Title 21 CFR Part 11: FDA Guidance

January 23, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
FDA Guidance Documentation:

There was a good point brought up in a comment from a reader of this blog around the fact that the FDA had withdrawn guidance documents around Part 11 therefore they do not enforce it.  There is new guidance so it can be deceiving.

You can see the withdrawn list here I am not linking to them since they are withdrawn the less that is known about them the better.:

  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Validation
  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of Terms
  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Time Stamps
  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Maintenance of Electronic Records
  • Compliance Policy Guide, CPG 7153.17: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures
  • ;

There is new guidance which can be downloaded here : [PDF version] or read here:



This can be confusing but don’t let this fool you, the whole reasoning around the FDA withdrawing the Guidance documents was two-fold.

1 – The FDA published this guidance which is a copy (with exception of the header) of the IEEE SDLC process around hardware systems testing and validation, unfortunately software and hardware are very different and the FDA withdrew this to aliviate confustion around audits that didn’t look at any specific system with its application to the intent of the Part 11 law.

In other words, auditors are not very good at interpreting law, they took the guidance as law which had a side-effect of causing huge inefficiencies in the auditing and validation of part-11 systems.

2- Another aspect is if the government gives out advice or guidance it opens itself up for lawsuits, the government should be making laws and enforcing them, not offering guidance on following the laws.

The new guidance is a lot more vague and limited, mostly giving guidance on interpretation of the law and also aligning with any cases that have come to be known.

We are now re-examining part 11, and we anticipate initiating rulemaking to revise provisions of that regulation. To avoid unnecessary resource expenditures to comply with part 11 requirements, we are issuing this guidance to describe how we intend to exercise enforcement discretion with regard to certain part 11 requirements during the re-examination of part 11. As mentioned previously, part 11 remains in effect during this re-examination period.

As you can see part-11 is still in effect, as this would impact public safety and any efficacy of data used in clinical trials among other things.

Title 21 CFR Part 11: Predicate Rules

January 22, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
Predicate Rules:

What is a predicate rule?  Predicate rules are rules that help you determine if something applies to you or not. In the case of part-11 compliance, a predicate rule is some other law that dictates what needs to be retained, how long it is needed, any other constraints with respect to electronic systems.  An example is when you are building a system, you need to ask, is this information regulated?  If the answer is yes.. then part-11 applies, along with some constraints like the e-signatures part only applies to records that needed to be “signed” in paper form, and you are replacing this with an electronic system.

What other laws could apply, how do you know?

Well in any regulated industry there are the CFR’s (federal regulations) which spell out in detail the specifics, and other acts as well (Food, Drug and  Cosmetic Act, or the Public Health Service Act and any ammendments) in our case of 21 CFR Part 11, we look at the GXPs (Good Clinical Practices, Good Manufacturing Practices) 


Title 21 CFR Part 11: E-Signature Compliance

January 18, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
E-Signature implementation details:

e-signatures are part of the law required for part 11 compliance here is what the law says itself

Subpart C–Electronic Signatures

Sec. 11.100 General requirements.

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual`s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

Sec. 11.200 Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

E-Signatures are required when you are replacing a regulated process that is paper-based (required signatures) with electronic signatures. There are 2 parts to this

1 -  As an organization you need to accept e-signatures as physical signatures (or the client running the software)

2- You need to implement the baseline features and have training and signatures of people accepting the signature requirement.

Here are some foundation e-signature requirements for a part 11 compliant system

1 – Unique accounts for each user who signs

2 – Encrypted connection to the system (SSL)

3 – They need to see and agree to the statement of intent to validate this you require some unique data like a username/password, digital identity (biometrics, dongle, rsa token), passphrase, they must provide this with the statement of intent for the signature so they understand they are signing it.

4 – Any user must be able to see all things they have signed in the system (a history of signatures and versions of documents)

5 – Auditing of the entire data stored in an immutable form with full history to prevent falsification (image with checksum etc..)

6- Each signature needs

a. the name of person

b. the date/time of signature

c. a storage mechanism to prevent tampering and ensure integrity

d. statement of intent

e. the role of person

7 – The things being signed cannot be pre-loaded with data, the person must fill out the form on their own, no defaults.

8 – If signing more than 1 thing within a 20 minute window, you can only require password for each signature rather than name/password within the session after 20 minuets they must enter both name and password.

9 – Signature and Data must be stored together and not be separable.

Title 21 CFR Part 11: Security Compliance

January 17, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
Security implementation details:

security is part of the law required for part 11 compliance here is what the law says itself

Sec. 11.300 Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Here are some foundation security requirements for a part 11 compliant system

1 – Unique accounts for each user

2 – Encrypted connection to the system (SSL)

3-  Complex Password required (numbers, symbols, length)

4 – Required to change password every 90 days

5 – Password history no reuse within a year

6 – 3 failed attempts lockout system (send notification to administrator)

7 – synchronize time on all servers

8 – show the username, name, and last logged in date on the screen at all times

9 – after 20 minutes log out account

10 – only allow one login at a time per an account

11 – log all activity in an audit log

12 – display version of software on screen (about screen)

13 – encrypt password is hash so it is irreversible and not viewable by anyone

14 – train people on security to thwart attempts at social engineering

With these feature requirements you can see that a part 11 security system has a pretty high level of requirement, but having the features is not enough you need to validation process and training to complete compliance.

Title 21 CFR Part 11: Auditing

January 16, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
Auditing implementation details:

Auditing is part of the law required for part 11 compliance here is what the law says itself

e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

This essentially means you need to collect who is performing the action, what they are doing (record the before and after values), the date and time of the activity, a reason for the activity if not specified implemented in the module.

There are several other aspects of auditing required including time synchronization and unique usernames and passwords.  Without these two things the audit logs don’t really mean anything it is a holistic thing and this explains why it is so important!

It is really valuable to have auditing across the entire system so that you can confirm roles security and authorization levels as well.  Security logging, system access logging, and electronic signature logging are all required and useful for testing of a system as well.

Title 21 CFR Part 11: Compliance

January 15, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 

The 3 areas (pillars) of compliance

1 – Features

When you are building software for part 11 compliance you need to ensure you meet the features present in the law, this is known as feature level compliance and is only applicable to a specific version. Any change in a system requires revalidation of the features

2 – Validation

Validation of the features listed above is a second-level where you have the features to meet the law, now you have to prove with empirical evidence that you meet the requirements this evidence needs to be physical and linked to a process with integrity. The key works here are you need physical artifacts that stand on their own as validation (Test worksheets, signatures and reviewers signatures, screen captures, logs, etc..)

3 – Training

An often overlooked aspect of any system is training and proof of training, you must ensure the people who use the validated software are trained in it, and that training maps to the validation and features to ensure proper function without training the other 2 areas are pointless as there can be user errors and no accountability.

We will map the features of the law into a software system in a later exercise but essentially there are two main areas of specialty

1. Auditing: This is proof of what is happening by who and how it is changing, in a way that there is no chance of the system not working

2. Security: This is the biggest nut to crack in that you have to have best practice security (encryption, Authentication/Authorization, unique accounts, on screen indicators, password resets, 90 day password changes, password history, complexity, etc.. secure communication lines this is a large area and one of most important, and synchronized time on all system.

3. E-Signatures (optional):If your software is converting paper to electronic and electronic is the primary store, then you must create an e-signature system that has security, auditing and is also a statement of intent within the system to ensure the signature is valid.

Validation is another big piece you need a process that maps features to specifications to tests and this all is robust and transparent.  Any function of software must be validated, with empirical evidence and physical artifacts, all best practice with  clear and concise process.

Training is the third and this entails with going through all functions for each role, and having the student and instructor confirm that they understand and agree training was adequate, this is for the entire process.

In a later segment we will go through more detail of the processes required for compliance and meeting the requirements.

Title 21 CFR Part 11: What is it and why is it important?

January 13, 2012 by · 2 Comments
Filed under: Business, Healthcare, Regulatory 


What is it?

The FDA is a government regulatory authority and CFR is short for “Code of Federal Regulations” which is basically another work for Federal Law.  Each Cabinet in government and governmental body has a Title in the CFR that dictates the laws that apply to a particular governmental body so the first part of this CFR 21 is basically CFR Title 21, which is the body of laws under which the FDA is regulated.  the second part (“Part 11”) is a sub-section under the law that is applied to specific circumstances.  Part 11 in this case applies to Clinical Trials and electronic record keeping for clinical trials.

Sec. 11.1 Scope.

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

An interesting thing about CFR 21 Part 11 or more specifically and generally referred to as Part 11 compliance is that there are 2 points of view.

1 – it is just a law and has some ambiguity at that, you can see the law here: Law :and information here:  Title 21 CFR Part 11, it is very small barley fits on 2 pieces of paper and has enormous consequences for software used in the regulated area of Clinical Trials.

2 – Whenever you have a legal area there is what the law says and second is the interpretation of the law, or more specially the interpretation and enforcement of the law. 
You have cases that have been taken to court and interestingly enough have had impact on how things are enforced and what you need to do to come under compliance.  One such court case : here, essentially explains that you cannot grand-father electronic systems into compliance because of the risks and downstream effect, so this court case says that any systems that fall into compliance need to meet the new laws circa 1998.


What is this important?

If you wanted to innovate and differentiate yourself in this industry there is a big barrier to entry and interestingly enough regulatory compliance is expensive and also risky business so it creates a value moat if you can understand and use regulatory compliance to your advantage. 

If you can pass a Part 11 Audit it has extreme value to show not only that your software does what it says it does, it does what the law requires, which ensures safety, security and proper function. 

The most important part of this regulation is that you need to be certain that data in a clinical trial are true and exact, this impacts whether people live or die.  Because of high risk and importance of the software systems once you get a system compliant it reaps enormous benefits in that you charge more money for the software, training, and validation of the system setups.

Technical Writing: Writing a good functional specification.

January 11, 2012 by · Leave a Comment
Filed under: Business, Design, Uncategorized, Writing 

Documentation… The bane of many developers and architects, who would rather write code or prototypes, maybe even tests or bug fixes.  Documentation has been a topic of great controversy, pitting Agile against Waterfall.  There have been many attempts over the decades to replace technical or functional specifications with Domain Specific Languages (DSLs) that can auto-generate code from a written document.  What is unfortunate is that the value of good documentation is lost in the mix usually because of some common pitfalls.

Pitfall # 1 –The goal and reasoning behind documentation is not clear.

Pitfall # 2 – The value of the documentation is not usually given to those who create it, and ultimately it is usually a lower priority than code and as a process is usually not followed so code and documentation get out of sync.

Pitfall # 3 – Developers have not been training appropriately around good practices, and guidance, these are usually given to analysts and project managers, who don’t know the code or technical capability as well.

Pitfall # 4 – Time…. usually as a lower priority no time is given to documentation and many modern practices (Agile) value readable code over documentation (Thought I would argue a functional specification is similar to a story, but perhaps more technical in business terms.)

Startup Success–How to hire great people.

January 10, 2012 by · Leave a Comment
Filed under: Business, Startup 

In my previous posts I have discussed how important people are to making a great startup, In this post I will outline the characteristics that I think make for great people to help make you startup or your business a success. 

I think the number one character trait in looking for great people is simple… Integrity.  If you think about it, this is a great characteristic and makes for easy decisions, but how do you know if a person has integrity?  This is the most challenging aspect of this requirement, however you can read how people respond to problems, you can examine a resume and look for any red flags that show lapses in integrity, but to start to answer this question lets look at the core qualities of integrity so we can unpack this and see if there is some guidance we can use to make this clear.




1 – Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one’s actions. Integrity can be regarded as the opposite of hypocrisy,[1] in that it regards internal consistency as a virtue, and suggests that parties holding apparently conflicting values should account for the discrepancy or alter their beliefs.


I really like the part where it is the opposite of hypocrisy, so we are looking for an honest and ethical person.  I would hope most people would have this virtue, but unfortunately this is most likely a rare trait.  Some things to consider,

a) Do they claim to know things but don’t know them as well?

b) Do they take credit for everything or offer to give credit where it is due?

c) Listen to everything they say, usually there will be very straightforward times, especially when you have them tell you a story about a time they had a challenge, or learning something new, these are revealing to the persons true nature.

d) Watch their behavior for kindness, and politeness

Lets say you found a candidate, here are the other qualities in the order of importance.

2 – Motivation is similar to passion and only if the person has integrity will there motivations be in the best interest of the company.  With the proper motivation everything else will fall into place, this is important to be sure the candidate has motivation as well!


3 – Capacity is in third that with the proper motivation if they have capacity they can then understand what is needed and why things are important, and how to make things improve.


4 – Understanding is impossible without capacity as you really limit your understanding if you have no capacity to understand!


5 – Knowledge is meaningless without understanding!


6 – Experience is blind without knowledge!

How strange this is, that usually hiring decisions are based on experience instead of the things that fall in place with the proper foundation!

Startup Success Tip–It is not about the technology.

January 9, 2012 by · Leave a Comment
Filed under: Business, Startup 

Building a business is not straightforward or easy, things that seem like common sense surprisingly are not the right choices for success.  Knowing that the goal of a startup is ultimately to make money, with this in mind it is a good thing to remind yourself about as you progress in making a startup successful. 

With many startups based on technology and solutions it is a big trap that you can fall into easily, thinking it is about the technology.  What really makes it work and successful is the core issue of solving a problem, making the pain go away, and possibly giving pleasure or all three.  I call these the three P’s

1- Problem : This is ultimately what you are solving the niche where you fit in.

2- Pain: This is the pain you are making less, or removing, where people most likely are willing to pay you money to make it go away.

3- Pleasure: The converse is that pleasure, bringing pleasure and taking away pain are almost the same, you can think of games or other interactions matching in this category.




Technology is important, it is the means to an ends, however there are so many technological solutions, that they are interchangeable in many ways, there is no one secret sauce people are solving problems and if for some reason you technology works, that is great but don’t think that is what it is about.

I think the key ingredient to a successful startup is knowing the technology is not key, but the people are!  People are what make technology work, and people are what it is all about, that and of course a solution and plan for making money!  Many large companies buy out startups not just for the company as a technological asset, but for the data, business establishment, and most importantly the people who executed correctly.

How do we find the right people for hiring, this will be coming up!

Stay Tuned.