Key Characteristics of FDA Part 11 Compliance
Properly managing sensitive information to maintain privacy and security has become paramount in recent years. Today, pharmaceutical companies and medical device manufacturers are increasingly using the Internet to broaden their services making compliance with FDA regulation even more important.
As a result, these manufacturers need to observe robust security and management protocols to maintain compliance with the U.S. Food and Drug (FDA) Administration’s 21 Code of Federal Regulations (CFR), Part 11 and the predicate rules.
Electronic Records and Signatures Defined
Under normal circumstances electronic records are an amalgamation of data, text, audio, graphics, and images that are created, archived, modified, retrieved, maintained, and distributed via a computerized system.
Electronic signatures are computerized data complied of symbols that can be adopted, executed, or authorized like a legally binding handwritten signature.
The regulations that surround electronic records and signatures may only cover the minimum requirements for implementation. Therefore, it’s really up to the organization to make their systems more secure.
What Part 11 Really Means
So far, Part 11 has been perceived to be quite broad and this has created some confusion. In some cases, it has led to unnecessary expenses and controls. Misperceptions about the regulation can stifle technological advances and innovations.
If you narrow it down, the crux of Part 11 is as follows:
- If electronic records are used in a controlled environment instead of paper, Part 11 will be applicable
- If devices are used to generate printouts of electronic records (and the paper printouts meet all applicable FDA rules) and staff only rely on paper records to carry out regulated functions, this would not be considered as “using electronic records in lieu of paper records.” As a result, Part 11 would not be triggered on this occasion
Often, real-world business practices determine whether you are using electronic records and not paper records. For example, if you use a computer to generate paper records but rely on electronic records to conduct regulated activities, then the FDA will, most probably, consider it to be an electronic record and not a paper record.
The best way to approach compliance with Part 11 is to first figure out whether your company plans on relying on paper records or electronic records to carry out regulated activities. Further, to be on the safe side, it is important to document these decisions and steps in a specification document and / or in a Standard Operating Procedure (SOP).
Validation of Electronic Records
The FDA will enforce specific Part 11 requirements for validation of computerized systems at its own discretion. Before you decide to validate computer systems within your organization, first determine the impact the system will have on your ability to stay compliant.
It’s also important to note that even if there aren’t any established requirements to validate current systems, it might still be important to validate it. The best way to approach this issue is to perform a detailed risk assessment. It’s the best way to ensure that the system does not affect your product safety, quality, and record integrity.
Maintain Audit Trails
The FDA will also exercise discretion on time-stamped, computer-generated audit trails. As a result, individuals need to ensure that changes to records do not confuse the time, sequence of events, or previous entries.
Base your decisions concerning audit trails on risk assessments and apply appropriate controls based on your assessment.
Audit trails are usually mandatory when users of the system are expected to create, modify, or delete regulated records.
Legacy Systems
For systems that were already in operation before August 20, 1997, the agency plans to exercise discretion for all Part 11 requirements. In other words, the agency will not take action if the system falls under the following criteria:
- The system was operational before August 20, 1997
- The system was compliant before the effective date
- Availability of documented evidence justifying the system as appropriate for intended use
- The system currently meets all applicable requirements
If the system has been updated since the effective date, Part 11 controls need to be applied to electronic records and signatures pursuant to enforcement requirements.
Maintenance of Records
Whenever there’s an inspection, you will be required to provide useful and reasonable access to copies of records.
It’s best to provide copies of electronic records in portable formats like the following:
- XML
- SGML
Throughout the record retention period, protected data needs to be easily accessible and reliable. Again, it’s best to base your decision on record retention on a risk assessment and on established rules.
Although Part 11 may seem broad and confusing in some instances, it is, in fact, quite specific and narrow. If you need help with Part 11 or any other compliance regulation, contact GxP-CC. Armed with decades of practical experience, GxP-CC consultants can help tailor your practices to stay compliant and efficient.