A Simple & Effective Approach for Achieving Compliance with 21 CFR part 11
21 CFR Part 11 – Overview
Title 21 Part 11 defines the U.S. Food & Drug Administration’s criteria under which electronic records and electronic signatures are considered trustworthy, reliable and generally equivalent to paper records or documents and traditional handwritten signatures. These regulations apply to electronic records and forms that are created, modified, archived, maintained, transmitted or received under stated record requirements set forth in FDA Regulations. It also applies to electronic records submitted to the agency under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. Part 11’s rule does not apply to paper documents electronically submitted such as faxes or scanned and e-mailed documents.
Because sections of the regulation have been challenged and deemed excessive, the FDA has stated that while the requirements set forth in part 11 still remain in effect they are exercising discretion in its enforcement. In this enforcement, the FDA will consider a company’s business practice when deciding if the requirements of part 11 pertain to them, however all records submitted to the FDA in electronic form are part of a regulatory filing expected to meet part 11 requirements. Companies are encouraged to review and implement a well-documented compliance strategy in order to most effectively meet part 11’s electronic document and signature requirements, and determine based on predicate rules, whether specific records are part 11 records. The Agency still expects part 11 requirements to be met by companies that choose to use electronic records to satisfy the requirements of the regulations or predicate rules as these records are created, modified, archived, retrieved or transmitted. Electronic signatures relating to these records, if executed under the regulations outlined by the Agency are considered trustworthy, reliable and generally equivalent to handwritten signatures.
A digital or electronic signature is defined by the FDA as: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified. This means that an individual can ‘sign’ an electronic record or document, and their ‘signature’ will be considered a legally binding equivalent to a traditional hand written signature as long as the mark meets the requirements of part 11 regulations governing the creation and implementation of electronic signatures. An acceptable signature will contain:
- The printed name of the signer
- The time and date that the signature was executed; and
- The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Electronic signatures and handwritten signatures on electronic records must be linked to their respective records to ensure their authenticity and that the signature cannot be excised, copied or transferred in an attempt to falsify an electronic record. In Part 11 (Sec 11.100) the FDA has issued general requirements pertaining to the issuance and maintenance of electronic signatures. The requirements state that an electronic signature must be unique to one individual and should not be reused or reassigned to anyone else, and that prior to being assigned or recording their mark, the company must verify an individual’s identity. In addition, individuals using electronic signatures must certify to the Agency prior to or at the time of signing that their signature is intended to be the legally binding equivalent to their hand written signature. This certification must be submitted in paper form and signed with a traditional hand written signature to the Office of Regional Operations and may be required to provide additional certification if the Agency requests it.
In order to maintain the integrity, authenticity and confidentiality of electronic signatures and electronic documents, companies must implement and adhere to regulated controls such as system validations, audits, audit trails, limiting system access, and operational system checks.
Standards.org breaks these controls into 2 categories: Technical and procedural.
- “Technical controls” relate to the status of, and specific functionality built into, computerized systems used to support regulated activities; each applicable computerized system must evidence compliance to these controls. Technical controls include, but are not limited to, the following: 1) the computerized system performs as intended; 2) only authorized access to and use of the computerized system is permitted; 3) all regulated data is maintained, can be reconstructed and can be readily retrieved; 4) the uniqueness of authentications (e.g., User ID and Password combinations) regarding using the computerized system and applying electronic signatures can be guaranteed; and, 5) electronic signatures cannot be removed, copied/pasted to other electronic records or otherwise tampered with. The proper operations to achieve compliance to these technical controls must be supported by appropriate testing (e.g., confirmation of functionality, challenge/stress testing as applicable) and objective evidence (e.g., test scripts and screen prints/reports that provide confirmation of test results, traceability from tests to requirements to confirm that all functionality has been tested). Regarding those instances where the computerized system design provides compliance to a given technical control objective, the pertinent design feature/function (e.g., system functionality) should be documented in adequate detail – in a functional specification and/or technical design document – to permit one to understand how the feature/function works.
- “Procedural controls” are those policies and procedures, preferably global in scope, which define processes that support compliance to 21 CFR part 11. These policies and procedures will be designed to promote outcomes such as, but not necessarily limited to, the following: 1) computerized systems are developed, deployed and maintained in a formal and appropriate manner, 2) all documentation for computerized systems is current and reflective of the operation of the respective system, 3) all electronic records are backed up and recoverable, 4) all electronic records are protected against unauthorized logical and physical access, and 5) all staff who develop, maintain and use the respective computerized system is appropriately trained. All policies and procedures should be developed, approved and maintained as “controlled documents” which are versioned documents, populated with specific information, and are generated and maintained to support a regulated activity.
In addition to these controls, computer systems (including hardware and software), controls, and attendant documentation maintained under Part 11 shall be readily available for, and subject to, FDA inspection.
Blue Harbors’ Approach
PHASE 1 – Validation Scope Assessment
Determine and document all systems and processes that should be considered as in-scope for the 21 CFR part 11 compliance validation assessment.
PHASE 2 – Current State Validation Assessment
Perform a validation assessment of identified in-scope systems and document current controls in place which support validation compliance as well as gaps which require remediation.
PHASE 3 – Gap Impact Assessment
Identify and document systematic and procedural gaps preventing compliance with 21 CFR Part 11.
PHASE 4 – Initial Compliance Recommendations
Develop and document a remediation plan for the mitigation of the identified gaps, as well as a detailed project plan to follow in achieving compliance with 21 CFR part 11.
PHASE 5 – Continuous Compliance Recommendations
Provide detailed recommendations for maintaining a continuous state of compliance once an initial state of compliance is achieved.
PHASE 6 – Post-Remediation Compliance Validation Audit
Establish an ongoing compliance validation audit plan to ensure compliance is maintained going forward.