21 CFR Part 11 Electronic Signatures:
Twenty years ago, 21 CFR Part 11, Electronic Records; Electronic Signatures, was published. 21 CFR Part 11 is a section of the Code of Federal Regulations (CFR) in which the United States Food and Drug Administration (FDA) establishes legal requirements regarding the use of electronic records and electronic signatures.
Part 11 was developed at the request of the pharmaceutical industry in particular (but also applies to other industries regulated under 21 CFR) because no legal guidelines were available for the use of electronic files and signatures.
The use of digitised systems had increased dramatically, but there was uncertainty about the criteria by which electronic files and signatures could be considered accurate, authentic, reliable, confidential and equivalent to paper documents and handwritten signatures.
The problem was that electronic systems were not yet as trusted as paper systems. Not entirely wrongly, because I also remember from that time that several copies of Excel files were in circulation, and in the end nobody knew which one was the master.
Convenience Of Electronic Systems
Let alone that anyone could still be certain that the edits he had made in a copy also ended up in the final file. The convenience of electronic systems is therefore also their weakness. Whereas a correction is clearly visible on paper, most electronic systems had no such audit trail.
Around 1990, the US Pharmaceutical Manufacturing Association (PMA, now Pharmaceutical Research and Manufacturing Association (PhRMA)) and the US Parenteral Drug Association (PDA) formed technical groups to develop rules for the use of electronic databases within the pharmaceutical industry.
They discussed their progress many times with the FDA task force set up under the leadership of Paul J. Mortise. In 1994 a draft regulation was published. It took another 3 years until the final regulation was published on March 20, 1997 and six months later, on August 20, 1997, the regulation was effective.
But the regulation was interpreted and implemented in different ways by the industry. For example, there was uncertainty about which systems and files the regulation related to. By itself, the regulation only includes requirements for controlling electronic files and electronic signatures.
There is no mention of which files and signatures are covered by the regulation.
For this purpose, the regulation refers to the existing regulations applicable to the product concerned. These include the Good Laboratory Practice (GLP), Good Clinical Practice (GCP) and Good Manufacturing Practice (GMP) regulations.
But these regulations are not always very explicit about where record-keeping is required. There is often an implicit expectation of recording.
In addition to uncertainty about which records must comply with Part 11, there was also uncertainty about the systems. Application of the “typewriter rule” (a word processor that is only used to generate a document that is printed and signed) and hybrid systems (systems consisting of both digital and paper applications) led to different interpretations of the regulation.
There was discussion about whether software, especially operating software and executable files, should be regarded as a record or as a system. It was also unclear whether the regulation only applied to electronic data stored on durable media or also to temporary data stored on non-durable media that has little or no ability to maintain audit trails or to export data to other electronic systems or files.
If there is a possibility to maintain an audit trail, when in the lifecycle of the data should it be maintained: from the source, from the moment the data has been verified, or from the moment the data can be influenced by human changes?
Systems for archiving or further processing the data, in which data is copied or transformed to another file format, also resulted in the necessary differences of interpretation.
A problem with Part 11 is that the requirements relate to a desired future paperless state, but do not sufficiently take current practices into account, even after 20 years.
Software products that enable compliance with the regulation have been available for 20 years, but many old systems are still used by companies.
Use of electronic systems
The second problem is that the industry already made intensive use of electronic systems, but that these often involve hybrid systems. The option to go back to a fully paper-based system is not realistic; despite all the management risks, hybrid systems will remain a daily reality for the time being.
An enforcement policy was published in 1999 so that compliance could be maintained from 2000 onwards. However, as the industry had barely recovered from the millennium problem, they were not yet ready to comply with the new regulation.
Organising this compliance
Organising this compliance turned out to be many times more drastic than the entire millennium problem. During this time I was also sent to London by my former employer for a meeting on 21 CFR part 11.
I didn’t understand much about it yet, but one thing had become clear: a lot was coming our way. After extensive reading and study of the material, it was clear to me that digital resources had to be handled very differently and that research into the suitability of these resources and training of the users were requirements.
The employer thought otherwise: the ICT service provider was given 3 months to translate the regulation into an SOP and with that the job was done.
It was only when the regulator suspended the statement of compliance with GLP that it became clear to management that controlling digital systems for data integrity is no nonsense and should be taken seriously, according to the regulators.