Continuous improvements in software and technology have had far-reaching impacts on how we complete and record work. In the past, companies exclusively used paper records and, if appropriate, submitted them to the federal government.
However, the advent of advanced computerized systems has made paper records redundant. With companies able to complete operations worldwide, paper records are now insufficient and inefficient. Even companies with regional operations in the same country will only use paper records.
However, electronic records in different file formats are not entirely risk-free from data corruption and malpractice. For this reason, documents need to be verified, and federal agencies have taken concrete steps to ensure the integrity of electronic data consistently.
For companies involved in the production of food, beverages, and pharmaceutical items, retaining records is a vital part of ensuring continued workplace safety and the safety of consumers. As a result, the Food and Drug Administration has established updated guidelines to account for this changing landscape, with record-keeping becoming increasingly electronic.
The result of this was a code of federal regulations that are titled the Food and Drug Administration Code of Federal Regulations, Title 21, Part 11 on Electronic Records/Electronic Signatures. 21 CFR Part 11 regulations operate in conjunction with previous legislation about healthcare – such as the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act.
What is FDA CFR 21 Part 11?
First written in 1997, these federal regulations (alternatively titled 21 CFR Part 11) serve as a legal requirement and set of guidelines for using electronic records and electronic signatures. Specifically, 21 CFR 11 was created by the federal Food and Drug Administration to cover all companies involved in food, beverage, and drug production.
Notably, 21 CFR Part 11 does not cover the electronic submission of documents. Instead, 21 CFR Part 11 stipulates how electronic records/electronic signatures must be submitted, which records fall under Part 11 Regulations, and how electronic records and signatures must be handled by organizations in the food, beverage, and pharmaceutical industries.
Open The Final Guidance Document From The FDA Regarding 21 CFR Part 11 Compliance
Purpose of CFR 21 Part 11
As mentioned, the overall purpose of 21 CFR Part 11 regulations is to offer guidelines and stipulate rules for electronic records and signatures. In addition, these regulations aim to ensure that the data on electronic systems is valid and adequately protected. Essentially, 21 CFR Part 11 regulations permit organizations to use various technological solutions while ensuring that the FDA‘s primary mandate remains uncompromised.
An electronic signature differs substantially from traditional handwritten signatures executed by an individual. Thus, one purpose of 21 CFR Part 11 is to regulate the use of electronic signatures.
Before continuing, a few conceptual definitions are required. First, as per the Food and Drug Administration, an electronic signature means a computer data compilation of a symbol (or series of characters) that an individual has authorized to serve as a legal equivalent of a handwritten signature.
Related to electronic signatures are digital signatures. A digital signature is “an electronic signature based on cryptographic methods of originator identification… [so that] the identity of the signer and the integrity of the data be verified.” Digital signatures serve as an additional and more robust control method.
Essentially, 21 CFR Part 11 ensures that electronic signatures obtained by a company are recognized as equivalent to the traditional handwritten signature. Appropriate digital signature standards must be followed to ensure that an individual’s electronic signature is equivalent to that same individual’s handwritten signature.
An electronic signature is legally binding as a signer’s handwritten signature. Digital signatures (electronic signatures) help identify a specific individual. There are electronic signature components and controls to ensure the validity of these signed records.
Electronic signature components and controls include employing at least two distinct identification components: an ID code and a password. Importantly, before an organization provides any such electronic signature, it must verify the individual’s identity. Should identification codes be missing or compromised, organizations must implement remedial actions.
The second purpose of 21 CFR Part 11 is to establish clear regulations and guidelines on how electronic records must be handled by companies. Electronic records submitted to the agency in place of paper records means that Part 11 regulations would cover these records. As per 21 CFR Part 11, the agency considers an electronic record of being “a combination of text, graphics, data, audio, pictorial, or other information in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
Should companies transmit electronic records via a computer system, the Food and Drug Administration’s control measures must be followed. These control measures include controlled system access/limiting system access, establishing a clear audit trail, operational checks, and a means for accurate and ready retrieval of any associated electronic records.
Again, the purpose of these control measures – for electronic records and electronic signatures – is to ensure data integrity and prevent invalid or altered forms.
Who Needs to Comply With CFR 21 Part 11?
As 21 CFR Part 11 is part of a code of federal regulations created by the Food and Drug Administration, all companies producing food, beverages, and pharmaceutical drugs must comply with the outlined regulations.
Moreover, these electronic records must contain information about the quality processes of our food, beverage, and pharmaceutical companies. Thus, information on food and beverage quality sent via electronic systems must be retained. Pharmaceutical companies must store data from laboratory trials that determine the quality, strength, purity, or efficiency.
What Steps Can You Take To Ensure Your Compliance With CFR 21 Part 11?
Frequently, it can be challenging to know which regulations companies must follow and how they should follow them. Thus, the following list should serve as a helpful checklist for ensuring that your organization is following the required regulations.
Check the Applicability of FDA CFR 21 Part 11
Of course, the first step is always to review if your company must adhere to 21 CFR Part 11 regulations.
Reviewing these regulations ‘ applicability is essential if your company operates in the food, beverage, or pharmaceutical market. Moreover, while external consultants can help check how your company should follow these regulations and guidelines, it is ultimately up to your company to ensure that the respective electronic signatures and respective electronic records meet federal regulations and standards.
Should 21 CFR Part 11 regulations apply to your company, computer-generated information or data uploaded to a computer system falls under these federal regulations.
Once you have determined which federal regulations must be adhered to, ensuring that your company complies with them is a constant process. It is also essential to contact the intended agency receiving unit to discuss which electronic documentation is expected and the file formats and the electronic format in which organizations can submit documents.
Ensure Trial Audits are Clear
As part of controls for closed systems (as per the Food And Drug Administration, closed systems are environments where system access is controlled by people responsible for the content of any electronic subject records on the system), clear audit trails are vital.
Thus, time-stamped audit trails that record the date and time of changes to electronic records are crucial. In addition, such audit trail documentation must also detail when such records were created, modified, and deleted.
Additionally, audit trail systems must detail which user(s) created, modified, and deleted electronic records. This means that unique identification codes for users must be completed to establish clear audit trails. Of course, this entails deciding which users will have the authority to create, modify, and delete electronic records.
Finally, a records retention period is also required; further, as per agency regulations, these records must be available for agency review upon request.
Make Sure You are Following FDA’s Guidelines on Electronic Signatures
The Food and Drug Administration has various guidelines about electronic signatures. Should the requirements for electronic signatures be met, any receiving agency will treat electronic signatures as equivalent to handwritten signatures.
As mentioned previously, the first step in using an electronic signature in place of a handwritten signature is to verify the individual’s identity. Additionally, your company must provide any additional requested information or testimony to verify an individual’s electronic signature.
The FDA has also provided electronic signature components and controls. These controls offer unique identification codes to individuals. Both identification codes must be used; however, only one electronic signature component is required. With a combined identification code, organizations can protect their data.
Finally, identification codes must be periodically checked or changed. If identification codes have been lost or compromised, organizations must take steps to deauthorize all devices that generate identification code or password information and issue temporary or permanent replacements.
Follow Practices to Secure Computer Systems and Electronic Records
As a reminder, electronic record means information represented in digital form that is created, modified, or maintained by computer systems.
These system controls aim to prevent the corruption of electronic data and ensure its validity.
Again, the Agency only provides broad outlines for securing electronic records. These outlines include the consistent validation of systems to ensure accuracy, reliability, and consistent intended performance. Additionally, your system must generate accurate and complete copies of documents in both human-readable and electronic forms suitable for FDA inspection.
Finally, there are also some technical requirements that the Food and Drug Administration expects companies to adhere to. These technical requirements include operational system checks to enforce permitted sequencing of events. Authority checks are also required to guarantee that only authorized individuals can electronically sign records, access the computer system input device, and alter records. Of course, any computerized system and attendant documentation must be readily available for FDA inspections.
Choose a QMS That is in Compliance With Part 11
Compliance is an ongoing process; however, complying with Part 11 regulations can prove to be an arduous task should your Quality Management System be incompatible with Part 11 Regulations.
Should your company not have a QMS that complies with Part 11, you will need to factor this into business plans. General QMS solutions will require significant time and investment for configuration and staff training.
Wrapping Up!
Should your organization require a QMS solution that is Part 11 compliant, an excellent place to start is to consult with the NonStop Suite. As the NonStop Suite is Part 11 compliant, using their compliance tool will save your organization time and money.
If you are not using a Part 11 compliant QMS, be sure to contact the NonStop Suite Team today!