Requirements for Electronic Records Contained in 21 CFR 211

FDA Title 21 Code of Federal Regulations (CFR) Part 11, often referred simply as Part 11, came into effect on Mar. 20, 1997 (1, 2). Part 11 provides, under certain circumstances, the FDA acceptance criteria for electronic records (e-recs), electronic signatures (e-sigs), and handwritten signatures (h-sigs), which when executed to e-recs are equivalent to paper records (p-recs, where records are defined as a collection of related data treated as a unit) and h-sigs executed on paper.

After FDA issued Part 11, the global regulated industry turned its attention to e-recs and their related management. This article presents the opinion of the author about the need for Part 11 by the regulated industry. The author considers that Subpart B in Part 11, which focuses on electronic records, is not essential to delineate the FDA regulatory expectations on regulated e-recs in the cGMP framework (3). The elements contained in 21 CFR 11 Subpart B, Electronic Records, bring together the earliest FDA regulations and policies.

The e-rec requirements delineated in Part 11 are about predicate rules requirements. Since 1984, questions have been raised as to the applicability of various sections of the cGMP regulations to computer systems (4). It was established that where computer systems perform functions covered by cGMP regulations, software, in general, would be regarded as records. The kind of record (e.g., standard operating procedure, master production record) that the software constitutes will be governed by how the software is used in the manufacture, processing, packing, or holding of the drug product. The exact use will then be used to determine and apply the appropriate sections of the regulations that address equipment and records.

Consequently, understanding the regulatory requirements for records in the applicable regulation and how these records are managed on paper provides guidance as to how e-recs and data are to be appropriately managed electronically.

For example, 21 CFR Part 211 covers cGMPs for finished pharmaceuticals. When the regulated user uses a computer system to perform any regulated operation under Part 211, Section 211.68 (i.e., automatic, mechanical, and electronic equipment) provides the applicable regulatory requirements (5).

Speaking strictly on the integrity of information stored in computer systems, the applicable requirements in 211.68 include:

• Computer systems e-recs must be controlled including records retention, backup, and security

• There must be procedural controls and technologies to ensure the accuracy and security of computer systems I/Os data.

• Computer systems must have adequate controls to prevent unauthorized access or changes to data or e-recs, inadvertent erasures, or loss.

Based on the above requirements, the relevant principles applicable to e-recs and data in the 2008 cGMP include (6):

Access Authorization Principles

• Computer systems should have sufficient controls to prevent unauthorized access or changes to data. There should be controls to prevent omissions in data (e.g. the system turned off and data not captured). There should be a record of any data change made, the previous entry, who made the change, and when the change was made (7, 8).

Data Input Principles

• Input to and output from the computer or other records or data must be checked for accuracy (9).

• In the context of data integrity, computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records (10).

• Where critical data are being entered manually, there should be an additional check on the accuracy of the entry. This can be done by a second operator or by the system itself (7, 11).

• Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks (12).

Data Storage and Backup Principles

• Regular backups of all files and data should be made and stored in a secure location to prevent intentional or accidental damage (13, 14).

• A backup file of data entered into the computer or related system shall be maintained (15).

• Data should be checked periodically to confirm that they have been accurately and reliably transferred (16, 17).

• If system breakdowns or failures may result in the permanent loss of records, a back-up system should be provided. A means of ensuring data protection should be established for all computerized systems (7).

Section 21 CFR Part 11.10 describes the controls (whether technological or procedural) that must be implemented by the regulated user to ensure the integrity of the computer system operations and the information stored closed systems. The 21 CFR Part 211.68 requirements on e-recs can be correlated with those in 21 CFR Part 11.10, as shown in Table I.

Table I: Correlation of 21 CFR Part 211.68 with 21 CFR 11.10.

Computer systems electronic records must be controlled including records retention, backup, and security.

  d, g

There must be procedural controls and technologies to ensure the accuracy and security of computer systems I/Os electronic records and data.

  a, b, h

Computer systems must have adequate controls to prevent unauthorized access or changes to data, inadvertent erasures, or loss.

  c, d, e, g

Other requirements in Part 211 that complement 211.68 that can be correlated with Part 11.10 are shown in Table II.

Table II: Correlation of other portions of 21 CFR 211 with 21 CFR 11.10.

Personnel qualification, 211.25

  I

Process control (e.g., computer systems) properly designed, 211.100(a)

  f

Documentation and operational checks, 211.188(b)

  k, f

As illustrated, the correlation of Part 11 with Part 211 indicates that Part 11 is not essential.  The elements contained in 21 CFR 11 Subpart B, Electronic Records, bring together all applicable requirements to computer systems in Part 211.

As in Part 211, a similar analysis can be performed to each of the predicate rules (e.g., 820). The analysis will demonstrate that FDA regulatory expectations on regulated e-recs are embedded in each predicate rule and that 21 CFR 11 Subpart B is not necessary.

As a final thought, it is important to remember that the regulatory requirements for the data do not change whether data are captured on paper, electronically, or using a hybrid approach.

References

1. FDA, “21 CFR Part 11, Electronic Records; Electronic Signatures; Final Rule,” Fed. Regist. 62 (54) 13429 (Mar. 20, 1997).
2. Code of Federal Regulations, Title 21, Food and Drugs (Government Printing Office, Washington DC) Part 11.
3. O. López, Pharmaceutical Engineering, 21 (3), (2001).
4. FDA, “Computerized Drug Processing; CGMP Applicability To Hardware and Software,” Compliance Policy Guide 425.100.
5. O. López, J. GXP Compliance, 15 (2), 82–92 (2011).
6. FDA, “Code of Federal Regulations, Title 21 Food and Drugs, Parts 210 and 211, Direct final rule; Withdrawal; Amendment to the Current Good Manufacturing Practice Regulations for Finished Pharmaceuticals; Withdrawal,” Fed. Regist. 73 (66), 18440–18441 (Apr. 4, 2008).
7. ICH, Q7 GMPs Guide for Active Pharmaceutical Ingredients (2007).
8. EC, EudraLex, Volume 4, Annex 11: Computerized Systems, items 7.1, 9, 12 (Brussells, June 2011).
9. FDA, “Computerized Drug Processing; Input/Output Checking,” Compliance Policy Guide 425.400 (1987).
10. FDA, Final Guidance for Industry and FDA Staff: General Principles of Software Validation (Rockville, MD, Jan. 2002).
11. EC, EudraLex, Volume 4, Annex 11: Computerized Systems, item 6 (Brussells, June 2011).
12. EC, EudraLex, Volume 4, Annex 11: Computerized Systems, item 5 (Brussells, June 2011).
13. WHO, Technical Report Series 937, Annex 4. Appendix 5, Section 5.1 (Geneva, 2006).
14. EC, EudraLex, Volume 4, Annex 11: Computerized Systems, item 7.2 (Brussells, June 2011).
15. Code of Federal Regulations, Title 21, Food and Drugs (Government Printing Office, Washington DC) Part 211.68(b).
16. WHO, Technical Report Series 937, Annex 4, Appendix 5, Section 3.3 (Geneva, 2006).
17. EC, EudraLex, Volume 4, Annex 11: Computerized Systems, item 17 (Brussells, June 2011).

Orlando Lopez is a senior consultant with the Quantic Group, Fort Washington, PA.