Abstract
Just what is “21 CFR Part 11”?
Do I need to consider it when designing lab automation software? Sure, I store data electronically, but my “official” copy is a signed hardcopy stored in my documentation control system, so Part 11 doesn't apply to me, right?
These and similar questions are being asked with increasing frequency during the development process for both off-the-shelf and custom lab automation software. This article presents a brief overview of the FDA regulation concerning the use of electronic records and electronic signatures and a guide for software analysts and developers.
Regulation Overview
Records are kept for a number of reasons. 21 CFR Part 11 (Part 11) 1 applies only to those records “that persons create, modify, maintain, archive, retrieve, or transmit under any records or signature requirement set forth in the Federal Food, Drug, and Cosmetic Act (the Act), the Public Health Service Act (PHS Act), or any FDA regulation. Any requirements set forth in the Act, the PHS Act, or any FDA regulation, with the exception of part 11, are referred to … as predicate rules.” 3 Traditionally these records have been paper-based and stored in files or binders. When those records required signatures, the document was distributed to all parties on the signature list, and the signatures were stored along with the original.
Part 11 does not address what types of records should be kept, how long they should be kept, or who should sign them. It does not require that a company make the transition from paper record keeping to electronic record keeping. It does not require that a company use electronic signatures or biometric identification for their paper records. What Part 11 does is provide the “criteria under which the FDA will consider electronic records to be equivalent to paper records, and electronic signatures equivalent to traditional handwritten signatures.” In other words, if a company chooses to switch from paper records to electronic records, this regulation describes what must be done to satisfy an FDA audit.
Compliance through Software?
One of the most important facts that a software developer should understand about Part 11 is that no single software application or set of applications can force an organization to be compliant. The job of the software developer is to provide the organization with the tools it needs to meet the regulation. The organization must then, among other things, configure the application, train users, maintain an emergency backup plan, limit system access, hold users accountable for electronic signatures, control system documentation, establish SOPs to prevent the reuse of electronic signatures, and certify that electronic signatures are legally binding before compliance can be achieved.
Most of the individual requirements in the regulation can be sorted into two categories: those that the organization must put in place (commonly referred to as ‘procedural controls’) and those that the software in question must implement. There are, of course, a number of requirements that can and should be sorted into both groups. The purpose of this article is to provide a high-level view of those requirements the software developer must take into account to ensure that the organization gets the tools it needs.
Software Design Considerations
Electronic records must be maintained in such a way that their authenticity, integrity and, if applicable, confidentiality are maintained. If a system is defined as “closed” (system access is controlled by persons who are responsible for the content of the records), then the following is a list of software development issues that must be considered.
“Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” 1
Records must be stored in such a way that they can be inspected, viewed, or copied by the FDA in both human readable and electronic form.
Legacy data must still be readable or convertible if legacy hardware is not to be maintained. This must be taken into account when upgrading or replacing systems. Electronic records must be maintained for as long as the paper records that they replace.
Secure, computer-generated, time-stamped audit trails must independently record operator activities that create, modify or delete electronic records without obscuring previously recorded data. Regarding systems that might span different time zones, the agency advises that a “time zone reference should be part of the time stamp and appear in human readable forms of the time stamp.” 4
Sequencing of process steps or events must be enforced whenever possible.
Only authorized individuals must be allowed to use the system, sign a record, or alter an existing record.
Time-sequenced development and modification of all systems documentation must be logged via an audit trail.
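The audit-trail requirement above, sketched as an added example that is not part of the original article or the regulation: an append-only trail whose entries keep the prior value and carry a system-generated timestamp with an explicit UTC offset. The hash chaining used to make altered entries detectable is one technique chosen here, not something Part 11 prescribes, and the class, function and field names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry's "prev"


def _digest(entry):
    # Hash every field except the entry's own hash, in canonical JSON form.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: a change adds an entry and never rewrites an old one."""

    def __init__(self, tz=timezone.utc):
        self._entries, self._tz = [], tz

    def record(self, operator, action, record_id, old, new, now=None):
        # System-generated, offset-aware timestamp; `now` only pins the clock in tests.
        stamp = (now or datetime.now(self._tz)).isoformat(timespec="seconds")
        entry = {
            "seq": len(self._entries) + 1,
            "time": stamp,
            "operator": operator,
            "action": action,        # "create", "modify" or "delete"
            "record_id": record_id,
            "old": old,              # prior value is retained, not obscured
            "new": new,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return dict(entry)

    def entries(self):
        return [dict(e) for e in self._entries]


def verify(entries):
    """Return 0 if the chain is intact, else the position of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries, start=1):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    return 0
```

The chain only exposes alteration if the most recent hash is also kept somewhere that people who can edit the records cannot write to.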
If a system is defined as “open” (emailed records, internet-based applications, etc.), then the following items should also be considered.
Document encryption may be necessary to maintain confidentiality.
Digital signature standards may be used to ensure record authenticity and integrity.
Signature considerations:
The printed name of the signer, the date and time the record was signed, and the meaning of the signature (record reviewed, record approved, etc.) must be captured as part of any signature.
Any human-readable form of a signed record must display this information.
Any electronic or handwritten signature must be linked to its corresponding electronic record so that it cannot be copied and used to falsify another record.
Electronic signatures do not have to be based on biometrics (retinal scan, fingerprint, etc.). Username/passwords can be used, but the following criteria must be met:
At least two distinct identification components must be used.
If a user signs multiple documents in a single session, at least one of the components must be used for each document.
While a strict definition for a “single session” is not provided, the regulation does make it clear that if more than one document is signed, but they aren't signed in the same session, both components must be used to execute the signature.
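One way to capture the signature manifestation and link a signature to its record, as described in the signature considerations above (an added example, not code from the original article). It assumes a server-held per-signer key and uses an HMAC from the Python standard library as a stand-in for a real digital signature scheme; all function and field names are hypothetical.

```python
import hashlib
import hmac
import json


def _canon(obj):
    # Canonical JSON so the same content always produces the same bytes.
    return json.dumps(obj, sort_keys=True).encode()


def sign_record(record, printed_name, meaning, signed_at, signer_key):
    """Return a signature manifest bound to this record's exact content."""
    manifest = {
        "printed_name": printed_name,
        "signed_at": signed_at,   # ISO 8601 string with UTC offset
        "meaning": meaning,       # e.g. "reviewed", "approved"
        "record_sha256": hashlib.sha256(_canon(record)).hexdigest(),
    }
    # The MAC covers name, time, meaning and the record digest together.
    manifest["mac"] = hmac.new(signer_key, _canon(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_signature(record, manifest, signer_key):
    """True only if the manifest is unmodified and belongs to this record."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(signer_key, _canon(fields), hashlib.sha256).hexdigest()
    same_mac = hmac.compare_digest(expected, str(manifest.get("mac", "")))
    same_record = fields.get("record_sha256") == hashlib.sha256(_canon(record)).hexdigest()
    return same_mac and same_record


def render(record, manifest):
    """Human-readable form: the record followed by name, time and meaning."""
    lines = [f"{k}: {v}" for k, v in sorted(record.items())]
    lines.append(f"Signed by {manifest['printed_name']} on {manifest['signed_at']}"
                 f" ({manifest['meaning']})")
    return "\n".join(lines)
```

Because the record digest sits inside the authenticated fields, a manifest copied onto a different record, or left on a record that was edited after signing, fails verification.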
While most controls for usernames and passwords are carried out with company SOPs and training, there are some related software design considerations.
Each combination of username and password must be unique.
Usernames should not be reused.
Passwords should expire periodically.
Safeguards should be implemented to detect and report user names and passwords that may have been compromised (disable the combination and alert system administrators and/or management).
Conclusion
Part 11 is often discussed, but many times misunderstood. In its purest form, the regulation is a set of criteria that must be met by any company wanting to keep FDA-required records in electronic form. The criteria may be divided into requirements that must be implemented by software developers and those that must be implemented by the organization. This article presents a brief list of those that affect software developers. The referenced documents and suggested additional reading provide an excellent starting place for understanding this regulation and its implications. Additional guidance documents from the FDA and from the GAMP (Good Automated Manufacturing Practice) Special Interest Group are expected later this year.
Glossary
Closed System — An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. 2
Electronic Record — Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. 2
Electronic Signature — A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. 2
Handwritten Signature — The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark. 2
Open System — An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. 2
Predicate Rule — Any requirement set forth in the Federal Food, Drug, and Cosmetic Act, the Public Health Service Act, or any FDA regulation, with the exception of part 11. 3
