21 CFR Part 11: An FDA Regulatory Compliance for Electronic Records

Industry:Medical Devices       Added By:Admin       Posted On:Sept. 23, 2019


Since 1997, the conversion rate of the hospitals, pharmaceutical, paper documented work regarding record keeping, records retrieval and storage, etc., to the electronic medium for maintaining and storing records have augmented at a very substantial rate. This credence of the industries on electronic storage has engendered mostly because of the faster and safer mode of data transactions happening across the globe. The CFR Part 11 under title 21 of the FDA regulatory compliances, also known as Title 21 CFR Part 11, ensures that the data transferred globally is safe and away from the malicious implications of bugs and unprotected data. 

The FDA considers an electronic record or any form of electronic data of the companies to be a reliable source, only if it has followed the Part 11 rules. The FDA 21 CFR Part 11 compliance requirements become mandatory for every organization, which works with the online data to store and maintain digital records, to maintain the accuracy, reliability, and consistent intended performance while dealing with online data transactions. This article discusses the major aspects that are looked over to be a diligent Part 11 compliant entity and why is it so important to adhere to the 21 CFR Part 11 statements.

Part 11 security compliance requirements for electronic records in Open and Closed systems

The FDA enforces the Part 11 regulations with compliance in electronic records and electronic signatures. Apart from the medical devices, the industries that are affected by these regulations include biotech, biologics developers, and other FDA-regulated industries. The regulatory requirements for both open and closed systems, used for storing the electronic records, differ imperceptibly based on security management norms defined considering the way the two systems work.

1. The security and validation feature in the open system contains the basic security requirements as the closed system, along with other added features. The open system can be accessed by a third vendor who designs the software and hands it to the companies dealing with the medical devices. The additional features can include encrypting the documents and the use of digital signature standards to ensure the integrity and confidentiality of the records.

2. Limited access to the electronic records and closed systems to the authorized person must be implemented by the companies who work on the electronic records, as this ensures data authenticity. The FDA considers the data as not unique when an organization fails to become part 11 compliant and fulfill the requirements to maintain the data veracity.

3. Maintaining the authority and regular device check policies is another compliance requirement. Also, implementing a secure 21 CFR part 11 validation feature for the record systems ensures there exists standardized data integrity and authenticity in the electronic record and the electronic record systems deliver authorized and secure data in the market.

Part 11 compliance for the electronic signatures administering the electronic record systems

The FDA has made it mandatory for the electronic record systems used by the medical devices to manifest the FDA electronic signatures in their corresponding records. This is called as record linking, as it integrates the authenticity and the security of the data and signifies the entity to whom the data belongs. This also means that the signatures cannot be copied or derived from unapproved sources. The FDA also establishes 21 CFR Part 11 compliant software validations to trace the signatures that are used in the online record-keeping systems. 

1. The FDA requires the organization to allocate the signature to a person rather than a department or a group and the identity of the person must be verified by the statutory norms. The medical device companies availing this signature must notify the FDA by mail. FDA makes sure that the signature on the records once updated on the system cannot be opposed.

2. Two components must be used in determining the electronic signature such as including an identification code and a password. The signatures can only be accessed by a single person whose identity is registered with the FDA. The system should not allow any user with inadequate permissions to effect a signature by copying a signature from one document and attaching it onto another.

3. The control of passwords needs special security measures as per the 21 CFR Part 11, such as the password must be changed periodically and fostering of transaction safeguards which prevent unauthorized use of passwords. Fostering loss management procedures to ensure the avoidance of compromised security tokens, cards or other devices to stop security breaches.

Since its inception, Part 11 guidance has grown a lot of confusion amongst the industries, medical device makers in particular, who use the medium of electronic records for their clinical research studies. However, the FDA released guidance clarifies several sections of the 21 Part 11 compliance requirements and what companies can do to be compliant with FDA regulations. It is still mandatory for the companies to still follow the part 11 guidelines to stay in terms with the FDA regulations.