In 21 CFR Part 11, the FDA establishes its requirements for electronic records and signatures, which also apply to medical device manufacturers.
A lot of companies print everything out on paper then sign it by hand to bypass the wants of Part 11. is that this really necessary?
21 CFR Part 11: A source of fear?!
With Part 11 on Electronic Records; Electronic Signatures the FDA has given tons of companies sleepless nights (and consultants good business), particularly within the pharmaceuticals sector.
Sometimes the wants were interpreted in such an over-the-top manner that the FDA felt compelled to publish the Guidance document: “Part 11, Electronic Records; Electronic Signatures — Scope and Application” to supply clarification. within the end, it saw its own objective, namely to use Part 11 to supply a basis for the replacement of paper documents by electronic information, being thwarted.
But what does 21 CFR Part 11 really require? And which documents are affected?
21 CFR Part 11: Which systems and documents are affected?
21 CFR Part 11 applies whenever information is to be electronically generated, amended, stored, transferred or accessed. this will involve very differing types of data , such as:
Text
Images, videos or
Audio files
The requirements (for IT systems) must be met if the documents generated, stored, transmitted or amended are wont to demonstrate compliance with regulatory requirements, such as:
Release and test protocols
Process and work instructions
Design drawings, software architecture documentation
Specifications, request documents
Records, e.g. production records
Review protocols
As a rule of thumb, you’ll say that systems are subject to 21 CFR Part 11 if the documents “managed” with the systems are
Submitted to the FDA (e.g. for a 510(k) submission) or
Relevant for an FDA inspection, i.e. the testing of the QM system to make sure it complies with 21 CFR Part 820.
The FDA doesn’t require some systems to be “Part 11 compliant”:
Old systems that were operational before 20 August 1997
Systems that generate paper printouts.
So 21 CFR Part 11 is merely applicable if electronic records are replacing paper records.
There is a grey area when a system can produce a paper printout but relies on electronic recording to get it. for instance , manufacturers often automatically generate thousands of pages of test reports, print them out and sign them. during this case, you’d need to justify the choice to not apply Part 11.
The FDA requires the IT systems discussed above to be validated and during this context also refers to the “General Principals of Software Validation” guidance document. This results in the discussion on whether this is often almost validation or about the entire software life cycle. Read more on the topic of computing system validation here.
Open and closed systems
The requirements for open and closed systems are different. A system is closed when the system is under the control of persons who are liable for the electronic records managed by this technique . Otherwise it’s an open system.
An example of a closed system would be a build and test system on the intranet that only the testers or developers responsible can access.
A system that transmits data via the web is additionally considered an open system.
Requirements for closed systems
21 CFR Part 11.10 defines the wants for closed systems. the thought behind the wants is that the people that work with these systems must make sure the authenticity, integrity and, if necessary, confidentiality of the info . For this reason, the subsequent are obligatory:
System validation (performance, the power to detect invalid or altered records).
Generation (also) of human readable records.
Ensuring the protection of records (must be available).
Limiting system access to authorized individuals.
Use of computer-generated, time-stamped audit trails that show who changed what and when. But here the FDA is rowing back, as you’ll read within the above mentioned Guidance Document.
Operational system checks to make sure that (only) the permitted sequencing of steps and events is enforced – if necessary.
Authority checks to make sure that only authorized users can use the system (e.g. electronically generate and sign documents), and access the OS , computer or peripherals.
Peripherals check to make sure that the inputs and outputs are correct
.
Training of the people that work with the system or develop it.
Prevention of falsification in order that people are liable in writing for what they sign.
System documentation e.g. on who has access to the system, how this access is granted, whether it’s for the utilization or maintenance of the system, and on who changed what within the system and when.
Requirements for open systems
21 CFR Part 11.30 places additional requirements on open systems. These include measures like document encryption and therefore the use of digital signature standards to make sure the authenticity, integrity and confidentiality of records.
Digital Signature Requirements
The requirements of 21 CFR Part 11 regarding digital signatures will seem familiar to anyone who has addressed this issue before and, for instance , the German Signature Act:
Content: A digital signature must contain:
The name of the signatory
The date and time of the signature and
The meaning of the signature (e.g. review, approval, author).
Protection against falsification: It must not be possible to falsify the digital signature (21 CFR establishes an equivalent de facto requirements as are in situ for documents).
Link to document: The signature must be linked to the document in such how that it can’t be used on other documents.
Uniqueness: Naturally, it must be possible to assign the signature to a selected individual.
Biometric and non-biometric methods: The identification must be supported biometric methods or two distinct identification components like an identification code and password.
When using identification codes (e.g. user name, initials or number) and passwords, 21 CFR Part 11 establishes the subsequent requirements in 11.200 (a) and 11.300: