A Brief History of 21 CFR Part 11
Jul. 1992: Draft rule is published (ANPRM)
Mar. 1997: Final rule is published
Jul. 1999: Enforcement policy
2001-2002: Various draft guidances
Feb. 2003: Withdrawal of enforcement policy
Feb. 2003: Withdrawal of draft guidances
Feb. 2003: Issue of new draft guidance
Aug. 2003: Issue of (final) guidance
Dec. 2005?: Draft issue of rewritten rule
Common Part 11 Terms
Subpart A, section 11.3, defines the terms used in Part 11 as follows:
Biometrics--A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.
Closed system--An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
Open system--An environment in which system access isn't controlled by persons who are responsible for the content of electronic records that are on the system.
Digital signature--An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and parameters such that the identity of the signer and the integrity of the data can be verified.
Electronic record--Any combination of text, graphics, data, audio, pictorial or other information representation in digital form that's created, modified, maintained, archived, retrieved or distributed by a computer system.
Electronic signature--A computer data compilation of any symbol or series of symbols executed, adopted or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
Handwritten signature--The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
All organizations involved in drug and device distribution, approval, manufacturing and quality assurance are aware of the Food and Drug Administration's 21 CFR Part 11 (or more familiarly, Part 11), but individuals within these organizations frequently have trouble understanding its application. The FDA considers any organization that uses electronic signatures to be an entity with an electronic record system that must comply with the code in its entirety. The FDA focuses on the systems of the aforementioned organizations because they directly affect public safety. Part 11 relates data integrity to the reliability of the electronic records created and managed by an organization's critical operating systems.
It's been nearly 13 years since the FDA published its first draft of this document in 1992 (see the "A Brief History of 21 CFR Part 11" timeline). During the last decade, the FDA published the final rule (1997), released an enforcement policy (1999) and drafted guidances (2001-2002). In 2003, however, the FDA withdrew the enforcement policy and the draft guidances and issued a new guidance, leaving industry experts perplexed about the FDA's resolve on Part 11 compliance. Many industry experts have misinterpreted these FDA actions as a retreat from enforcing the Part 11 code, but this idea does these industries a major disservice. Entities that have remained true to the intent of Part 11 by formally describing information technology (IT) best practices will be in a much better position to ensure that their data have the same or greater level of integrity than their shippable products.
Part 11 consists of three subparts. Subpart A contains the general provisions and describes the code's scope, implementation and definitions. Subpart B defines the requirements for electronic records and subpart C does the same for electronic signatures. The FDA defines the scope of Part 11 as follows: "The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper."
This regulation applies to all electronic records "created, modified, maintained, archived, retrieved or transmitted" under any FDA documentation requirements and includes "electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records aren't specifically identified in agency regulations." The regulation doesn't apply to electronically transmitted paper documents. Once a company meets all the regulation's requirements, electronic records and signatures are equal to handwritten documents and signatures, and the FDA has the right to inspect any hardware or software used to create, maintain or store these electronic documents.
Section 11.2 says that companies can maintain documents in electronic form and use electronic signatures in place of traditional signatures. An organization can present documents to the FDA electronically as long as they meet Part 11 requirements. In some cases (e.g., when not accepted under Part 11), companies must submit paper records for official submissions. The FDA must certify a company's electronic signatures. The required one-time certification is for an organization as a whole and helps ensure that companies recognize electronic signatures as equivalent to handwritten ones.
Section 11.3 simply defines the terms used in Part 11.
Subpart B focuses on electronic records and discusses the applicable controls for closed and open systems (sections 11.10 and 11.30, respectively), signature manifestations (11.50) and processes for linking signatures to documents (11.70). As written in subpart B, the integrity of system operations and information stored in a given system are protected by certain measures for closed systems including: "1) validation; 2) the ability to generate accurate and complete copies of records; 3) archival protection of records; 4) use of computer-generated, time-stamped audit trails; 5) use of appropriate controls over systems documentation; and 6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training and experience to perform their assigned tasks."
Whether a system is closed or open depends on whether the individuals responsible for the content of the electronic records control access to the system containing those records. If so, the system is closed; if not, it's open and requires additional precautions. These precautions include document encryption and using appropriate digital signature standards to ensure that entities maintain all records with "authenticity, integrity and confidentiality." Open systems also require all the controls required for closed systems.
To maintain closed-system security, only authorized individuals may access the system, perform operations or sign records electronically, and each of these actions must be verified with authority checks. In addition, organizations must hold authorized individuals accountable and responsible for any activity undertaken using their electronic signatures, through written policies intended to prevent fraudulent activities. Finally, a given entity must be able to provide the FDA, on demand, with readily retrievable, readable records for inspection and review, together with a secure, time-stamped audit trail recording all operator actions. New entries must not obscure previously recorded information.
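The closed-system controls just described (authority checks before an operation, a computer-generated and time-stamped audit trail, and a record of changes that never obscures earlier values) map naturally onto an append-only, hash-chained log. The following is an added illustration and not code from the article or from any vendor product; the user IDs, permitted operations and record values are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: an append-only, hash-chained audit trail for one
# electronic record, with an authority check before any operation is logged.

AUTHORIZED = {
    # user ID -> operations that user may perform (constructed sample data)
    "jdoe": {"create", "modify"},
    "qa_lead": {"create", "modify", "approve"},
}

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj):
    """Deterministic JSON encoding so that hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def _last_hash(self):
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def record(self, user, action, field, old_value, new_value, when=None):
        """Append one time-stamped entry; refuse if the user lacks authority."""
        if action not in AUTHORIZED.get(user, set()):
            raise PermissionError(f"{user} is not authorized to {action}")
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "action": action,
            "field": field,
            "old_value": old_value,  # prior value is kept, never overwritten
            "new_value": new_value,
            "prev_hash": self._last_hash(),  # links this entry to the one before
        }
        body["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, bad_index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            unsigned = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(canonical(unsigned)).hexdigest()
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def history(self, field):
        """Every value a field has held, oldest first: nothing is obscured."""
        return [(e["timestamp"], e["user"], e["old_value"], e["new_value"])
                for e in self.entries if e["field"] == field]


def build_sample_trail():
    """Constructed sequence: create a lot number, correct it, then approve."""
    t = AuditTrail()
    t0 = datetime(2005, 10, 3, 9, 0, tzinfo=timezone.utc)
    t.record("jdoe", "create", "lot_number", None, "L-1001", t0)
    t.record("jdoe", "modify", "lot_number", "L-1001", "L-1002", t0.replace(hour=10))
    t.record("qa_lead", "approve", "status", "draft", "approved", t0.replace(hour=11))
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    for row in trail.history("lot_number"):
        print(row)
    trail.entries[1]["new_value"] = "L-9999"  # simulate an after-the-fact edit
    print("after tampering:", trail.verify())
```

Each entry commits to the hash of its predecessor, so any later edit to an earlier entry is detected at verification time, and because the old value travels with every change the full history of a field remains readable. In production the chain's head hash would be anchored somewhere the operators cannot write to (write-once media, an external timestamping service, or a separate log system), since an attacker who can rewrite the entire chain from the altered point onward would otherwise go undetected.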
Section 11.50 covers signature manifestations, which must include: "the printed name of the signer, the date and time when the signature was executed, and the meaning (such as review, approval, responsibility and authorship) associated with the signature." Additionally, signature manifestations must meet all electronic record requirements. Specifically, each operator must indicate intent when signing something, and he or she has to re-enter the user ID and/or password (which shows awareness that he or she is executing a signature) and give the meaning for the electronic signature. To support this, section 11.50 states that signed electronic records shall contain information associated with the signing that indicates the printed name of the signer, the date and time, and the meaning, and that these items shall be included in any human-readable form of the record.
Section 11.70 requires that a given system must link a signature, whether electronic or handwritten, to a particular electronic record in such a manner that signatures are protected from excision, duplication or transfer that could result in document falsification. If an individual handwrites a signature on an electronically generated document, it must link to the electronic record. Peripheral but essential data describing the electronic data of interest are called "metadata" and must be integrated into the document they describe. Metadata might include who owns the data, the author, the size in bytes and the creation date. The FDA asserts that this link must be technology-based and verifiable, and that administrative and procedural controls alone won't protect the document's integrity; however, the FDA doesn't endorse or require the use of any particular technology to do so. (Note: The master record is still the electronic record, and signing a printout of an electronic record doesn't exempt the electronic record from Part 11 compliance.)
The general requirements of subpart C as outlined in section 11.100 say that electronic signatures are legally binding and equivalent to handwritten signatures. Only the one individual verified by the issuing entity can use a given electronic signature. Once assigned, an organization must not reassign an electronic signature nor allow its reuse by anyone other than the original assigned individual.
Part 11 doesn't outline which electronic records organizations must electronically sign, nor does it define who must sign them or when--that's the domain of the predicate rules (GxP regulations). Predicate rules mandate which records must be maintained and for how long, whether signatures are required and so forth, according to the requirements defined, where they exist, in the applicable FDA regulations (e.g., GxP: GLP, GMP and GCP) to which Part 11 applies.
Entities must design electronic signatures based upon biometrics in such a way that only the legitimate owner can use them according to section 11.200. When organizations base electronic signatures on something other than biometrics, they must use at least two discrete identification features (e.g., a password and an identification code). Section 11.300 says that organizations must employ controls that ensure the security and integrity of an electronic signature when basing these on the use of identification codes with passwords rather than biometrics.
Organizations must report attempts at electronic signature forgery according to Part 11, but the code doesn't define how this must occur. Most software solutions have a system in place for reporting abuse attempts. Although the controls for identification code and/or password usage are listed under subpart C, "Electronic Signatures," the controls for password and/or user ID usage apply to both electronic records and electronic signatures.
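Sections 11.50, 11.70 and 11.200, read together, describe one signing operation: the signer re-enters two identification components, the manifestation (printed name, date and time, meaning) is recorded, and the signature is bound to the record so that it cannot be excised, copied to another record or survive a change to the record. The block below is an added example of that operation and is not code from the article or from any vendor; user IDs, names, passwords and the record contents are constructed, and a keyed HMAC per signer stands in for the signing primitive (a closed-system simplification; an open system would use a PKI digital signature, which the article notes must meet "appropriate digital signature standards"). Failed credential re-entry is retained so that forgery attempts can be reported.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Constructed example: an electronic signature bound to one electronic record.
# Signing requires user ID + password (two components, 11.200); the manifestation
# carries printed name, time and meaning (11.50); the signature value covers the
# record digest, so it cannot be transferred or outlive an edit (11.70).

MEANINGS = {"authored", "reviewed", "approved"}  # meanings this system accepts


def canonical(obj):
    """Deterministic JSON encoding so digests are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SignatureService:
    def __init__(self):
        self.users = {}     # user_id -> name, salt, password hash, signing key
        self.failures = []  # user IDs of failed signing attempts (for reporting)

    def enroll(self, user_id, printed_name, password):
        salt = os.urandom(16)
        self.users[user_id] = {
            "name": printed_name,
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "key": os.urandom(32),  # per-signer secret; never reassigned to another person
        }

    def sign(self, record, user_id, password, meaning, when=None):
        """Re-verify both credential components, then bind signature to record."""
        u = self.users.get(user_id)
        if u is None or not hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"])):
            self.failures.append(user_id)
            raise PermissionError("user ID/password re-entry failed")
        if meaning not in MEANINGS:
            raise ValueError(f"unknown signature meaning: {meaning}")
        manifestation = {
            "printed_name": u["name"],
            "signed_at": (when or datetime.now(timezone.utc)).isoformat(),
            "meaning": meaning,
        }
        record_digest = hashlib.sha256(canonical(record)).hexdigest()
        to_sign = canonical({"record": record_digest, **manifestation})
        value = hmac.new(u["key"], to_sign, hashlib.sha256).hexdigest()
        return {"user_id": user_id, **manifestation, "value": value}

    def verify(self, record, signature):
        """True only if this signature was made by this signer over this record."""
        u = self.users.get(signature["user_id"])
        if u is None:
            return False
        record_digest = hashlib.sha256(canonical(record)).hexdigest()
        to_sign = canonical({
            "record": record_digest,
            "printed_name": signature["printed_name"],
            "signed_at": signature["signed_at"],
            "meaning": signature["meaning"],
        })
        expected = hmac.new(u["key"], to_sign, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature["value"])


def render(record, signature):
    """Human-readable form of the signed record, manifestation included (11.50)."""
    return (f"{canonical(record).decode()}\n"
            f"Signed by: {signature['printed_name']} ({signature['user_id']})\n"
            f"Date/time: {signature['signed_at']}\n"
            f"Meaning:   {signature['meaning']}")


if __name__ == "__main__":
    svc = SignatureService()
    svc.enroll("jdoe", "Jane Doe", "correct horse")  # constructed credentials
    rec = {"doc": "DHR-0042", "lot": "L-1001", "result": "pass"}
    sig = svc.sign(rec, "jdoe", "correct horse", "approved")
    print(render(rec, sig))
    print("valid on original:", svc.verify(rec, sig))
    print("valid after edit:", svc.verify({**rec, "result": "fail"}, sig))
```

The verification step recomputes the record digest, so a record altered after signing, or a signature copied onto a different record, fails in exactly the same way; the manifestation fields are inside the signed data as well, so the meaning or timestamp cannot be changed after the fact without invalidating the signature.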
The confusion surrounding the withdrawal of the enforcement policy, and the withdrawal and reissue of the draft guidance, has left practitioners wondering about the best next step. The FDA's 2003 Guidance for Industry, Part 11, "Electronic Records; Electronic Signatures--Scope and Application" states, "As an outgrowth of its current good manufacturing practice (cGMP) initiative for human and animal drugs and biologics, FDA is re-examining Part 11 as it applies to all FDA-regulated products. We anticipate initiating rulemaking to change Part 11 as a result of that re-examination. This guidance explains that we will narrowly interpret the scope of Part 11. While the re-examination of Part 11 is underway, we intend to exercise enforcement discretion with respect to certain Part 11 requirements. That is, we do not intend to take enforcement action to enforce compliance with the validation, audit trail, record retention and record-copying requirements of Part 11 as explained in this guidance. However, records must still be maintained or submitted in accordance with the underlying predicate rules, and the Agency can take regulatory action for noncompliance with such predicate rules. In addition, we intend to exercise enforcement discretion and do not intend to take (or recommend) action to enforce any Part 11 requirements with regard to systems that were operational before August 20, 1997, the effective date of Part 11 (commonly known as legacy systems)."
The FDA anticipates release of a new draft and proposed rule for Part 11 in December 2005, and the Good Automated Manufacturing Process (GAMP) guide is anticipating how this will affect practitioners. According to Per Olson of ABB Group, who conducted a recent audio conference titled "Introduction to GAMP Good Practice Guide: A Risk-Based Approach to E-Record Compliance," the FDA's new draft release expected in December 2005 should reflect a very similar theme to the new GAMP guide. Regardless, GAMP's guidance provides an excellent risk-driven, value-based model for applying electronic records and signature compliance regulations.
In the quest for greater efficiency, many organizations are converting to electronic systems. Most currently have in place some sort of hybrid system that combines paper and electronic records. For example, an individual might use the computer system to create electronic-device history records (eDHR) and then print the document, apply a handwritten signature and file it. The justifications for moving to a "paperless" environment include 99.99-percent error-free revision control, a significant increase in first-pass yields and reducing quality review times by as much as 70 percent. Although using electronic signatures and records is voluntary, once an entity chooses to employ electronic documentation of any type and use it as the "system of record," it must comply with Part 11. The FDA regulations provide criteria that define acceptable electronic records and electronic signatures as well as criteria for executing handwritten signatures to electronic records; these criteria determine when the FDA will consider electronic records and signatures as equivalent to paper records and handwritten signatures.
Again, the FDA mandates that organizations provide a secure audit trail for all electronic records and signatures. Organizations must initiate the audit trail for data and textual information at different points. For example, the moment data arrive at the durable-media stage, they must be audit-trailed. The FDA doesn't currently specify the types of media used for archiving (e.g., CD-ROM or floppy disk), so the best bet for an individual company is to aim for longevity of the medium. Textual documents are unique in that they must be audit-trailed upon approval.
Despite what some software vendors may tell you, there is no such thing as an "FDA-compliant" software package. Vendor audits are necessary to ensure that a product's technical controls are compliant, but organizations must carefully examine any software implementation in their facilities because the applicable system validation, and the corresponding procedural (e.g., capability maturity model) and administrative (e.g., software development life cycle) controls, are ultimately the user's responsibility. No vendor can guarantee compliant software for Part 11 because the FDA doesn't endorse any software solution; however, a vendor can help a compliant system meet the technical requirements of Part 11 based on its interpretation of the regulation by having all the technical controls for Part 11 compliance built directly into the product. Technology that uses a systemic approach to compliance can help practitioners leverage multiple business and regulatory initiatives with data elements to create a manufacturing compliance platform that works to combine operational manufacturing, corporate enterprise and quality compliance. A solid software solution meets these requirements effortlessly.
In anticipation of the forthcoming rewritten rule, the above information should provide some insight into the applicability of risk-based approaches to electronic records and electronic signatures. As with all best practices, enormous gains in efficiency and productivity will ultimately result in significant cost savings from implementation. Documentation and paper-trail methodologies have become so costly that compliance can actually exceed manufacturing costs. Part 11 isn't just a cost of doing business; it's a trail of forensic evidence testifying to the quality of products.
References
13430 Federal Register, Vol. 62, No. 54, Thursday, March 20, 1997. Rules and regulations, Department of Health and Human Services, Food and Drug Administration. 21 CFR Part 11 [Docket No. 92N-0251] RIN 0910-AA29 Electronic Records; Electronic Signatures (www.21cfrpart11.com/pages/faq/).
Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach. FDA, 2002 (www.fda.gov/oc/guidance/gmp.html).
General Principles of Software Validation; Final Guidance for Industry and FDA Staff. FDA, Center for Devices and Radiological Health, Center for Biologics Evaluation and Research, 2002 (www.fda.gov/cdrh/comp/guidance/938.html).
Guidance for Industry, FDA Reviewers and Compliance on Off-the-Shelf Software Use in Medical Devices. FDA, Center for Devices and Radiological Health, 1999 (www.fda.gov/cdrh/ode/guidance/585.html).
Joseph Vinhais, RAC, is vice president of regulatory compliance for Camstar Systems Inc. and brings 20 years of experience in quality management and manufacturing best practices to the life sciences industry. Vinhais provides leadership in FDA, GxP, ISO, and QS regulatory and compliancy requirements within product, marketing and sales initiatives for world-class organizations.