Compliance with the US FDA’s 21 CFR Part 11 regulations is critical for medical device and pharmaceutical companies. However, there are grey areas that companies often run into when they try to comply with 21 CFR Part 11. We have frequently seen companies believe they are complying (often because they misunderstand the requirements) when in reality they are not.
We often believe that 21 CFR Part 11 compliance is only about validation, audit trails, records and retention, and that we are “safe” because of our paper-based “master” file. We must understand that Part 11 compliance is much more complex than that.
General Prerequisites to ensure compliance with 21 CFR Part 11
- We need to determine whether 21 CFR Part 11 is applicable to our company/industry.
- We need to establish clear audit trails for traceability – design and development.
- We need to follow best practices with regard to data protection and password security.
- We need to follow guidelines on electronic signatures – what, where and how.
- We must not outsource responsibility to any 3rd party. We need to understand that we are the real owners of the 21 CFR Part 11 compliance process and not any 3rd Party.
- We need to have proper processes to validate: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
- We need to consider the points related to US FDA’s 21 CFR Part 11 compliance when choosing a Quality Management System (QMS).
In the following pages, we explore the above-mentioned points and discuss helpful information to clear commonly found confusion around this regulation.
Pharma and medical device companies need to familiarize themselves with the regulation and comply with the FDA’s 21 CFR Part 11 by understanding the following basic concepts:
About 21 CFR PART 11
21 CFR Part 11 is the US FDA’s regulations for electronic documentation and electronic signatures. It outlines the administration of electronic records in a medical device company’s quality management system.
It was first published in 1997, but since then our electronic systems and their capabilities have advanced tremendously. However, the purpose of 21 CFR Part 11 remains applicable even now.
It was designed to cater to the evolving needs of the medical device and pharma industries, with the purpose of helping companies
- know how to use computer systems and software, particularly when a system is not performing its intended functions;
- maintain data safely and securely, and ensure data is not corrupted or lost;
- ensure that approval and review signatures cannot be disputed;
- trace changes to data, with all relevant information related to the changes;
- prevent and/or detect falsified records and fraud.
We have also had to be more practical about how paperwork is managed across organizations that may have multiple offices or multiple people that need to access and update records. Using a paper-based system in a single office is challenging, and with offices based around the globe, it is simply not practical.
With electronic records becoming widely used in many industries, most companies will find that FDA 21 CFR Part 11 is applicable to them. As with many regulations, this is not always received well.
Many companies find the prospect of validating for 21 CFR Part 11 daunting. It is necessary to prove to regulators that the system is robust enough to meet their regulatory requirements, which is challenging to achieve.
This is why several companies are somewhat apprehensive of 21 CFR Part 11: a lot of evidence is needed to prove that a system is robust enough to meet its standards.
- Applicability of 21 CFR Part 11 regulation to the company
Companies which are reluctant to implement 21 CFR Part 11 compliance often say their “master records” are paper-based, although they do upload documents to a shared file or some accessible place on a server. They have an understanding that “paper-based” records mean no need to deal with Part 11, but this is not the case.
For starters, “master records” is an often misunderstood term. Companies normally take the information written or printed on paper to be their “master record” and assume that what they do subsequently (such as scanning and uploading) does not matter, as long as the paper remains filed in their custody. The fact remains that, the instant the document is uploaded to a server, the company is subject to compliance with 21 CFR Part 11.
In section 11.3, the FDA defines “electronic record” to mean “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system”. This makes the scope covered by 21 CFR Part 11 quite broad, and most companies will be impacted such that they need to comply with this regulation.
Hence, even though companies may have a paper-based system, they probably also have a pervasive electronic system, even if it is only a folder structure. In such cases, validation of records is a mandatory regulatory process, in order to ensure that the scanned version matches the paper version.
- Data Security and Password Policies
Data security is a critical requirement of Part 11 compliance. All users with access need the right roles and permissions. This applies whether you use a computerized system or a simple folder structure on a standalone computer. If a folder structure is used to store the data, it must be noted that such structures tend to be cumbersome and complex as far as compliance is concerned.
Often we need to navigate into individual folders and check permissions. To do that, we need to deploy valuable resources from the IT department to grant the necessary access, record the permissions and verify them, which makes compliance a complex task.
As far as overall system security is concerned, passwords are a major element. Security is the most critical part of 21 CFR Part 11 because we must ensure that the right people have the right permissions, and that not just anyone can access everything in the system.
Password best practices must be applied, but the regulation itself does not have much clarity in this area.
It is very important to consult industry experts on 21 CFR Part 11 to ensure that we meet Part 11 compliance and can advise our users on doing so.
Regarding passwords, we have a few best practice guidelines below:
- Access to electronic records should be controlled by a unique login, with a username and password. Users inactive for 10-20 minutes should be logged out automatically.
- We also advise that your system lock out users after 3-5 failed password attempts.
- If the account has been inactive for a period, the user should be locked out. The recommended period for this is 30 days. Alternatively, we may also have 45 or 60 days.
- Audit Trails for Traceability
Properly designed audit trails are required so that we can view which user performed any system action, at what time, to which records, and when the records were created, modified, deleted, or made obsolete.
All events should be recorded with the exact username, date, and time and comments/remarks.
In addition to tracking changes, audit trails apply to moments of access. We must always know when users are logging in and out and when they are locked out. In other words, audit trails help to maintain a complete history of your record-keeping system.
An important aspect of the audit trail is that the FDA can view these records during an inspection. We need to ensure that the audit trail module is designed so that the required information is easy and simple to access, in order to ensure a smoother and hassle-free audit.
- Electronic Signatures
There are different ways of using electronic signatures to review and approve information:
- Biometric, e.g., fingerprint or retinal scan;
- Digital signatures;
- Handwritten signatures captured in software;
- Electronic signatures with date and time stamps.
When electronic signatures are used, they make use of unique usernames and passwords for signees. Generic usernames are not to be used; instead, unique usernames that can be easily associated with each user must be used. To ensure transparency and data integrity, usernames should be tied to a single person, not to a group.
When something requires approval in any computerised system, an “Approve” or “Reject” button may be clicked to convey the intent, as well as the date and time. Once something is signed in this way, the item is permanently locked and unable to be revised or edited again.
When paper records are used, there is a loophole, because there is an opportunity to mark up paper by hand or to track changes in word-processing programs. There is less control than with any reputable computerised system. The document must be locked in the approval process so that compliance with 21 CFR Part 11 is always ensured.
No editing must be allowed once a document is approved. If any changes or edits are required, a new version has to be created, which goes through the entire approval process.
Another aspect is that when electronic signatures are used, we are expected to notify the FDA that we are doing so. In such cases, we need to send them a formal letter informing them that we are using electronic signatures.
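The password, lockout, audit-trail and approval-lock rules from the three sections above, as an added example that is not from the original article or from any particular QMS product: a constructed Python model that writes every login, failed attempt, lockout, idle timeout, modification and signature to an append-only audit trail. The 5-attempt, 15-minute and 30-day thresholds are assumptions chosen from the ranges given above, and the record and user names are made up.

```python
from datetime import datetime, timedelta

MAX_FAILED = 5                        # lock after 3-5 failed attempts
IDLE_TIMEOUT = timedelta(minutes=15)  # auto-logout after 10-20 idle minutes
DORMANT_AFTER = timedelta(days=30)    # lock accounts with no login for 30 days


class Part11Controls:
    def __init__(self, users):  # {name: password}; a real system stores hashes
        self.users = {u: dict(pw=p, failed=0, locked=False, last=None)
                      for u, p in users.items()}
        self.sessions, self.signed = {}, set()  # last activity per user; frozen ids
        self.audit = []  # append-only: (timestamp, user, action, record, comment)

    def _log(self, now, user, action, record="", comment=""):
        self.audit.append((now.isoformat(), user, action, record, comment))

    def login(self, user, pw, now):
        acct = self.users.get(user)
        if acct and acct["last"] and now - acct["last"] > DORMANT_AFTER:
            acct["locked"] = True  # no login for 30 days: lock the account
        if acct is None or acct["locked"]:
            self._log(now, user, "LOGIN_DENIED", comment="unknown or locked account")
            return False
        if pw != acct["pw"]:
            acct["failed"] += 1
            acct["locked"] = acct["failed"] >= MAX_FAILED
            self._log(now, user, "LOCKOUT" if acct["locked"] else "LOGIN_FAILED", comment=f"failed attempt {acct['failed']}")
            return False
        acct.update(failed=0, last=now)
        self.sessions[user] = now
        self._log(now, user, "LOGIN")
        return True

    def _active(self, user, now):  # the idle timeout is enforced on every action
        last = self.sessions.pop(user, None)
        if last is not None and now - last <= IDLE_TIMEOUT:
            self.sessions[user] = now
            return True
        if last is not None:
            self._log(now, user, "LOGOUT", comment="inactivity timeout")
        return False

    def act(self, user, rec_id, action, now, comment=""):
        frozen = action == "MODIFY" and rec_id in self.signed  # signed = locked
        if not self._active(user, now) or frozen:
            return False
        if action in ("APPROVE", "REJECT"):
            self.signed.add(rec_id)  # a signed record can never be edited again
        self._log(now, user, action, rec_id, comment)
        return True
```

Every denied action is recorded as well as every permitted one, so the trail shows who tried to do what, to which record, and when.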
- Company’s responsibility for 21 CFR Part 11 – not any 3rd party’s
It has been noticed that there is a trend of software systems claiming that they can take care of all your 21 CFR Part 11 compliance. Ultimately, this is not true, because Part 11 compliance is ALWAYS the responsibility of the individual company. Even if a software vendor claims that its software will take care of it, your company is still not absolved of the responsibility.
A software vendor can test and validate its platform and provide supporting documentation, but compliance is ultimately your responsibility.
- Installation Qualification (IQ), Operational Qualification (OQ) and Performance Qualification (PQ)
IQ, OQ, and PQ are acronyms that stand for installation qualification, operational qualification, and performance qualification. When the regulation was developed, 20 years ago, the acronyms referred to equipment.
In software terms, IQ, OQ, and PQ can be understood as follows:
Installation Qualification: Is the software installed correctly?
Operational Qualification: Is the software capable of meeting the regulatory requirements and specific operational requirements?
Performance Qualification: Is the software consistently able to produce acceptable results under normal operating conditions?
- Factors in the choice of a computerised system
Compliance is an ongoing process, and you will need to ensure that you are handling electronic documents and signatures correctly throughout your project life cycle.
Your choice of computerised system will play a key role in 21 CFR Part 11 compliance. If your computerised system is not aligned with 21 CFR Part 11 or does not come with pre-validated templates, you will need to factor that into your business plan. A general-purpose off-the-shelf system will require a lot of configuration, staff training, validation testing, and perhaps outside help to ensure compliance.
All of this requires significant time and capital investment. We recommend that you look into various solutions and consider the needs of your company when it comes to validating one for CFR Part 11 compliance.
Conclusion
Complying with 21 CFR Part 11 does not need to be an onerous task, particularly if you remember that any idea of a “paper-based master record” is a complete misnomer in the instance of any record being uploaded to a computer system.
In other words, almost every company must comply with 21 CFR Part 11 unless they truly do have everything on paper only, with no electronic copies of documents stored anywhere.
Follow these tips to ensure the security and integrity of your records and you should be prepared for an FDA inspection. Remember: medical device companies and pharma companies are ultimately responsible for their own compliance, no matter what third parties may promise.