If you work with food or medicine, then you’ve heard of Title 21 CFR (Code of Federal Regulations) Part 11, or as it's more often called, Part 11. The goal of this rule is to make it easier, cheaper and faster to handle official information that is both regulated by the Food and Drug Administration (FDA) and controlled by the companies in charge of it. It means that using electronic records in place of paper ones is acceptable so long as certain guidelines are followed.
But what, exactly, does it control? How can we be sure of who accesses it? What’s it about, anyway? That’s why the QBench blog is here to answer your questions. We’ve gone through and compiled some of the most important features of these rules and discussed them here. With any luck, this should make figuring out Part 11 much easier.
Part 11 applies to pharmaceutical and medical device companies. If your company makes drugs for patients or devices to assist them, it applies to you! Part 11 sets a standard for what the FDA wants from electronic records, signatures, and audits. Altogether, this means standards for electronic information and for making certain who altered it, what changed, and when. This generates an auditable trail that is easy to follow, which makes the FDA happy! (As a note, an electronic signature isn’t necessarily a digital signature. Confused? Don’t worry, we’ll explain.)
Electronic records are any sort of image, text, audio, data, or graphics represented in digital form, which is then created, maintained, modified, archived, distributed or retrieved by something electronic, like a computer. This could be anything from testing records for a drug to the graphs and charts associated with it, or any other item presented digitally in this manner. Part 11 treats electronic records the same as paper records. Paper that is transmitted (such as faxed items and ones signed by authorized persons) is NOT subject to these rules.
An electronic signature is something that indicates the identity of the person who is authorizing the document, be it a username and password or an actual digital signature. This is what we mean by saying that an electronic signature isn’t necessarily a digital one. A digital signature can be used to identify a certain user, but it isn’t required.
Part of why this is so important is accountability for audits; the FDA can easily verify the identity of whoever is accessing the records or authorizing them. This helps to ensure their authenticity. There is no user who should be able to alter records permanently. No user can be above the audit trail for your company’s records, not basic users nor management staff. Finally, each electronic signature must be individual, as group logins decrease accountability and make it easier to falsify records.
One of the most important portions of Part 11 is the audit trail. It requires companies to keep a traceable log that allows others to trace the users who have made changes to electronic records. Because each individual has their own electronic signature, if a questionable change is made, then the company or auditors can easily find who did this. The user who made the change can be held accountable for any suspicious changes. Even something as seemingly small as signing a document must be tracked for audit.
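As an added illustration (not code from the original post or from QBench), here is a minimal append-only audit trail in Python that records who changed which field of a record, the old and new value, when, and why, each entry tied to an individual user identity. The SHA-256 chaining of every entry to the one before it is an assumed mechanism for detecting after-the-fact edits or deletions of log entries, not something Part 11 itself prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous hash" for the very first entry


def _digest(fields: dict) -> str:
    """SHA-256 over the entry's fields; 'prev' inside fields links it to the prior entry."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log of record changes: who, what, old/new value, when, why.
    Entries are never updated or deleted; each one is chained to its predecessor."""

    def __init__(self):
        self._entries = []

    def record_change(self, user, record_id, field, old, new, reason, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        fields = {"user": user, "record": record_id, "field": field,
                  "old": old, "new": new, "when": when, "reason": reason,
                  "prev": self._entries[-1]["hash"] if self._entries else GENESIS}
        entry = dict(fields, hash=_digest(fields))
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        return [dict(e) for e in self._entries]  # hand out copies, never the log itself

    def changes_by(self, user):
        return [e for e in self._entries if e["user"] == user]


def verify_chain(entries):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        fields = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(fields) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


# Constructed sample: two analysts amend a batch record under their own logins
trail = AuditTrail()
trail.record_change("asmith", "BATCH-0042", "potency_pct", 98.1, 98.4,
                    "transcription error corrected", when="2024-03-01T10:15:00+00:00")
trail.record_change("jdoe", "BATCH-0042", "status", "draft", "reviewed",
                    "second-person review", when="2024-03-01T11:02:00+00:00")
```

Because the chain check fails on any altered or missing entry, a reviewer can tell not only who changed what but also whether the trail itself has been touched since.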
Another part of these laws defines closed and open systems. Closed systems are ones the company has total control over, with access through certain terminals or with certain credentials within that particular environment. An open system, however, is not controlled by the company using it. Such a system requires verification of the person using it and often needs the end user to log in with special credentials. When it comes to open systems, such as Software as a Service (SaaS), the SaaS provider has to be able to guarantee the sanctity and credibility of its service to its customers.
This can mean an agreement with the company hosting the software to keep it ‘closed’, or only allowing data access to the customer company. It could mean guaranteeing that the system cannot be changed by those who control it. Additionally, it means putting in the extra work to make sure the records are authentic, that changes made to them have integrity and are irrefutably genuine, and, if necessary, that they can be kept confidential. It is between an individual company and the SaaS provider they purchase from to find the right fit for them.
Retention requirements apply to both physical and electronic records. Regardless of the ability to access these records (for example, if the file becomes corrupted or illegible), one must still follow these codes. In cases where the records are retained by an agency, the rule must always be followed. To be considered onsite records, they must be kept in a reasonably accessible area at your company. This can help to guarantee a level of safety regarding access, and as such, a level of integrity. It should be noted, however, that this isn’t required of labs.
In cases where your company creates medical devices, there is an extra step. After validation, they must assign a level of concern to said device. The categories for this are minor (no major threat of injury), moderate (use could result in injury), and major (improper use could result in death). This particular category is unique to medical devices and is the only time when this code of conduct must be followed.
This is Part 11 in a nutshell; it exists to allow records to have the same level of credibility as their paper counterparts. It helps labs to see that changes made to records are credible and reliable. Without this code of conduct, it would be that much harder to make certain that your lab data is reliable and maintains its integrity. It allows the FDA to look at the audit trail of a company and declare its records authentic. This law ensures that the authenticity of any change, and who made it, cannot be disputed, and it keeps records to prove it. It also makes faking these records difficult, which gives it another layer of certainty.
Despite this law passing over 20 years ago, it remains as important as ever to keeping a compliant lab. We hope that this helps to clarify some of the laws associated with Part 11.