21 CFR Part 11 Compliance: Procedural Controls

Last revised: 09/29/2016

Procedural controls establish a framework for validating and maintaining the computer system and for ensuring that users understand how to use the system. Procedural controls usually take the form of standard operating procedures (SOPs) and user manuals.

Common SOP Topics:

  • SOP Development and Maintenance
  • Organization, Personnel, and Training
  • Records Management
  • Computer System Development and Maintenance
  • Computer System Verification and Validation
  • Change Control
  • Data Center Security
  • User Account Management
  • Software Installation
  • Back-up and Recovery
  • Operational Use SOPs (as determined)

The number, format, and organization of your procedures and manuals are up to you, but the information contained in them must address the validation concepts found in FDA regulations and guidance documents, taking into consideration the type of system you are creating and maintaining. Here are some tips to minimize upkeep:

  • Keep the scope focused and relevant to the audience and the work being performed.
  • Be as simple and brief as possible.
  • Promote clarity in objectives, responsibilities, and tasks.
  • Be detailed enough that people know what to do and how to do it, but not so detailed that you box people in.
  • Stick with a single format, use dates for versions, provide a document history, and require signature approval from designated reviewers.

Key Concepts for Procedural Controls

Vendor/Supplier management
Any computer equipment, instrumentation, and software that you buy needs to come from a reputable vendor and needs to be documented and tested for the environment in which it will be used.

System Lifecycle
A System Lifecycle is a defined set of expectations, activities, and deliverables that promotes a controlled, well-thought-out system through the life of the research project and reduces the risk of errors. How you go about building, assembling, and maintaining your system is an important part of validation. Activities to incorporate in your lifecycle are:

  • Identifying and involving knowledgeable, qualified stakeholders to define, test, and document the system
  • Assessing and addressing risks to the computer system
  • Grouping and prioritizing tasks and completing them in a controlled and orderly manner
  • Describing requirements for the system and maintaining traceability from that starting point through to implementation
  • Verifying individual parts, and the system as a whole, using a combination of reviews, testing, and audits
  • Tracking, evaluating, prioritizing, and fixing defects
  • Identifying and controlling system components and associated documentation
  • Using change control to manage changes to system components and associated documentation
  • Creating and maintaining documentation of the computer system and development and maintenance activities through the life of the system

Procedures and training
A user who has been trained to operate computer software is less likely to make errors that affect data or cause injury. Operating procedures and user manuals direct user behavior within specific operational parameters dictated by your system. Procedures need to address user accountability and responsibility for actions taken while using the computer system and, if applicable, when and why electronic signatures are applied. Training for each individual must be documented. A training certificate works well for this purpose.

Electronic signatures
There are several activities that must take place when you use electronic signatures. You must: 1) notify the FDA in writing* that you are using electronic signatures; 2) verify the identity of individuals who will be using an electronic signature; 3) manage and monitor issuance of electronic signature identifying components; 4) identify loss management and reporting processes for security incidents; and 5) put in place mechanisms for periodic testing of devices that generate electronic signature identifying components. Incorporate these concepts into your SOPs. If your project is funded in whole or in part by NIH, you must keep NIH informed of your communications with the FDA.

Documentation management
All the procedures, manuals, technical documents, protocols, and training certificates that you produce as a result of validation must have their own procedural controls for distribution, access, and change control.