In 1997, FDA issued 21 CFR Part 11, which provides criteria for FDA acceptance of electronic records, electronic signatures,
and handwritten signatures.1 In response to requests from industry, the regulation allows electronic records to be treated as equivalent to paper records
and handwritten signatures. By providing faster and more productive access to documentation and accelerating the approval
process, electronic records are expected to be more cost effective for industry and FDA.
The rule applies to FDA-regulated industry segments that must follow Good Laboratory Practice (GLP), Good Clinical Practice
(GCP), and current Good Manufacturing Practice (cGMP) requirements.
Analytical development and quality control laboratories that regularly use computers for instrument control, data acquisition,
data evaluation, data management, data transfer, and archiving must comply. Part 11 applies whenever computer systems are
used for regulated activities, whether they are used as part of an automated analysis system, as part of a network, or as
stand-alone machines (for example, for spreadsheet applications or word processing).
The primary requirements of Part 11 include:
- use of validated computerized systems
- secure retention of electronic records allowing instant reconstruction of analyses
- user-independent, computer-generated, time-stamped audit trails
- system and data security, data integrity, and confidentiality through system access control
- use of secure electronic signatures
- use of digital signatures for open systems.
This article describes the rule's interpretation and enforcement as of January 2004, but discussions are ongoing. Updates
are important and can be found at FDA's website (www.fda.gov) and at www.labcompliance.com.
All computer systems used to generate, maintain, and archive electronic records must be validated to ensure accuracy, reliability,
consistent independent performance, and the ability to discern invalid or altered records.
Table 1: Records Subject to Part 11
System validation is nothing new for laboratories using computers in a regulated environment. Validating computer systems
has been described thoroughly, and most companies have developed strategies for implementation. System validation applies
to both new and existing systems, and problems can arise with older systems. These require a formal evaluation and statement
of their validation status. If an older system cannot be validated, it should not be used under 21 CFR Part 11. Information
on validating software and computer systems is available from several sources.2,3
Electronic Record Retention
Procedures should be in place to generate accurate and complete copies of records in both human readable and electronic form
suitable for inspection, review, and copying by the agency. Records must be protected to enable their accurate and ready retrieval
throughout the records retention period.
FDA expects that final results be kept together with the original data and the procedures for processing the data (metadata).
The agency wants to be able to trace final results back to the raw data using the same tools the user had when the data were
generated. This is probably one of the most difficult requirements of Part 11, as some records must be kept for ten or more
years, and computer hardware and software have a much shorter lifespan.
A second problem lies in deciding exactly which records should be logged and retained. These decisions can be complex, as
chromatographic analyses. Typically in chromatography data acquisition, preprogrammed methods perform evaluation and printout
automatically. Occasionally the preprogrammed integration method proves inappropriate, and analysts must work with the raw
data and adjust parameters to generate more appropriate measurements of peak integrations. This is a manual iterative process
that is frequently subjective, varying from user to user. Should only the final results with the final acceptable parameters
and chromatogram printouts be archived or should all intermediate data be archived as well?
A third problem is maintaining the availability of records throughout the retention period. The challenge lies not with the
durability of storage devices (such as CD-ROMs) but with the longevity of computer hardware, operating systems, and application
software required to reconstruct the analysis. One approach is to migrate existing data as new systems are adopted.4
Procedures should be in place to limit the access to authorized users. Limited access must be ensured through physical and
logical security mechanisms. Most companies already have similar procedures in place. Typically, users log onto a system with
a user ID and password. However, problems have been reported in analytical laboratories when computer controlled systems collect
data over time and users are unable to monitor the system the entire time. To prevent unauthorized access, a screen saver
with password protection should be activated.
Further details on system security are discussed in a later article.