
21 CFR Part 11 Electronic Records and Signatures Regulation – 20 Years On

This year is the 20th anniversary of the publication of Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11 or just Part 11), the US Food and Drug Administration (FDA) regulation about control of electronic records and electronic signatures for computerised systems used by pharmaceutical and medical device companies. This is a relatively small regulation (less than 2 complete pages of the Federal Register) that has had and continues to have a big impact on regulated organisations and software suppliers.

When implementing computerised systems, the requirements of Part 11 need to be fully understood. To help with this, I want to explore the following areas in this blog post:

 

What is Part 11?

Part 11 is a regulation that mandates controls for electronic records generated during the course of regulated activities or for records that are submitted to the FDA even if there is no stated requirement for the record in agency regulations. In addition, it permits the use of electronic signatures (most typically in the form of a unique combination of user identity and password) to sign electronic records instead of traditional handwritten signatures.

The regulation consists of three sub-parts:

  1. Scope and Definitions
  2. Electronic Records
  3. Electronic Signatures

The main regulations are found in sub-parts B and C. However, do not be misled into thinking that there is a division between records and signatures – far from it. Part 11 is an integrated regulation. Sub-part B contains requirements for electronic signatures and sub-part C contains controls to ensure the integrity of electronic records as well as electronic signatures.

 

Technical, Procedural and Administrative Controls of Part 11

Reading the Part 11 regulations you can divide the requirements into three types of control:

Looking at the three types of control means that there are two parties involved in ensuring Part 11 compliance:

Only when the regulated user and the supplier work together can there be Part 11 compliance. It follows that a supplier cannot state that an application is 21 CFR Part 11-compliant, as the supplier can only provide technical controls.

 

Interpretation of Part 11 by the Applicable Predicate Rule

In itself, Part 11 only mandates the controls that need to be in place for electronic records and electronic signatures. However, there is no statement in the regulation of what records need to be generated or maintained or where signatures need to be applied. This is the role of the applicable predicate rule.

What, you may ask, is a predicate rule? Quite simply, this is a term referring to the existing GXP regulations that are applicable to healthcare and life sciences organisations. These are Good Laboratory Practice (GLP), Good Clinical Practice (GCP) and Good Manufacturing Practice (GMP), collectively shortened to GXP, where the X can refer to one or more of these three regulations.

The predicate rules that an organisation works to have explicit (stated directly) or implicit (implied) requirements for records and signatures. For example, the GLP regulation for staff training mandates that there are records providing evidence of that training.

In contrast, the pharmaceutical GMP regulation requires that staff are trained but does not state – but implies – that records are needed. However, can a GMP-regulated organisation contemplate an inspection without up-to-date training records?

Similarly, there are very few explicit regulated requirements for signatures, but read the applicable predicate rule carefully as there are implicit requirements: for example, words such as review, verify and approve will mean a signature is required.

 

Why Do I Need to Validate my LMS?

One of the explicit or implicit requirements of any pharmaceutical or medical device regulation is for validation of computerised systems to demonstrate that the software is fit for purpose and can meet its intended uses.

This is applicable to a Learning Management System (LMS) as it is a key component of any regulated organisation’s quality management system. If you cannot demonstrate that staff have the appropriate combination of education, training and experience, then an inspection starts to run off the rails.

Of course, this raises the question: what is software validation?

 

What is Software Validation?

In essence, demonstrating that the software is fit for its intended use requires the following main documents to be written:

Understanding 21 CFR Part 11 and its implications on LMS software and software validation is essential when implementing a Learning Management System in pharmaceutical, biotech or medical device companies.

 

 

Contributor

Dr Bob McDowall is an analytical chemist with over 40 years' experience, including over 30 years' experience implementing and validating informatics solutions in regulated environments. He has a PhD in forensic toxicology and 15 years' experience working in the pharmaceutical industry.

He has been a consultant for 24 years and is currently the Director of R D McDowall Limited and was Visiting Research Fellow at the University of Surrey, UK from 1991 to 2001. Bob also trains and writes on the subject of computerised system validation and data integrity, and is the author of a book on the validation of chromatography data systems, the second edition of which has just been published. Bob provides consulting services for NetDimensions Learning to be validated in client environments for intended use along 21 CFR Part 11 and GXP requirements.