21 CFR Part 11 Compliance: What You Need to Know

February 20, 2020

In 1997, the FDA enacted regulation 21 CFR Part 11, which outlines how FDA-regulated industries must handle electronic signatures and electronic records. This regulation sets the standards that must be met by pharmaceutical, medical device, and biotech companies that wish to use an electronic business management system, such as an ERP system, quality management system, and/or a quality document management system. These standards apply to all phases of Life Sciences companies, including research, manufacturing, and distribution of products and services. This article covers what you need to know about 21 CFR Part 11 compliance.

The FDA holds all life sciences companies and executives accountable to very stringent quality and safety standards. Companies use a mixture of electronic systems that are integrated for efficient operations. Any company that uses systems such as warehouse management, materials resource planning, enterprise resource planning, laboratory information management, or clinical trial management must ensure that those systems are in compliance with the regulation.

Before proceeding any further, let’s be clear: 21 CFR Part 11 does not require the use of electronic systems and records. Instead, it establishes the criteria by which Life Sciences companies must use those electronic systems and records in a controlled manner that ensures company data and processes are as trustworthy, reliable, and secure as paper records and handwritten signatures.

During the transition to electronic records and signatures, many companies take a hybrid approach in which some of their operations still use signed hardcopy documents. The issue with a hybrid system is defining which document is considered authoritative within these mixed environments. If a company regulated by the FDA retains paper copies of all required documents and stipulates that these hardcopy documents are the authoritative source, then the systems do not specifically need to meet the 21 CFR Part 11 requirements. If a hardcopy document is produced from its electronic source, there are standards as to what must be on the document for it to be authoritative.

Consider an analytical system that generates a test results document that requires the signature of the tester. If the current system does not support electronic signatures, then the user prints out the results and signs the paper document in the appropriate place. Part 11 does not make the use of electronic signatures mandatory, so this is a valid situation. The paper document and signature are authoritative when linked to the system data by making sure there is sufficient information on the printed document, such as size, date and time stamps, and checksums.

In its “Scope and Application” statements, the FDA continues to review and redefine the regulations because they have been seen as overly broad and costly to implement. It is up to the regulated company to ensure that all of its systems that trigger Part 11 are in compliance. That includes addressing all of the following system and process-related checks:

  • System Validation – Any systems that trigger 21 CFR Part 11 must be shown to be consistent and reliable. The key is that the company must be able to demonstrate this at any time, and the appropriate documentation must be available for review. Should there be any changes in the system, such as an upgrade or patch, regression and integration testing must be done to make sure that the system is still compliant. The procedures to do this must be created by the company using the systems.
  • Records Management – All of the standards must be met regarding how electronic records are managed throughout their entire life cycle of creation, change, maintenance, archival, retrieval, sending and receiving. As the workflow passes records back and forth between multiple systems, all of the standards must be retained.
  • System Security – There are minimum standards defined for who can access information, how the access is obtained and controlled, and what is required when other electronic systems use the data. This pertains to both logical and physical information. These controls range from the password requirements for a user to view information to the way in which electronic records are made available for an FDA submission.
  • Audit Trail Management – This is the most complicated standard to implement and the biggest challenge for any life science company. What should include an audit trail, under what conditions and for how long are questions every company asks. For instance, when does company email need an audit trail? What changes made during a batch process should be recorded in an audit trail? There are hundreds of points in a company that need to be considered.

It is also very important to note that no vendor can guarantee that their system meets 21 CFR Part 11 compliance 100%. Administrative controls are defined by the system users. Procedural controls, such as how notifications are handled, how staff are trained, and the content of standard operating procedures, are again up to the user. The vendor can only state that their system is in compliance when used in a manner that follows the regulations.

Of course, there are costs associated with FDA 21 CFR Part 11 compliance, but the impact of non-compliance can be exponentially greater. Public awareness of an FDA warning letter can send stocks down and reduce customer and consumer trust and loyalty.