21 CFR Part 11 Compliance: Tracking Time, Processes and Procedures

The spring of 1997 was a significant time for theFood and Drug Administration (FDA). An overhaul of the Agency’s Good Manufacturing Processes (GMP) brought changes that had not been seen for a quarter of a century.

This overhaul resulted in FDA regulation 21 Code of Federal Regulations (CFR) Part 11, which places certain demands on drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries regarding their use of technology — specifically, defining the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records.

FDA regulation 21 CFR Part 11 is a strategic initiative launched by the federal government to modernize the regulation of the pharmaceutical industry with respect to allowing audibility and validation of electronic signatures for manufacturing and product quality procedures. One of the areas this regulation impacts is employee time tracking for project accounting on drug research and manufacturing.

Capturing and Preserving Data

21 CFR Part 11 is the FDA’s primary regulation on electronic records. Since pharmaceutical companies must be compliant, it governs much of how they document their processes and procedures — from research to marketing of the product. There is a considerable amount of information on this regulation on the FDA’s Web site.

In order for employee time tracking software (my particular area of expertise) to meet the same requirements that paper timesheets do for this regulation, the software must exhibit several qualities.

First, it must meet the most critical requirements of the standard: audit trail generation and storage functionality. The historical information is a key functionality of an application associated with audit trails. The software must capture and preserve all the data associated with adding, changing and deleting time-related information in a real-time database that can be audited.

Second, as with all technical controls, there still must be a management and operational component that ensures compliance with the regulatory standards. There must be established policies and procedures that provide guidance, as well as control implementation details associated with the authenticity, integrity — and, in many cases, the confidentiality — of electronic records, aka timesheet audit trails.

In other words, software alone will not solve your 21 CFR Part 11 compliance problem, just as it doesn’t solve Sarbanes-Oxley or compliance issues by itself. There must also be a third-party validation for the system, as well as documentation and configuration to ensure that the processes, policies, procedures and technical controls are in place — and are effective, based on the regulatory requirements of the organization.

Finding timesheet software that contains all of these features is very important for complying with Part 11 regulations. The right vendor “can offer an application containing the requiredtechnical requirements of a compliant system.” It can help you look toward the future and make the switch to electronic records and signatures in the easiest way possible.

Procedural, Administrative Controls

Sometime in 2007, the FDA will release its amendments to 21 CFR Part 11, and this will change the way laboratories manage their electronic records. The goal is to create and thoroughly document a pragmatic process by which regulatory compliance initiatives can be prioritized while still maintaining overall productivity.

The deliverable is a careful, thorough, risk-based methodology that enables companies to build quality into their processes based on qualified regulatory risks and identification of key areas for increasing efficiency.

Although this regulation has been around for 10 years, there is still confusion about it, which is sometimes caused by software vendors selling into the space. For example, it is not possible for any vendor to offer a turnkey “Part 11 compliant system.” Any vendor who makes such a claim is incorrect.

Part 11 requires both procedural controls — that is, notification, training, standard operating procedures and administration — and administrative controls to be put in place by the user in addition to the technical controls that the vendor can offer.

At best, the vendor can provide an application that contains the technical requirements to maintain a compliant system.

Another area of confusion concerns handwritten signatures. Having handwritten signatures on paper is acceptable if signatures are linked in some reliable way to electronic records so signers cannot repudiate records.

What this means is that electronic signatures and handwritten signatures executed electronically must be verifiably bound to their respective records to ensure that signatures could not be excised, copied, or otherwise transferred to falsify another electronic record. Technology solutions typically do this better than paper-based ones.

If you use electronic signatures in any way, then you must be in compliance with all provisions of 21 CFR Part 11, according to the FDA.