GxP Compliance FAQs

A general term used to refer to the FDA’s “good practice” regulations, where the “x” can stand for Clinical, Laboratory, or Manufacturing in Good Clinical Practice (GCP), Good Laboratory Practice (GLP) and Good Manufacturing Practice (GMP).

Part 11 is an abbreviated way of referring to FDA’s regulation on electronic records and electronic signatures, known as 21 CFR Part 11.

It applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements (predicate rules) set by the Agency (FDA). It also applies to electronic records submitted to the FDA (even if such records are not specified in the regulations).

Any FDA regulation that requires certain records to be maintained or submitted to the Agency. For example, 21 CFR 312 for Investigational New Drug (IND) Applications requires the following:

21 CFR 312.62(b) requires an investigator to maintain case histories that record all observations and other data pertinent to the investigation on each individual administered the investigational drug or employed as a control in the investigation.

If an investigator is maintaining the above records (case histories) in electronic format, then 21 CFR Part 11 applies to these records.

Records required to be maintained under predicate rules:

• Maintained in electronic format in place of paper
• Maintained in electronic format in addition to paper format and that are relied on to perform regulated research-related activities
• Records submitted to FDA in electronic format under predicate rules (even if such records are not specified in Agency regulations)

No, FDA does not intend to assess compliance of EMR systems with 21 CFR 11. However, FDA’s acceptance of data from clinical investigations for decision-making purposes depends on FDA’s ability to verify the quality and integrity of the data during FDA inspections.

Documented evidence that a computerized system performs its intended functions, reliably, and with consistent intended performance in its operating environment.

Much like conducting a research study, system validation begins with a plan (Validation Plan) that outlines the validation tasks and deliverables. A series of documents are created to document the system installation, system’s functions, end users’ requirements for the system, test scripts, as well as how each requirement will be tested to demonstrate that the system operates as intended. When the system is tested following the approved test scripts, each executed step is recorded and many screenshots are collected as evidence. In addition, a series of SOPs are created to describe topics such as: how to use the system, system maintenance, security, access management, back- up and recovery, among others. At the end of the validation effort, a Validation Summary Report is generated and the final outcome is described.

Typically, system validations are performed by Research Information Technology (IT) along with the end users of the system who execute User Acceptance Testing to demonstrate that the system operates as intended using the end users’ workflows and configurations.

A system can only be Part 11 compliant if it meets the control requirements set forth in 21 CFR Part 11 AND if it was validated in-house. This includes User Acceptance Testing by the end users to demonstrate that the system operates as intended using the end users’ workflows and configurations.

No. A system can only be Part 11 compliant if it meets the control requirements set forth in 21 CFR Part 11 AND if it was validated at the University for its intended use.

Yes. A system can only be Part 11 compliant if it meets the control requirements set forth in 21 CFR Part 11 AND if it was validated in-house for its intended use.

Contact Helen Miletic, Director of Research Quality Assurance at hmiletic@med.miami.edu

Electronic signatures that are intended to be the equivalent of handwritten signatures or initials required by predicate rules must be executed using a system that meets the control requirements set forth in 21 CFR Part 11 AND that system must be validated at the University for its intended use.

Electronic signatures that are intended to be the equivalent of handwritten signatures or initials required by predicate rules must be executed using a system that meets the control requirements set forth in 21 CFR Part 11 AND that system must be validated in-house for its intended use.

In addition, electronic signatures that are not based on biometrics (e.g. fingerprint) must use at least two identification components such as a username and password to ensure that each electronic signature is unique to one individual. The electronic signature must also be linked to the electronic record to ensure that the signature cannot be excised, copied, or otherwise transferred to falsify an electronic record.

The electronic signature manifestation must contain the following:

• Printed name of the signer
• Date and time when signature was executed
• Meaning of the signature (e.g. approval, review or authorship)

For more details on electronic signatures, refer to 21 CFR Part 11: Electronic Records; Electronic Signatures.

The only Adobe e-signature that has been validated at the University is Adobe Self Sign Using Digital ID. You can use this electronic signature in FDA-regulated research as it meets the control requirements set forth in 21 CFR Part 11 AND it has been validated at the University for this use. Refer to the University’s training module on ULearn, by searching the key words “Digital ID.”