Ten years ago this was a hot topic. It’s still an important one and solutions that have cGMP significance must still provide 21 CFR Part 11 compliance (Part 11). Regardless of the application users are involved with, its also important they follow procedural and administrative controls required by Part 11. Applications by themselves are not Part 11 compliant and it requires users use them in a Part 11 compliant manner.
This is the first in a series of posts on 21 CFR Part 11 Electronic Records:Electronic Signatures. Part 11 was originally conceived in the early nineties by a joint Industry / FDA Task Force to determine how paperless record systems could be used under cGMP regulations, and has become a requirement and determining factor in IT solution selection in life sciences. Coupled with emerging web-based technologies that are increasingly leveraging global data, resources, and providing productivity gains, Part 11 compliance is no longer the “dread” of the nineties, it is the reality of today.
The rationale behind the final rule in the Federal Register on March 20, 1997 provided criteria under which FDA considers electronic records to be equivalent to paper records, and electronic signatures equivalent to handwritten signatures. FDA believes that the risks of falsification, misinterpretation, and change without leaving evidence are higher with electronic records than with paper records. As stated in the Preamble to the Final Rule, Comments Section F:
“…people determined to falsify records may find a means to do so despite whatever technology or preventative measures are in place. The controls in Part 11 are intended to deter such actions, make it difficult to execute falsification by mishap or casual misdeed, and to help detect such alterations when they occur.”
We still see Part 11 audits as part of software audits and the next several discussion posts will expand on the aspects of the regulation to provide clarification of the rule and examples of how the rule is met. If there are specific areas of the rule that interest you please post to the comments section.
As recently as 2010 the FDA announced stepped up inspections for Part 11 compliance. Most of the recent compliance activity has centered on laboratory information systems but other systems are still frequently cited. OnfiSystems has put together a great website of example (and) real 483 Warning Letters that highlight some the compliance issues cited by the FDA.
One of the most basic deficiencies cited is the failure to validate the system pursuant to the requirements of § 11.10(a) which requires Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. The preamble comment to this requirement clearly indicated the agencies intent as follows: "The agency intends to apply the same validation concepts and standards to electronic record and electronic signature systems as it does to paper systems".
Clearly computerized systems that support manufacturing and whose data is used for cGMP decisions, or in support of those decisions, require validation to ensure that systems are fit for purpose and facilitate Part 11 compliance.
In reply to Chris Amstutz:
What are some of the difference you have found around validation of electronic signatures when implanting software at customer sites? Do you generally find that with Syncade since it is considered COT's functionality that Emerson testing is generally good enough?
Because I love this STUFF,
~Gary Macri
Syncade Ninja
Emerson Process Management
In reply to Gary Macri:
Yes. The electronic signaure functionality is COTS and generally not part of the site validation. What is validated (verified) is the access levels of the user groups to ensure that only personnel assigned to specific user groups can only sign off on those actions associated with the user group that they are assigned to.