Understanding FDA 21 CFR Part 11
Understanding FDA 21 CFR Part 11 and how it affects you: signing digital documents in the pharmaceutical industry. Pharmaceutical manufacturing is a strictly regulated process in which each step must be documented and followed precisely. The records can be paper-based or electronic, and the FDA's regulation and guidance set out what manufacturers must do for electronic records to be acceptable.
In previous articles we looked at how to comply with 21 CFR Part 11. In this article, we will examine the terminology used in this specific regulation for the compliant systems and digital signatures.
Types of Digital Environments
- Closed system
- Open system
The rules governing manufacturing activities in the pharmaceutical industry and the distribution of medicines were written with these two environments in mind.
Below we will examine both types of systems and their specific requirements.
Closed System – The Organization Controls the Digital Environment
21 CFR Part 11, Section 11.3(b)(4) defines a closed system as follows:
Closed System means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
The essential point of the definition is that any platform, software or server used for regulated activities must be under the company's own control: the people responsible for the content of the records decide who can access the system.
The term “system” has a broader meaning when read in the context of 21 CFR. It includes:
- Everything that is used in the generation, modification, storage, and retrieval of the electronic records
- The tools which were used in the generation of the electronic records, along with the established controls on these tools
- The people, the machines, and the methods utilized to execute a given task
In a closed system the whole system is under the company's control, and no external party can reach it without explicit permission.
The users who create the electronic records are themselves responsible for the authenticity and integrity of their content throughout the records' entire life cycle.
Consider an automated manufacturing plant where the company develops its own software, installs it on its own servers and keeps the system on its premises. The company is the sole owner of the system. Access control (users, groups, security levels) determines who may use the system, and privileges are granted per level.
Part 11 Requirements of Electronic Records for Closed System
The requirements for electronic records are set out in 21 CFR Part 11, Subpart B (Electronic Records); the controls for closed systems are in Section 11.10.
These requirements must be met without exception by every pharmaceutical company. Part 11 applies to records that the predicate rules (for example the cGMP regulations) require to be kept and that are created, modified, maintained, archived, retrieved or transmitted in electronic form, at every stage of manufacturing.
Below are the requirements in three different parts for a Closed System.
A. Generation of Electronic Records
- The generation of electronic records must be made only through validated systems, to ensure they are compliant.
- The validation procedure and its documentation must demonstrate that the software produces accurate, reliable, complete and consistent electronic records, and that it is able to discern invalid or altered records.
- The software must also be able to generate accurate and complete copies of records in both human-readable and electronic form (i.e., all digital components of a record, such as raw data and metadata), suitable for inspection, review and copying by the agency.
- When electronic records are created, modified or deleted:
- Secure, computer-generated, time-stamped audit trails must be maintained. The system must record the complete history of the record automatically, independently of the operator.
- Changes must never obscure previously recorded information: new data is recorded alongside the original data, never over it.
- The system must enforce the permitted sequence of steps in the electronic workflow (operational system checks), together with the implemented access controls and security checks.
- Persons who develop, maintain or use the system, and those who assign the authority to create, modify or maintain electronic records, must have the education, training and experience to perform their tasks. The organization must document that these individuals are qualified for their assigned tasks under the regulatory requirements.
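The audit-trail requirements above (system-generated timestamps, complete history, no overwriting of earlier data) are usually met by making the trail append-only and tamper-evident. The following Go program is an added example, not code from the article or from any particular eQMS product: it hash-chains each entry to its predecessor so that editing or removing an earlier entry is detected, and it keeps the old value next to the new one. The batch identifier, user names and assay values are constructed sample data; `SimulateDirectEdit` stands in for someone editing the database behind the application's back and is not something a real trail would expose.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditEntry is one line of the audit trail. OldValue is recorded next to
// NewValue so that a modification never obscures the previously recorded data.
type AuditEntry struct {
	Seq       int
	Timestamp string // RFC 3339 in UTC, generated by the system, not the user
	User      string
	Action    string // "create", "modify" or "delete"
	RecordID  string
	OldValue  string
	NewValue  string
	PrevHash  string // Hash of the preceding entry; "" for the first entry
	Hash      string // SHA-256 over every field above
}

// digest hashes all fields of the entry, including the link to the previous
// entry. A unit-separator byte keeps field boundaries unambiguous.
func (e AuditEntry) digest() string {
	fields := []string{
		fmt.Sprint(e.Seq), e.Timestamp, e.User, e.Action,
		e.RecordID, e.OldValue, e.NewValue, e.PrevHash,
	}
	sum := sha256.Sum256([]byte(strings.Join(fields, "\x1f")))
	return hex.EncodeToString(sum[:])
}

// Trail is append-only: it exposes no method to edit or delete an entry.
type Trail struct {
	entries []AuditEntry
	now     func() time.Time // injectable clock, deterministic in tests
}

func NewTrail(clock func() time.Time) *Trail {
	if clock == nil {
		clock = time.Now
	}
	return &Trail{now: clock}
}

// Append records a create/modify/delete event and chains it to the last entry.
func (t *Trail) Append(user, action, recordID, oldValue, newValue string) AuditEntry {
	e := AuditEntry{
		Seq:       len(t.entries) + 1,
		Timestamp: t.now().UTC().Format(time.RFC3339),
		User:      user,
		Action:    action,
		RecordID:  recordID,
		OldValue:  oldValue,
		NewValue:  newValue,
	}
	if n := len(t.entries); n > 0 {
		e.PrevHash = t.entries[n-1].Hash
	}
	e.Hash = e.digest()
	t.entries = append(t.entries, e)
	return e
}

// Verify recomputes every hash and checks sequence numbers and chain links.
// It returns the Seq of the first bad entry, or 0 when the trail is intact.
// Truncating the tail is only detectable against an external anchor, e.g. the
// last hash stored in a backup or a signed checkpoint (not shown here).
func (t *Trail) Verify() (int, error) {
	prev := ""
	for i, e := range t.entries {
		if e.Seq != i+1 {
			return e.Seq, errors.New("sequence gap: an entry was removed")
		}
		if e.PrevHash != prev {
			return e.Seq, errors.New("chain link broken: preceding entry altered or removed")
		}
		if e.digest() != e.Hash {
			return e.Seq, errors.New("entry hash mismatch: entry altered after it was written")
		}
		prev = e.Hash
	}
	return 0, nil
}

// Entries returns a copy so callers cannot mutate the trail through the slice.
func (t *Trail) Entries() []AuditEntry {
	return append([]AuditEntry(nil), t.entries...)
}

// SimulateDirectEdit mimics a value being changed in the database behind the
// application's back. Demo/test only; a real trail must not expose this.
func SimulateDirectEdit(t *Trail, seq int, newValue string) {
	t.entries[seq-1].NewValue = newValue
}

func main() {
	tr := NewTrail(nil)
	tr.Append("qa.analyst", "create", "BATCH-0042", "", "assay=98.1")
	tr.Append("qa.analyst", "modify", "BATCH-0042", "assay=98.1", "assay=98.4")
	tr.Append("qa.manager", "modify", "BATCH-0042", "assay=98.4", "assay=98.4;reviewed")
	seq, err := tr.Verify()
	fmt.Println("intact trail:", seq, err)

	SimulateDirectEdit(tr, 2, "assay=99.9") // tamper with the second entry
	seq, err = tr.Verify()
	fmt.Println("after direct edit:", seq, err)
}
```

The chain only proves that nothing was changed after it was written; it does not stop a privileged user from appending a bogus entry under someone else's name, which is why the access and authority checks in section B are still needed on top of it.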
B. Control and Access of Electronic Records
- A detailed SOP (Standard Operating Procedure) has to be written regarding the control and maintenance of electronic records in the organization.
- The SOP must define the procedures and controls applied at each level of the workflow to ensure the integrity, authenticity and, where appropriate, confidentiality of the electronic records.
- The access of all computerized systems has to be limited to authorized persons only.
- All users who have access to the system need to be clearly identified, and their scope of access (permission level) needs to be defined clearly without ambiguity.
- The creator of an electronic record is responsible for its content. The system must unambiguously attribute each generated record to a unique user identity; shared or generic accounts break this attribution.
- When an external device (for example a terminal or an instrument) is used to enter data into the computer system, device checks must confirm that the source of the data input or operational instruction is valid.
- Company-wide policies and procedures have to be defined for the use of electronic signatures. These need to be linked to the users’ operations and to the electronic records in the computerized systems.
- The policies must hold every user accountable for the integrity and confidentiality of the electronic records, and for the use of electronic signatures at all levels of operations and the electronic workflows.
C. Maintenance and Retention of Electronic Records
- The electronic records have to be retained as long as they are required, as per the requirements in the predicate rules.
- The records must be stored in a secure environment that protects them from loss, including natural disasters and fire.
- A disaster recovery plan, and the systems needed to execute it, must be in place.
- The audit trail of the data must be available for the entire lifetime of the electronic record.
- The introduction, revision and distribution of the system's operating procedures must go through a formal control mechanism such as a change control procedure.
- Access to the computerized system's operating procedures must be adequately controlled.
- To prevent unauthorized changes, maintenance of the computerized system must be carried out through a proper change control process.
- Audit trails must never be switched off or altered ad hoc: the introduction, modification or removal of any audit trail functionality must go through change control.
Since the organization controls both the system and the electronic records in a closed system, it is responsible for meeting the requirements above.
It is therefore also accountable for any tampering with or falsification of electronic records that takes place within its own regulated environment; compliance with Part 11 does not shift that responsibility elsewhere.
Open System – Organization is not in Control of the Digital Environment
21 CFR Part 11, Section 11.3(b)(9) defines an open system as follows:
Open System means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system
This definition covers organizations that use platforms and servers outside their own control to generate, store or transfer electronic records.
Cloud services and other internet services operated by third parties typically fall into this category, because the third party, not the owner of the records, controls who can access the system.
In such an environment the users can create or retrieve electronic records, but they do not control who can access the system or the path over which the records travel. A record can therefore be altered in transit or on the third-party system (for example while being uploaded to a cloud eQMS) without the organization noticing. This does not relieve the organization of responsibility for the content of its records; it means the organization cannot rely on access control alone and must add technical measures (encryption, digital signatures) so that any change between sender and receiver is prevented, or at least detected.
Suppose an organization sends an electronic document, RecordX.doc, to the US FDA by email.
There is no guarantee that the attachment will reach the FDA unmodified: an attacker positioned between sender and recipient could alter the content after the message is sent and before it is received, and plain email gives the recipient no way to tell.
For this reason additional controls are required when an organization uses an open system. The record's authenticity, integrity and confidentiality must be ensured by appropriate security measures.
Part 11 Requirements Of Electronic Records – Open System
In an open system the organization still owns its records and the signer still vouches for their content; what the organization lacks is control over the environment that stores or carries them. That gap has to be closed with technical measures rather than with access control.
All requirements described for a closed system remain fully applicable to an open system (Section 11.30 builds on the Section 11.10 controls). The additional measures required are as follows.
- A detailed SOP (Standard Operating Procedure) must be written for the creation, modification, maintenance and transmission of electronic records.
- Procedures must be established and adequate controls implemented to secure electronic records while they are transmitted over the internet.
- The procedures and controls for electronic records in an open system must ensure the records' authenticity, integrity and confidentiality.
- Adequate security checks must be in place throughout the whole record management process, from creation to receipt; for example malware protection, firewalls and antivirus software on the systems involved.
- Document encryption must be used wherever appropriate, to protect the confidentiality of records in transit and while they sit on third-party systems.
- Digital signatures, following an appropriate digital signature standard, must be used to ensure the record's authenticity and integrity: the recipient can verify that the record came from the claimed signer and has not been altered since it was signed. A signature alone does not provide confidentiality; that is what the encryption requirement above is for.
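The RecordX.doc email scenario above, and the digital-signature requirement that addresses it, as an added example in Go (not code from the article or from any product it mentions). The signer signs a manifest that binds a hash of the record content to the signature manifestation fields that Section 11.50 requires (printed name, date and time, meaning of the signature), so that none of them can be changed in transit without the recipient noticing. The record text, signer name and timestamp are constructed sample data; the example assumes the recipient already holds the signer's public key from a trusted out-of-band source, and it does not implement the separate encryption step needed for confidentiality.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SignedRecord is what travels over the open channel: the record content, the
// signature manifestation fields (printed name, date/time, meaning) and the
// signature that binds all of them together.
type SignedRecord struct {
	Content   []byte
	Signer    string // printed name of the signer
	SignedAt  string // RFC 3339 timestamp
	Meaning   string // e.g. "authored", "reviewed", "approved"
	Signature []byte
}

// manifest is the byte string that is actually signed. Hashing the content
// and joining it with the manifestation fields means none of them can be
// changed independently of the others without invalidating the signature.
func manifest(content []byte, signer, signedAt, meaning string) []byte {
	h := sha256.Sum256(content)
	return []byte(strings.Join([]string{
		"part11-record-v1", hex.EncodeToString(h[:]), signer, signedAt, meaning,
	}, "\n"))
}

// SignRecord produces the bundle the sender transmits.
func SignRecord(priv ed25519.PrivateKey, content []byte, signer, signedAt, meaning string) SignedRecord {
	return SignedRecord{
		Content:   append([]byte(nil), content...),
		Signer:    signer,
		SignedAt:  signedAt,
		Meaning:   meaning,
		Signature: ed25519.Sign(priv, manifest(content, signer, signedAt, meaning)),
	}
}

// VerifyRecord is run by the recipient with the signer's public key, which
// must come from a source the recipient already trusts (not from the message).
func VerifyRecord(pub ed25519.PublicKey, r SignedRecord) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if len(r.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	m := manifest(r.Content, r.Signer, r.SignedAt, r.Meaning)
	if !ed25519.Verify(pub, m, r.Signature) {
		return errors.New("signature invalid: content or manifestation altered, or wrong signer key")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this would be the bytes of RecordX.doc.
	record := []byte("Batch BATCH-0042 release record: assay 98.4%, all specs met")
	signed := SignRecord(priv, record, "A. Analyst", "2024-03-01T09:00:00Z", "approved")
	fmt.Println("as sent:", VerifyRecord(pub, signed))

	tampered := signed // what the FDA would receive if the content were altered in transit
	tampered.Content = []byte("Batch BATCH-0042 release record: assay 99.9%, all specs met")
	fmt.Println("content altered in transit:", VerifyRecord(pub, tampered))

	relabelled := signed // same content, but the claimed meaning of the signature changed
	relabelled.Meaning = "reviewed"
	fmt.Println("meaning altered:", VerifyRecord(pub, relabelled))
}
```

Two points carry over to any real deployment: the verification only means something if the public key is tied to the named signer through a trusted channel (a PKI, or keys exchanged in advance), and the private key must be protected so that only that signer can use it, otherwise the uniqueness and non-repudiation that Part 11 expects of a signature are lost.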
Because of this, an organization must be more careful and plan further ahead when an open system is used for regulated activities.
In general a closed system is the safer choice for federally regulated activities in the pharma industry: it keeps access control in the organization's hands, reduces the exposure of records in transit, and lowers business risk. It does not by itself guarantee data integrity; the closed-system controls above still have to be implemented and validated.
Availability of Electronic Records for FDA Inspection (audit)
All electronic records that fall under the cGMP records category, and thus must be maintained under the predicate rules, must be available for US FDA inspection at any time.
This applies to all US and foreign companies that wish to market products in the US.
The electronic records need to be:
- Displayed in human-readable form, for example through electronic display or printed form.
- Readily available throughout the record's life cycle or retention period, at any time, for review and inspection by the US FDA.
- Complete, accurate and consistent throughout the record's life cycle, and demonstrably untampered (original) when shown to the US FDA during an inspection.
If copies of original electronic records are submitted for FDA review, those copies must meet the same requirements described for closed and open systems, i.e. all Part 11 requirements.
FDA 21 CFR Part 11 regulates the use of electronic records that are used for federally regulated purposes.
All such records must be available in human-readable form and ready for inspection at any time.
Part 11 describes two types of digital environment: the closed system and the open system.
In this post we have examined both types and the specific requirements for them.
In a closed system the organization controls the environment, and the signer of an electronic record is responsible for its content.
In an open system the environment is controlled by a third party. The organization is still responsible for its records and the signer still vouches for their content, but access control is out of the organization's hands, so the system needs additional technical measures (encryption and digital signatures) to protect the authenticity, integrity and confidentiality of the electronic records.
Regardless of the chosen system type, all electronic records must be generated through properly validated computerized systems and all records must be accurate, reliable, complete and consistent throughout their life-cycle.