21 CFR 11 Overview of the Final Document and its New Scope Ludwig Huber

In 1997, the US Food and Drug Administration issued a regulation"Rule 21 CFR Part 11," that provides criteria for the acceptance of electronic records, electronic signatures, and handwritten signatures (1). FDA issued the guidance in response to requests from the industry. With this regulation, electronic records can be equivalent to paper records and handwritten signatures. The rule applies to all industry segments regulated by FDA that include good laboratory practice, good clinical practice, and current good manufacturing practice.

It is anticipated that electronic records will be more cost effective for the industry and FDA. In addition, the industry expects the drug approval process will be shorter and access to documentation will be faster and more productive. The Part 11 rule requires:

• that companies only use validated computerized systems;

• secure retention of electronic records and instant retrieval;

• user-independent, computer-generated, time-stamped audit trails;

• system and data security, data integrity, and confidentiality through limited, authorized access to systems and records;

• secure electronic signatures for closed and open systems;

• digital signatures for open systems;

• operational checks;

• device checks;

• the determination that individuals who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks.

This article provides an overview of the rule's key requirements and discusses FDA's new approach and narrower scope of Part 11. Although it presents the current interpretations of the rule and its enforcement, it is important to note that such discussions are ongoing. Frequently updated information is available at www.fda.gov and www.labcompliance.com/e-signatures. Additional information also is presented elsewhere (2).

Key requirements and concerns

System validation. "All computer systems used to generate, maintain, and archive electronic records must be validated to ensure accuracy, reliability, consistent independent performance, and the ability to discern invalid or altered records." (Par. 11.10 [a])

This condition applies to new and existing systems, but is not new for operations using computers in a regulated environment. Most companies have developed strategies for implementing computer system validation.

Nonetheless, older systems can be problematic because they require a formal evaluation and a statement about their validation status (3, 4). The extent of validation depends on the system's complexity and its effect on product quality and data integrity. Under 21 CFR Part 11, older systems that cannot be validated should not be used.

Secure retention of electronic records to instantly reconstruct the analysis. "Procedures should be in place to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Records must be protected to enable their accurate and ready retrieval throughout the records retention period." (Par. 11.10 [b], Par. 11.10 [c])

The agency should be able to trace final results back to the raw data using the same tools the company used when those data were generated. This task is probably one of the most difficult for which to implement requirements. In some instances, records must be kept for ten years or more. Because computer hardware and software have a much shorter lifetime, one can anticipate problems complying with this paragraph.

Under the original interpretation of Part 11, each record had to meet this requirement. In addition, records had to be retained in their original form for the full retention period, as required by the predicate rule. This interpretation has changed with FDA's new scope, however.

Depending on a company's business practices, a record's value over time, and the justified and documented risk assessment, the new interpretation enables companies to copy the electronic records to paper or to standard electronic formats such as portable data format (PDF).

Limited access. "Procedures should be in place to limit the access to authorized users" (Par. 11.10 [d]).

Limited access can be ensured through physical or logical security mechanisms. Most companies already have such procedures in place. For logical security, users typically log onto a system with a user identification (ID) and password. In addition, physical security such as key locks or pass cards is recommended for high-risk areas (e.g., data centers with network servers and archived data). Procedures should be carefully documented and validated.

User-independent, computer-generated time-stamped audit trails. "Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying" (Par. 11.10 [e]).

This paragraph has been the subject of much discussion such as how audit trails should be implemented and about what information should be recorded. An important distinction is that the word independently means independently from the operator. The main purpose of the audit trail is to ensure and prove data integrity. If the data have been changed, the computer should record what has been changed and who made the change.

The audit trail functionality should be built into the software and is especially important for critical computer-related processes with manual operator interaction. Under the new scope of Part 11, the implementation of electronic audit trails should be risk-based, justified, and documented.

Use of secure electronic signatures for closed and open systems. "The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to determine record and signature falsification" (Par. 11.10 [j]).

The main purpose of this requirement is to link electronic signatures to relevant electronic records and the record signer. The system should recognize the signer with a user ID and password. Procedures and technical controls should ensure that the signer is uniquely identified. This rule not only requires the development of procedures, but also necessitates behavioral changes for using ID codes and passwords. Sharing a password with a colleague usually is much less taboo than teaching somebody how to copy a handwritten signature. But under Part 11, both actions have the same consequence. Software also should recognize any change to a signed record, most commonly through linking the electronic signature to the electronic audit trail.

Use of digital signatures for open systems. "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified for closed systems, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality" (Par. 11.30).

This rule requires software for document encryption and may also require hardware and software for generating digital signatures. Typically, computer systems used in pharmaceutical operations are closed systems that do not need digital signatures. Conversely, an example of an open system is analytical data generated by a contract laboratory that are transmitted to a sponsor through the public Internet. Examples of how open systems can be used are described elsewhere (2).

New scope of 21 CFR Part 11

Although 21 CFR Part 11 has been in place for eight years and enforced for six years, companies are still confused about how to implement it.

For example, the regulation, earlier draft guidance documents, and early interpretations from FDA defined an electronic record as, "any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system" (1, Par. 11.1 [b]). But, the rule makes no distinction among the types of records or their criticality.

FDA requested Part 11 compliance for all such records that were generated or stored on a computer and could ask for such records at inspections. With this very broad interpretation, full implementation was very expensive and for some applications, it was impractical. In some cases, companies decided to keep paper records because of the anticipated additional complexity and cost involved with implementing the technical control required by the rule. This outcome clearly was not the original intent and spirit of the rule which was issued to protect public health and enable new technology to be used.

With the release of the draft guidance on scope and application of Part 11 in Feb. 2003 (5), FDA promoted a new, narrower approach. With the final guidance released on Sept. 3, 2003 and FDA's announcement to reexamine Part 11 and initiate a new rule-making process, this narrower approach became official and probably will be the basis for an updated regulation in the future.

The guidance states that Part 11 applies when:

• the record is required by a predicate rule (e.g., electronic batch records for 21 CFR Part 211 and electronic training records in 21 CFR Part 58);

• the electronic records are used to demonstrate compliance with a predicate rule (e.g., electronic training records for compliance with 21 CFR Part 211).

Part 11 applies in one or both of the following situations:

• when electronic records are used instead of paper;

• when persons make printouts but still rely on the electronic records to perform regulated activities.

Figure 1 illustrates the decision flow to determine which records fall under the scope of Part 11. This figure has been presented several times by FDA staff Part 11 experts. First, we check if the record is required by and can demonstrate compliance with the predicate rule.

Figure 1: Steps to determine whether records are within the scope of Part 11 (7).

Next, we determine if the record fits in the new, more-specific scope of Part 11. The main criterion is whether the record is maintained in electronic format in place of a paper format or in both electronic and paper formats, and whether people rely on the electronic records to perform regulated activities. A regulated activity is any activity required by an FDA regulation. For example, analytical test results must be recorded according to FDA's 21 CFR Part 211. In this case, the regulated activity is not limited to signing the record (e.g., a paper printout of an electronic record). It also includes all steps from data acquisition and evaluation.

Finally, we make a risk assessment of the criticality of the records and document the result. Based on the outcome, appropriate Part 11 controls are implemented.

The final criteria is to evaluate the risk the record has on product quality and data integrity. Examples of high-risk records are electronic batch records and analytical records of final product testing. Errors at this stage will not be identified and cannot be recovered before the product ships to the market. An example of low-risk records are electronic planning documents such as cleaning or maintenance schedules. Electronic standard operating procedures could fall into the medium- or low-risk category, depending on the procedure's effect on product quality. The International Society for Pharmaceutical Engineering has published a list of such risk classifications (6).

Justification and documentation of Part 11 compliance

As explained previously, the implementation of some Part 11 controls should be based on criteria such as:

• where the record is required by predicate rule;

• whether a regulated activity depends on the record;

• a company's business practice;

• effect of operator interaction on data integrity and product quality.

If Part 11 controls are not implemented, FDA must review a documented justification that explains why not. Every company is advised to prepare such documentation.

An example of such documentation is shown in Figure 2. A computerized analytical system used in a pharmaceutical quality control laboratory is reviewed as an example.

Figure 2: Documentation of Part 11 controls (2). (a) A computerized analytical system is represented graphically. The legend indicates who has access to the data on which computer and what data can be changed. (b) Our decisions and justifications. (c) The criticality of the record, if the record is required by a predicate rule, and if the a regulated activity depends on the record. (d) The lower part lists business practices. HPLC is high-performance liquid chromatography and PC is personal computer.

In the example, a sample is injected into a computer-controlled liquid chromatograph. The signal is acquired by the client's system (computer 1) and the original data are stored on the computer as digital data. Data are automatically processed on this computer and the results are transferred with the evaluation parameters to a second system with a database (computer 2) for storage and printout. The operator reviews the printout and, depending on the findings, may decide to manually reevaluate the data. Lastly, the records are maintained in electronic form because the company may need to reprocess the data for business reasons at a later date.

Both computers 1 and 2 must be validated in accordance with the high risk categories. The systems should have built-in electronic audit trails because operators have access to the records and could change records. Audit trails are required by the predicate rules and regulated activities depend on the type of records. We also keep the records in both print and electronic forms because they may be needed to demonstrate compliance with the predicate rule. Further examples of manufacturing, analytical laboratories, and office applications are explained elsewhere (2).

Conclusion

During the initial stages of Part 11 implementation, the industry asked whether a specific computer system should comply with Part 11. Today, several questions are routinely asked such as which records are generated by the system, whether they are required by a predicate rule, what will be the effect on product quality, and how operators can affect record integrity. The answers to these questions will determine the type and level of Part 11 controls that should be justified and documented for FDA and for your management, if funding for Part 11 implementation is required.

Ludwig Huber, PhD, is the compliance program manager at Agilent Technologies, Waldbronn, PO Box 1280, D-76337, Waldbronn, Germany, Ludwig_Huber@agilent.com.

References

1. Code of Federal Regulations, Title 21, Food and Drugs, Part 11, "Electronic Records; Electronic Signatures, Final Rule," Fed. Regist. 62 (54), 13429–13466.

2. "21 CFR Part 11–Electronic Records and Electronic Signatures," (Labcompliance, Oberkirch, Germany, 2005), available at http://www.labcompliance.com/books/part11.

3. International Society for Pharmaceutical Engineering (ISPE), The Good Automated Manufacturing Practices (GAMP) Guide for Validating of Automated Systems in Pharmaceutical Manufacture, GAMP4, (ISPE, Tampa, FL, 2001).

4. L. Huber, Validation of Computerized Analytical and Networked Systems, (Interpharm Press/CRC, Boca Raton, FL, 2002).

5. FDA Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Applications (Draft Feb. 2003, Final Aug. 2003). Available at http://www.fda.gov/cder/guidance/5667fnl.pdf.

6. ISPE, The Good Automated Manufacturing Practices (GAMP) Guide: Risk-Based Approach to Compliant Electronic Records and Signatures, (ISPE, Tampa, FL, 2005).

7. J.C. Famulare, "Current Status and Future Directions of Part 11," paper presented Sept 21, 2004.