Data Integrity & 21 CFR Part 11 Compliance Requirements

21 CFR Part 11 is a section in the Code of Federal Regulations (CFR) that sets forth the United States Food and Drug Administration’s (FDA) guidelines on using electronic records (ER) and electronic signatures (ES).

Each title of the CFR addresses a different regulated area: 21 CFR relates to Pharmaceuticals and Medical Devices. Part 11 is applicable to ER/ES.

Definitions:

Electronic Record: Any combination of text, graphics, data, audio, or pictorial information represented in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer.

Electronic Signature: A compilation of any symbol(s) executed to be the legally binding equivalent of an individual’s handwritten signature.

Handwritten Signature: The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form.

Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Part 11 is a law that ensures that organizations define the criteria under which electronic records and signatures are considered to be accurate, secure, authentic, trustworthy, reliable, confidential, and equivalent to paper records and handwritten signatures on paper.

FDA Guidance for Electronic Records/Signatures (ER/ES)


The guidance was prepared by FDA with assistance from industry representatives; the goal was to protect public safety in a cost-effective manner.


The FDA regulation went into effect on August 20, 1997. It defines criteria required by FDA to ensure that electronic records and electronic signatures are trustworthy and reliable, and the electronic signatures are the equivalent of handwritten signatures.

Since 2000, FDA has stated that, in addition to the released criteria, it would consider electronic records to carry the same compliance requirements as paper records, and electronic signatures as equivalent to traditional wet-ink handwritten signatures. FDA has released a number of guidance papers to clarify the rule and how it should be interpreted.

Rule Details : 21 CFR Part 11 Compliance

  • It applies to the use of any computer system supporting processes within FDA’s scope of responsibility, or “predicate rules” (e.g., research/development, manufacturing, lab testing, clinical trials, and others)
  • The regulation applies to any record that is electronically created, modified, maintained, archived, retrieved or transmitted that is under FDA requirements for records
  • The regulation typically applies to the pharmaceutical, biotechnology, medical device industries, and more recently, to the tobacco and related industries.
  • Keynote speeches by FDA insiders early in the 21st century, and high-profile audit findings focusing on computer system compliance, caused companies to mount a defense against rule enforcement they were unprepared for procedurally and technologically.
  • Complaints about wasting critical resources, non-value-added aspects, and confusion within industry about the true scope and enforcement aspects resulted in the “Scope and Application” Guidance released by FDA in 2003.
  • The “Scope and Application” document was intended to clarify how Part 11:
    • should be implemented, and
    • would be enforced
  • It was not intended to convey the full force of law, but to express the FDA’s “current thinking” on Part 11 compliance.
  • Many within industry complained that some areas of the 2003 guidance contradicted requirements in the 1997 Final Rule.
  • In 2007, FDA issued a guidance document for computers used in clinical investigations that supplemented the 2003 guidance; this was part of the international harmonization program.
  • In 2010, FDA began conducting inspections to evaluate industry’s ER/ES application, understanding and compliance.
  • As technology continues to change, 21 CFR Part 11 must also be revisited, reviewed, and updated accordingly.

 


21 CFR Part 11 Compliance : Features of Your System

  • A range of features must be in place to manage electronic records and processes.
  • This is one of several key areas of compliance that must be in place to pass FDA muster.
  • Better control over documentation regulated by FDA
  • Typical workflow software ensures all signatures are acquired and valid.
  • Ability to reduce inventory and associated cost.
  • Increased customer satisfaction.
  • The use of ER/ES capability will also deliver some downsides:
      • The use of all process workflows associated with the ER/ES capability must be adhered to without fail
      • The use of printers in the same functional area where ER/ES capability exists must be evaluated before assuming you can go “paperless”
  • There must be assurances for:
    • Audit trail functionality
    • Identity management and assigned roles
    • Segregation of duties
    • Security
    • What is an Audit Trail:

        • Know which user did what action and when
        • Know when records are created, modified, deactivated, or changed (NEVER delete data or records)
        • Record all events with the exact username, date and time
        • Know when users log in and be aware of any lock-outs
        • Part 11 is intended to support fraud detection and to show when changes have been made
        • The audit trail allows the FDA to review your system and be provided proof of everything that has happened 
        • More specifically:
          • Keep track of creations/modifications/deletions electronically
          • Maintain all entered data, and do not obscure original data when changes are made, as original data is raw data
          • Automatically record identity of individual who made change
          • Require the user to record the reason for the change, reentering the password before entry
          • Prevent users from modifying or deleting an audit trail
          • NEVER DELETE; only DEACTIVATE, and only IF there is an audit trail indicating when this occurred, who did it, and why it was done
      • Synchronize the system date and time to an international standard (Meridian time)
      • Prevent users from being able to change the date or time.
      • Document all date and time changes (except daylight saving time).
      • Include the time zone, year, month, day, hour, and minute in the date and time stamp
    • Identity Management and Assigned Roles:

      • These identify who reviewed and/or approved any information
      • There are multiple ways to comply:
        • Biometric, e.g. fingerprint or retinal scan
        • Digital signatures
        • Scanning
        • Handwriting capture in software
        • Electronic signatures
        • The signature:
          • must convey the intent, not just the name, date and time
          • should be permanently locked and never edited
          • you must notify FDA that you are using electronic signatures.
    • Segregation of Duties:

      • Users must have clearly defined and separate roles in their actions 
      • Review and approval should be done by someone independent of the user creating and/or modifying data
      • The audit trail should identify the unique set of user credentials being used to take any action
    • Security:

        • Restrict access to systems and data by external software applications by encrypting data as it is transferred and/or using a firewall
        • Maintain a cumulative record with names of authorized personnel, titles, and description of access
        • Prevent, detect and mitigate effects of viruses and other harmful software code
        • Apply numerous levels of security to ensure authenticity of each user in the system
        • Require users to set a signature password on first log in
        • Require use of an “approval” signature (same or different from login password) to sign off on any document
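
The audit trail and segregation-of-duties points above can be shown together in a short sketch. This is an added example, not code from the original page or from any FDA document; the class and field names are hypothetical, and the SHA-256 hash chain is an assumed technique that makes edits to earlier trail entries detectable rather than preventing them.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditedStore:
    """Records are never deleted; every change appends one audit entry."""
    def __init__(self):
        self.records = {}   # record_id -> {"value", "active", "editors"}
        self.trail = []     # append-only list of audit entries

    def _log(self, user, action, record_id, old, new, reason):
        if not user or not reason:
            raise ValueError("user identity and reason for change are required")
        entry = {"user": user, "action": action, "record_id": record_id,
                 "old": old, "new": new, "reason": reason,
                 "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),  # UTC, offset included
                 "prev": self.trail[-1]["hash"] if self.trail else GENESIS}
        entry["hash"] = _digest(entry)
        self.trail.append(entry)

    def create(self, user, record_id, value, reason):
        self._log(user, "create", record_id, None, value, reason)
        self.records[record_id] = {"value": value, "active": True, "editors": {user}}

    def modify(self, user, record_id, value, reason):
        rec = self.records[record_id]
        self._log(user, "modify", record_id, rec["value"], value, reason)  # original value kept
        rec["value"] = value
        rec["editors"].add(user)

    def deactivate(self, user, record_id, reason):
        self._log(user, "deactivate", record_id, "active", "inactive", reason)
        self.records[record_id]["active"] = False  # record stays in the store

    def approve(self, user, record_id, reason):
        if user in self.records[record_id]["editors"]:
            raise PermissionError("approver must not have created or modified the record")
        self._log(user, "approve", record_id, None, "approved", reason)

    def verify_trail(self):
        # Each entry must point at the previous entry's hash and match its own digest.
        prevs = [GENESIS] + [e["hash"] for e in self.trail]
        return all(e["prev"] == p and e["hash"] == _digest(e)
                   for e, p in zip(self.trail, prevs))
```

In a real system the trail would live in storage that application users cannot write to directly, and the timestamp would come from a clock synchronized as described in the list above.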

Data Integrity:


  • Use prompts, flags, and other help features to encourage consistent use of terminology
  • Specify valid vs. invalid ranges and alert the user with a prompt for data out of range
  • Do not allow the system to automatically enter default data if a required field is by-passed
  • Allow the system to populate a field with data duplicated from another field, but only after analyzing potential consequences
  • Design the system to attribute each data record to each individual subject
  • Be able to reconstruct source documentation for FDA review
  • Be prepared to fully describe to FDA how data was obtained and managed
  • Document what software and hardware are used

Change Control:

  • Maintain data integrity when making changes to the computer system, such as software upgrades, security and performance patches, equipment repairs, etc.
  • Carefully evaluate effects of any changes before and after making them
  • Test and validate changes that exceed previous operational limits, or include new and/or revised functionality
  • Document all computer system changes

Training:

  • Provide training in the operation of the computer system led by qualified individuals as needed
  • Conduct training sessions as needed on a continuing basis in case of changes in personnel and the computer system
  • Provide training for users involved in system validation

Summary :

Part 11 essentially allows any paper records to be replaced by an electronic record, and allows any handwritten signature to be replaced by an electronic signature.

Requirements for record retention and review do NOT differ by data format.

Paper-based and electronic data record-keeping systems are subject to the SAME requirements.

Quality and Compliance built into everyday programs leads to inspection readiness.

Think about how you treat compliance with paper systems before you take any action with ER/ES.
