In the late 1990s, the Food and Drug Administration (FDA) began to address the use of computers and software systems in the drug/device discovery, submission and approval process. This led to the establishment of Title 21 CFR Part 11, the part of the Code of Federal Regulations that establishes the FDA’s regulations on electronic records and electronic signatures. Commonly referred to simply as Part 11, it defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. In layman’s terms, FDA 21 CFR Part 11 compliance dictates that companies that use electronic systems for document and signature control must provide assurance that the electronic documents are authentic. This concept is widely referred to as data integrity.
The following diagram outlines all the key components of 21 CFR Part 11 requirements:
A review of some simple and direct questions regarding Part 11 compliance can help you to understand its requirements and implementation.
Which systems are affected by the 21 CFR Part 11 Requirements?
Part 11 applies whenever information is to be electronically generated, amended, stored, transferred or accessed. This can involve very different types of information, such as text data, images and videos and even audio files. The requirements for IT systems must be met if the documents generated, stored, transmitted or amended are used to demonstrate compliance with regulatory requirements, such as:
- Release and test protocols
- Process and work instructions
- Design drawings, software architecture documentation
- Specifications, request documents
- Records (example: production records, test results)
- Review protocols
As a rule of thumb, you can say that systems are subject to 21 CFR Part 11 data integrity regulations if the documents “managed” within the systems are submitted to the FDA or relevant for an FDA inspection, i.e. the testing of the Quality Management system to ensure it complies with 21 CFR Part 820.
What are the “key” obligations of a 21 CFR Part 11 Compliant System?
- System validation that confirms the ability to detect invalid or altered records
- Generation of human readable records.
- Ensuring the protection of records – records/data cannot be altered
- Limiting system access to authorized individuals
- Use of computer-generated, time-stamped audit trails that show who changed what and when.
- Operational system checks to ensure that only the permitted sequencing of steps and events is enforced.
- Authority checks to ensure that only authorized users can use the system and access the operating system, computer or peripherals.
- Peripheral checks to ensure that the inputs and outputs are correct.
- Training of the people who work with the system or develop it.
- Prevention of falsification so that people are liable in writing for what they sign.
- System documentation on who has access to the system, how this access is granted, whether it be for the use or maintenance of the system, and on who changed what in the system and when.
A key component of any current Part 11 software centers on the use of digital or electronic signatures. What are the necessary parameters to ensure that this section of the system meets the FDA requirements?
- Content: A digital signature must contain the name of the signatory, the date and time of the signature and the meaning of the signature (e.g. review, approval, author, etc.).
- Protection against falsification: It must not be possible to falsify the digital signature.
- Link to document: The signature must be linked to the document in such a way that it cannot be used on other documents.
- Uniqueness: It must be possible to assign the signature to a specific individual.
- Biometric and non-biometric methods: The identification must be based on biometric methods or two distinct identification components such as an identification code and password.
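The content, falsification and link-to-document points above can be illustrated with a short sketch. This is an added example, not code from the original article or from any validated Part 11 product. It assumes hypothetical names (`sign_record`, `verify_record`, `SIGNER_KEYS`) and uses an HMAC with a per-signer secret as a standard-library stand-in for a real signature scheme.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed per-signer secrets (assumption); a production system would use
# asymmetric keys held in an HSM or credential store, not an in-code dict.
SIGNER_KEYS = {"jdoe": b"constructed-demo-key-jdoe"}
ALLOWED_MEANINGS = {"author", "review", "approval"}


def _canonical(manifest):
    # Stable serialization so signer and verifier MAC identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_record(document, user_id, full_name, meaning, when=None):
    """Return a signature manifest bound to this exact document (bytes)."""
    if meaning not in ALLOWED_MEANINGS:
        raise ValueError(f"unknown signature meaning: {meaning}")
    when = when or datetime.now(timezone.utc)
    manifest = {
        "signer_id": user_id,            # uniqueness: one specific individual
        "signer_name": full_name,        # content: name of the signatory
        "signed_at": when.isoformat(),   # content: date and time
        "meaning": meaning,              # content: review, approval, author
        "doc_sha256": hashlib.sha256(document).hexdigest(),  # link to document
    }
    tag = hmac.new(SIGNER_KEYS[user_id], _canonical(manifest), hashlib.sha256)
    return {**manifest, "mac": tag.hexdigest()}


def verify_record(document, signed):
    """True only if the manifest is unmodified and belongs to this document."""
    manifest = {k: v for k, v in signed.items() if k != "mac"}
    key = SIGNER_KEYS.get(manifest.get("signer_id"))
    if key is None or "mac" not in signed:
        return False
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed["mac"])):
        return False  # a manifest field (name, time, meaning) was altered
    actual = hashlib.sha256(document).hexdigest()
    # A signature copied onto a different document fails here.
    return hmac.compare_digest(actual, str(manifest.get("doc_sha256", "")))
```

Because the document hash sits inside the authenticated manifest, the same signature cannot be reused on another record, and changing the name, time or meaning invalidates it.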
While a read-through of the actual CFR document specific to Part 11 compliance can understandably make anyone’s head spin, the key questions outlined above can help you form a basic understanding of the FDA requirements. The requirements are truly based on a simple directive: ensure that the data generated by a system is authentic, maintains integrity and is not subjected to alteration in any form.
The Leak Detection Associates’ Management Team understands the significance of regulatory guidance and requirements to its clients and is leading the helium leak detection industry sector in the area of 21 CFR Part 11 data integrity regulations specifically. Currently under development is a new software program that will operate a Helium Leak Detector in a manner that will adhere to all 21 CFR Part 11 Compliance requirements.