Title 21 CFR Part 11: Standard Operating Procedures (SOPs) What are they and why are they important?

January 26, 2012 by · Leave a Comment
Filed under: Compliance, Healthcare, Regulatory 


Standard Operating Procedures (SOPs) –

An SOP is a written document or instruction detailing all steps and activities of a process or procedure. ISO 9001 essentially requires the documentation of all procedures used in any manufacturing process that could affect the quality of the product.[1]

To meet regulations, a company needs rock solid SOPs that outline the entire process around the creation, validation, and training of software used in the regulated industry like clinical trial software.

How does this work?  Think of this as a legal framework within a company, and you will understand its purposes and intentions.  you cannot just put the words SOP on something and call it good, you need to understand the system as a whole and then you can follow the procedures to allow

1- Transparency

2– Traceability

3 – Accountability

4 – Lower risk

5 – Increased Quality

6 – Meeting regulatory requirements obeying the law and protecting the public.

To start off the whole process where do we begin:

Step 1: The first step is to create a document log, this is also called “document control” which is a log of all the documents in the system, this allows you to track document names, document versions, ownership, status (active, inactive,etc..), training requirements and effective dates.  The document log is your catalog of documents, you can also use software systems to track this but all that is needed is an excel spreadsheet and your good to go.  Download Excel 2010 Document Log Template Here:

Document Log Document Log

Step 2: The second document needed is an organization chart which outlines the roles and hierarchy of a company.  This is important as this is the foundation of who is in authority and what they do, and this also dictates what they are required to be trained on.

Download Word 2010 Org Chart Template Here:

Example Org Chart Org Chart

Step 3: The third document you create is a document outlining how you do document management, you cannot have SOP system in place without knowing the genesis of your system, this describes the format, layout, and content of your SOP’s along with processes needed to manage the documents.  It is important to note that SOP’s are like “laws” and as such when they are signed by people who have the roles within an organization to enforce the policies, they become effective, however only after people have been training on the documents and the training is documented as well.

I will dive into more in a later post, for now this is the foundation of compliance for a company.

Title 21 CFR Part 11: Test Protocols

January 25, 2012 by · Leave a Comment
Filed under: Compliance, Healthcare, Regulatory 

I mentioned in an earlier post about protocols, in this post I will describe in detail what this looks like and how it is modeled to be successful.

It is important to note that Standard Operating Procedures (SOPs) are required in order for the system to work as a legal framework and the SOPs will dictate the structure, flow, and process around the documents in a system, SOPs are essentially the core principals to any regulated company.

Parts of a Protocol for validation of software

1 – Approvers

2 – Environment & Setup

3 – Defect Tracking

4 – Test Cases

5 – Test Results

Appendix – This could be a test execution worksheet documentation of the evidence that testing took place.

Part 1 – Approvers

This is a list of people and titles and signatures needed to approve the test protocol, once signed it is in effect, however signing this doesn’t complete the testing it just completes the definition of how to test.

Part 2 – Environment

Describes the system environment testing is being completed in.

Part 3 – Defect Tracking

This is very important what do you do, if when testing a test fails?  You need to track the whole process to ensure it gets documented, fixed or not and risks justification.

Part 4 – Test Cases

These are step-by-step instructions on the testing, it is good idea to track each test case to a requirement to ensure that you can prove you are meeting the definitions of the function of what the software should do.

Part 5 – Test Report

This is the summary of what you will record when testing is complete, how it is recorded and processes around the record keeping.


Usually contains templates or worksheets and review sheets as documented evidence of the testing.

See an example template in MS Word 2010

Example Test Protocol (word 2010): Download here

Title 21 CFR Part 11: Documentation

January 24, 2012 by · Leave a Comment
Filed under: Compliance, Healthcare, Regulatory 

As part of the CFR validation process, what documentation is needed and how does this align with the law?

The overall validation process must be linked to your Standard Operating Procedures (SOPs) which are legally binding laws within an organization.  There is a general pattern common to validation systems that are expected in the Part 11 industry, these are protocols and reports. 

Protocols: a protocol is a process that you follow, spelled out in great detail and the idea of it is you have a protocol that describes what you want to do.

Report: a report is a write-up about the execution of a protocol and the results of the protocol, protocols and reports go together

A protocol and a report don’t really mean anything in the big picture unless you have SOP’s that dictate the use of protocols and reports and tie the whole process and system together in a type of “legal framework”

What is an example of all of this?

A Great example is software validation, how would this work with validation of a software system?  You have a validation protocol, and a validation report, the protocol describes how you validate something, and the report is the write up on how the protocol execution went,

So lets say you are testing module A in your new clinical portal, you draft up a validation protocol to test the system outlining everything you need to test, this usually includes screen-shots and signatures to ensure accountability and more evidence and a worksheet used to sign / initial each test is executed and passed or failed.  Once complete, you then write up a report which outlines how it went, pass/fail and next steps, if things didn’t go well you can write a new protocol version or create a new protocol against the fixes needed.  It is important to note that these documents need a process and the process needs to be complete (secure, auditable, etc..) using defect tracking, etc.. to ensure no defects are allowed in the system.


Title 21 CFR Part 11: FDA Guidance

January 23, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
FDA Guidance Documentation:

There was a good point brought up in a comment from a reader of this blog around the fact that the FDA had withdrawn guidance documents around Part 11 therefore they do not enforce it.  There is new guidance so it can be deceiving.

You can see the withdrawn list here I am not linking to them since they are withdrawn the less that is known about them the better.:

  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Validation
  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of Terms
  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Time Stamps
  • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Maintenance of Electronic Records
  • Compliance Policy Guide, CPG 7153.17: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures
  • ;

There is new guidance which can be downloaded here : [PDF version] or read here:



This can be confusing but don’t let this fool you, the whole reasoning around the FDA withdrawing the Guidance documents was two-fold.

1 – The FDA published this guidance which is a copy (with exception of the header) of the IEEE SDLC process around hardware systems testing and validation, unfortunately software and hardware are very different and the FDA withdrew this to aliviate confustion around audits that didn’t look at any specific system with its application to the intent of the Part 11 law.

In other words, auditors are not very good at interpreting law, they took the guidance as law which had a side-effect of causing huge inefficiencies in the auditing and validation of part-11 systems.

2- Another aspect is if the government gives out advice or guidance it opens itself up for lawsuits, the government should be making laws and enforcing them, not offering guidance on following the laws.

The new guidance is a lot more vague and limited, mostly giving guidance on interpretation of the law and also aligning with any cases that have come to be known.

We are now re-examining part 11, and we anticipate initiating rulemaking to revise provisions of that regulation. To avoid unnecessary resource expenditures to comply with part 11 requirements, we are issuing this guidance to describe how we intend to exercise enforcement discretion with regard to certain part 11 requirements during the re-examination of part 11. As mentioned previously, part 11 remains in effect during this re-examination period.

As you can see part-11 is still in effect, as this would impact public safety and any efficacy of data used in clinical trials among other things.

Title 21 CFR Part 11: Predicate Rules

January 22, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
Predicate Rules:

What is a predicate rule?  Predicate rules are rules that help you determine if something applies to you or not. In the case of part-11 compliance, a predicate rule is some other law that dictates what needs to be retained, how long it is needed, any other constraints with respect to electronic systems.  An example is when you are building a system, you need to ask, is this information regulated?  If the answer is yes.. then part-11 applies, along with some constraints like the e-signatures part only applies to records that needed to be “signed” in paper form, and you are replacing this with an electronic system.

What other laws could apply, how do you know?

Well in any regulated industry there are the CFR’s (federal regulations) which spell out in detail the specifics, and other acts as well (Food, Drug and  Cosmetic Act, or the Public Health Service Act and any ammendments) in our case of 21 CFR Part 11, we look at the GXPs (Good Clinical Practices, Good Manufacturing Practices) 


Title 21 CFR Part 11: E-Signature Compliance

January 18, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
E-Signature implementation details:

e-signatures are part of the law required for part 11 compliance here is what the law says itself

Subpart C–Electronic Signatures

Sec. 11.100 General requirements.

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual`s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.

Sec. 11.200 Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

E-Signatures are required when you are replacing a regulated process that is paper-based (required signatures) with electronic signatures. There are 2 parts to this

1 -  As an organization you need to accept e-signatures as physical signatures (or the client running the software)

2- You need to implement the baseline features and have training and signatures of people accepting the signature requirement.

Here are some foundation e-signature requirements for a part 11 compliant system

1 – Unique accounts for each user who signs

2 – Encrypted connection to the system (SSL)

3 – They need to see and agree to the statement of intent to validate this you require some unique data like a username/password, digital identity (biometrics, dongle, rsa token), passphrase, they must provide this with the statement of intent for the signature so they understand they are signing it.

4 – Any user must be able to see all things they have signed in the system (a history of signatures and versions of documents)

5 – Auditing of the entire data stored in an immutable form with full history to prevent falsification (image with checksum etc..)

6- Each signature needs

a. the name of person

b. the date/time of signature

c. a storage mechanism to prevent tampering and ensure integrity

d. statement of intent

e. the role of person

7 – The things being signed cannot be pre-loaded with data, the person must fill out the form on their own, no defaults.

8 – If signing more than 1 thing within a 20 minute window, you can only require password for each signature rather than name/password within the session after 20 minuets they must enter both name and password.

9 – Signature and Data must be stored together and not be separable.

Title 21 CFR Part 11: Security Compliance

January 17, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
Security implementation details:

security is part of the law required for part 11 compliance here is what the law says itself

Sec. 11.300 Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Here are some foundation security requirements for a part 11 compliant system

1 – Unique accounts for each user

2 – Encrypted connection to the system (SSL)

3-  Complex Password required (numbers, symbols, length)

4 – Required to change password every 90 days

5 – Password history no reuse within a year

6 – 3 failed attempts lockout system (send notification to administrator)

7 – synchronize time on all servers

8 – show the username, name, and last logged in date on the screen at all times

9 – after 20 minutes log out account

10 – only allow one login at a time per an account

11 – log all activity in an audit log

12 – display version of software on screen (about screen)

13 – encrypt password is hash so it is irreversible and not viewable by anyone

14 – train people on security to thwart attempts at social engineering

With these feature requirements you can see that a part 11 security system has a pretty high level of requirement, but having the features is not enough you need to validation process and training to complete compliance.

Title 21 CFR Part 11: Auditing

January 16, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 
Auditing implementation details:

Auditing is part of the law required for part 11 compliance here is what the law says itself

e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

This essentially means you need to collect who is performing the action, what they are doing (record the before and after values), the date and time of the activity, a reason for the activity if not specified implemented in the module.

There are several other aspects of auditing required including time synchronization and unique usernames and passwords.  Without these two things the audit logs don’t really mean anything it is a holistic thing and this explains why it is so important!

It is really valuable to have auditing across the entire system so that you can confirm roles security and authorization levels as well.  Security logging, system access logging, and electronic signature logging are all required and useful for testing of a system as well.

Title 21 CFR Part 11: Compliance

January 15, 2012 by · Leave a Comment
Filed under: Business, Compliance, Healthcare, Regulatory 

The 3 areas (pillars) of compliance

1 – Features

When you are building software for part 11 compliance you need to ensure you meet the features present in the law, this is known as feature level compliance and is only applicable to a specific version. Any change in a system requires revalidation of the features

2 – Validation

Validation of the features listed above is a second-level where you have the features to meet the law, now you have to prove with empirical evidence that you meet the requirements this evidence needs to be physical and linked to a process with integrity. The key works here are you need physical artifacts that stand on their own as validation (Test worksheets, signatures and reviewers signatures, screen captures, logs, etc..)

3 – Training

An often overlooked aspect of any system is training and proof of training, you must ensure the people who use the validated software are trained in it, and that training maps to the validation and features to ensure proper function without training the other 2 areas are pointless as there can be user errors and no accountability.

We will map the features of the law into a software system in a later exercise but essentially there are two main areas of specialty

1. Auditing: This is proof of what is happening by who and how it is changing, in a way that there is no chance of the system not working

2. Security: This is the biggest nut to crack in that you have to have best practice security (encryption, Authentication/Authorization, unique accounts, on screen indicators, password resets, 90 day password changes, password history, complexity, etc.. secure communication lines this is a large area and one of most important, and synchronized time on all system.

3. E-Signatures (optional):If your software is converting paper to electronic and electronic is the primary store, then you must create an e-signature system that has security, auditing and is also a statement of intent within the system to ensure the signature is valid.

Validation is another big piece you need a process that maps features to specifications to tests and this all is robust and transparent.  Any function of software must be validated, with empirical evidence and physical artifacts, all best practice with  clear and concise process.

Training is the third and this entails with going through all functions for each role, and having the student and instructor confirm that they understand and agree training was adequate, this is for the entire process.

In a later segment we will go through more detail of the processes required for compliance and meeting the requirements.

Title 21 CFR Part 11: What is it and why is it important?

January 13, 2012 by · 2 Comments
Filed under: Business, Healthcare, Regulatory 


What is it?

The FDA is a government regulatory authority and CFR is short for “Code of Federal Regulations” which is basically another work for Federal Law.  Each Cabinet in government and governmental body has a Title in the CFR that dictates the laws that apply to a particular governmental body so the first part of this CFR 21 is basically CFR Title 21, which is the body of laws under which the FDA is regulated.  the second part (“Part 11”) is a sub-section under the law that is applied to specific circumstances.  Part 11 in this case applies to Clinical Trials and electronic record keeping for clinical trials.

Sec. 11.1 Scope.

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

An interesting thing about CFR 21 Part 11 or more specifically and generally referred to as Part 11 compliance is that there are 2 points of view.

1 – it is just a law and has some ambiguity at that, you can see the law here: Law :and information here:  Title 21 CFR Part 11, it is very small barley fits on 2 pieces of paper and has enormous consequences for software used in the regulated area of Clinical Trials.

2 – Whenever you have a legal area there is what the law says and second is the interpretation of the law, or more specially the interpretation and enforcement of the law. 
You have cases that have been taken to court and interestingly enough have had impact on how things are enforced and what you need to do to come under compliance.  One such court case : here, essentially explains that you cannot grand-father electronic systems into compliance because of the risks and downstream effect, so this court case says that any systems that fall into compliance need to meet the new laws circa 1998.


What is this important?

If you wanted to innovate and differentiate yourself in this industry there is a big barrier to entry and interestingly enough regulatory compliance is expensive and also risky business so it creates a value moat if you can understand and use regulatory compliance to your advantage. 

If you can pass a Part 11 Audit it has extreme value to show not only that your software does what it says it does, it does what the law requires, which ensures safety, security and proper function. 

The most important part of this regulation is that you need to be certain that data in a clinical trial are true and exact, this impacts whether people live or die.  Because of high risk and importance of the software systems once you get a system compliant it reaps enormous benefits in that you charge more money for the software, training, and validation of the system setups.