21 CFR Part 11 – Electronic Records
Part 11 of the Code of Federal Regulations applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries, with some specific exceptions in regards to electronic record keeping. [1] It requires that they implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain. A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. [2]
Broad sections of the regulation have been challenged as “very expensive and for some applications almost impractical”, [3] and the FDA has stated in guidance that it will exercise enforcement discretion on many parts of the rule. This has led to confusion on exactly what is required, and the rule is being revised. In practice, the requirements on access controls are the only part routinely enforced. The “predicate rules”, that required organizations to keep records in the first place, are still in effect. If electronic records are illegible, inaccessible, or corrupted, manufacturers are still subject to those requirements.
When it comes down to the real situation either firms have authoritative “hard copies” of all required records, or they have all files on an electronic system. Depending on which of the two sources has all required documents, it will be deemed the authoritative source. Firms should be careful to make a claim that the “hard copy” of required records is the authoritative document. For the “hard copy” produced from electronic source to be the authoritative document, it must be a complete and accurate copy of the electronic source. The manufacturer must use the hard copy (rather than electronic versions stored in the system) of the records for regulated activities. The current technical architecture of computer systems increasingly makes the Part 11, Electronic Records; Electronic Signatures — Scope and Application for the complete and accurate copy requirement extremely high.
Which leads us to Private Cloud Systems…
Cloud Systems can be 21 CFR Part 11 compliant, cost effectively deployed to meet accelerated timelines, more secure than in-house deployments, and can assure potential investors/acquirers of the integrity of your firm’s data. These goals can be achieved by creating a qualified private cloud in an agreement with a cloud vendor.
The cloud Software as a service (SaaS) business is a fast-growing and evolving market with multiple options and prices that can get expensive quickly if not managed properly. Please be aware, there are no “out of the box” (free or discounted) cloud solutions will be 21 CFR Part 11 compliant. Below are some of the critical components to ensure that your system is compliant:
- Open and Closed system differentiation – need to define what is inside network or intranet (which needs to be encrypted and protected as such), and what is outside the intranet and available to share on global internet.
- Cloud systems are rigorously validated –just like an on-premise software validation, a cloud validation is mandatory and includes many stages:
- The creation of a Validation Plan
- The User Requirements Specification (URS) describes the business needs for what users require from the system.
- Then follows the System Configuration Specification (SCS) and Software Design Specification (SDS), which needs to be exhaustively documented.
- Once the frameworks have all been developed and validated, then the System Build can begin, as the system develops it must go through iteration of the IQ > OQ > PQ cycle
- Installation Qualification (IQ): Verifies the installation of the software in the selected environments and its documentation.
- Operational Qualification (OQ): Verifies that the software will function according to its operational specifications in the selected environment.
- Performance Qualification (PQ): Verifies that the software consistently performs to the specification for its day to day use (routine).
- Validation Report: Summarizes the executed validation process, documents any deviations and their remediation, and acts as a final sign off on the validation of the system.
- By leveraging a regulated cloud, the cloud software can conduct all validation steps (including IQ and OQ), leaving only the PQ to the customer. [4]
- Open for inspection – All Validated Cloud SOPs and non-customer-specific documentation are fully auditable, as is the host’s data center.
Risks & Costs to consider:
Of course, no solution is without problems and learning experiences, setting up a cloud system can become more complicated in real world situations with multiple cloud environments, different data sources, internal and acquired content and well as security challenges and other integration issues. In addition, any firm will need to expect large expenditures to make a cloud system a reality. Below is an estimation of costs for a medium sized firm employing about 50-200 to run and maintain a cloud system (these figures might vary greatly from real costs and depend on vendor and solutions purchased):
| Required Component | Estimated Annual Cost |
| Personnel | $200 – 300,000 |
| Hardware/Infrastructure | $100 – 150,000 |
| Backup & Support | $15 – 20,000 |
| Apps & Software Licenses | $15 – 30,000 |
| Est. Total Price Range: | $330,000 – 500,000 |
However, given the other option which is on premise software database, these costs can be doubled or tripled for a couple reasons. First, there is the constant need to upgrade and replace old hardware, usually faster than it depreciates and at greater cost than the cloud vendors. Second, there is much more technical and personnel experience required, greatly increasing costs and having to compete with the likes of Google and Amazon for cloud engineers and other talent. Another reason is scalability and flexibility, as cloud solutions can scale or decrease depending on the businesses data volume and demand. For an on-premise software solution, a firm would have to purchase more high cost equipment to expand capacity and size, instead of a cloud data provider renting out a few more instances in their data center for the firm.
If a firm has the need to migrate or create an electronic record system to comply with 21 CFR Part 11 and understands the risks and costs, it is usually the best course of action to research and look into right solution for your firms needs. Some firms to explore for potential storage solutions may include: Box, DropBox, Google Cloud, RegDocs365 or AWS Cloud.
Sources
- “CFR – Code of Federal Regulations Title 21”. U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.
- ^“Food and Drug Administration CFR Title 21 Part 11”. U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.
- ^“Part 11, Electronic Records; Electronic Signatures — Scope and Application”. U.S Food & Drug Administration. U.S Food & Drug Administration. Retrieved 15 September 2016.
- ^”https://www.veeva.com/blog/a-validated-system-in-the-cloud-its-not-a-myth-2/ “. Veeva.com Blog. Written 16 January 2013 by Steve Harper.