1. Apply Predicate Rules For Complete Compliance
Predicate rules are FDA regulations that require companies to maintain certain records and submit information (both paper and electronic sources) as part of compliance. Predicate rules are regulations such as Good Laboratory Practices (GLP), Good Clinical Practices (GCP) and Current Good Manufacturing Practices (cGMP).
FDA-regulated companies and personnel working with electronic systems and records must know the predicate rules that apply to their industry in order to apply Part 11 correctly.
On issues pertaining to signatures and records, 21 CFR Part 11 allows:
• Any record that a predicate rule calls for to be satisfied with an electronic record
• Any signature that a predicate rule calls for to be satisfied with an electronic signature
It should also be noted that predicate rules do not directly address computer or software validation.
While 21 CFR Part 11 addresses the issues of electronic signatures, records and systems validation, it is the predicate rule that details the kind of records required and the signatures needed to validate/certify them. Therefore, it is crucial for companies to improve their awareness of the predicate rules that lay the groundwork for Part 11 compliance.
2. Enforce Strict Security Measures
Authentication, the process of verifying the identity of users, is essential in order to control access to critical data assets, perform electronic transactions and prevent manipulation of electronic records.
According to the regulations, “records are less trustworthy and reliable if it is relatively easy for someone to deduce or execute by chance a person’s electronic signature where the ID is not confidential and the password is easily guessed.”
Firms should ensure that software with enhanced security features, such as a user ID with a strong password (preferably with two-factor authentication), is used. This provides high assurance that records are trustworthy.
Computer systems should carry features like:
• Auto-lockout of inactive accounts
• Automatic logout of idle sessions
• No multiple logons from dissimilar locations
• Usernames that identify a person and are not generic
• Unique passwords
• Limited and controlled delete capabilities in the data transfer process
• Operational system checks to enforce the correct sequencing of events in the software
• A validity check for every input field
• Logging of all user access activity
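The following is an added example, not code from the article, showing how several of the listed controls fit together in one access controller: person-specific (non-generic) user IDs, auto-lockout of accounts unused for a set period, automatic logout of idle sessions, refusal of a second concurrent logon from a different location, and a log entry for every access event. The thresholds (90 days, 15 minutes), the list of forbidden generic names, the user names and the timestamps are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

INACTIVE_ACCOUNT_DAYS = 90     # assumed policy: lock accounts not used for this long
SESSION_IDLE_MINUTES = 15      # assumed policy: automatic logout after this idle time
GENERIC_NAMES = {"admin", "operator", "lab", "qc"}   # assumed list of forbidden shared IDs


@dataclass
class Account:
    username: str          # must identify one person, never a shared ID
    last_activity: datetime
    locked: bool = False


@dataclass
class Session:
    location: str          # where the logon came from (workstation, site, ...)
    last_seen: datetime


class AccessController:
    """One active session per user, idle expiry, inactivity lockout, full access log."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.access_log: list[tuple[datetime, str, str, str]] = []

    def _log(self, when, user, event, detail=""):
        self.access_log.append((when, user, event, detail))

    def add_account(self, username, now):
        if username in self.accounts or username.lower() in GENERIC_NAMES:
            raise ValueError("usernames must be unique and identify a person")
        self.accounts[username] = Account(username, now)

    def _expire_idle(self, now):
        # Automatic logout: drop every session idle for longer than the policy allows
        for user, s in list(self.sessions.items()):
            if now - s.last_seen > timedelta(minutes=SESSION_IDLE_MINUTES):
                del self.sessions[user]
                self._log(now, user, "AUTO_LOGOUT", "idle session expired")

    def logon(self, username, location, now):
        acct = self.accounts[username]
        # Auto-lockout of accounts that have been inactive for too long
        if now - acct.last_activity > timedelta(days=INACTIVE_ACCOUNT_DAYS):
            acct.locked = True
            self._log(now, username, "ACCOUNT_LOCKED", "inactive account")
        if acct.locked:
            self._log(now, username, "LOGON_DENIED", "account locked")
            return False
        self._expire_idle(now)
        active = self.sessions.get(username)
        # No second logon from a dissimilar location while a session is still live
        if active and active.location != location:
            self._log(now, username, "LOGON_DENIED", f"already logged on from {active.location}")
            return False
        self.sessions[username] = Session(location, now)
        acct.last_activity = now
        self._log(now, username, "LOGON", location)
        return True

    def is_logged_on(self, username, now):
        self._expire_idle(now)
        return username in self.sessions


def run_demo():
    """Exercise the controls with constructed times and users; returns the outcomes."""
    t0 = datetime(2012, 12, 31, 9, 0)
    ac = AccessController()
    ac.add_account("jdoe", t0)
    ac.add_account("asmith", t0)
    return {
        "first_logon": ac.logon("jdoe", "LAB-1", t0),
        "second_location_denied": not ac.logon("jdoe", "HOME", t0 + timedelta(minutes=1)),
        "idle_logout": not ac.is_logged_on("jdoe", t0 + timedelta(minutes=20)),
        "logon_after_logout": ac.logon("jdoe", "HOME", t0 + timedelta(minutes=21)),
        "inactive_account_locked": not ac.logon("asmith", "SITE-2", t0 + timedelta(days=91)),
        "events_logged": [e[2] for e in ac.access_log],
    }
```

The access log is kept in memory here only for brevity; in a real system it would be written to the same protected, append-only store as the audit trail so that denied logons and automatic logouts are reviewable.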
Companies should understand the need for robust security in the form of electronic signatures so as to comply with Part 11 as well as improve business processes, protect intellectual property, mitigate the risk of litigation and protect an organization from liability.
3. Ensure Data Transfer Is Secure
The secure transfer of data is a cornerstone of Part 11 compliance. In order to ensure this, FDA-regulated firms must implement the following measures in electronic systems:
• Control and limit delete capabilities – data can be inactivated but should not be deleted. Archived data may be deleted only once the audit trails have been generated and saved elsewhere.
• Encrypt all data transferred outside of the intranet firewall
• Encrypt all data that is taken offsite through laptops or removable media
• Checks in the operational systems to enforce the correct sequencing of events (a three-step event must not skip the second step, and so on) and the validity of input data (dates have to be dates, numbers have to be numbers, and so on).
• Date formats that are unambiguous – months should therefore always be written as their first three letters, such as JAN or FEB, as this is universally understood. The format should be DD-MMM-YYYY (e.g. 31-DEC-2012).
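As an added example (not from the article), the operational checks above can be expressed as a validity rule for every input field plus a sequencer that refuses any step other than the next one. The date rule accepts only the DD-MMM-YYYY form the text recommends and rejects both ambiguous numeric forms such as 01/02/2012 and impossible dates such as 30-FEB-2012. The three step names, the sample-ID pattern and the field layout are assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Assumed three-step workflow; step 2 must not be skipped.
STEP_SEQUENCE = ("SAMPLE_RECEIVED", "ANALYSIS_RUN", "RESULT_REVIEWED")

DATE_RE = re.compile(r"^\d{2}-[A-Z]{3}-\d{4}$")


def parse_date(text):
    """Accept only DD-MMM-YYYY with a three-letter month (31-DEC-2012); 01/02/2012 is rejected."""
    if not DATE_RE.match(text):
        raise ValueError(f"date {text!r} is not in DD-MMM-YYYY format")
    # strptime also rejects impossible days such as 30-FEB-2012
    return datetime.strptime(text, "%d-%b-%Y")


def is_non_negative_number(text):
    # float() raises ValueError for 'abc', so "numbers have to be numbers"
    return float(text) >= 0


# Assumed record layout: exactly one validity rule per input field.
FIELD_RULES = {
    "sample_id": lambda v: re.fullmatch(r"S-\d{6}", v) is not None,
    "assay_value": is_non_negative_number,
    "test_date": lambda v: parse_date(v) is not None,
}


def validate_record(record):
    """Return the list of validation errors; an empty list means every field passed its check."""
    errors = []
    for name, rule in FIELD_RULES.items():
        if name not in record:
            errors.append(f"{name}: missing")
            continue
        try:
            ok = rule(str(record[name]))
        except ValueError:
            ok = False
        if not ok:
            errors.append(f"{name}: invalid value {record[name]!r}")
    return errors


class ProcessSequencer:
    """Refuses any step other than the next one in STEP_SEQUENCE, and validates the record at each step."""

    def __init__(self):
        self.completed = []

    def complete_step(self, step, record):
        expected = STEP_SEQUENCE[len(self.completed)] if len(self.completed) < len(STEP_SEQUENCE) else None
        if step != expected:
            raise RuntimeError(f"step {step!r} out of sequence; expected {expected!r}")
        problems = validate_record(record)
        if problems:
            raise ValueError("; ".join(problems))
        self.completed.append(step)
        return tuple(self.completed)
```

Keeping the rules in one table makes the "validity check for every input field" auditable: a reviewer can see that no field is accepted without a rule, and the sequencer raises before any data is committed rather than logging the problem afterwards.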
4. Generate Audit Trails For All Electronic Records
Audit trails are generated to authenticate and confirm the integrity of regulated records and signatures, which often remains the greatest challenge for FDA-regulated companies. An audit trail is a series of documents or a documentation archive that allows the course of events to be reconstructed, and it should contain:
• Details regarding the reason for the change,
• Name and user ID of the person making the change,
• Date and time,
• The original and final entry in the database.
Firms should ensure that all changes made to the electronic data (any modification, updates or deletion) and every transaction made in the system database is recorded through an audit trail.
Firms should re-establish the requirement for audit trail functionality in internal system software. Risk assessment procedures should include a review of the potential risks to the traceability and data integrity of the records.
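Here is an added example (not the article's own code) of a record store whose every change produces an audit trail entry with exactly the contents listed above: the reason for the change, the user ID, the timestamp, and the original and final values. Entries are appended only and hash-chained so that any later edit of the trail is detectable, and the only form of deletion offered is inactivation, as section 3 requires. The record IDs, user IDs, field names and reasons are constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True, default=str).encode()).hexdigest()


class AuditedTable:
    """Records plus an append-only, hash-chained audit trail (constructed example)."""

    def __init__(self):
        self.records = {}
        self.trail = []

    def _append(self, user_id, record_id, field, old, new, reason, when):
        if not reason:
            raise ValueError("the reason for the change is mandatory")
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {
            "seq": len(self.trail) + 1,
            "timestamp": stamp,
            "user_id": user_id,
            "record_id": record_id,
            "field": field,
            "old": old,
            "new": new,
            "reason": reason,
            "prev_hash": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        entry["hash"] = _digest(entry)      # hash covers every field above
        self.trail.append(entry)
        return entry

    def create(self, user_id, record_id, data, reason, when=None):
        if record_id in self.records:
            raise ValueError("record already exists")
        self.records[record_id] = dict(data, active=True)
        # copy the record so later updates cannot silently alter this entry
        return self._append(user_id, record_id, "*", None, dict(self.records[record_id]), reason, when)

    def update(self, user_id, record_id, field, new, reason, when=None):
        rec = self.records[record_id]
        if not rec["active"]:
            raise ValueError("inactive records cannot be changed")
        old = rec[field]
        rec[field] = new
        return self._append(user_id, record_id, field, old, new, reason, when)

    def inactivate(self, user_id, record_id, reason, when=None):
        """The only 'delete' offered: the record stays, flagged inactive."""
        return self.update(user_id, record_id, "active", False, reason, when)

    def verify_trail(self):
        """True when every entry's hash matches its contents and the chain is unbroken."""
        prev = GENESIS
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The chain only proves that the trail has not been altered since it was written; protecting the trail from a privileged user who can rewrite the whole chain still requires that copies be saved elsewhere, which is the point of the archiving rule in section 3.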
5. Comply With Electronic Signature Requirements
Firms are increasingly using electronic information systems to improve the efficiency of their operations and to develop enhanced security policies, so as to move to a paperless environment and thereby significantly reduce costs.
Electronic signatures should uniquely identify an individual. Part 11 stipulates that controls for electronic signatures should be based on identification codes and passwords.
The regulations state that:
• Electronic signatures cannot be modified or copied by anyone
• Standard Operating Procedures must be implemented and followed for the issue, expiry and loss management of electronic signatures
• Written policies must be implemented to hold users accountable for actions undertaken with their electronic signatures
• Electronic signatures are not digital signatures
A compliant electronic signature must have the following components:
• A public user name that uniquely identifies the user
• A private password known only to the user
• The meaning of the electronic signature (stating the reason for it)
• Date and time on which the signature was executed
• The object that is signed should display the printed name, date, time and meaning of the signature
• The signed object should be permanently locked to prevent future editing or modification
• The electronic signature must be permanently linked to the signed object
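The signature components listed above can be put together as follows. This is an added example, not code from the article: the service stores only salted password hashes (the password stays known only to the user), a signing attempt requires both the user ID and the password, the resulting signature record carries the printed name, meaning and timestamp, it is linked to the signed object through a digest of its content, and the object is locked once signed. A signature copied onto another object, or an object altered after signing, fails verification. The user, password and record contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


def content_digest(content):
    # Canonical JSON so that the same content always gives the same digest
    return hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()


class SignatureService:
    """Holds user credentials (password hashes only) and executes electronic signatures."""

    def __init__(self):
        self._credentials = {}   # username -> (printed name, salt, pbkdf2 hash)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def enrol(self, username, printed_name, password):
        if username in self._credentials:
            raise ValueError("user IDs must be unique")
        salt = os.urandom(16)
        self._credentials[username] = (printed_name, salt, self._kdf(password, salt))

    def _authenticate(self, username, password):
        if username not in self._credentials:
            return False
        _, salt, stored = self._credentials[username]
        return hmac.compare_digest(stored, self._kdf(password, salt))

    def sign(self, username, password, obj, meaning, when=None):
        """Both components (ID and password) are required; the object is then locked."""
        if not self._authenticate(username, password):
            raise PermissionError("authentication failed; no signature executed")
        if obj["locked"]:
            raise ValueError("object is already signed and locked")
        signature = {
            "user_id": username,
            "printed_name": self._credentials[username][0],
            "meaning": meaning,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "content_digest": content_digest(obj["content"]),   # the link to the signed object
        }
        obj["signature"] = signature
        obj["locked"] = True
        return signature


def new_object(content):
    return {"content": content, "signature": None, "locked": False}


def edit_object(obj, field, value):
    if obj["locked"]:
        raise PermissionError("signed objects cannot be edited")
    obj["content"][field] = value


def verify_signature(obj):
    """Valid only if a signature is present and still matches the object's current content."""
    sig = obj["signature"]
    return sig is not None and sig["content_digest"] == content_digest(obj["content"])


def signature_display(obj):
    """The manifestation shown on the signed object: printed name, user ID, meaning, date and time."""
    sig = obj["signature"]
    return f"{sig['printed_name']} ({sig['user_id']}) {sig['meaning']} at {sig['timestamp']}"
```

Note that this is an electronic signature in the Part 11 sense, not a digital signature: it relies on the system's own authentication and record controls rather than on public-key cryptography, which is exactly the distinction the fourth bullet above draws.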
6. Validate Electronic Systems
Computer systems are subject to validation requirements, and all software used for storing clinical data must be validated in order to stay in compliance with 21 CFR Part 11. Firms must demonstrate that the software used in their systems meets company requirements for each purpose served by the software.
Firms should ensure that:
• There is continuous maintenance and scheduled internal reviews of computer systems as a part of the ongoing quality management system
• Required documentation should be maintained for all validation that is carried out for electronic systems
• Validation of individual utilities, equipment and instruments should also be completed
• Validation of software is a regular part of the maintenance of electronic systems, especially in the case of version updates and re-installation and so on.
The electronic system must be validated from the perspective of the developer. When validated from the user perspective, it should be done so as to ensure accuracy, reliability and performance.