Keeping sensitive data and information private and secure is as important to pharmaceutical and device manufacturers as it is difficult.
Companies are increasingly digitizing information about their products and processes, which means compliance with the FDA’s rules on data security has become a top concern.
These protocols are laid out in Title 21 of the Code of Federal Regulations (CFR), Part 11. As with most regulations concerning digital information management, Part 11 can seem complicated, especially for those who aren’t well versed in the systems and procedures it covers.
To demystify these complex guidelines, we’ve simplified the key takeaways of Part 11 into a quick-and-easy guide. Let’s start with the most basic questions and work our way into the details:
What are electronic records and electronic signatures?
Electronic records are broadly defined as a collection of information, text, images, data, and all other media that are created, edited, stored, managed and distributed digitally through computers. In most cases, these records hold the same information as a physical printed record—the only difference is that they exist digitally.
Similarly, an electronic signature is treated with the same authority as a traditional legally binding handwritten signature, but instead of being on paper, it’s a digital symbol within a computer system.
It’s important to keep in mind that regulations for both electronic records and electronic signatures are intended to lay out the minimum requirements for security. In most cases, however, this is not enough to protect you from real-world threats. While the bar might be set relatively low for regulators, it’s on companies to go above and beyond to ensure their systems are truly safe.
What defines “electronic” recordkeeping?
Many companies are confused by what they see as broad, high-level rules expressed in Part 11. In some cases, misinterpretations have even led to investments in unnecessary systems and processes that bring high costs with no payoff.
There are two central points at the core of Part 11 that speak to whether or not it applies in the first place:
- The rules of Part 11 apply only when electronic records are used in place of paper records in a controlled environment.
- If a device is used to print electronic records and staff rely on the paper records to carry out regulated actions, this is not considered using an electronic record in lieu of paper records. In this case, you’re simply using an electronic record to create a paper record, so Part 11 would not apply.
Even given these criteria, the line between digital and paper recordkeeping can be blurry since many companies use both formats in some capacity. Organizations often struggle to determine whether they’re using electronic or paper records according to the FDA’s particular definition.
In these cases, it’s usually best to look at the real-world use of your records. More specifically, what format do you rely on to conduct regulated activities? If you print paper records for circulation amongst your team, but ultimately use digital records to perform regulated actions, chances are the FDA will deem it an electronic record.
Whatever the case, it’s important to document these details and the steps involved in either a specification document or a Standard Operating Procedure (SOP) for regulators to see.
Enforcing Part 11 and validating electronic records
The FDA uses its own discretion to enforce particular requirements of Part 11 for validation of computerized systems.
Prior to validating your computer systems, it’s important to gauge the impact validation will have on compliance moving forward. While there might not be a requirement to validate a particular system, it still might be in your best interest to do so.
Perform a risk assessment to determine whether or not validation will affect the safety and/or quality of your products as well as the integrity of your records. If you believe validation might cause issues, contact a compliance expert who can help you avoid unwanted consequences.
Keeping a detailed audit trail
Regulators may also decide to enforce the rules surrounding time-stamped digital audit trails, so be diligent when recording times, sequences of events, and all previous entries into your recordkeeping system.
Incorrect records—no matter how inconsequential the problem might seem—can signal bigger problems to regulators and open the door to more comprehensive investigations.
Keep in mind that in cases where users of the system are expected to create, change or delete regulated records, audit trails are mandatory.
Older legacy systems
If you’re using a system that’s been in place since before August 20, 1997, chances are you won’t be required to abide by Part 11 requirements. The agency has stated it intends to “exercise discretion” if systems were operational and compliant before this date, or if documented evidence is available to justify the system as appropriate for its intended use.
If you are using a legacy system and it’s been updated since that date, Part 11 controls will need to be applied to both electronic records and electronic signatures.
You’ll need to provide access to copies of your electronic records when regulators arrive for inspections. We recommend keeping your records in shareable, easily read file formats like PDF, XML, and SGML.
While the language used in Part 11 can be difficult to clearly understand, its guidelines are actually relatively narrow in scope.