21 CFR Part 11 - Requirements and New Scope

February 15, 2004
Ludwig Huber

BioPharm International, BioPharm International-02-15-2004, Volume 2004 Supplement, Issue 1
Page Number: 40–45

The FDA rule on electronic signatures and electronic records was issued in 1997, but the details of implementation are still being debated. The 2003 FDA guidance redefines the scope of 21 CFR Part 11. Understanding which records now fall under the scope of the rule can help you begin implementing your compliance plan.

In 1997, FDA issued 21 CFR Part 11, which provides criteria for FDA acceptance of electronic records, electronic signatures, and handwritten signatures.1 In response to requests from industry, the regulation allows electronic records to be treated as equivalent to paper records and handwritten signatures. By providing faster and more productive access to documentation and accelerating the approval process, electronic records are expected to be more cost effective for industry and FDA.

The rule applies to FDA-regulated industry segments that must follow Good Laboratory Practice (GLP), Good Clinical Practice (GCP), and current Good Manufacturing Practice (cGMP) requirements.

Analytical development and quality control laboratories that regularly use computers for instrument control, data acquisition, data evaluation, data management, data transfer, and archiving must comply. Part 11 applies whenever computer systems are used for regulated activities, whether they are used as part of an automated analysis system, as part of a network, or as stand-alone machines (for example, for spreadsheet applications or word processing).

The primary requirements of Part 11 include:

  • use of validated computerized systems
  • secure retention of electronic records allowing instant reconstruction of analyses
  • user-independent, computer-generated, time-stamped audit trails
  • system and data security, data integrity, and confidentiality through system access control
  • use of secure electronic signatures
  • use of digital signatures for open systems.

This article describes the rule's interpretation and enforcement as of January 2004, but discussions are ongoing. Updates are important and can be found at FDA's website (www.fda.gov) and at www.labcompliance.com.

System Validation

Table 1: Records Subject to Part 11All computer systems used to generate, maintain, and archive electronic records must be validated to ensure accuracy, reliability, consistent independent performance, and the ability to discern invalid or altered records.

System validation is nothing new for laboratories using computers in a regulated environment. Validating computer systems has been described thoroughly, and most companies have developed strategies for implementation. System validation applies to both new and existing systems, and problems can arise with older systems. These require a formal evaluation and statement of their validation status. If an older system cannot be validated, it should not be used under 21 CFR Part 11. Information on validating software and computer systems is available from several sources.2,3

Electronic Record Retention

Procedures should be in place to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Records must be protected to enable their accurate and ready retrieval throughout the records retention period.

FDA expects that final results be kept together with the original data and the procedures for processing the data (metadata). The agency wants to be able to trace final results back to the raw data using the same tools the user had when the data were generated. This is probably one of the most difficult requirements of Part 11, as some records must be kept for ten or more years, and computer hardware and software have a much shorter lifespan.

A second problem lies in deciding exactly which records should be logged and retained. These decisions can be complex, as in quantitative chromatographic analyses. Typically in chromatography data acquisition, preprogrammed methods perform evaluation and printout automatically. Occasionally the preprogrammed integration method proves inappropriate, and analysts must work with the raw data and adjust parameters to generate more appropriate measurements of peak integrations. This is a manual iterative process that is frequently subjective, varying from user to user. Should only the final results with the final acceptable parameters and chromatogram printouts be archived or should all intermediate data be archived as well?

A third problem is maintaining the availability of records throughout the retention period. The challenge lies not with the durability of storage devices (such as CD-ROMs) but with the longevity of computer hardware, operating systems, and application software required to reconstruct the analysis. One approach is to migrate existing data as new systems are adopted.4

Limited Access

Procedures should be in place to limit the access to authorized users. Limited access must be ensured through physical and logical security mechanisms. Most companies already have similar procedures in place. Typically, users log onto a system with a user ID and password. However, problems have been reported in analytical laboratories when computer controlled systems collect data over time and users are unable to monitor the system the entire time. To prevent unauthorized access, a screen saver with password protection should be activated.

Further details on system security are discussed in a later article.

Audit Trails

Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes cannot obscure previously recorded information. Such audit trail documentation should be retained for a period at least as long as that required for the subject electronic records and also should be available for agency review and copying.

This requirement has been the subject of many questions and discussions, especially regarding which details must be recorded. For example, what should be recorded when generating a calibration table? Should each typing error be recorded when entering a compound name, should each line be recorded when the return key is pressed, or should entries only be recorded when the session is closed? Too many confirmation steps will affect productivity.

Another concern is that, because everything analysts do can be reconstructed, their creativity could be negatively influenced, especially in the development of new processes.

Secure Electronic Signatures

In order to deter record and signature falsification, written policies holding individuals accountable and responsible for actions initiated under their electronic signatures are necessary. This requirement necessitates not only the development of new procedures but also behavioral changes in the use of logon IDs and passwords. The taboo against sharing a password with a colleague is usually much lower than teaching somebody how to abuse a handwritten signature, but under Part 11 both have the same consequence.

Digital Signatures In Open Systems

Persons who use open systems to create, modify, maintain, or transmit electronic records must ensure the authenticity, integrity, and, if necessary, the confidentiality of electronic records from the point of creation to the point of receipt. Such procedures and controls include those identified for closed systems, as appropriate, and additional measures such as document encryption and digital signatures.

Implementing digital signatures requires software for document encryption and may also require hardware and software for generating digital signatures. Typically, computer systems used in analytical laboratories are closed systems, which do not need digital signatures. However, record encryption and digital signatures are required in open systems, such as when analytical data generated by a contract laboratory are transmitted to the sponsor over the Internet. Technology and applications for this purpose have been described elsewhere.5

New Scope Of 21 CFR Part 11

Although Part 11 has been in place for six years now (and enforced for four years), there is still confusion in industry over how to implement it. 21 CFR Part 11, as well as early draft guidance documents and FDA staff interpretations, does not distinguish between record types or criticality. Part 11 compliance was requested for all records that passed through any computer, and FDA could audit any such records at inspections. Under this very broad interpretation, full implementation turned out to be very expensive and, for some applications, impractical. In some cases, companies decided against the use of new technology due to the anticipated additional complexity and cost of implementing Part 11. However, this contradicts the original intent and spirit of the rule, which was issued to enable the use of new technology while protecting and furthering public health.

With the release of a draft guidance on the scope and applications of Part 11 in February 2003,6 FDA initiated a new, narrower approach. This approach became official with the release of the final guidance on September 3, 2003 and FDA's announcement that it would re-examine Part 11 and initiate a new rule-making process. The new approach likely will be in effect for the next few years.

The new guidance states that Part 11 applies only when the record is required by a predicate rule and when one or both of the following conditions apply:

  • Electronic records are used instead of paper.
  • Persons make printouts but still rely on the electronic records to perform regulated activities.

Figure 1: Deciding where Part 11 AppliesFigure 1 illustrates the process described by FDA's Part 11 experts for deciding where Part 11 applies. Table 1 gives examples of records subject to Part 11.

First, check if the record is required by a predicate rule (or if the record must be submitted to FDA). Next, determine if the record falls under the new, narrower scope. Is the record maintained in electronic format in place of paper, or is it maintained as both electronic and paper records, but the electronic record is used to perform regulated activities? Finally, conduct a risk assessment of the criticality of the Part 11 records and document the result. Part 11 controls are implemented based on the outcome of this process.

Which Records Must Be Retained?

There is no question that certain laboratory records must be retained according to predicate rules. These include raw data, instrument control, processing parameters (metadata), and results. There is also no question that Part 11 applies when we use electronic records instead of paper for these records. Typically, analyses and evaluation of the results of the final product is the last check before the product is released to the market. Laboratory systems that perform such analyses are considered high risk because errors that are not identified at this stage cannot be recovered. Therefore, all Part 11 controls discussed in this paper should be implemented, the most important being:

  • Access to the system and data should be limited and controlled.
  • The computer should have a built-in electronic audit trail that records all changes to records made by operators (for example, manual reprocessing of chromatograms).
  • Original data (like chromatographic raw data) should be kept in electronic form together with metadata and final results.
  • Handwritten signatures and electronic signatures should be linked to electronic records.
  • Systems must be validated according to the requirements of predicate (GxP) rules.

Other systems, like word processors used to write validation reports, are not so critical, and not all Part 11 controls need to be implemented. Validation efforts for such systems should include a well documented installation, but there is no need for extensive testing.

The final decision on whether records fall under the scope of Part 11 and which controls should be implemented should be based on a risk assessment and on the business practices applied in specific laboratories.

More details of the new scope of Part 11 are available in a previously published article.7

References

1. FDA. Code of Federal Regulations, Title 21, Part 11 electronic records; electronic signatures; final rule.

Federal Register

1997; 62(54):13429-13466.

2. ISPE. The good automated manufacturing practices (GAMP) guide for validation of automated systems in pharmaceutical manufacture, GAMP 4. Tampa (FL): ISPE; 2001.

3. Huber L. Validation of computerized analytical and networked systems. Boca Raton (FL): Interpharm Press; 2002.

4. Huber L, Winter W. Implementing 21 CFR Part 11 — electronic signatures and records in analytical laboratories, part 4 — long term archiving and ready retrieval. BioPharm 2000; 13(6):58-64.

5. Huber L. Case study: web applications. In: Wingate G, editor. Computer systems validation. Boca Raton, FL: Interpharm/CRC Press; 2003.

6. FDA. Guidance for industry: Part 11, electronic records; electronic signatures — scope and application. (Draft February 2003, Final version August 2003). Available at URL: www.fda.gov/cder/guidance/5667fnl.pdf.

7. Winter W, Huber L. Part 11 is not going away: the new electronic records draft guidance. BioPharm International 2003; 16(5):28-34.