20 Years Later, 21 CFR Part 11 is More Relevant than Ever

In the late 1990s, the U.S. Food and Drug Administration (FDA) published the 21 CFR Part 11 (aka Part 11) guidance. At a high level, the regulation made electronic records and signatures as valid as paper records and handwritten signatures. The guidance changed the dynamic of data and records management by ushering in a transformation toward modernized technology in the life sciences industry.

Part 11 can apply to a wide variety of electronic documents, including:

• Testing reports.
• Quality control testing results.
• Production records.
• Design drawings.
• Specifications.
• Premarket submission content.
• And more.

Technology is integral in all aspects of our lives. We are using more automation, mobile devices, apps, etc. Also, companies generate vast amounts of data as a byproduct of their processes, information management systems, equipment, personnel, products, and communications.

Part 11 is meant to allow the use of electronic records as much as possible while safeguarding the integrity of data and systems and the validity of electronic signatures. The prevalence of technology and data in life sciences product development makes the regulation more relevant than ever.

Data Access and Protection

The abundance and accessibility of data is a driver of innovation in the life sciences arena. For example, Gnomon Informatics recently received regulatory approval for its eHealthPass, a multifunctional software that provides access to health records, information-sharing with health care professionals, treatment planning and monitoring, and emergency support. It also provides alerts about any abnormal situation as defined by health care professionals.¹

Section 11.10 of the Part 11 regulation cites: “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and when appropriate, the confidentiality of electronic records.”² Systems like eHealthPass are highly data-centric and function specifically around electronic records and documents. Because these types of systems are becoming the norm in health care, they need to comply with the Part 11 regulations.

Validation

Section 11.10(a) applies to the validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.³ Following the initial launch of Part 11, industry stakeholders expressed concerns that the regulation would increase the time and costs of compliance, thus discouraging innovation and technology advances. Much of the concern surrounded validation, as companies were afraid they needed to validate every system.

In 2003, the FDA revisited Part 11, clarifying that the regulation requires validation only for systems that create, modify, maintain, archive, retrieve, or transmit electronic records. For example, the pharmaceutical company’s accounting system doesn’t need to be validated because it has no impact on the quality of the company’s product. However, a software system used by the company for maintaining clinical trial documents needs to be validated as it has a direct bearing on the quality of the product. A recommendation for complying with this part of the regulation is to perform a risk assessment to determine how a system will impact product quality and safety.

Audit Trails

Evidence of the FDA’s foresight of modernized approaches to data and records management is revealed in the clause about audit trails (Section 11.10(e)), which requires companies to use “secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.”⁴

Essentially, an audit trail is a log containing metadata that allows you to reconstruct all user actions and events involving data, including who made a change, what was changed, when it was changed, and why. The audit trail can help with change control procedures as well as reveal data tampering or fabrication of results.

Part 11 does not mandate the use of electronic systems. Rather, it specifies the requirements for companies that choose to use digitized systems in their compliance efforts. However, going digital is quickly becoming a necessity. The COVID-19 lockdown imposed restrictions on travel and in-person meetings. This tethered inspectors to their home offices, rendering them unable to perform on-site inspections. In response to this obstacle, the agency explored alternative approaches to reviewing and approving medical products — remote reviews of data and documents was one of the options.

Providing remote access to documents upon request, along with the Part 11 requirement that audit trails be time-stamped, means documents and data need to be in electronic form. To comply, companies still using paper records need to scan all the documents in order to file and track them electronically. Scanning stacks of documents is time consuming and prone a variety of issues such as errors or missing pages.

When the FDA first launched 21 CFR Part 11, records and management systems were still largely paper-based. With the evolution of technology, the regulation is more applicable than ever due to the increased use of digital technology for these quality management tasks.

References:

1. “Gnomon Informatics Gets CE Mark for Medical Device Software,” FDANews, July 15, 2021.
2. “Code of Federal Regulations Title 21 Part 11 Subchapter A: Electronic Records; Electronic Signatures,” U.S. Food and Drug Administration (FDA), Revised as of Apr. 1, 2020.
3. Supra note 2.
4. Supra note 2.