FDA 21 CFR Part 11 Compliance: Are You Complying With These Four Critical Electronic Records Requirements?

Part 11 can apply to a wide variety of electronic records, including testing reports, quality control testing results, production records, design drawings, specifications, premarket submission content, and much more. Those records are not just documents containing text – these records also include images, drawings, and other electronic files. It’s important to note that FDA differentiates between “closed systems” with inherently controlled access (e.g., closed section of the company intranet only accessible to internal personnel) versus an “open system” that allows any access or external access like connections to the internet (e.g., in the “Cloud” storage, Google Drive, etc.). Requirements for both systems are shown here.

Let’s walk through four important aspects of Part 11 compliance that you need to consider.

1. Maintaining Security and User Access Controls

The key point here is that you need to conduct authority checks to make sure only authorized people can use the system, sign records, change records, or access the system and electronic records in some way. You’ll also need to keep close watch over documentation that shows how to operate and maintain the system. If an unauthorized person does access your system, there needs to be a means of automatically and immediately reporting the breach to the system security unit or organizational management. Best practices, and good compliance with Part 11, dictate that passwords must be changed periodically.

Here’s are two real life examples of noncompliance taken from actual FDA Warning Letters:

“Firm failed to exercise appropriate controls over computer or related systems to ensure that only authorized personnel institute changes in master production and control records, or other records.”

“IT staff share user names and passwords to access your electronic storage system for data – your IT staff can delete or change directories and files without identifying individuals making changes.”

2. Complying with Electronic Signature Requirements

There’s more to this than meets the eye. Electronic signatures must include the printed name of the signer, the date and time of the signature, and the relevance of the signature (reviewed, approved, drafted by, etc.). There are a few other important points to note. First, an electronic signature must be unique to a specific individual and cannot be signed as “QA Manager” or “Regulatory Department.” Second, you are required to have a written policy that holds signatories accountable for any actions initiated under their signature. Third, the signature must be linked to a specific document and include the date and time signed.

A common red flag that could catch the attention of an FDA inspector includes a mixture of documented reviews and approvals, some of which are electronically scanned while others are paper based and only stored in binders. This commonly occurs between different areas of the organization.  There is a difference between electronic signatures and scanning signatures on hard copy documents; those scanned documents become electronic records.  Organizations must be clear on when they are truly using electronic signatures versus when a signed document becomes an electronic record.

The problem with this scenario is that because the paper records were scanned and stored electronically – and those documents are used to perform regulated activities – the company is obligated to comply with Part 11. Electronic signatures and handwritten signatures executed to electronic records are held to the same standard of compliance.

What is an FDA predicate rule?

“Predicate rule” is an FDA term that refers to the underlying requirements set forth in the Food, Drug, and Cosmetic Act; the Public Health Service Act; and other FDA regulations. It refers to any FDA regulation that includes record-keeping requirements such as what records must be maintained, the contents of those records, signature requirements, and duration of record retention. Any requirement in Part 11 is always associated with a predicate rule; this means that if another regulation requires records to be maintained electronically, then Part 11 would apply.

Here’s a brief example. 21 CFR Part 820.80(e)(4) says, “Each manufacturer shall document acceptance activities required by this part. These records shall include the signature of the individual(s) conducting the acceptance activities.” As such, this “predicate rule” would apply appropriate parts of Part 11 if the manufacturer is using electronic signature(s) for recording acceptance activities.

3. Validating Your Process

You know the drill. Once you have implemented a process you need to validate it. FDA makes this pretty clear in Subpart B of Part 11, noting that procedures and controls for closed systems shall include: “validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” Once a system is identified, its validation should be planned. Part 11 System Validation Process includes activities such as project management, system risk assessment, validation planning, system design and specifications, system description, testing, traceability, and validation reporting. Part of your validation process should include testing to ensure that only authorized people can access electronic records and make changes. Also, you must have documented training in place for everyone using the system. For more on this, see Part 11, Subpart B.

4. Creating an Audit Trail

Part 11 mandates that you can generate accurate and complete records for review and identify any changes made to these electronic records.  As an example, if a database maintaining customer complaint data is changed for any reason, an audit trail is created to identify who made the change, the type of change made, and the date of the change. This audit trail needs to be computer generated and time-stamped so that an entire sequence of document development and modification is clear. The audit trail part of an electronic system is designed so the audit trail cannot be tampered with and remains permanent. You’ll need to make sure that your system is set up so that the author or person making the change cannot claim that the document is not genuine. This is important because nobody wants to be in a “I never signed that” or “I never changed that” situation. The need to implement audit trails should really be based on the underlying need to meet specific predicate rules in other regulations.

Mobile technology can make audit trails tricky. Many medical device and pharmaceutical manufacturers are integrating mobile technology such as tablets and smartphones into the QMS processes for activities, including design and development, inventory control, receiving/shipping, equipment/facility maintenance, and more. When this technology is used it can sometimes obscure the originator of the record or compromise the security of the electronic record.