We all know that in the European Union, Life Science companies that export to the United States must comply with 21 CFR Part 11.
The regulation, overseen by the US Food and Drug Administration (FDA), oversees electronic records and electronic signatures. This blog post will offer a deep dive on this topic.
Introduction
We’ve discussed the meaning of electronic records and audit trails.
Both involve the use of electronic signatures, which are key to improving productivity in the regulated quality control laboratory. This improved productivity can help companies in the Life Sciences release products to market faster.
Sounds appealing, right? And whether your organization uses digital tools or is still transitioning to electronic systems, understanding both the EU GMP Annex 11 and 21 CFR Part 11 guidelines is essential.
For the time being, we will focus specifically on compliance with the 21 CFR Part 11 electronic records and electronic signature requirements. We will discuss the differences between open and closed systems, and go over some key considerations for using electronic signatures.
Consider this your guide to electronic records and 21 CFR Part 11. And to get a deeper understanding of the topic, check our training below:
21 CFR Part 11 Overview
21 CFR Part 11 addresses the use of technology in quality systems. The regulation outlines the FDA’s controls for ensuring electronic signatures and records are as trustworthy as paper-based ones.
Before we examine the specifics, let’s break down the name of the guideline:
- 21 stands for “Title 21.” This section of the overarching CFR regulation applies to food and drugs.
- CFR is short for the “Code of Federal Regulations.” This is a coded set of laws published by the United States federal government.
- Part 11 is the scope of the regulation specific to electronic records and electronic signatures, and to the electronic systems used to create, modify, maintain, archive, retrieve, or transmit them.
The history of 21 CFR Part 11 dates back to March 1997. During this time, the FDA published its first set of criteria for electronic records and electronic signatures. The regulation took effect in August 1997.
Then, in September 2003, the FDA published a narrow, practical interpretation of Part 11 requirements. The governing body recommended a risk-based approach to:
- Validating electronic systems
- Implementing electronic audit trails
- Archiving electronic records
The FDA confirmed that if you choose to use records in electronic form, Part 11 would apply.
Conversely, if you use computers to generate paper printouts of electronic records, and you rely on the paper records to perform your regulated activities, then Part 11 would not necessarily apply.
Here is a helpful overview: any information that is generated and stored within an electronic system is a Part 11 record. In addition, Part 11 records include those that are maintained in electronic format instead of paper format, and those that are maintained in electronic format in addition to paper format.
Now let’s talk about electronic records and electronic signatures in relation to 21 CFR Part 11.
Electronic Records
Part 11 defines electronic records as:
“Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
An organization’s electronic records may be a part of a closed system or an open system.
A closed system means that access is controlled internally—by the people in the company who are responsible for the content of the electronic records.
Organizations that rely on closed systems generally store electronic records exclusively on their own hardware. The records are then accessible on the organization’s internal network via username and password.
Databases with audit trails are a common example of a closed system. Most systems in analytical laboratories are closed as well. Even Scilife represents a closed system.
According to 21 CFR Part 11, Computer System Validation (CSV) and Document Control are essential to ensuring authenticity, integrity, confidentiality, and irrefutability of the records in a closed system.
But what about open systems?
In an open system, the people in the company who are responsible for the system’s electronic records do not control system access. Rather than requiring a username and a password, digital signatures are needed to verify the identities of those who sign any documents.
Open systems can be compliant, but more controls are needed to protect the records from being read, modified, destroyed, or compromised by unauthorized parties. Security and data integrity are usually more challenging in this way.
For example, consider a vendor offering a license to a record-keeping software solution. In this case, the vendor controls access to both the software and the records. They may require certain elements of a compliant system, but the system is not inherently compliant. This means that it’s the user’s responsibility to implement the appropriate controls.
Electronic Signatures
Traditionally, quality documents like risk assessments, change requests, and training records were printed on paper and handed to each reviewer. They were then approved via wet-ink signature.
Electronic signatures are more efficient. Part 11 defines electronic signatures as:
“A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”
In simple terms, an electronic signature is a simple, legally binding way to authenticate the identity of the person signing a digital document. It is considered the equivalent of a handwritten signature on a paper document.
The FDA approves of electronic signatures over handwritten ones on paper documents if the organization meets certain requirements:
- First, the electronic signature must be unique to one individual.
- Second, the printed name of the signer, along with the date and time, and the signer’s digital signature, should be listed.
- And finally, the intent of the signature (e.g., authorship, review, or approval) must be displayed.
When it comes to validating electronic signatures, these aren’t the only considerations. For example, electronic signatures that are not based on biometrics must employ at least two unique identification components—like a username and password for the first login. To track further activities, password authentication alone is typically sufficient.
That said, the FDA does not permit the sharing of electronic signatures. If the original signer is absent, however, their supervisor and system administrator can jointly sign electronically on their behalf.
Ultimately, though, duplication is prohibited. According to 21 CFR Part 11, no two people can have the same identification code or password, and sharing electronic signatures is not allowed.
Transaction safeguards and loss management procedures can, in this way, prevent issues from compromising your organization’s electronic signatures.
Conclusion
In conclusion, these are the key factors to consider when promoting 21 CFR Part 11 compliance within your organization. In this regulation, the FDA describes specific criteria for electronic records and electronic signatures—specifically for Life Science companies that export their pharmaceuticals or medical devices to the United States.
The regulation is designed to promote the undisputed approval of signatures, the traceability of changes, and the prevention of falsified records via robust data security measures.
To this end, organizations should always choose a QMS that aligns with this regulation. Find out how Scilife’s Smart QMS can help you comply with 21 CFR Part 11 today!
