FDA 21 CFR Part 11 Compliance - 6 Factors Every Regulated Firm Should Know

    Improve compliance with 21 CFR Part 11 regulations and avoid FDA citations and warning letters.

    21 CFR Part 11 specifies requirements for handling electronic records and electronic signatures and applies to any records covered by FDA regulations that exist in an electronic form. The main objective behind implementing this regulation was to prevent fraud while facilitating, promoting the possible use of electronic technology to reduce expenditures incurred from paper sources. This article provides an overview of FDA requirements for electronic systems and the applicability of 21 CFR Part 11. It also details consequences for non-compliance and six key aspects FDA regulated firms should focus on so as to ensure compliance.

    21 CFR Part 11 Compliance Checklist

    What is 21 CFR Part 11?

    21 CFR Part 11 regulates the use of electronic records and electronic signatures required by predicate rules governing manufacturing processes in FDA regulated industry. It mainly focuses on ensuring the authenticity, reliability, integrity of data in the form of electronic records and signatures. The regulation was implemented as an effort by the agency to set minimum compliance guidelines for computerized systems and minimize the possibility of data misappropriation.

    The objectives of 21 CFR Part 11 can be listed as:

    • Validating systems to ensure accuracy, reliability
    • Enhancing ability to generate accurate and complete copies
    • Control and identification of records, system documentation
    • Preventing methods to falsify records
    • Accurate and ready retrieval of records
    • Limiting system access to authorized individuals

    Applicability of 21 CFR Part 11

    21 CFR Part 11 applies to all aspects of the research, clinical study, maintenance, manufacturing, and distribution of medical products by firms which choose to use electronic records or signatures. The regulation applies to all records which exist in an electronic form even if they don't have to be submitted to the FDA but have to be maintained in facilities.

    These regulations do not mandate the use of electronic records and electronic signatures by firms. The rules also provide flexibility to determine customized methods of security to fulfil compliance requirements.

    FDA regulated companies are expected to chart out a detailed implementation plan that suits their business goals and should be aware that the regulations apply to all electronic systems used.

    Why is 21 CFR Part 11 Compliance Important?

    21 CFR Part 11 regulations have resulted in broadening the scope of FDA inspections thus making many organizations vulnerable to non-compliance.

    The FDA has tightened its enforcement actions of late and non-compliance (especially in areas of system validation, protection of records - common citations during audits) can result in FDA Form 483s, warning letters, an injunction in the form a market recall or ban on importation /commercial distribution and so on.

    Citations for non-compliance can prove very expensive as they can result in direct and indirect penalties by the FDA actions. Warning letters issued publicly can affect a company's stock value and can ultimately result in reduced revenues.

    Firms should focus on three areas of compliance:

    • Validation of computer systems used through a development life cycle. This should be followed by testing within the firm's current operating environment so as to stay in compliance with Part 11 requirements.
    • Operations carried out should be based on standard operating written procedures,
    • Product features that exist in the system software should be utilized to fulfil requirements

    The Agency has made it clear to companies that:

    • they have to be fully compliant with 21 CFR Part 11 and applicable predicate regulations
    • revenue procured during non- compliance with regulations will be considered illegal and is subject to seizure.
    • non-compliance can also result in severe penalties
    • various aspects like criticality of the data, type of systems used to manage the data will be considered during audits for grading the level of compliance
    • It follows a realistic approach towards problems faced and considers that time is required for existing systems to attain full compliance with 21 CFR Part 11
    • It will undertake a "risk-based" approach in the process of enforcing compliance to technical controls like validation, audit trails, record retention and so on

    6 Key Factors Essential for 21 CFR Part 11 Compliance

    1. Apply Predicate Rules for Complete Compliance

    Predicate rules are FDA regulations that require companies to maintain certain records and submit information (both paper and electronic sources) as part of compliance.

    FDA regulated companies and personnel working with electronic systems and records must know the predicate rules that apply to their industry in order to use Part 11

    On issues pertaining to signatures and records, 21 CFR Part 11 allows:

    • Any predicate rule that calls for a record to be satisfied with an electronic record
    • Any predicate rule that calls for a signature to be satisfied with an electronic signature

    It should also be noted that predicate rules do not directly address computer or software validation.

    While 21 CFR Part 11 addresses the issues of electronic signatures, records and systems validation, it is the predicate rule that details the kind of records required and the signatures needed to validate/certify them. Therefore, it is crucial for companies to improve their awareness of the predicate rules that lay the groundwork for Part 11 compliance.

    2. Enforce Strict Security Measures

    It is important to authenticate the process of verifying the identity of users to control access to critical data assets, perform electronic transactions and prevent manipulation of electronic records.

    According to the regulations, "records are less trustworthy and reliable if it is relatively easy for someone to deduce or execute by chance a person's electronic signature where the ID is not confidential and the password is easily guessed."

    Firms should ensure that software with enhanced security features such as user ID with a strong password (preferably a two-factor authentication) is used. This will provide a high assurance system that records are trustworthy.

    Computer systems should carry features like:

    • auto-lockout of inactive accounts,
    • automatic logouts
    • not allow multiple logons from dissimilar locations,
    • usernames that identify a person and are not generic
    • unique passwords,
    • limited control delete capabilities in data transfer process
    • operational system checks to enforce the correct sequencing of events in the software,
    • a validity check for every input field
    • log all user access activity

    Companies should understand the need for robust security in the form of electronic signatures so as to comply with Part 11 as well as improve business processes, protect intellectual property, mitigate the risk of litigation and protect an organization from liability.

    3. Ensure Data Transfer is Secure

    The secure transfer of data is a cornerstone of Part 11 compliance. In order to ensure this, FDA regulated firms must implement the following measures in electronic systems:

    • Control and limit delete capabilities - data can be inactivated but should not be deleted. The archiving process can be deleted once the audit trails have been generated and saved elsewhere.
    • Encrypt all data transferred outside of the intranet firewall
    • Encrypt all data that is taken offsite through laptops or removable media
    • Checks in the operational systems to enforce correct sequencing of events (a three step event should not miss out on the second step and so on) and validity of input data (dates have to be dates, numbers have to be numbers and so on).
    • Date formats that are unambiguous - therefore months should always be first three letters such as JAN or FEB as this is universally understood. So, the format should be DD-MMM-YYYY (for e.g. 31-DEC-2021)

    4. Generate Audit Trails for All Electronic Records

    Audit trails can be generated to authenticate and confirm the integrity of regulated records and signatures which often remains as the greatest challenge to FDA regulated companies. An audit trail is a series of documents or a documentation archive that allows reconstruction of the course of events and should contain

    • details regarding the reason for the change
    • name and user ID of the person making the change
    • date and time
    • the original and final entry in the database

    Firms should ensure that all changes made to the electronic data (any modification, updates or deletion) and every transaction made in the system database is recorded through an audit trail.

    Firms should re-establish requirement for audit trail functionality of internal system software. Risk assessment procedures should involve reviewing the potential risks associated with traceability and data integrity of the records.

    5. Comply with Electronic Signature Requirements

    Firms are increasingly using electronic information systems to improve efficiency of operation and for developing enhanced security policies so as to transform to a paperless environment and thereby significantly reduce costs.

    Electronic signatures should uniquely identify an individual. Part 11 stipulates that controls for electronic signatures should be based on identification codes and passwords.

    The regulations state that:

    • Electronic signatures cannot be modified or copied by anyone
    • Standard Operating Procedures must be implemented and followed for the issue, expiry and loss management of electronic signatures
    • Written policies must be implemented to hold users accountable for actions undertaken with their electronic signatures
    • Electronic signatures are not digital signatures

    A compliant electronic signature must have the following components:

    • A public user name that uniquely identifies the user
    • A private password known only to the user
    • The meaning of the electronic signature (stating the reason for it)
    • Date and time on which the signature was executed
    • The object that is signed should display the printed name, date, time and meaning of the signature
    • The signed object should be permanently locked to prevent future editing or modification
    • The electronic signature must be permanently linked to the signed object

    6. Validate Electronic Systems

    Computer systems are subject to validation requirements and all software used for storing clinical data must be validated in order to stay in compliance with 21 CFR Part 11. Firms must demonstrate that software used in systems meet company requirements for each purpose served by the software.

    Firms should ensure that:

    • there is continuous maintenance and scheduled internal reviews of computer systems as a part of the ongoing quality management system
    • required documentation should be maintained for all validation that is carried out for electronic systems
    • validation of individual utilities, equipment and instruments should be also be completed
    • validation of software is a regular part of the maintenance of electronic systems, especially in the case of version updates and re-installation and so on

    The electronic system must be validated from the perspective of the developer. When validated from the user perspective, it should be done so as to ensure accuracy, reliability and performance.

    FDA Regulated Firms Must Ensure Part 11 Compliance to Generate Accurate and Usable Data

    21 CFR Part 11 compliance has to be adopted not just to avoid the wrath of the regulator, but also to ensure that data captured electronically is accurate and clean. With the widespread adoption of electronic systems to capture and record data has also come the risk of manipulation and loss. This is the biggest risk for FDA regulated companies that rely heavily on accuracy of data in all processes - from clinical trials to production to customer complaint management. The important of Part 11 compliance can therefore not be stressed strongly enough - it's not just the risk of warning letters that come with non-compliance, but consumer safety and the reputation of a company as well.

    How can FDA compliance training help?

    The areas highlighted above are just a small part of the wide range of practices and processes for FDA compliance. Subjects such as FDA compliance are multi-faceted and complex and can be better understood after attending a training course such as the ones offered by ComplianceOnline. Our courses are available as live webinars, training recordings and in-person seminars. We also offer customized training courses developed in conjunction with organizations that wish to train large groups of their employees.

    We offer training in other areas FDA compliance such as marketing and promotion, QSR, regulatory submissions and handling regulatory audits and inspections. If you are interested in our wide range of FDA compliance training courses, please click here.