time. Part 11 does not grandfather legacy systems and FDA expects that firms using legacy systems are taking steps to achieve full compliance with Part 11.
If a firm is keeping electronic records or using electronic signatures, determine if they are in compliance with 21 CFR Part 11. Determine the depth of part 11 coverage on a case by case basis, in light of initial findings and program resources. At a minimum ensure that: (1) the firm has prepared a corrective action plan for achieving full compliance with part 11 requirements, and is making progress toward completing that plan in a timely manner; (2) accurate and complete electronic and human readable copies of electronic records, suitable for review, are made available; and (3) employees are held accountable and responsible for actions taken under their electronic signatures. If initial findings indicate the firms electronic records and/or electronic signatures may not be trustworthy and reliable, or when electronic recordkeeping systems inhibit meaningful FDA inspection, a more detailed evaluation may be warranted. Districts should consult with center compliance officers and the Office of Enforcement (HFC-240) in assessing the need for, and potential depth of, more detailed part 11 coverage. When substantial and significant part 11 deviations exist, FDA will not accept use of electronic records and electronic signatures to meet the requirements of the applicable predicate rule. See Compliance Policy Guide (CGP), Sec. 160.850.
See IOM sections 594.1 and 527.3 for procedures for collecting and identifying electronic data.
Personnel - Part III, C.1.c. (21 CFR 58.29)
Determine the following:
- Who was involved in the design, development, and validation of the computer system?
- Who is responsible for the operation of the computer system, including inputs, processing, and output of data?
- If computer system personnel have training commensurate with their responsibilities, including professional training and training in GLPs.
- Whether some computer system personnel are contractors who are present on-site full-time, or nearly full-time. The investigation should include these contractors as though they were employees of the firm. Specific inquiry may be needed to identify these contractors, as they may not appear on organization charts.
QAU Operations - Part III, C.2 (21 CFR 58.35(b-d))
- Verify SOPs exist and are being followed for QAU inspections of computer operations.
Facilities - Part III, C.3 (21 CFR 58.41 - 51)
- Determine that computerized operations and archived computer data are housed under appropriate environmental conditions.
Equipment - Part III, C.4 (21 CFR 58.61 - 63)
For computer systems, check that the following procedures exist and are documented:
- Validation study, including validation plan and documentation of the plan's completion.
- Maintenance of equipment, including storage capacity and back-up procedures.
- Control measures over changes made to the computer system, which include the evaluation of the change, necessary test design, test data, and final acceptance of the change.
- Evaluation of test data to assure that data is accurately transmitted and handled properly when analytical equipment is directly interfaced to the computer. and
- Procedures for emergency back-up of the computer system, (e.g., back-up battery system and data forms for recording data in case of a computer failure or power outage).
Testing Facility Operations - Part III, C.5 (21 CFR 58.81)
- Verify that a historical file of outdated or modified computer programs is maintained.
Records and Reports (21 CFR 58.185 - 195) (PART III C.10.b.)
- Verify that the final report contains the required elements in 58.185(a)(1-14), including a description of any computer program changes.
Storage and Retrieval of Records and Data - Part III, C.10.c. (21 CFR 58.190)
- Assess archive facilities for degree of controlled access and adequacy of environmental controls with respect to computer media storage conditions.
- Determine how and where computer data and backup copies are stored, that records are indexed in a way to allow access to data stored on electronic media, and that environmental conditions minimize deterioration.
- Determine how and where original computer data and backup copies are stored.