The agency will use its enforcement discretion
The new mantra at the FDA concerning 21 CFR Part 11 is that “the agency will use its enforcement discretion” during the audit process for 21 CFR Part 11-compliant systems. The latest regulatory guidance for 21 CFR Part 11 represents the Agency's attempt to make Part 11 more flexible and easier to implement. The Agency acknowledges some of the challenges faced by industry as a result of Part 11, which restricted the use of some electronic systems, discouraged innovation in some cases, and resulted in significant costs.
21 CFR Part 11 Lives
Related links: Many organizations believe that Part 11 is all about electronic signatures. However, the regulation also includes specific best practices for electronic records. We therefore strongly recommend that you read the following:
- The final guidance for 21 CFR Part 11 (dated August 2003)
- 21 CFR Part 11 Final Rule (Original law dated)
The Agency makes very clear that Part 11 is still in effect. When reviewing the “enforcement discretion” statement, one must be very careful. Enforcement discretion does not mean that the Agency will not enforce! Upon careful inspection of the guidance, the FDA states, “We intend to enforce all other provisions of Part 11 including:
- Limited system access to authorized individuals;
- Use of operational system checks;
- Use of authority checks;
- Use of device checks;
- Determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks;
- Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures;
- Appropriate controls over systems documentation;
- Controls for open systems corresponding to controls for closed systems bulleted above (§ 11.30);
- Requirements related to electronic signatures (e.g. §§ 11.50, 11.70, 11.100, 11.200, and 11.300).”
A New Risk-Based Approach
According to leading industry analysts, the costs associated with 21 CFR Part 11 compliance are staggering and could vary from $5 million to $400 million per organization, depending on the size and state of compliance of the company. The new guidance suggests a risk-based approach to Part 11 compliance. When reviewing Part 11, one must first understand the legal, regulatory and practical implications of electronic records.
The basic qualities of good electronic records are their:
- authenticity
- reliability
- trustworthiness
- integrity
- accessibility as needed
From a legal perspective, the integrity of electronic records is key. The system and supporting processes all must be of the highest quality. Therefore, it is clear why the Agency stipulated its continued enforcement of the above-mentioned principles of Part 11. In other words, the Agency will maintain enforcement for all aspects of Part 11 that ensure record integrity.
Understanding Predicate Rule Requirements
Predicate rule requirements provide governance for most regulatory activities within a life sciences organization. Predicate rules are pre-existing regulatory requirements such as GLP, GMP, and GCP guidelines. These requirements are essential to Part 11 in that they provide the ground rules for management of electronic records produced in accordance with Part 11 guidelines. It is important to understand the risk associated with documents required under current predicate rules, and incorporate this risk assessment in the development of Part 11-compliant systems.
21 CFR Part 11 Best Practices
Compliance with 21 CFR Part 11 cannot be achieved with technology alone. It may only be achieved through technology coupled with policies and procedures to ensure compliance. The following best practices are organized according to technology and policy procedures. These best practices were adopted based on practical experience in developing Part 11-compliant systems since August 20th, 1997.
Technology Best Practices
- Audit trail must be independently generated. All changes to records within a Part 11-compliant system should include time- and date-stamped audit trails. Failure to do so violates 21 CFR Part 11.10(e), which clearly stipulates an “independently-recorded” audit trail. If an audit trail is independently recorded, that means it cannot and should not be turned on or off on demand. Further, as a control for closed systems, 21 CFR Part 11.10(j) states its intent is to “deter record and signature falsification”. Notice that the requirement cites BOTH record AND signature falsification.
- Ensure that the system maintains an “irrefutable link” between documents, metadata and the electronic signature. When electronic records are signed within Part 11-compliant systems, there must be an irrefutable link between the electronic record (document and/or associated metadata) and the electronic signature. Current best practice is to design systems such that whenever the electronic record is displayed, printed, or otherwise accessed, the signature manifestation is always displayed. Further, it is best practice to maintain this irrefutable link when archiving electronic records in order to maintain the integrity and authenticity of the records.
- Establish clear electronic signature manifestations for all electronic records. This is the most clearly defined part of the Final Rule; yet, it is the most misunderstood within the vendor community and the industry in general. If any record is signed in accordance with 21 CFR Part 11, it must include the following components, according to §11.50(a)(1),(2),(3):
- Printed name of the signer (e.g. John R. Smith);
- Date and time of signature execution (it is typically best practice to record the time on the server rather than the time on the user's desktop);
- Meaning of signature (such as review, approval, responsibility, or authorship).
It is current best practice to design systems in which these signature elements appear on all signed electronic records.
- Validate the system. 21 CFR Part 11.10(a) stipulates “validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” Although the agency relaxed some Part 11 requirements, it is still best practice to validate any Part 11-compliant system.
- Establish role-based access and control. The system must provide adequate security controls to prevent unauthorized access. Current best practice is to establish security based on the role of the user. In most systems, users play multiple roles. For instance, any given user may be both an author and a reviewer; security controls should thus support these roles and allow authorized system administrators to configure security access accordingly.
- Establish password and identification controls. 21 CFR Part 11.300 requires that password controls be unique and protected. Current best practice is to require password and ID control changes every 60 to 90 days. When employees are terminated or otherwise no longer require system access, their accounts should be disabled immediately in accordance with Part 11 guidelines.
- Series of signings. Best practice for execution of a series of signings in accordance with Part 11.200(1)(i) is to require BOTH signature components for each signing, although Part 11.200(1)(i) allows that, after the first signing, “subsequent signings shall be executed using at least one electronic signature component”.
- Avoid hybrid systems, where practical. A hybrid system is defined as an automated process which combines electronic records and manual paper records. Current best practice is to migrate to a fully automated electronic records/electronic signature system. Although the FDA does not prohibit hybrid systems, they have expressed concern over the years about their acceptability and ability to achieve sustained compliance. Amadeus' compliance process control systems allow organizations to avoid hybrid systems and processes and move to higher levels of compliance through automated compliance process control systems.
- Do not over-customize technology solutions. Over-customization has resulted in accelerated costs for compliance with Part 11. Be practical. All pharmaceutical, medical device and biotechnology organizations strive for the same goal when it comes to Part 11. Current best practice is to leverage off-the-shelf technology where applicable. There are many Part 11-compliant systems on the market. Apply the principle of caveat emptor: “let the buyer beware.” Examine your vendors' compliance with Part 11 requirements. Conduct supplier audits to ensure a quality-oriented software development process.
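As an added illustration of the audit-trail, irrefutable-link and signature-manifestation items above (example code written for this page, not Amadeus' product or any regulatory text), the sketch below binds a §11.50 manifestation (printed name, server time, meaning) to a hash of the record and its metadata using a server-held key, appends an audit entry the signer cannot suppress, and rejects the signature if the record, its metadata or the manifestation is altered afterward. The key, record, names and metadata are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real system keeps this in a protected key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def record_digest(document: str, metadata: dict) -> str:
    """Hash the document together with its metadata so both are bound to the signature."""
    payload = json.dumps({"document": document, "metadata": metadata}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def sign_record(document: str, metadata: dict, printed_name: str, meaning: str, audit_trail: list) -> dict:
    """Produce the §11.50 manifestation (printed name, time, meaning) bound to the record digest."""
    signed_at = datetime.now(timezone.utc).isoformat()  # server clock, not the user's desktop
    digest = record_digest(document, metadata)
    manifestation = {"printed_name": printed_name, "signed_at": signed_at,
                     "meaning": meaning, "record_digest": digest}
    msg = json.dumps(manifestation, sort_keys=True).encode()
    manifestation["tag"] = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    # The audit entry is written by the server as part of signing; there is no switch to skip it.
    audit_trail.append({"at": signed_at, "who": printed_name,
                        "action": "signed (%s)" % meaning, "record_digest": digest})
    return manifestation


def verify_signature(document: str, metadata: dict, manifestation: dict) -> bool:
    """True only if the manifestation is authentic and the record it binds to is unchanged."""
    claimed = dict(manifestation)
    tag = claimed.pop("tag", "")
    msg = json.dumps(claimed, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # name, time, meaning or digest was altered after signing
    return claimed["record_digest"] == record_digest(document, metadata)


def render_signed_record(document: str, manifestation: dict) -> str:
    """Whenever the record is displayed or printed, the signature manifestation travels with it."""
    return "%s\n--- Electronically signed by %s on %s (%s) ---" % (
        document, manifestation["printed_name"], manifestation["signed_at"], manifestation["meaning"])
```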
Policy and Procedure Best Practices
- Establish corporate internal policies and guidelines for Part 11. Written procedures codify management's intent and criteria for operational execution and excellence. 21 CFR Part 11 Subpart B 11.10 (j) requires “the establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification”. It is clear that the intent is to avoid fraudulent activity. Part 11 stipulates that such policies be established by each organization to ensure compliance. As a best practice, it is recommended that, at a minimum, the following policies and procedures be established in association with any system developed in compliance with Part 11:
- Validation policy and procedures (21 CFR Part 11.10(a))
- Disaster recovery
- Revision and change control procedures (21 CFR 11.10(k)(2))
- System access and security procedures (21 CFR Part 11.10(c),(d),(g))
- Training procedures (21 CFR Part 11.10(i))
- Document control procedures (21 CFR Part 11.10(k)(1), (2))
- Develop a clear, comprehensive migration strategy. As Part 11 systems mature, electronic records captured within the system must be migrated to near-line or far-line storage. Migration requires the transfer of the audit trail, electronic signatures and their associated records. It should be clear from paragraph 2 in the above technology best practices section that an irrefutable link must be maintained until ultimate destruction of the electronic record. In most cases, migration is an afterthought. Current best practice for Part 11 is to consider a comprehensive migration strategy up front. This involves review of predicate rule requirements and migrating complete electronic records to ensure integrity and authenticity.
- Understand the impact of Part 11 “open” or “closed” system definitions. An open system environment according to 21 CFR Part 11.3(9) means “an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system”. A closed system environment according to Part 11.3(4) means “an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system”. There are differences in the requirements depending upon the system type, so it is important to ensure that the company understands what type of system it has and if changes in that system will change its type. If so, they must ensure that the system still meets the Part 11 requirements.
- Establish retention policies based on current predicate rule requirements. Part 11 systems are designed to support the electronic management (signature/records) of records required by current predicate rules. Part 11 is not a mandate. It is a guideline for those organizations that CHOOSE to use electronic records and signatures. Prior to the development and deployment of any electronic records/signature system, current best practice is to establish retention policies based on current predicate rule requirements.
When determining your guidelines for Part 11 compliance, you should review the above current best practices. Best practices for Part 11 provide a baseline for acceptable systems implementation. Best practices by definition can be legally derived or based on acceptable industry standards. Part 11 is considered a legal best practice in and of itself.
Amadeus strongly recommends adopting a top-down approach to compliance. The new guidelines recently issued by the FDA are good and acceptable business practices, even in the absence of a strict regulatory requirement. Compliance with Part 11 makes good business sense. Determine how Part 11 can be best applied to your organization and use your best judgment as to applied technology. Amadeus offers a comprehensive suite of solutions that have Part 11 compliance built-in.