Why Is Part 11 Third-Party Attestation Important?
Software designed for clinical research sites is being adopted at an astonishing clip. A recent poll from our webinar on Preparing Research Organizations for Digital Tools and Part 11 Compliance revealed that more than 85 percent of research organizations have implemented, or are preparing to implement, some type of research automation software. Software solution providers are entering the market with innovative products such as electronic regulatory binders, electronic source documentation, electronic consent, and all manner of other eTools to automate the research administration process.
As a result, the Data Protection and Compliance Service team at Kinetiq gets this question from sites all the time: “What do I need to consider when choosing these new software solutions?” Our response is simple—make sure the solution you select works for what your site wants to accomplish; and make sure whatever system you select provides an independent attestation of Part 11 compliance.
What is “Part 11” Anyway?
The FDA 21 CFR Part 11 regulation has been around for 20 years. It governs and articulates when the FDA will accept electronic records or signatures in lieu of handwritten versions to support an FDA “predicate rule.” (A predicate rule is any FDA regulation that requires you to store and potentially produce for the FDA a set of records, signatures, or approvals.)
Put simply—if the FDA requires you to keep a
record and you keep it electronically, Part 11 applies to you.
These records may relate to research, but they also go beyond research to drug and device manufacturing, clinical practice, GxP—FDA requires you to keep a lot of records. If the FDA requires you to keep a record and you keep it electronically, Part 11 applies to you.
Under Part 11, computer systems that create, modify, maintain, or transmit electronic records subject to FDA predicate rules must be validated (21 CFR 11.10(a)). In essence, validation lays out what test, documentation, and controls must be in place for the FDA to trust your computerized records and signatures the same way the agency trusts handwritten physical records and signatures.
(To learn more about Part 11 and FDA’s guidance on Computer Software Validation download this recent white paper Considerations for using eTools in Research: Part 11 and System Validation.)
How Does Computer System Validation Work Exactly?
“Computer software validation” is simply a proven methodical approach to software testing and documentation with the end goal of producing a set of evidence that will provide sufficient documentation to the FDA that the computer system is producing the intended results; and the FDA can accept the electronic records in lieu of a paper record.
Imagine that an FDA representative who has come to visit your research site asks you to produce some required records (e.g. source documentation, eligibility verification, signed consent, etc.). If you say something like, “Just a minute, let me pull that up in the computer for you,” you just triggered questions about the underlying electronic record you are about to produce. The FDA representative’s next question may well be, “How do you know the record you are showing me is the actual unaltered record meeting the ALCOA standards (Attributable, Legible, Contemporaneous, Original, and Accurate)?” The correct response is, “We validated the underlying computer system where the record is created and maintained following FDA’s guidance on Computer Software Validation and in conformance with our site’s standard operating procedure on risk-based computer software validation. Would you like to see our validation documentation?”
Your validation documentation could look something like this:
Where Do Software Solution Providers Fit In?
As a research site, unless you build your own customized research automation software, you probably have little or no control over the requirements, development methods, testing, and other documentation associated with the software you use. Most software packages are cloud-based and require little or no configuration on the site’s part. Research sites then must rely on the software vendor to complete the lion’s share of the computer software validation effort and evidence set.
For instance, the Q Consent electronic consent platform offered by Quorum is 100% cloud-based, requires minimal configuration on the part of the end user, and has no localized installation of software or hardware. All major parts of the validation evidence set necessary to demonstrate compliance with Part 11 and the FDA’s guidelines on computer software validation are completed by the Quorum development team. This leaves only a few site-specific pieces for the site’s risk-based computer software validation and Part 11 compliance plan (e.g. training, local security issues, etc.). Quorum provides its Q Consent customers with a letter from a third-party auditor affirming its software is Part 11 compliant.
Why Is an Independent Third-Party Attestation of Part 11 Compliance Important?
FDA Draft Guidance from July 2017 makes it clear that research organizations can rely on attestations from software vendors that their software systems are developed to Part 11 standards and ready for final validation by the end user. FDA has also made it clear in previous software validation guidance that it is the responsibility of the end user to verify the Part 11 compliance status of their vendors. It is important to have peace of mind that your vendor is doing things right! Many sponsors and research sites require their vendors to produce an attestation of compliance performed by an independent third party separate from the software solution provider.
A third-party attestation provides the end user with additional assurance that a given software vendor is indeed compliant with the regulations, and their software was developed following the principles of software validation as required by FDA.
Kinetiq provides independent assessments for Part 11 compliance.
Check out our recent case study highlighting how
CRIO, Inc. utilized our service to secure
a third-party attestation of compliance.
A good risk-based computer software validation plan will leverage these attestations of Part 11 compliance and put any system with a third-party attestation in a lower risk stratification. This can substantially reduce the amount of local computer system validation needed.
If you don’t have a risk-based computer software validation strategy, SOPs, or plan, you need one before you start utilizing electronic records subject to FDA predicate rules. If you do have a Part 11 compliance program in place, review your vendor qualification procedures to make sure you are taking advantage of the FDA guidance that allows you to rely on statements from the vendor about their compliance status. Above all, be absolutely sure your vendors are compliant—after all, the FDA will be showing up at your doorstep, not your software vendor’s, to audit how you are using all those new automation systems.