Electronic Records & Electronic Signatures

When 21 CFR Part 11 was released on March 20, 1997, it was given an effective date of August 20, 1997. By any measure, Part 11 was a surprise to the healthcare manufacturing industry. Many of us had waited for the Agency's approval to use electronic signatures, and the concerns of industry proponents about electronic signatures centered on the belief that the Agency would allow for their use only after the incorporation of various complicated security biometrics. We expected that the provisions for electronic signatures would potentially include requirements for retinal scans, thumb prints, voice identification, etc.

When Part 11 was released, the security control requirements for electronic signatures were fairly straightforward and benign. The requirements for electronic signature manifestations and the use of a dual user's identification and password were very clear and reasonable. But the section of Part 11 that dealt with electronic records was anything but benign. That section required predicate rule-mandated records created and maintained electronically, to comply with the Part 11 requirements, i.e., audit trail, system security, system self-check, etc. There was no provision for grandfathering legacy systems into compliance with Part 11. This is a big deal, impacting literally thousands of legacy systems in the regulated industry. Furthermore there was no provision for a grace period.

Part 11 was not widely reviewed or discussed prior to its effective date, and many quality and regulatory professionals stumbled into the legacy system impact of Part 11 only after they began to read and study the rule in anticipation of pursuing the application of electronic signatures. In the last two years, the industry has begun to understand more fully the implications and impact of the final rule on its computerized systems. The rule does not create any new record or signature requirements. The use of electronic records as well as their submission to FDA is voluntary. The agency can use regulatory discretion and compliance expectations may be realized gradually.

The realities of Part 11 include the following facts: We are now more than four-and-a-half years past the effective date and Part 11 is not going to go away. Our booming e-commerce industry will only strengthen the need for controls of electronic records and signatures. The FDA provided for only a five-month implementation period so, as a result, the industry has been trying to work out of a state of noncompliance. We should be past grousing and complaining about Part 11 and well into trying to understand it and implementing remediation plans.

Definition and Field
An electronic record is defined as any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system, and is applicable to records required by any other FDA regulation and applicable to records submitted to FDA under the Food, Drug &Cosmetic Act or the Public Health Service Act, even if not required by FDA. The goal of the regulation is to provide a framework and set of rules for developing sound business practices to ensure the trustworthiness and reliability of electronic data, documents and signatures that are transmitted to FDA. It requires that industry demonstrate its ability to develop and maintain reliable and secure computer systems and sound business processes around these systems. Specifically, the rule applies to data captured in a computer system (electronic records) and signatures or authorizations generated by a computer (electronic signatures) as well as the security controls and business processes associated with them.

Electronic Records Provisions
Closed Systems: A closed system is defined as an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. Controls for closed systems:

Establish minimum controls for all systems;
Are designed to assure authenticity, integrity and confidentiality (as appropriate);
Are designed to ensure that the signer cannot readily repudiate the signature as genuine;
Validate the systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records;
Maintain the ability to generate accurate and complete records in human readable and electronic form so that FDA may inspect, review and copy the records;
Protect records so that they are readily retrievable throughout the retention period;
Limit system access to authorized individuals;
Use secure, computer-generated, time-stamped audit trails for operator entries and actions;
Do not obscure previous entries;
Use operational system checks to enforce sequencing steps;
Use authority checks to ensure that only authorized individuals can access and use the system;
Use device checks to determine the validity of data input or operational instructions;
Ensure appropriate training of users, developers and maintenance staff;
Establish and follow written policies that deter falsification of records and signatures;
Establish adequate controls over the distribution of, access to, and use of system documentation;
Establish adequate controls over revisions and changes and maintain audit trails of modifications to system documents.

Open Systems: An open system is defined as an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. Controls for open systems:
Ensure authenticity, integrity and confidentiality (as appropriate) of records from point of creation to point of receipt
Employ all of the controls required for closed systems
Implement document encryption.
Implement digital signatures.

Hybrid System: A hybrid system is defined as a system for which handwritten signatures executed on paper and paper-based records (if applicable) are maintained in addition to electronic records. The controls for hybrid systems are a combination of the above two systems.

Signature/record linking:
Applies to electronic and handwritten signatures.
Must ensure that the signatures cannot be excised, copied or otherwise transferred to falsify an electronic record.

Signature Manifestations:
Signed electronic records must include:
- Printed name of the signer
- The date and time of the signature
- The meaning of the signature (e.g., review, approval, authorship)
Electronic signatures are subject to same controls as electronic records.
The information required must be included in any human-readable copy of the record.

Electronic Signatures Provisions
Part 11 defines specific requirements for the design, use and implementation of computer systems that create, modify, maintain, archive and retrieve electronic records with or without electronic signatures. These requirements can be achieved either by technical or procedural implementation. Some requirements may include both a technical solution in the design of the system and a procedural process. Procedural processes may be used also as interim solutions while technical solutions are being developed and implemented. The electronic signature must be unique to an individual and not reassigned, and the identity of the individual must be verified by organization. It must be certified. The FDA example is given below:

"This is to certify that {Company X} intends that all electronic signatures executed by our employees, agents or representatives, located anywhere in the world, are the legally binding equivalent of traditional handwritten signatures."

Electronic signature components and controls:
Non-biometric signatures must consist of two distinct components (e.g., an identification code and a password).
In one continuous session, the first signing must use all components; subsequent signings may use just one component.
Non-continuous session: use all components of the electronic signature.
Must be used only by their genuine owner.
Administered and executed to ensure that use by others is precluded and that any attempted use would require collaboration by two or more individuals.
Biometric signatures are a method of verifying identity based on measurement of an individual's physical feature(s) or repeatable action(s) where the features and/or actions are both unique to that individual and measurable.
Voice Prints, handprints, retinal scans

Controls for identification codes/passwords:
Ensure no two individuals have the same combination.
Ensure that identification codes and passwords are periodically checked, recalled or revised.
Electronically deauthorize lost, stolen, missing, or compromised tokens, cards and devices.
Subject replacements to rigorous controls.
Conduct initial and periodic tests of tokens and cards for function.
Use transaction safeguards to:
- Prevent unauthorized use of passwords and identification codes.
- Detect and report (in an immediate and urgent manner) attempts at unauthorized use.

Audit Trail
One of the biggest concerns regarding Part 11 compliance is defining when the audit trail begins. Take a pragmatic approach, proceduralize it, adhere to it and be prepared to defend it. Audit trail initiation requirements for data should be different from audit trail initiation requirements for textual materials, such as operating procedures, reports or guidelines. If you are generating, retaining, importing or exporting any electronic data, the audit trail begins from the instant the data hits durable media. This should be recognized as an operational and regulatory imperative. It needs to be absolutely and demonstrably inviolate in this regard. But if the electronic record is textual and subject to review and approval, the audit trail begins upon the approval of the document.

Retaining the pre-approval iterations in the audit trail is not value added. If an operating procedure, for example, is typed into a word processor (stored to durable media or not) and subsequently routed either in hard copy or electronically for review and approval, it is not versioned until it is approved by all required approvers. The following procedures are imperative:
The document is not used until it has been fully approved and released into the appropriate documentation system.
The document is not released for use until it has, in a post-altered or amended state, all of the required approvals.
The document is maintained via appropriate version control and retention requirements.

With these procedural controls in place, the textual document is not complete and usable until it has been formally approved and released. At this point, the 21 CFR Part 11 required audit trail is applicable. Obviously, the predicate rule drives the need for a document and subsequently the document's approval, versioning and retention requirements. If the predicate rule does not require the retention of the document's draft versions, Part 11 does not apply to draft versions. However, as I write that, I believe that, during the document's iterative draft stages, it is necessary to fully control the draft versions until the document has been approved for use. Upon approving and version controlling the final version, all electronic draft versions of the document can be deleted. An example of this is as follows:
1. An author writes a procedure/report/guideline/etc., and sends a draft copy to five different reviewers/ approvers.
2. Each reviewer/approver makes a change to the draft copy and sends his/her copy comments back to the original author for incorporation into a new draft version of the document.
3. The author then consolidates the comments and sends the document back to the reviewers/approvers as a new and controlled draft version.
4. The new and controlled draft version is approved by the reviewers/approvers, and the document is released as a controlled final version.
5. After the document has been released as a controlled final version, all draft versions can be deleted.
6. If the released document is subsequently revised, the above process is repeated and only the various final approved and released versions are retained. The current approved version is retained in an active status, and previous approved versions are retained in an archival status.

The draft version document described in Step 3 is controlled and saved only until the final version, described in step 4, is approved and version controlled. After the approval of the final document, any versions or copies of the draft document can be deleted.

Agency representatives have differed on the point at which the Part 11 audit trail becomes applicable. The perspectives within the agency have ranged from a very conservative umbrella statement of, "whenever anything is stored to durable media," to the more pragmatic approach previously described for audit trailing textual documents that are not available for use until approved, released, version controlled and retained per predicate rule requirements. With 21 CFR Part 11 requiring an audit trail for human-entered transactions, as opposed to those initiated by machine or computer, and not describing exactly when the audit trail begins, the industry and the FDA must develop a consistent and reasonable approach to resolving this issue.

Compliance Strategy

FDA References
Compliance Policy Guide 7153.7 May 1999
- Nature and extent of deviations
- Effect on product quality and data integrity
- Adequacy and timeliness of corrective actions
- Compliance history (especially data integrity)
Guidance - Computerized Systems in Clinical Trials - 1999

Systems Covered
Inventory all systems
- Proposed
- Current
All proposed systems should comply with Part 11
Determine threshold of risk the company is willing to accept

Plan
Develop plan for compliance of high risk systems with time frames
Demonstrate progress in implementing timetable
Determine what will be done with other systems—support or validate transcription
Document process

SOPs
System setup/installation
Data collection and handling
System maintenance
Data backup, recovery and contingency plans
Security
Change Control

Policies
Systems should clearly identify the electronic version of records as confidential
Any printout of records should be automatically marked as confidential
Establish e-mail and voice mail policies
Inform employees about the legal consequences of certification

Compliance Mission
Many companies have adopted the following Part 11 compliance approach, keeping in mind the following mission statement:

"To develop an action plan for addressing Part 11 requirements in existing systems and to support the preparation and training of business processes and procedures to assure the development, implementation and use of compliant systems in accordance with the FDA regulations."

Compliance Plan
Study and fully understand Part 11. Applies to electronic and handwritten signatures
Ensure that signatures cannot be excised, copied or otherwise transferred to falsify an electronic record
Identify and inventory all of the Part 11-applicable electronic systems
Develop and apply a Part 11 compliance checklist in order to create a Part 11 compliance gap analysis for systems
Develop and apply a systems criticality matrix that can be used to prioritize systems for Part 11 remediation
Develop and execute against a comprehensive Part 11 remediation schedule

In order to determine a remediation path, it is necessary to project accurately the remediation cost of each system. This will include determining whether the most effective course of action is to upgrade the existing system, buy a new system that can be brought into compliance, buy a system that is scheduled to be in compliance, or buy a system that is already in compliance with Part 11.

Interdisciplinary Remediation Planning
When Part 11 remediation plans are being developed, it is essential that Quality Assurance, Regulatory Affairs/Compliance, Operations, and Information Systems personnel are all jointly involved in the planning. The software, equipment and intended use have to be considered at the very outset of planning. Is the record required by a predicate rule? What is the actual application and use of the equipment/ software? What is the criticality of the system? What is the extent of the noncompliance? Can the program be brought into compliance? Is a compliant new system available? These questions are best answered from a multidisciplinary perspective.

Legacy Systems
Part 11 remediation is especially frustrating for older systems that have been validated to other standards and have been operating in an otherwise nonproblematic state. Legacy system remediation presents a unique dilemma because spending a significant amount of time and money to update an older system could appear to be of limited value. However, remaining in noncompliance while new and compliant systems are sought is fraud with regulatory peril and can't be taken lightly. It may be very costly to remediate these systems, but the fact remains that Part 11 does not provide for grandfathering legacy systems, and it does allow the industry to use electronic signatures.

Software and System Suppliers
Software and equipment suppliers have begun to understand that Part 11 represents a new set of expectations for their products, and many are trying to respond, but most are not there yet. It has become apparent that "buyer beware" is a term or concept that is very applicable to Part 11 compliance efforts. In a recent review of several well-known systems/ software packages that were advertised as "Part 11 compliant," it was evident that some aspects of Part 11 were addressed, but others were not. It is imperative that manufacturers understand the requirements of the final rule and are in a position to ask the right questions of their suppliers.

Laboratory Equipment
The remediation approach of replace or upgrade will need to be looked at on a system-by-system basis or at least a system-type basis. Laboratory equipment will need to be assessed after a gap analysis has determined the level of noncompliance. If an analyzer is not designed to store data to durable media, and it holds the analysis in RAM, prints out the analysis results, and subsequently deletes the results from RAM to make way for the next analysis, it is generally interpreted that Part 11 does not apply. The electronic typewriter concept pertains, with the paper copy becoming your raw data, subject to appropriate predicate rule retention requirements.

If an analyzer stores analysis data to durable media, Part 11 applies. The raw data in this case is the electronic data, and any subsequent hard-copy printout of the data is ancillary. The printout must be, as part of the systems validation, demonstrated to be the same as electronic raw data. But the presence of paper copy does not remove the Part 11 requirements that probably represent the easiest and most direct compliance approach. If the analyzer can't be readily upgraded, the new purchase option exists, but the vast majority of new analyzers themselves are noncompliant.

FDA-regulated industry is just one player in the overall laboratory analyzer market, and demands from the industry to make new analyzers Part 11 compliant can be much like the tail trying to wag the dog. The industry believes that, while this can eventually meet with positive results, it is more likely to be met with frustration in the short run.

Discuss your options and be creative and innovative in your remediation approach. If your analyzers can't be made Part 11 compliant, get a laboratory information management system (LIMS) or an external data control system that can. Treat your analyzers as second generation for your LIMS, and assure that your LIMS software is Part 11 compliant. The FDA is not prescriptive relative to where the data is retained, which file or database. You are required to validate your system and to be able to demonstrate that your system and its data acquisition, retention and Part 11 controls are solid and repeatable.

Solutions
Information systems professionals, when introduced to Part 11 requirements, have come up with innovative solutions to the remediation quandary. With Part 11 providing the capacity for audit trailing to be accomplished via the use of ancillary equipment or different databases, the industry has the opportunity to view entire interrelated and interconnected systems looking for the most opportune mechanism to fulfill the various Part 11 requirements. Examples of this are the use of Documentum's underlying Oracle database to record time/date transactions or the use of an NT server's security function to provide the required level of systems security for an application accessed on line utilizing the server.

Many commercially available software programs already have systems self-checks and alert database administrators to prevent entry attempts. Instead of being dismayed by the complexity and all-encompassing nature of 21 CFR Part 11, we need to accept the likelihood that we will probably not find an answer that does it all for every system. We must begin to look opportunistically at the systems, equipment and processes that we already have in place for resolution.

The pharmaceutical industry is actively working to develop plans to address full compliance with Part 11. It has already taken several steps toward adherence to the rule in preparing standards for the development, validation and use of computer systems. The industry has begun to oversee the remediation of business systems, business processes and the development of new business systems used to generate, store and authorize information delivered to the FDA. It will also be used to drive and support the use of good business practices around the development and use of computerized systems. Part 11 will remain with us, and organizations that have delayed remediation are falling further behind the compliance power curve. Investigators are trained on Part 11, FDA 483 citations are being issued, and Part 11 violations are being noted in warning letters. Part 11, whether you like it or not, whether you feel it's needed or not, is a released Final Rule in the Code of Federal Regulations governing our industry and must be adhered to.

It is "foolish" to try to wait it out. You will fall further behind your peers and your competition, and you will put your organization at risk. The industry, working with the FDA, must develop a consistent and reasonable approach to resolving the Part 11 issue. Understand the rule, understand your requirements, and by all means understand your opportunities. Keep track of your plan, your actions and accomplishments, your innovations and solutions, and your remediation expenses.

No comments: