21 CFR part 11 can be summed up in three words: Verify, Audit, and Track with one guiding compass, honesty. Companies must be able to prove without a shadow of a doubt that any person taking any action within a system is who they say they are. Any action taken within a given environment cannot be changed without documentation and everything done should be accessible for inspection at a later time.
So from this, we can establish that an electronic signature needs to be as trusted as a paper signature, documentation is key, and actions taken can be inspected or audited.
Two key concepts
A closed system is a computer system whose user access is controlled by the same people responsible for its contents. I like to think of it as a diary for a company’s equipment: all the juicy secrets are written down or stored, the owner chooses who has access and who doesn’t, and mainly known, vetted people would be using it.
An open system is a computer system whose user access is NOT controlled by the same people responsible for its contents. A good example would be Wikipedia: you are given an account with a personally identifying code, but you can add or subtract whatever you want within the platform. Wikipedia can’t confirm who you are prior to giving access to the document, so you want to have all the time and date details of when the information was accessed, what was changed and what was the original content, as well as ensuring that the identifying code given to each user is on everything they touch.
Now for the technical…
A great resource I read was The Ultimate Guide to 21 CFR Part 11 by Marin Richeson, I think the summary was on point and it took legalese and made it digestible. Read it below.
21 CFR Part 11 consists of three Subparts:
A – General Provisions
B – Electronic Records
C – Electronic Signatures
SUBPART A – GENERAL PROVISIONS
- Part 11 applies to all electronic records that fall under FDA regulations.
- If an organization can prove to an auditor that their electronic records/signatures are as trustworthy as paper records/ink signatures, the FDA will accept electronic instead of paper.
- The FDA will accept electronic submission instead of paper IF those submissions 1) adhere to Part 11 requirements and 2) are included among the types of documents that the FDA accepts electronically.
SUBPART B – ELECTRONIC RECORDS
- Organizations using electronic records must establish and document procedures and controls that ensure the following qualities in their electronic records:
– Confidentiality (when appropriate)
– Irrefutability (i.e., no way to deny that a record is genuine)
- The following topics must be addressed in documented procedures and controls: computer systems validation (CSV), record rendering, document storage and record retention, system access, audit trails, workflows, authority checks, device checks, personnel qualifications, personnel accountability, and document control.
- Systems that fall into the category of “Open” (as defined in Subpart A) require additional procedures/controls.
- Electronic signatures must include the printed name of the signer, the date and time of the signature, and the meaning of the signature.
- Electronic signatures must be forever linked to their respective records.
SUBPART C – ELECTRONIC SIGNATURES
- Organizations that wish to use electronic signatures must inform the FDA in writing prior to making the switch.
- Each individual who will be using an electronic signature must
1) have their identity confirmed and
2) use a unique signature that has never been and will never be used by another individual.
- There are specific design requirements for electronic signatures that are biometric (e.g., fingerprint scan) and those that are not (e.g., user ID and password).
- For electronic signatures that make use of user IDs and passwords/passcodes, there are specific requirements for passwords and for passcode generating devices.
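To make the Subpart B and C points concrete (an audit trail that cannot be altered without leaving a trace, a signature that carries the signer’s printed name, date/time and meaning, and a signature that stays bound to the record it was applied to), here is a small added example. It is not code from the post or from Richeson’s guide; it uses a SHA-256 hash chain as a stand-in for a real signing mechanism, and the user IDs, names and batch data are constructed for the demonstration.

```python
"""Added example (not from the post or the cited guide): a minimal
tamper-evident record store showing Part 11 ideas in code: an audit
trail, signer identity, timestamps, signature meaning, and signatures
bound to the record content they sign. All data here is constructed."""
import copy
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first audit entry


def _digest(obj) -> str:
    # Canonical JSON so identical content always produces the same hash.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditEntry:
    seq: int
    timestamp: str
    user_id: str
    action: str
    record_id: str
    old_value: object
    new_value: object
    prev_hash: str
    entry_hash: str = ""


class RecordStore:
    """Records plus a hash-chained audit trail and a signature list."""

    def __init__(self):
        self.records = {}
        self.audit = []
        self.signatures = []

    def _append_audit(self, user_id, action, record_id, old, new, when):
        # Each entry commits to the previous one, so edits or deletions
        # anywhere in the trail break the chain on verification.
        prev = self.audit[-1].entry_hash if self.audit else GENESIS
        entry = AuditEntry(len(self.audit), when, user_id, action, record_id,
                           copy.deepcopy(old), copy.deepcopy(new), prev)
        body = asdict(entry)
        body.pop("entry_hash")
        entry.entry_hash = _digest(body)
        self.audit.append(entry)
        return entry

    def write(self, user_id, record_id, value, when=None):
        # Every change is attributed to a user and keeps the old value.
        when = when or datetime.now(timezone.utc).isoformat()
        old = self.records.get(record_id)
        self.records[record_id] = copy.deepcopy(value)
        action = "create" if old is None else "update"
        return self._append_audit(user_id, action, record_id, old, value, when)

    def sign(self, user_id, printed_name, record_id, meaning, when=None):
        # Signature manifestation: printed name, date/time, meaning.
        # Linkage: the signature commits to a hash of the record content.
        when = when or datetime.now(timezone.utc).isoformat()
        sig = {"record_id": record_id,
               "record_hash": _digest(self.records[record_id]),
               "user_id": user_id, "printed_name": printed_name,
               "timestamp": when, "meaning": meaning}
        sig["signature_hash"] = _digest(sig)
        self.signatures.append(sig)
        self._append_audit(user_id, "sign", record_id, None,
                           {"meaning": meaning}, when)
        return sig

    def verify_audit_chain(self) -> bool:
        # True only if every entry hashes correctly and links to its predecessor.
        prev = GENESIS
        for e in self.audit:
            body = asdict(e)
            body.pop("entry_hash")
            if e.prev_hash != prev or _digest(body) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_signatures(self) -> list:
        # Returns ids of records whose content no longer matches what was signed.
        return [s["record_id"] for s in self.signatures
                if _digest(self.records.get(s["record_id"])) != s["record_hash"]]


def build_demo_store() -> RecordStore:
    # Constructed scenario: an analyst creates and corrects a batch record,
    # then a reviewer signs it. Fixed timestamps keep the demo deterministic.
    store = RecordStore()
    store.write("analyst01", "batch-001", {"product": "Lot-A", "potency": 101.2},
                when="2024-05-01T09:00:00+00:00")
    store.write("analyst01", "batch-001", {"product": "Lot-A", "potency": 99.8},
                when="2024-05-01T09:30:00+00:00")
    store.sign("reviewer02", "Dana Reviewer", "batch-001",
               "Reviewed and approved", when="2024-05-01T10:00:00+00:00")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("chain ok:", s.verify_audit_chain(), "broken sigs:", s.verify_signatures())
```

The point of the two verify methods is the “audit” and “track” half of the post: a change made through `write` is attributed and leaves the chain intact, while a change made around the store (editing the record directly, or editing an audit entry) shows up as a signature that no longer matches its record or a chain that fails to verify. A production system would replace the bare hashes with per-user credentials or keys under the identity checks Subpart C describes, and would keep the audit trail on append-only, access-controlled storage.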
Good stuff, right? At the end of the day, why do you need to be compliant with the FDA?
Altering data is like altering the story the record tells, and changing who entered the data alters the record as well. Imagine if you could attribute your name to the great literary arts and say you did it rather than Hemingway or Shakespeare. The difference between a 1 and a 0 has strong implications in binary code. Being compliant, or making your equipment compliant, with 21 CFR Part 11 keeps the story true, and if it is false, you can see it and find out who is responsible.
Please find a link to the regulation below:
Link to The Ultimate Guide to 21 CFR Part 11.
Written By: Shazib Syed, Engineer I