Data integrity is crucial to assuring reliable data. For that reason, PTL has considered and implemented systems that ensure information and data security, integrity, and compliance. 21 CFR Part 11[1] is the key guidance for handling electronic records and electronic signatures in an FDA-compliant setting. The text is concise and publicly available online.
Considerations for high integrity of electronic systems:
Electronic Records – General
21 CFR Part 11 is a set of guidelines established to ensure electronic records, electronic signatures, and handwritten signatures on such records are “trustworthy, reliable, and equivalent to”[1] the traditional paper versions. Such records can be “created, modified, maintained, archived, retrieved, or transmitted”[1]. They may be purely on-site or submitted to FDA as a drug application. The only records exempt from the guidelines are those generated by systems unchanged since August 20, 1997 – when Part 11 went into effect. Such legacy systems’ prevalence is waning across the industry largely due to challenges maintaining the electronics.
Electronic Records – Closed Systems
A closed system is one in which access is limited to authorized individuals in the company, and the company controls content within the system. These systems must be validated to show “accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”[1] Thorough webinars are available from well-reputed sources to discuss the particular requirements behind such validation. In general, GAMP 5[2] is a vital reference as the original and respected source for such guidance. All controls are to ensure “authenticity, integrity, and, when appropriate, the confidentiality”[1] of records.
To comply with the guidance, several questions must be considered and associated actions implemented. What is your record retention period, and can you readily retrieve accurate records throughout the duration? Is access to your systems restricted to only authorized users, with appropriate permissions levels assigned—and are these periodically checked as personnel and systems evolve? Are your results being tracked for creation, modification, and deletion activities by accurate time and date stamps on an audit trail—and are records prior to a change maintained? Do you confirm a program’s sequence of events is executed correctly and cannot be compromised? Do you use authority checks to ensure the individuals acting in the system are allowed? Are device checks used to ensure the data input is valid? Are the individuals maintaining the systems and using the records trained with relevant education and/or background experience? Do you adhere to written policies of accountability for users’ actions under electronic signatures? Do you control documentation access and distribution regarding systems operations and maintenance? Do you control and maintain an audit trail recording revision of systems documentation?
Electronic Records – Open Systems
Open systems are those with access not controlled by individuals responsible for the content of the electronic records therein. These systems must adhere to the procedures and controls for closed systems, along with others: Are the open systems documents encrypted? Are you upholding standards for digital signatures to ensure authenticity, integrity, and confidentiality?
Electronic Records – Signature Manifestations and Linking to Records
When an individual signs an electronic record, associated information about the occasion must be included. Is the signature accompanied by a printed name? The date and time of the signing? The purpose of the signature, such as authorship or approval? All of these features must be included whether on paper or electronically generated. Once the signature is applied along with its information, is it inextricably connected to the record to avoid falsification or other use elsewhere?
Electronic Signatures – General
Electronic signatures are the legally binding equivalent of a handwritten signature, composed of computerized symbols certified by an individual as their unique mark. The individual’s identity shall be verified by the parent organization and the electronic signature shall be unique to that individual. Written certification goes to the FDA, and the individual must be prepared to provide further information upon request.
Electronic Signatures – Components and Controls
If your electronic signature is based upon biometrics (e.g. face recognition), they shall be unique and not re-usable across individuals. Other electronic signatures must also be unique and not re-usable, but also meet the following needs: Does the electronic signature need at least two identification components (e.g. code and password) at each use? Do repeat signatures in a single system access session require both identification components to begin, then one known only to the signer for the rest? Does an electronic signature used by someone other than the certified individual require collaboration between both users?
Electronic Signatures – Controls for Identification Codes/Passwords
Electronic signatures must be protected to ensure uniqueness and security. Ask whether these controls are in use: Is each identification code/password combination unique without repeats for any individuals? Are the combinations checked and/or revised periodically? Are procedures in place to ensure security in case of lost or otherwise compromised tokens containing access information, including re-issuance? Are unauthorized access attempts prevented and reported in the appropriate channels? Are tokens periodically checked for functionality and that they haven’t been tampered with?
Conclusion
A laboratory will not necessarily have to comply with every detail in this guidance; for example, open systems may not apply, or electronic signatures may not be in use. The lab must justify which requirements are applicable and document how it meets each recommendation—each is free to leave room for interpretation. The quality and security of your data are assured when these questions are answered with a resounding, “Yes,” and when PTL is your analytical partner, you may move forward with confidence that these questions have been answered. Learn more about PTL Standards and Methods.
By Rebecca Wolfrom, Methods Compliance Specialist
References
[1] Electronic Records; Electronic Signatures. Code of Federal Regulations (CFR), Part 11, Title 21, 2022.
[2] GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems. Good Automated Manufacturing Practice (GAMP), International Society of Pharmaceutical Engineering (ISPE), 2022.
