Software Simplifies Compliance with 21 CFR Part 11 and EudraLex Good Manufacturing Practice Volume 4 Annex 11

Section Overview

• Regulations Covered by 21 CFR Part 11 and Annex 11
• Controls for Closed Systems
• Signature Manifestations and Unique Signatures
• Validation Documentation
• Data Accuracy
• Software to Aid Compliance with Electronic Records and Signatures Regulations

Regulations Governing Electronic Records and Signatures: 21 CFR Part 11 and EudraLex Volume 4 Annex 11

The United States Food and Drug Administration (FDA) requires that records concerning important aspects of the drug manufacturing process be maintained to help ensure quality. To facilitate this process, Part 11 of Title 21 of the Code of Federal Regulations (21 CFR Part 11) established FDA regulations on electronic records and signatures in place of paper-based documentation. These regulations detail under what circumstances electronic records and signatures can be considered equivalent to paper records and handwritten signatures for FDA purposes.

The European Union’s EudraLex Volume 4 Annex 11 (Annex 11) is similar to FDA regulations and provides guidance for use of computerized systems within GMP-regulated activities. Annex 11 helps to ensure that when a computerized system is used, the same product quality and quality assurance can be achieved compared to a manual system with no increase in the overall risk.

Electronic record and signatures are considered as good as paper-based records, provided:

• Electronic records are created, maintained, and archived in a manner so that their authenticity and integrity is ensured.
• Electronic signatures are linked to individual users who created, modified, or approved records.
• Electronic signatures are unique to each user.
• The system used to create and manage electronic records and signatures is validated to ensure accuracy, reliability, and consistent intended performance.

The software used to support these initiatives offers a significant number of additional benefits including:

• Access Control: The software can define user roles and permissions to prevent an unauthorized user from taking actions they are not trained to perform.
• Immutable Audit Trail: The software automatically generates a secure, time-stamped electronic record of all relevant user actions relating to the creation, modification, or deletion of an electronic record, and record changes cannot hide previously recorded information.
• Data Integrity: Because data cannot be changed without leaving an electronic trace, electronic records can be more reliable and accurate because of their immutable audit trail.
• Search and Retrieval of Information for an Audit or for Investigation: Searching electronic records and finding information is much easier than searching through paper records stored in filing cabinets.
• Electronic Backups and Redundancies: once damaged paper-based records may be unusable.
• Easier Collaboration: Electronic documents can be shared instantly across many teams.

Regulations Covered by 21 CFR Part 11 and Annex 11

This page highlights some of the regulations covered by 21 CFR Part 11 and Annex 11 and provides key considerations that will help ensure alignment. As both sets of regulations have the same objectives, there are significant similarities between them.

Controls for Closed Systems

Among the key benefits of digitizing paper records is facilitating report generation and protection and ensuring that proper audit trails for skids and batches can be established. When performed using paper-based records, these tasks can be extremely time-consuming and labor-intensive.

The evolution to electronic records and signatures requires proper procedures and robust technical controls to collect data, produce and protect reports, and provide compliant and trustworthy audit information in a timely manner when requested by regulators.

21 CFR Part 11 defines the requirements related to reports and audit trails as follows: 

• The ability to generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review, and copying by the FDA.
• The protection of records to enable their accurate and ready retrieval throughout the records retention period.
• The use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

21 CFR Part 11 outlines the need for controls for closed systems which refers to a system under the control of persons who are responsible for the electronic records managed by the system:

“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”

The procedures and controls outlined in Section 11 begin with the need to validate software systems intended for the purpose of ensuring accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Subsequent requirements relate to the need to limit system access to authorized individuals, and the need for authority checks to ensure only authorized individuals can access and use a particular system, electronically sign and alter records, and perform certain operations. 

21 CFR Part 11 also notes the need for individuals who develop, maintain, or use electronic record/electronic signature systems to have the education, training, and experience to perform their assigned tasks.

Similar requirements are defined in Part 7 of Annex 11 which covers data storage, protection, and backup. Data should be secured by both physical and electronic means against damage, and stored data should be checked for accessibility, readability, and accuracy. Access to data should be ensured throughout the retention period and regular backups should be completed. In addition, the integrity and accuracy of backup data and the ability to restore it should be checked during validation and monitored periodically.

Part 8 of Annex 11 states that it should be possible to obtain clear printed copies of electronically stored data, while Part 12 establishes requirements similar to 21 CFR Part 11 for access control, authorizations, and operator identification.

A key consideration when implementing electronic records and signatures is that while the software provides the framework for digitization, the user must play an active role in defining, verifying, and ensuring their processes are performing properly. For example, with regard to controls for closed systems, the user must:

• Define their record retention periods and ensure their implementation.
• Ensure that access to records databases is granted only to authorized individuals.
• Ensure access control.
• Verify the devices connected to their internal network for source of data input.
• Validate that input should be assured by procedural controls/SOPs.
• Ensure that administrators and users are qualified in accordance with their qualification process.

Signature Manifestations and Unique Signatures

It is essential that all signed electronic records associate the user’s login and password with the printed name of the signer, the date and time of the signature, and the meaning of the signature – whether review, approval, responsibility, or authorship – is associated with the signature. Each electronic signature must also be unique to one individual and not reused by anyone or reassigned to another person. Adherence to Annex 11 and 21 CFR Part 11 signature requirements is essential for establishing a proper audit trail. 

As noted above for closed systems, the user does have important responsibilities in terms of signatures. While the software will capture relevant information, it is the responsibility of the user to verify and validate requirements and provide each user with a unique login and password that will not be reused or reassigned.

Validation Documentation

Annex 11 emphasizes the importance of validation documentation and change controls.  A key component of this portion of Annex 11 is the need to ensure that the developer of the software used a regulatory-required quality management system and that the defined requirements have been fulfilled. At the same time, the user is accountable for installing and where required, validating the software and verifying that it is suitable for the intended use.

The validation documentation should also include change control records and report on any deviations observed during the validation process. Here, the user is accountable for validation of the system and change control documents for their installation.

Data Accuracy

Annex 11 also highlights the need for accuracy checks. For critical data that are entered manually, there should be an additional check on the accuracy of the data either by a second operator or by a validated electronic means.

Software to Aid Compliance with Electronic Records and Signatures Regulations

Bio4C ProcessPad™ software and Bio4C ACE™ software support compliance for electronic records as outlined in 21 CFR Part 11 and Annex 11. For a detailed list of how the software supports requirements for electronic records, please refer to the white paper Facilitating 21 CFR Part 11 Compliance with Bio4C ProcessPad™ Software and Facilitating 21 CFR Part 11 and EudraLex Volume 4 Annex 11 Compliance with Bio4C ACE™ Software.

Users have overall accountability for ensuring that their system is validated based on the intended use. Final compliance with 21 CFR Part 11 and Annex 11 based on the intended use is the responsibility of the user. In addition, the user must establish and implement documented operational processes covering areas such as archiving, business continuity planning, and others as needed.