FDA 21 CFR Part 11 is the holy grail for electronic document authenticity and validity in the life sciences industry. It is part of the Code of Federal Regulations set forth by the United States Food and Drug Administration (FDA) and lays the foundation for paperless systems. It is a set of guidelines for organizations to implement good practices by defining the conditions under which electronic records and signatures are considered to be genuine, accurate and equivalent to paper records and handwritten signatures. FDA 21 CFR Part 11 essentially allows any paper record to be replaced by an electronic record, and allows any handwritten signature to be replaced by an electronic one.
With the explosive growth of computer systems in the life sciences industry and automation playing an increasing role in development, the need for securing electronic records is more crucial than ever. 21 CFR Part 11 works with predicate rules (requirements set forth by any FDA regulation) that require companies to maintain records as part of their compliance.
How do you become FDA 21 CFR Part 11 Compliant?
To be fully compliant with 21 CFR Part 11, your entire team needs to understand how to treat documents and signatures. The following is a checklist to identify current areas of risk and adhere to key components of compliance.
Sub-part A: General provisions
This sub-part covers the scope of compliance with 21 CFR Part 11 and the relevant definitions. It gives general information about the qualification criteria under which the FDA accepts documents submitted in electronic form. It also covers the documents that cannot be submitted to the FDA in electronic form, the criteria that supersede Part 11 in order to meet other agency regulations, and the criteria for documents that need to be maintained but not submitted to the FDA. Electronic records can be used in place of paper records, and electronic signatures can be used in lieu of traditional ink signatures, in whole or in part, provided the following requirements are met:
Records in electronic form are created, modified, maintained, archived, retrieved, or transmitted according to the requirements set forth by Sub-part B of 21 CFR Part 11.
Electronic records are created on or after August 20, 1997.
Electronic signatures are equivalent to handwritten signatures according to the requirements set forth by Sub-part C of 21 CFR Part 11.
Computer systems (including hardware and software), controls, and attendant documentation are readily available for FDA inspection if necessary.
Sub-part B: Electronic records
This section deals with guidelines for the implementation of closed and open electronic record-keeping systems. Closed systems are those in which access is controlled by the individuals responsible for content generation. Open systems are those in which access is controlled by a third party and not by the individuals responsible for content generation. At a high level, this involves maintaining an audit trail, keeping and archiving copies of electronic records, and making them traceable and accessible to regulators. Successful implementation of the following requirements ensures compliance with Sub-part B of 21 CFR Part 11:
Procedures and controls to ensure the authenticity, integrity, and confidentiality of electronic records in closed and open systems. Integrity and accuracy of the records can be ensured by validating the source of data input, and by rejecting the invalid and incomplete data.
Limiting access to the system to authorized individuals only. This can be achieved by performing authentication checks and authorization checks to ensure that only authorized individuals can use the appropriate features of the system, electronically sign a record or alter a record.
Accurate and complete generation of copies of records by the system, in both human-readable and electronic form, for inspection, review, and copying by the FDA.
Protection, retention and ready retrievability of electronic records throughout the record retention period.
Audit trail that captures and stores the date and time of entries and of actions that create, modify, or delete electronic records. Ensure the audit trail includes the User ID and the original and new values of altered / new records as appropriate. Also ensure that the audit trail does not overwrite log files throughout the retention period.
Establishment and adherence to an official policy to prevent signature falsification.
Maintenance of documentation (system operation and maintenance related documents) using a version control system.
Enforcement of the permitted sequence of steps and events as appropriate. This can be done by implementing a proper workflow.
Providing appropriate training to individuals responsible for developing and maintaining the electronic records.
Protection of electronic records and signatures during transit (Applicable for ‘Open’ systems). This can be achieved by encrypting the data and by using digital signatures/certificates.
Signed electronic records contain the printed name of the signer, the date and time of signature and the meaning of the signature (such as approval, review, etc.).
Binding of electronic signatures to their respective electronic records to protect against falsification.
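The audit trail and signature-binding requirements above can be made concrete with a short sketch. This is an added example, not code from the original article or from any FDA material: hash chaining and an HMAC tag are one possible way to get a non-overwritable trail and a record-bound signature, and all names (AuditTrail, sign_record, the field names, the demo key) are hypothetical.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry

def _canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def _now():
    return datetime.now(timezone.utc).isoformat()

class AuditTrail:
    """Append-only trail; each entry stores the hash of the one before it."""
    def __init__(self):
        self._entries = []

    def append(self, user_id, action, record_id, old, new):
        if action not in ("create", "modify", "delete"):
            raise ValueError("unknown action: " + action)
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"ts": _now(), "user_id": user_id, "action": action,
                "record_id": record_id, "old": old, "new": new, "prev": prev}
        entry = dict(body, hash=hashlib.sha256(_canon(body)).hexdigest())
        self._entries.append(entry)
        return entry

    def entries(self):
        return [dict(e) for e in self._entries]  # shallow copies for review

def verify_chain(entries):
    """False if an entry was altered, reordered or cut out before a later one."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True

def sign_record(record, printed_name, meaning, key):
    """Manifest with signer name, time and meaning, bound to the record hash."""
    manifest = {"printed_name": printed_name, "meaning": meaning, "signed_at": _now(),
                "record_sha256": hashlib.sha256(_canon(record)).hexdigest()}
    return dict(manifest, tag=hmac.new(key, _canon(manifest), hashlib.sha256).hexdigest())

def verify_signature(record, sig, key):
    manifest = {k: v for k, v in sig.items() if k != "tag"}
    good_tag = hmac.compare_digest(
        hmac.new(key, _canon(manifest), hashlib.sha256).hexdigest(), sig["tag"])
    return good_tag and manifest["record_sha256"] == hashlib.sha256(_canon(record)).hexdigest()
```

The chain check does not notice removal of the newest entries, so a real system would also store the latest hash somewhere the application cannot rewrite.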
Sub-part C: Electronic Signatures
Another crucial aspect of adhering to 21 CFR Part 11 is the secure use of electronic signatures. This necessitates limiting system access and knowing which users are accessing the database. Successful implementation of the following requirements ensures compliance with Sub-part C of 21 CFR Part 11:
Electronic signature is unique to an individual, never reused or reassigned to another user.
Procedures and controls to verify the identity of an individual prior to allocating an electronic signature.
Ensuring that a non-biometric electronic signature is made up of at least two components, for instance, an identification code and a password.
Ensuring biometric electronic signatures can be used only by their genuine owner.
The password is requested for each signing when electronic signatures are used several times during a session. When electronic signatures are used in separate sessions, both components of the electronic signature are required for each signing.
Attempted falsification of an electronic signature would require the collusion of at least two individuals. This can be enforced by ensuring that, in a live system, database access is restricted to the admin user only.
System maintains the uniqueness of each identification code and password combination, such that no two individuals have the same combination of identification code and password.
Ensuring periodic expiry and revision of passwords. This can be done by ensuring that passwords automatically expire after a certain number of days and that the same password cannot be used again when a change-password operation is performed.
Recall of identification codes and passwords in cases where an individual leaves the organization or is transferred to another location.
Electronic disabling of an identification code or password if it is potentially lost or compromised.
System can detect and report attempts at unauthorized use.
Established procedures for loss management to combat cases where a device is lost or stolen.
Procedures and controls exist for the issuance of temporary and permanent replacements of electronic signatures.
Initial and periodic testing of systems or devices that issue / generate identification codes to ensure they function properly.
FDA 21 CFR Part 11 has a range of features that are required when implementing a computer system to manage electronic records and processes. Prominent among these are electronic signatures, audit trails, security and data integrity. There are also Standard Operating Procedures (SOPs) to govern and describe how these features are enforced. Additionally, there must be controls that allow users to identify when the system does not function as per its intended use. Compliance with FDA 21 CFR Part 11 helps the life science community to streamline business processes and reduce turnaround time, human errors and costs.