Understanding FDA 21 CFR Part 11

Lab personal signing

Title 21 CFR Part 11 establishes the United States’ Food and Drug Administration’s (FDA) regulations concerning the use electronic records and electronic signatures in FDA regulated industries. As such, the regulations, generally speaking, apply to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated organizations.

Historically, laboratory records were kept in paper, hardcopy form and bore handwritten signatures attesting to the data’s origin and validity. Although it is possible to forge a handwritten signature, handwritten signatures are generally considered to be highly reliable. Perhaps most importantly, it is difficult to refute a document bearing one’s handwritten signature – an important concept called irrefutability. In addition, short of destroying the documents completely, any attempts to change the data or signatures can usually be detected easily.

As more laboratory instruments produce electronic data and more organizations wish to enjoy the efficiencies of storing and sharing information electronically, the challenge becomes how to ensure the same level of reliability for electronic records that is provided by paper records. By their very nature, electronic records are easy to change, both deliberately and accidentally.

Dealing with digital images is particularly challenging. The notion of “photoshopping” images is widespread. A subtle change in contrast, for example, could make important evidence in an image disappear, or it could, beneficially, make it more apparent. Therefore, especially when dealing with images, it is important to know who did what when and to be able to revert to the original data.

CFR 21 Part 11 sets out the FDA’s requirements for handling electronic records in an acceptable manner. Highlights of the regulations with respect to electronic records and electronic signatures include:

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

It is generally accepted in the information security community that software vendors should not “roll their own” security functionality because the likelihood of producing something that is as robust as industry standard methods is remote. Therefore, at Quartz Imaging, we leverage the Windows Active Directory security system for access control. When our Quartz PCI-CFR software is started, it requires the user to authenticate with his or her Windows log-in. In addition, we use membership in Active Directory groups to determine which functions of the software are available to the user. The user must re-authenticate in order to apply an electronic signature to the data.

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

Our software records a time-stamped audit trail of all user modifications to data. Previously recorded files are never overwritten. A new version of the file is created each time data is saved. The audit trail is attached to the record and cannot be excised.

Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Electronic records are stored as discrete files in the file system, so NTFS security settings can be applied to the storage location to prevent deletion, changing security attributes, etc. We can provide suggested NTFS security settings upon request. There is no reliance on third-party database systems that may become obsolete over time.

Among other items, signed electronic records shall contain information associated with the signing that clearly indicates the meaning of the signature (such as review, approval, responsibility, or authorship).

Administrators of our software in your organization can establish your own list of permitted reasons for applying digital signatures. Application of electronic signatures to data requires two distinct identification components (user name and password), which are authenticated against your organization’s Active Directory.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

In the Quartz PCI-CFR system, electronic signatures are embedded in the electronic record which is encrypted. In addition, a cryptographic hash function is used to produce a digest to detect any changes. Therefore, the signatures cannot be excised, by ordinary means, without detection.

Storing laboratory data as electronic records can lead to great improvements to efficiency in your organization. Because electronic records can be backed-up, it is possible to achieve even greater reliability than with paper records, which are subject to physical damage and deterioration. However, care must be taken to use software and systems, such as Quartz PCI-CFR, that help you comply with the FDA’s 21 CFR Part 11 regulations.