[Audio] FDA 21 CFR Part 11 Regulation Training IT
Electronic Records; Electronic Signatures
21 CFR Part 11 Officer, Siemens Healthineers IT
Version 05 | 2Q FY24 | Doc ID: IT PD 11 TR 02 05 | Restricted © Siemens Healthineers, 2024

Narrator: Welcome to the FDA 21 CFR Part 11 Regulation Training for Healthineers IT.
[Audio] Benefits of Part 11 Training and Implementation
While full understanding of any compliance topic can seem difficult, this training will help you to:
- Gain a basic knowledge of the topic,
- Know where the topic comes from to reference its details as needed,
- Increase your confidence level when it is applicable,
- Follow a systematic approach to handle it,
- Know where to get help and support, and
- Reduce risk for Siemens Healthineers by achieving compliance.

Narrator: While full understanding of any compliance topic can seem difficult, this training supports learning passionately, and will help you so that you have the basic knowledge, appropriate references, and confidence needed to step boldly on the topic of Part 11. You'll also have a systematic approach to own it, and know where to get the help and support you need to reduce risk for Siemens Healthineers, so we win together.
[Audio] FDA 21 CFR Part 11 Training Objectives
Following this training, you will understand:
- WHY training is necessary for IT
- WHAT FDA 21 CFR Part 11 is
- HOW Part 11 applies to IT
- WHY Part 11 is important
- WHEN Part 11 is applicable
- WHEN Part 11 is not applicable
- WHAT is defined for Siemens Healthineers
- WHICH records are in scope of Part 11
- WHAT Part 11 requires
- HOW to determine Part 11 relevance in IT
- WHO is responsible for Part 11 compliance

Narrator: Following this training, you will understand why this training is necessary for IT, what FDA 21 CFR Part 11 is, how it applies to IT and why it is important, when it should be applied and when not, what is defined for Part 11 for Siemens Healthineers, which records are in scope, what it requires, how to determine if your application is relevant and who is responsible.
[Audio] Why is FDA 21 CFR Part 11 Training Mandatory?
- Each employee shall be trained regarding her/his responsibility for the correctness of electronic records and signatures and possible consequences in case of misconduct!
- IT implements FDA 21 CFR Part 11 requirements as part of IT applications, so IT employees shall be familiar with and adhere to this compliance topic when applicable.
- The organizational unit is responsible for the training records.
- IT Administrators have special considerations for your role.

Narrator: As a medical device manufacturing company, Siemens Healthineers must comply with FDA regulations. To fulfill part of these regulations, you are receiving this mandatory training for two reasons. One: Each employee shall be trained regarding her or his responsibility for the correctness of electronic records and signatures and possible consequences in case of misconduct! And two: IT implements FDA 21 CFR Part 11 requirements as part of IT applications, so IT employees shall be familiar with and adhere to this compliance topic when applicable. If you are an IT Administrator, you have special considerations described later in this training, specific to this role. It is the responsibility of each organizational unit to keep training records as well.
[Audio] FDA 21 CFR Part 11 Training Structure
Like other compliance topics, there are 3 perspectives for FDA 21 CFR Part 11:
- External Legal and Regulatory Body (FDA)
- Siemens Healthineers Compliance Governance Unit (SHS QT QR)
- Siemens Healthineers Compliance Assurance Unit(s) (SHS IT / SHS BLs)
This training content will provide information from each perspective, with the perspective noted where applicable.

Narrator: Like other compliance topics relevant for Siemens Healthineers, there are 3 perspectives for FDA 21 CFR Part 11.
Martha: Hello everyone, my name is Martha. I will be guiding you in the training from an FDA perspective as the external legal and regulatory body.
Thomas: Hello everyone, I am Thomas. I will be guiding you from a QT perspective as the Compliance Governance Unit of Siemens Healthineers.
Sonja: And my name is Sonja. My focus is compliance assurance from the Siemens Healthineers IT perspective. Let's continue with Martha giving us more information about what FDA 21 CFR Part 11 is.
[Audio] What is FDA 21 CFR Part 11 Electronic Records; Electronic Signatures?
- U.S. Food and Drug Administration (FDA) issued the final Title 21 of the Code of Federal Regulations, Part 11 - Electronic Records; Electronic Signatures.
- FDA 21 CFR Part 11 defines the requirements under which the FDA considers electronic records and electronic signatures as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
- In other words, Part 11 is an FDA regulation that legally imposes requirements on manufacturers when they choose to maintain FDA required records in electronic form.

Martha: Thank you, Sonja. In March 1997, the U.S. Food and Drug Administration (or FDA) issued the final Title 21 of the Code of Federal Regulations, called Part 11 - Electronic Records; Electronic Signatures (also known as FDA 21 CFR Part 11 or more simply as Part 11). This regulation became effective on August 20, 1997. Part 11 defines the requirements under which the FDA considers electronic records and electronic signatures as trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. In other words, Part 11 is an FDA regulation that legally imposes certain requirements on manufacturers when they choose to maintain FDA required records in electronic form for devices they intend to market and sell in the United States.
[Audio] How does Part 11 apply to IT?
There are multiple FDA regulatory requirements / predicate rules that apply to medical device manufacturers.
- Predicate Rules / 21 CFR 820 (QMS): Medical Device Manufacturers which intend to sell medical devices in the United States of America shall establish and maintain a Quality Management System (QMS) for the Design, Manufacture, Packaging, Labeling, Storage, Installation, and Servicing of their finished medical devices according to 21 CFR Part 820. Each org unit shall define within their QMS controls to fulfill regulatory compliance. SHS IT, while not producing medical devices, does provide Healthineers with non-product software in support of the design, manufacturing, packaging, labeling, storage, installation and servicing of medical devices – where Part 11 requirements may be relevant.
- QIA4: Quality Interface Agreement QIA4 has been established by QT to define the delivery of regulatory compliant IT services by IT (as a primary supplier of non-product software) for various BLs.
- ITSM: The QMS for IT is embedded within ITSM – where processes are defined to safeguard the IT applications for Part 11 when applicable and fulfill the delivery described in QIA4.

Martha: There are multiple FDA regulatory requirements or predicate rules that apply to medical device manufacturers. As examples: Medical Device Manufacturers which intend to sell medical devices in the United States of America shall establish and maintain a Quality Management System (QMS) for the Design, Manufacture, Packaging, Labeling, Storage, Installation, and Servicing of their finished medical devices according to 21 CFR Part 820. Each org unit shall define within their QMS controls to fulfill regulatory compliance. IT, while not producing medical devices, does provide Healthineers with non-product software in support of the design, manufacturing, packaging, labeling, storage, installation and servicing of medical devices – where Part 11 requirements may be relevant.
Thomas: Thank you, Martha. This is important from a QT perspective because the Quality Interface Agreement QIA4 has been established by QT to define the delivery of regulatory compliant IT services (since IT is a primary supplier of non-product software) for various Business Lines.
Sonja: The QMS for IT is embedded within ITSM – where processes are defined to safeguard the IT applications for Part 11 when applicable and fulfill the delivery described in QIA4. Martha, please tell us why Part 11 is so important.
[Audio] Why is Part 11 Important?
Compliance to Part 11 is of the same importance as the other applicable FDA regulatory requirements or predicate rules. The FDA is enforcing fulfillment of these requirements by inspections. Noncompliance to Part 11 observed in an FDA Inspection can result in multiple consequences for Siemens Healthineers (e.g., an FDA Warning Letter).
- Form 483s: Notifies management at the conclusion of an inspection of objectionable conditions. Does not constitute a final Agency determination. Companies are encouraged to respond.
- Warning Letters: Sent by FDA to advise of violations. Request written response as to steps taken to address violation.
- Seizure: Action brought against product that is adulterated and/or misbranded. Removes violating products from commerce.
- Injunction: Court ordered. May be sought by FDA to require an individual or corporation to do or refrain from doing a specific act.
- Criminal Prosecution & Fines: May recommend prosecution for certain violations. Fines ranging from $100k-500k; imprisonment for up to 1 year.

Martha: Compliance to Part 11 is of the same importance as the other applicable FDA regulatory requirements or predicate rules. The FDA is enforcing fulfillment of these requirements by inspections. Noncompliance to Part 11, observed in an FDA Inspection, can result in multiple consequences for Healthineers (for example, an FDA Warning Letter). Here you can see the progression of severity resulting from these types of inspections – from Form 483, to warning letters, to seizure of products, court injunction and ultimately criminal prosecution and fines. Each results in consequence that is public information, and as such could be used against Siemens Healthineers by its competitors. Therefore these actions harm Healthineers and its customers.
[Audio] When is Part 11 applicable?
- The 21 CFR Part 11 requirements apply to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any record requirements set forth in FDA regulations (predicate rules).
- Part 11 also applies to electronic records submitted to the FDA under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in FDA's regulations.
- Hyperlinks are equivalent to references in paper documents; therefore hyperlinks are part of the electronic record.
Note: The predicate rules tell us which records are quality relevant. 21 CFR Part 11 mandates additional requirements for specifically identified quality relevant records.

Martha: But when is Part 11 applicable? The 21 CFR Part 11 requirements apply to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any record requirements set forth in FDA regulations (predicate rules). Part 11 also applies to electronic records submitted to the FDA under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in FDA's regulations. Hyperlinks are equivalent to references in paper documents. Therefore hyperlinks are part of the electronic record.
Thomas: Please take note: predicate rules tell us which records are quality relevant. 21 CFR Part 11 mandates additional requirements for specifically identified quality relevant records.
[Audio] When is Part 11 not applicable?
The 21 CFR Part 11 requirements do not apply for:
- IT applications which do not store regulated records for further use. However, those IT applications shall be validated as Q-relevant.
- Paper records sent and received by fax or transmitted by electronic means.
- Any regulatory activities required by predicate rules or by a manufacturer's quality management system which is based on a paper system only, even if these records are stored electronically.

Martha: It's also important to understand when Part 11 is NOT applicable. The 21 CFR Part 11 requirements do not apply for IT applications which do not store regulated records for further use. However, those IT applications shall be validated as Q-relevant. Paper records sent and received by fax or transmitted by electronic means. Any regulatory activities required by predicate rules, or by a manufacturer's quality management system, which is based on a paper system only, even if these records are stored electronically.
Thomas: QT has defined Part 11 for Siemens Healthineers with 2 key documents.
[Audio] What is defined at Siemens Healthineers level for Part 11?
- GD80 describes common understanding of requirements and how to implement them.
- QR 0 defines mandatory quality management system and process requirements.

Thomas: In addition to the regulation, QT QR (as the governing body in Siemens Healthineers for compliance assurance to statutory requirements for quality management) supports the Business Units and Business Lines by interpreting FDA regulations and predicate rules, and by providing corresponding quality requirements (QRs) and guidance documents (GDs), so that IT and the business can implement controls through their QMS to assure their specific compliance. QR 0 defines mandatory quality management system and process requirements. GD80 describes common understanding of requirements and how to implement them. Let's get more details about these documents.
[Audio] QR 0 – Requirements of Part 11: What does Part 11 Require?
The Siemens Healthineers units shall implement the following requirements in their QMS:
- Each Organizational Unit which is using electronic records and/or electronic signatures for quality related documentation shall document in its quality management system how the requirements of 21 CFR Part 11 are fulfilled, and compliance is maintained.
  IT implementation: ITSM processes and Compliance Companion Tool
- Each unit shall appoint a 21 CFR Part 11 officer, responsible for compliance and ensuring compliance for purchase or development of IT Systems for internal use.
  IT implementation: ITSM List of SHS IT Internal Contacts
- Each employee is in the same way as for paper records responsible for the correctness of electronic records and electronic signatures.
  IT implementation: IT PD 15 A01 – Documented Information Control
- Each employee shall be trained about his/her responsibility regarding the correctness of electronic records and electronic signatures.
  IT implementation: Training IT PD 15 A01 – Documented Information Control and this FDA 21 CFR Part 11 Training

Thomas: QR 0 provides the requirements of Part 11 for all of Healthineers. The Siemens Healthineers units shall implement the following requirements in their QMS: Each Organizational Unit which is using electronic records and/or electronic signatures for quality related documentation shall document in its quality management system how the requirements of 21 CFR Part 11 are fulfilled, and compliance is maintained.
Sonja: These requirements have been implemented by IT within ITSM processes and the Compliance Companion.
Thomas: Each unit shall appoint a 21 CFR Part 11 officer, responsible for compliance and ensuring compliance for purchase or development of IT Systems for internal use.
Sonja: This is implemented by IT within the ITSM List of SHS IT Internal Contacts.
Thomas: Each employee is in the same way as for paper records responsible for the correctness of electronic records and electronic signatures.
Sonja: This is implemented by IT within IT PD 15 A01 – Documented Information Control.
Thomas: Each employee shall be trained about his or her responsibility regarding the correctness of electronic records and electronic signatures.
Sonja: This is implemented by IT within Training IT PD 15 A01 – Documented Information Control and this FDA 21 CFR Part 11 Training for IT.
[Audio] QR 0 – Requirements of Part 11 for Administrators
Administrators shall not:
- Create/change/modify/delete electronic records/audit trails/signatures/signature manifestations in the name of others;
- Inspect nor demand passwords or cryptographic keys or give anyone else access; and
- Influence the signature record linking (for electronic as well as for handwritten signatures).
Administrators shall be trained regarding their special responsibilities.
  IT implementation: FDA 21 CFR Part 11 Training

Thomas: QR 0 also provides the requirements of Part 11 for system Administrators. Administrators shall not: Create, change, modify, delete electronic records, audit trails, signatures, signature manifestations in the name of others; Inspect nor demand passwords or cryptographic keys or give anyone else access; and Influence the signature record linking (for electronic as well as for handwritten signatures). Administrators shall be trained regarding their special responsibilities.
Sonja: These requirements are implemented by IT with this training. Thomas, please tell us more about GD80.
[Audio] GD 80 – Implementation of Part 11 Requirements: Which Records are In Scope?
Examples of the in-scope electronic records for the design, manufacturing, packaging, labeling, storage, installation and servicing of medical devices include:
- Device History File (DHF), also called Engineering History Record (EHR): design and engineering records, e.g., specifications, test results
- Device Master Record (DMR): requirements on which production is based, e.g., drawings
- Device History Record (DHR): records of history and maintenance of every single product, e.g., test results, serial numbers
- Quality System Record (QSR): e.g., Q-procedures, process descriptions, data of the CAPA-process

Thomas: GD 80 describes the Implementation of Part 11 Requirements for Affected IT Systems and Records. Examples of the in-scope electronic records for the design, manufacturing, packaging, labeling, storage, installation and servicing of medical devices include things like: A Device History File (DHF), also called Engineering History Record (EHR): design and engineering records, for example, specifications, test results. A Device Master Record (DMR): requirements on which production is based, for example, drawings. A Device History Record (DHR): records of history and maintenance of every single product, for example, test results, serial numbers. And a Quality System Record (QSR): for example, Q-procedures, process descriptions, data of the CAPA-process. Sonja, can you please give us a scenario for IT to consider?
[Audio] Relevant Records and Signatures: A Scenario for IT to Consider
A Siemens Healthineers medical device injures a patient directly or performs in a sub-standard way injuring a patient indirectly. IT did not manufacture the device or develop the software that is part of the medical device, however, any pending investigation can include records from IT services/applications which must be protected:
- How was the device manufactured?
- Were the suppliers of any device components managed appropriately?
- Were marketing materials for the device accurate to avoid misuse?
- Was the device installed correctly?
- Were installation personnel trained to do their jobs?
- Were there any complaints registered with respect to the device?
- Was the device serviced in an adequate manner?
- Were service personnel trained to do their jobs?

Sonja: Sure! Imagine if a Siemens Healthineers medical device injures a patient directly, or performs in a sub-standard way, injuring a patient indirectly. IT did not manufacture the device or develop the software that is part of the medical device. However, any pending investigation can include records from IT services or applications which must be protected. Those records provide evidence to support the answer to the following questions. How was the device manufactured? Were the suppliers of any device components managed appropriately? Were marketing materials for the device accurate to avoid misuse? Was the device installed correctly? Were installation personnel trained to do their jobs? Were there any complaints registered with respect to the device? Was the device serviced in an adequate manner? Were service personnel trained to do their jobs? Part 11 is organized to define what records need to be protected and how.
[Audio] Part 11 Subparts and Sections: What Does Part 11 Require?
Part 11 requirements are organized by subparts with sections.
- Subpart A – General Provisions
- Subpart B – Electronic Records
- Subpart C – Electronic Signatures
GD 80 provides the Healthineers interpretation for the requirements.

Martha: Part 11 requirements are organized by the FDA using subparts with sections: Subpart A defines General Provisions for Part 11 scope, implementation and definitions. Subpart B focuses on Electronic Records, with respect to controls for closed and open systems, signature manifestations and linking. Subpart C focuses on Electronic Signatures. More detailed descriptions of each subpart and section can be referenced in the Appendix of these training materials.
Thomas: GD 80 provides the Healthineers interpretation for the requirements. It's also important to know the FDA Part 11 structure so you can use it as a reference in case of questions. When in doubt – the FDA regulation is always the binding rule.
[Audio] How does IT Determine Part 11 Relevance? Completing the Q-Aspect of Compliance Companion Pre-Assessment
There is a specific Q aspect in the Compliance Companion to support determining and tracking of:
- Quality relevance
- Part 11 relevance
- Possible Q-Relevant suppliers
- Person safety hazards
- Device quality risk
- Other predicate rules
- Other regulations

Sonja: To support IT in determining Part 11 relevance the Q aspect has been added to the ITCCS tool. IT Compliance Coordination Service (ITCCS) is a centralized, coordinated service to support fulfillment of Siemens Healthineers compliance topics. There is a specific Q aspect in the tool to support determining and tracking of: quality relevance, Part 11 relevance, possible Q-Relevant suppliers, person safety hazards, device quality risk, other predicate rules, and other regulations.
[Audio] Completing the Q-Aspect of Compliance Companion Pre-Assessment: Facilitating a Working Session
The business and IT should work together to complete the Q-Aspect in a facilitated session. Session should be scheduled by IT Application Manager or Project Manager and have a set agenda.

Agenda: Introductions; Roles/responsibilities; Objectives; Rationale; Session details; Next steps

[Figure: pie charts labelled AM, QM, PM (25%) and BL, BL Q (75%)]

Support Roles (IT):
1. IT Application Manager: Creates Compliance Companion entry; Updates CMDB; Incorporates resulting requirements into application; Updates quality documents as needed
2. IT Quality Manager*: Facilitates discussion; Helps walk through the tool; Uses references from QT/FDA; Checks that requirements are included, identifiable, traceable
3. Project Manager (optional, as needed): Ensures requirements are included, identifiable, traceable

Decision Makers (Business):
4. Business Representative*: Provides responses to questions; Provides necessary records and signatures for 820 subparts; Provides additional predicate rules, regulations, corresponding requirements and records; Determines potential quality relevant suppliers; Decision maker
5. Business Quality Representative* (optional, as needed): Supports responses by business representative; Supports decision making by business representative

* Supported by Part 11 Officer from respective area as needed.

Sonja: It is recommended to have a facilitated working session for the Q aspect. Facilitation of the working session includes review of each participant role, the meeting objectives and rationale, tool responses, follow up items and next steps. Let's take a look at who participates and how: the IT application manager, the IT quality manager, and the project manager. These three facilitate and participate in the working session. The business participants, including quality representation as appropriate, must provide the necessary information and decisions regarding the answer to each specific question. Additional details regarding the Q aspect are in the Appendix of this training.
[Audio] Completing the Q-Aspect of Compliance Companion: Direct Access to Regulations and Information
During the session it is important to review each page and each question carefully within the tool. Just-in-time references are included in the tool to support the topics if determining the answer requires deeper discussion:
- Subparts
- Definitions
- Examples
- Disclaimer
Question 18 is a critical question, because if the application does NOT store regulated records, Part 11 does not apply, but the application will still be Q-Relevant and require validation.

Sonja: During the session it is important to review each screen and question carefully in the Q aspect, so the correct corresponding requirements can be provided. Just-in-time reference links are included in the tool to support the topics if determining the answer requires deeper discussion: Subparts. Definitions. Examples. Disclaimer. Please note this important point. Question 18 is a critical question, because if the application does NOT store regulated records, Part 11 does not apply, but the application will still be Q-Relevant.
[Audio] Completing the Q-Aspect of Compliance Companion Pre-Assessment: Requirement Sets
Based on the answers to the questions, Part 11 Requirement Sets needed for the IT application will be provided by the tool. Possible sets are:
- Closed System Electronic Records (ELREC)
- Open System Electronic Records (ELREC)
- Electronic Signatures (ELSIG)
- Hybrid System Electronic Signatures (ELSIG)
The tool Requirement Set(s):
- Help establish a core set of quality relevant and Part 11 requirements
- Include support on the Instructions tab
- Must be included in and managed as part of the application requirements
- Should be easily identifiable and retrievable in the event of audit
As the application changes over time, it is important to evaluate each change and determine if the change impacts any of the Q-Aspect answers. If so, a Compliance Companion entry should be created for the release.

Sonja: Based on the answers to the questions, Part 11 Requirement Sets needed for the IT application will be provided by the tool. Possible sets are: Closed System Electronic Records, Open System Electronic Records, Electronic Signatures, Hybrid System Electronic Signatures. What should you know about the Requirement Set(s)? They help establish a core set of quality relevant and Part 11 requirements. They include support on the Instructions tab. They must be included in and managed as part of the application requirements. They should be easily identifiable and retrievable in the event of audit (for example, by requirement keys/IDs, documentation section, tool tags/extraction criteria). As the application changes over time, it is important to evaluate each change and determine if the change impacts any of the Q-Aspect answers. If so, a new ITCCS tool entry should be created for the release. On the ITCCS website, there is additional information to support the evaluation of application changes.
[Audio] Who is responsible for Part 11 compliance?
Healthineers Employees:
- Ensure correctness of electronic records and electronic signatures as defined by QR 0
- Assure and maintain the validity of the referenced information
IT Employee:
- Follow ITSM processes (QMS is embedded therein)
- Safeguard IT applications for Part 11 when applicable as per IT PD 15 A01 Documented Information Control
- Protect electronic records and signatures as defined by the BLs and assure compliance

Thomas: In closing it is important to re-emphasize who is responsible for Part 11 compliance. In the same way as for paper records and handwritten signatures, each Siemens Healthineers employee is responsible for the correctness of electronic records and electronic signatures as defined by QR 0. The individual responsible for the record is also responsible to assure and maintain the validity of the referenced information. Any employee found guilty of a falsification could be also subject to company disciplinary consequences. IT (as primary supplier of non-product software for the business) has embedded its QMS within ITSM – where processes are defined and must be followed to safeguard IT applications for Part 11 when applicable. In IT this is regulated with the Process Description IT PD 15 A01, Documented Information Control. So, in addition to the Siemens Healthineers employee obligation, IT employees must be aware of FDA 21 CFR Part 11 in order to adequately protect electronic records and signatures as defined by the business and assure compliance.
[Audio] Conclusion
This training has explained:
- WHY training is necessary for IT
- WHAT FDA 21 CFR Part 11 is
- HOW Part 11 applies to IT
- WHY Part 11 is important
- WHEN Part 11 is applicable
- WHEN Part 11 is not applicable
- WHAT is defined for Siemens Healthineers
- WHICH records are in scope of Part 11
- WHAT Part 11 requires
- HOW to determine Part 11 relevance in IT
- WHO is responsible for Part 11 compliance

Thomas: This concludes the FDA 21 CFR Part 11 Training for IT.
[Audio] Thank you for your attention!

Sonja: Please refer to the appendix of these materials for additional information. From Martha, Thomas and myself, thank you for your attention! For further support, please use the Part 11 Officer contact list in the appendix of these materials.
[Audio] Additional Information
References:
- FDA 21 CFR Part 11 Electronic Records; Electronic Signatures
- FDA 21 CFR Part 820 Quality System Regulation
- SHS QR 0 - 21 CFR Part 11 Electronic Records; Electronic Signatures
- SHS GD 80 - Interpretation of 21 CFR Part 11
- SHS QIA 4 - Quality Interface Agreement - IT Services
- List of SHS IT Internal Contacts
- ITSM Service Management Portal
- SHS IT PD 15 A01 Documented Information Control
FDA Guidance:
- FDA Guidance for Industry: Part 11, Electronic Records; Electronic Signatures — Scope and Application
- FDA General Principles of Software Validation; Final Guidance for Industry and FDA Staff

For additional information, please use the following references and guidance available from FDA, QT, and IT. Questions and support requests for Part 11 within IT should be directed to your quality manager or quality department. The remaining slides provide a glossary of terms used within this training.
[Audio] Back up: Definitions (1 of 2)
- Audit Trail: The independent recording of the date and time of operator entries and actions that create, modify, or delete electronic records. Read access only is not to be recorded. The recording must be computer generated and secure. [QR 0]
- Authenticity: The true origin (individual or IT system) of the electronic record is known. [GD80]
- Closed System: An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. [FDA 21 CFR Part 11, Sec. 11.3]
- Digital signature: An electronic signature based on cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified. [FDA 21 CFR Part 11, Sec. 11.3]
- Electronic record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. [FDA 21 CFR Part 11, Sec. 11.3]
- Electronic signature: A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. [FDA 21 CFR Part 11, Sec. 11.3]
- Integrity: Content and representation of a record is complete, nothing was added or changed. Integrity does not imply that the content of the record is correct or reliable. [GD80]
- Intended Use: A summary description of what the service or application does. For SHS IT, the intended use also covers who uses it, and where the users are located. [IT Application Management Process]
[Audio] Back up: Definitions (2 of 2)
- Non-Product Software (NPSW): Any software used in the production of a medical device, e.g., software used to automate design, testing, component acceptance, manufacturing, labeling, packaging, distribution, and complaint handling, or any software used in the implementation of the QMS, e.g., software used to automate aspects of the quality management system, such as create, modify, maintain, archive, retrieve or transmit documents or records in electronic form, or software used to perform security tests, e.g., Security Vulnerability Scanning, or software that automates processes regulated by medical regulations. Not in scope: software used as a component or part of a medical device, or software that is itself a medical device. [ITSM Glossary]
- Open System: An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. [FDA 21 CFR Part 11, Sec. 11.3]
- Predicate Rule: Requirements set forth in the Federal Food, Drug and Cosmetic Act, the PHS Act, or any FDA regulation, with the exception of Part 11. Most predicate rules are contained in Title 21 of the Code of Federal Regulations. [GD80]
- Quality-Relevant Documents: Documents on which activities are based, that are required by medical device regulations, or that provide proof about the compliancy to such regulations, including those documents that are mandatory by the respective Quality Management System for evidence of compliancy. [GD28]
- Regulatory Action: Any action required by the predicate rules or by the valid quality system. [GD80]
[Audio] Back up: Subpart A – General Provisions
Subpart A includes information regarding:
- 11.1 Scope of the regulation
- 11.2 Implementation of the regulation
- 11.3 Definitions specific to the regulation
These components are incorporated throughout this training and the corresponding guidance from FDA, SHS QT and SHS IT – we only mention them here as a future reference for you.
[Audio] Back up: Subpart B – Electronic Records (1 of 3)
11.10 Controls for closed systems. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
- Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
- The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
- Protection of records to enable their accurate and ready retrieval throughout the records retention period.
- Limiting system access to authorized individuals.
- Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Subpart B has 4 main components for Electronic Records. The first is Part 11.10 Controls for closed systems: A closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. Most IT systems in SHS IT are closed systems, as we control system access.
[Audio] Back up: Subpart B – Electronic Records (2 of 3)
- Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
- Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
- Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
- Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
- The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
- Use of appropriate controls over systems documentation including:
  - Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
  - Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
[Audio] Back up: Subpart B – Electronic Records (3 of 3)
11.30 Controls for open systems. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
11.50 Signature manifestation. Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
- The printed name of the signer;
- The date and time when the signature was executed; and
- The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
11.70 Signature/record linking. Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Note: SHS internally may experience electronic records where signatures are captured on paper – this is known as a “hybrid” system.
The second component of Subpart B is Part 11.30 Controls for open systems. An open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
The objectives for an open system are the same as for a closed system. However – because the system is open, additional and special considerations must be applied. The third component for Subpart B is Part 11.50 Signature manifestations. The last component is Part 11.70 regarding signature/record linking.
[Audio] Back up: Subpart C – Electronic Signatures (1 of 3)
11.100 General requirements.
- Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
- Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
- Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
  - The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
  - Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
Subpart C has 3 main components for Electronic Signature. Part 11.100 provides the General requirements.
[Audio] Back up: Subpart C – Electronic Signatures (2 of 3)
11.200 Electronic signature components and controls. Electronic signatures that are not based upon biometrics shall:
- Employ at least two distinct identification components such as an identification code and password.
  - When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
  - When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
- Be used only by their genuine owners; and
- Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Part 11.200 provides the requirements for Electronic signature components and controls.
[Audio] Back up: Subpart C – Electronic Signatures (3 of 3)
11.300 Controls for identification codes/passwords. Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
- Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
- Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
- Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
- Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
- Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Part 11.300 provides the Controls for identification codes/passwords.
While the subparts and sections contain detailed information – SHS IT has implemented a way to support you in determining Part 11 relevance and its corresponding requirements for an IT application.
[Audio] Back up: Decision Tree for Regulatory and Part 11 Relevance
[Figure: decision tree leading to the Part 11 Requirement Set(s)]
3) A predicate rule is any FDA regulation that requires companies to maintain certain records and submit information to the FDA as part of compliance.
4) Regulatory action means any action required by the predicate rules or by the valid quality system.
[Audio] Back up: Compliance Companion Tool
Compliance Companion is a centralized, coordinated service to support the business, project managers, change managers, and application managers regarding SHS compliance topics. The Compliance Companion tool must be used for IT managed applications to assess relevance of these compliance topics. Additional Compliance Companion Tool Training with the ITSM_Compliance Companion User Guide is available in Learn4U. The Siemens Healthineers business must provide IT with the information/requirements (per QIA4) to determine compliance topic relevancy.
[Audio] Back up: Q-Aspect Detailed Workflow
[Figure: flowchart of the Q-Rel / FDA Part 11 aspect workflow, from creating or updating the ITCCS entry and opening the QRel/FDA Part 11 aspect through release of the aspect and the emailed .pdf report. Key: N = aspect not applicable (BL user or IT RAC/P11 no change); Y = aspect is applicable (IT user / ITSM user). Legend: Applicable Requirement Set; Possible Requirement Set; Auto-email to IT SQM team; Coming in next version.]
TOOL BENEFITS:
- Streamlines the decision-making process using a structured approach
- Provides all references at point of use
- Provides relevant requirement sets that can more easily be included in requirements specification
- Increases guidance for implementation and evidence
- More easily connects applications, with potential quality relevant suppliers
[Audio] FDA 21 CFR Part 11 Regulation Training IT Electronic Records; Electronic Signatures 21 CFR Part 11 Officer Siemens Healthineers IT Version 05 | March 2024