In FDA-regulated industries, 21 CFR Part 11 governs the use of electronic records and electronic signatures required by the predicate regulations covering manufacturing activities. It focuses mainly on ensuring the validity, reliability, and integrity of data held as electronic records and signatures. The agency put the regulation into effect to establish baseline compliance criteria for electronic systems and to lessen the likelihood of data theft.
The following factors are crucial for complying with 21 CFR Part 11.
Implement Predicate Rules to Ensure Full Compliance
Predicate rules are FDA rules that compel businesses to keep specific records and provide data (from both paper and electronic sources) in order to comply.
To use Part 11, FDA-regulated organizations and people working with electronic systems and records must be aware of the predicate regulations that are relevant to their industry.
In regard to concerns involving signatures and records, 21 CFR Part 11 permits:
- Every rule that requires a record must be satisfied by an electronic record.
- Any requirement for a signature in a predicate rule must be satisfied by an electronic signature.
It should be emphasised that predicate rules do not specifically address software or computer validation.
Although 21 CFR Part 11 addresses electronic signatures, records, and system validation, it is the predicate rule that specifies the types of records needed and the signatures required to validate or certify them. It is therefore imperative for businesses to raise their level of understanding of the predicate regulations that serve as the foundation for Part 11 compliance.
Implement Strict Security Procedures
Authentication, the process of confirming the identity of users, is crucial for completing electronic transactions, managing access to vital data assets, and avoiding record manipulation.
The regulations state that “records are less trustworthy and reliable” if it is relatively simple for someone to figure out, or execute by accident, a person’s electronic signature when the ID is not confidential and the password is obvious.
Businesses should ensure that they use software with enhanced security features, such as user IDs and strong passwords (ideally with two-factor authentication). This provides high assurance of the reliability of records.
Assure Secure Data Transfer
Part 11 compliance is based on the safe flow of data. The following procedures must be implemented in electronic systems by companies subject to FDA regulation in order to ensure this:
- Data can be inactivated but shouldn’t be deleted, so control and restrict the ability to delete. Once the audit trails have been created and saved somewhere else, the archiving process can be stopped.
- Encrypt every piece of data that is transmitted outside of the intranet barrier.
- Encrypt any data taken offsite by laptops or other portable devices.
- Build checks into the operational systems to ensure accurate event sequencing (for example, a three-step event shouldn’t skip the second stage) and the accuracy of input data (dates have to be dates, numbers have to be numbers, and so on).
- Unambiguous date formats should always use the first three letters of the month, such as JAN or FEB, because they are the most widely recognised. The format should be DD-MMM-YYYY (e.g. 31-DEC-2021).
Create Audit Trails for Each and Every Electronic Document
Audit trails make it possible to verify and authenticate the integrity of regulated data and signatures, which is often the biggest problem for businesses subject to FDA regulation. An audit trail is a documentation archive or sequence of documents that allows an event’s timeline to be reconstructed, and it should include:
- the reason for the change
- the name and user ID of the person who made the change
- the time and date
- the initial and final entries in the database
Businesses should make sure that every transaction made in the system database and every change made to electronic data (including any modification, updating, or deletion) is documented through an audit trail.
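The controls listed in the two sections above (inactivate instead of delete, event sequencing, DD-MMM-YYYY dates, and an audit entry recording who, when, why, and the old and new values) look like this in code. This is an added example, not code from the original article; the `RecordStore` class, the field names, and the three workflow step names are hypothetical.

```python
import re
from datetime import date, datetime, timezone

MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")
STEPS = ("drafted", "reviewed", "approved")  # hypothetical three-step event

def parse_date(text):
    """Accept only DD-MMM-YYYY (e.g. 31-DEC-2021); date() rejects 31-FEB."""
    m = re.fullmatch(r"(\d{2})-([A-Z]{3})-(\d{4})", str(text))
    if not m or m.group(2) not in MONTHS:
        raise ValueError(f"not DD-MMM-YYYY: {text!r}")
    return date(int(m.group(3)), MONTHS.index(m.group(2)) + 1, int(m.group(1)))

class RecordStore:
    def __init__(self):
        self.records, self.audit = {}, []  # audit is append-only

    def create(self, rec_id, test_date, user_id, name, reason):
        if rec_id in self.records:
            raise KeyError(f"{rec_id} exists; records are never overwritten")
        self.records[rec_id] = {"test_date": None, "step": None, "active": True}
        try:
            self.change(rec_id, "test_date", test_date, user_id, name, reason)
        except Exception:
            del self.records[rec_id]  # rejected input: nothing was recorded
            raise

    def change(self, rec_id, field, new, user_id, name, reason):
        rec = self.records[rec_id]
        if not rec["active"]:
            raise PermissionError("record is inactivated")
        if not reason.strip():
            raise ValueError("a reason for the change is required")
        if field == "test_date":
            parse_date(new)
        if field == "step":
            done = -1 if rec["step"] is None else STEPS.index(rec["step"])
            if new not in STEPS or STEPS.index(new) != done + 1:
                raise ValueError(f"step {new!r} is out of sequence")
        now = datetime.now(timezone.utc)
        when = f"{now:%d}-{MONTHS[now.month - 1]}-{now:%Y %H:%M:%S} UTC"
        self.audit.append({"record": rec_id, "field": field, "old": rec[field],
                           "new": new, "user_id": user_id, "name": name,
                           "reason": reason, "when": when})
        rec[field] = new  # applied only after validation and logging succeed

    def inactivate(self, rec_id, user_id, name, reason):
        """There is no delete: the record is flagged inactive and kept."""
        self.change(rec_id, "active", False, user_id, name, reason)
```

Every rejected operation raises before the audit entry is appended, so the trail contains only changes that were actually applied.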
Follow the Requirements for Electronic Signatures
Businesses are increasingly using electronic information systems to boost operational effectiveness and strengthen security policies in an effort to go paperless and so drastically cut expenses.
An electronic signature should uniquely identify an individual. According to Part 11, the controls for electronic signatures must be based on identification codes and passwords.
The rules provide that:
- Electronic signatures cannot be changed or copied by anyone.
- Standard operating procedures must be implemented and followed for the issuance, expiry, and loss management of electronic signatures.
- To hold users accountable for actions committed with their electronic signatures, written policies must be put in place.
- Digital signatures are distinct from electronic signatures.
Examine Electronic Devices
To remain in compliance with 21 CFR Part 11, computer systems are subject to validation requirements, and all software used to store clinical data must also be validated. For each purpose that the software serves, businesses must show that it meets their criteria.
Businesses must make sure that:
- The continuing quality management system includes planned internal assessments and constant repair of computer systems.
- For every electronic system validation, the necessary paperwork must be kept on hand.
- It is also necessary to conduct individual utility, equipment, and instrument validation.
- Software validation is a common component of electronic system maintenance, particularly in the case of version updates, re-installation, and other similar situations.
The electronic system needs to be verified from the standpoint of the creator. It should be validated from the user’s point of view to guarantee performance, correctness, and dependability.