Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date
and time of operator entries and actions that create, modify, or delete electronic records. Record changes cannot obscure
previously recorded information. Such audit trail documentation should be retained for a period at least as long as that required
for the subject electronic records and also should be available for agency review and copying.
This requirement has been the subject of many questions and discussions, especially regarding which details must be recorded.
For example, what should be recorded when generating a calibration table? Should each typing error be recorded when entering
a compound name, should each line be recorded when the return key is pressed, or should entries only be recorded when the
session is closed? Too many confirmation steps will affect productivity.
Another concern is that, because everything analysts do can be reconstructed, their creativity could be negatively influenced,
especially in the development of new processes.
Secure Electronic Signatures
In order to deter record and signature falsification, written policies holding individuals accountable and responsible for
actions initiated under their electronic signatures are necessary. This requirement necessitates not only the development
of new procedures but also behavioral changes in the use of logon IDs and passwords. The taboo against sharing a password
with a colleague is usually much lower than teaching somebody how to abuse a handwritten signature, but under Part 11 both
have the same consequence.
Digital Signatures In Open Systems
Persons who use open systems to create, modify, maintain, or transmit electronic records must ensure the authenticity, integrity,
and, if necessary, the confidentiality of electronic records from the point of creation to the point of receipt. Such procedures
and controls include those identified for closed systems, as appropriate, and additional measures such as document encryption
and digital signatures.
Implementing digital signatures requires software for document encryption and may also require hardware and software for generating
digital signatures. Typically, computer systems used in analytical laboratories are closed systems, which do not need digital
signatures. However, record encryption and digital signatures are required in open systems, such as when analytical data generated
by a contract laboratory are transmitted to the sponsor over the Internet. Technology and applications for this purpose have
been described elsewhere.5
New Scope Of 21 CFR Part 11
Although Part 11 has been in place for six years now (and enforced for four years), there is still confusion in industry over
how to implement it. 21 CFR Part 11, as well as early draft guidance documents and FDA staff interpretations, does not distinguish
between record types or criticality. Part 11 compliance was requested for all records that passed through any computer, and
FDA could audit any such records at inspections. Under this very broad interpretation, full implementation turned out to be
very expensive and, for some applications, impractical. In some cases, companies decided against the use of new technology
due to the anticipated additional complexity and cost of implementing Part 11. However, this contradicts the original intent
and spirit of the rule, which was issued to enable the use of new technology while protecting and furthering public health.
With the release of a draft guidance on the scope and applications of Part 11 in February 2003,6 FDA initiated a new, narrower approach. This approach became official with the release of the final guidance on September
3, 2003 and FDA's announcement that it would re-examine Part 11 and initiate a new rule-making process. The new approach likely
will be in effect for the next few years.
The new guidance states that Part 11 applies only when the record is required by a predicate rule and when one or both of
the following conditions apply:
- Electronic records are used instead of paper.
- Persons make printouts but still rely on the electronic records to perform regulated activities.
Figure 1 illustrates the process described by FDA's Part 11 experts for deciding where Part 11 applies. Table 1 gives examples
of records subject to Part 11.
Figure 1: Deciding where Part 11 Applies
First, check if the record is required by a predicate rule (or if the record must be submitted to FDA). Next, determine if
the record falls under the new, narrower scope. Is the record maintained in electronic format in place of paper, or is it
maintained as both electronic and paper records, but the electronic record is used to perform regulated activities? Finally,
conduct a risk assessment of the criticality of the Part 11 records and document the result. Part 11 controls are implemented
based on the outcome of this process.