If your organization is required to keep records or make reports to the United States Food and Drug Administration (FDA), you need to understand the Code of Federal Regulations, Title 21, Part 11 (21CFR11).
The FDA purposefully allows organizations the flexibility to use a variety of technology and methods to meet the regulation; each organization must choose the most appropriate technology and methods to meet the regulation's requirements.
Benefits of electronic records and signatures
There are a number of important benefits that organizations can realize by using electronic records and signatures:
- Increased speed of information exchange
- Cost savings resulting from less storage space
- Reduced data entry and processing errors
- Improved process control
- Reduced shipping costs for data transmission to the FDA
- More efficient FDA reviews and approvals of FDA-regulated products
- More advanced searches
To what types of records does 21CFR11 apply?
The regulation applies to records required by a predicate rule. A predicate rule is an FDA regulation such as Good Laboratory Practice (GLP) or Current Good Manufacturing Practice (CGMP). Predicate rules mandate and define:
- What records must be maintained
- The content of the records
- Whether signatures are required
- How long records must be maintained
21CFR11 does not require organizations to use electronic records or signatures. Rather, if an organization voluntarily chooses to use electronic records or signatures to meet specific predicate rule requirements, 21CFR11 defines the requirements that must be met.
21CFR11 has a number of requirements. If a closed system (an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system) is used to create, modify, maintain or transmit electronic records, the following procedures and controls must be implemented:
- Information systems in the closed system must be validated to ensure their accuracy, reliability and consistent performance.
- The system must be able to generate accurate, complete copies of records.
- Archived records must be protected and capable of being accurately and quickly retrieved.
- The system must use computer-generated, time-stamped audit trails that independently record date and time of operator entries and actions that create, modify or delete electronic records.
- There must be adequate controls over systems documentation (access control and change control).
- There must be documentation that persons who develop, maintain or use the system have the necessary education, training and experience to perform their assigned tasks.
- Access to the system must be limited to authorized persons.
- There must be operational system checks that only allow permitted sequencing of steps and events.
- There must be authority checks that ensure that only authorized persons can use the system.
- There must be device checks that ensure the validity of data input.
- Written policies must be in place holding employees accountable and responsible for actions taken under their electronic signatures.
Open systems (an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system) require the same procedures and controls as for closed systems, plus document encryption and digital signatures as necessary and appropriate.
Signed electronic records
21CFR11 also requires that signed electronic records must include:
- The printed name of the signer
- The date and time when the signature was executed
- The meaning associated with the signature
Requirements for electronic signatures include:
- Signatures must be unique to one individual.
- An organization must verify the identity of an individual before it establishes, assigns, certifies or otherwise sanctions the individual's electronic signature.
- An organization must certify to the FDA that the electronic signatures in its system are intended to be the legally binding equivalent of traditional handwritten signatures.
It is likely that the requirements of 21CFR11 will change in the next couple of years. In August 2003, the FDA released a guidance document stating that it "…will narrowly interpret the scope of part 11 and …anticipate[s] initiating rulemaking to revise provisions of that regulation." The FDA also stated that "…part 11 remains in effect during this re-examination period."
Implications for security managers
Organizations preparing to comply with 21CFR11 must consider a number of factors, including:
- Determination of which records are subject to the regulation
- Determination of whether a system is open or closed
- Defining access to the system
- How to document and review employee education and training
- How to efficiently archive and retrieve electronic records
- How to implement user authority checks
- How to establish controls over system documentation
- How to validate commercial and custom software
- Understanding and responding to the August 2003 guidance document
Increasingly, FDA-regulated organizations are using electronic records and signatures. They are doing so to save time and money or because their business partners are requiring it. Such organizations must have a strong understanding of 21CFR11 or run the risk of non-compliance.
About the author
Steven Weil CISSP, CISA, CBCP is senior security consultant with Seitel Leeds & Associates, a full service consulting firm based in Seattle, Wash. He can be reached at firstname.lastname@example.org.
This was first published in November 2003