Electronic records and their management have transformed how organizations collect, organize, and use a variety of information formats in any organization, not only pharmaceutical, biotechnology, and medical companies.
The United States Food and Drug Administration (FDA) established regulations for electronic records and signatures in Title 21 CFR Part 11 of the Code of Federal Regulations. Effective since 1997 and updated several times since, Part 11 applies to industries regulated by the FDA such as pharmaceuticals, biotechnology companies, contract research organizations (CROs), and medical device manufacturers.
Part 11 specifies how these FDA governed industries must handle electronic records and signatures and defines the criteria under which they are authentic, reliable, and equivalent to paper records. The regulation requires implementing controls such as internal audits, audit trails, system validations, electronic signature protocols, and documentation for software involved in processing the electronic data that FDA rules require to be maintained. Failure to comply with Part 11 can result in FDA citations and fines.
Records and Information Management is considered as a companion discipline with enterprise data management, and shares many aspects of EDM / EIM.
Electronic Record and Electronic Signature Definitions
An Electronic Record is defined by Part 11 as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” This definition ensures that electronic records are the same as paper records.
An Electronic Signature is defined by Part 11 as “computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.” Part 11 contains requirements to ensure that electronic signatures have the legal standing equivalent to a person’s handwritten signature. Doing so ensures data integrity while reducing fraud and security concerns.
From a Records & Information Management (RIM) perspective, it is helpful to look at this regulation through the lens of ARMA International’s Generally Accepted Recordkeeping Principles® (GARP). The principles most relevant to Part 11 are Integrity, Compliance, Retention, and Protection:
Electronic Records Management Principles
- Integrity – Part 11 demands that electronic records and information generated by or managed for the organization must have a reasonable guarantee and verification of authenticity and reliability.
- Compliance – In order to comply with regulatory authorities like the FDA, Life Sciences organizations must have a Records & Information Management department (and for larger companies, an Information Governance program). There must be compliance with an enterprise’s own policies as well as with laws and regulations. In many organizations, policies may be coordinated with the organization’s data governance program.
- Retention – There must be a clear records retention policy supported with validated tools and technologies that implement the policy. Part 11 does not expect companies to keep everything forever. Instead, organizations must consider the legal, regulatory, fiscal, operational, and historical requirements to determine retention with a records retention schedule, and then enforce it.
- Protection – A reasonable level of protection is necessary for private, confidential, privileged, secret, and classified records and information. Protection also includes disaster recovery and business continuity planning (backups, off-site storage, etc.) which are not only a Part 11 requirement but also good business practice in any industry.
Implementing Electronic Records
RIM and Information Governance professionals in the Life Sciences must be aware and knowledgeable of Part 11 and other regulations to ensure compliance with the FDA regulations for electronic records. Part 11 outlines the specific requirements and controls related to electronic records over the course of the information life cycle (planning, creation, modification, maintenance, retrieval and disposition/archiving). These guidelines and regulations differ from other industries, especially non-regulated ones where record keeping is primarily concerned with business use, however the requirements listed in Part 11 can be used as guidelines for non-regulated organizations.
The Part 11 regulation is applicable to records identified in predicate rules, such as Good Clinical Practices (GCP), Good Laboratory Practices (GLP), and Good Manufacturing Practices (GMP). Records and Information Management professionals should be involved with the development and implementation of validated systems to ensure consistent intended performance, the ability to discern invalid or altered records, built-in retention management are characteristics of electronic records developed using the requirements found in Part 11. Benefits from the use of the regulation include accurate metadata management that is consistent with the corporate taxonomy, automation of processes where possible, and the development and implementation of audit trails that assure integrity, compliance, information protection, and appropriate retention.
Every organization should consider the design, development, and implementation of appropriate electronic records to manage records and other content. Using the requirements found in the US FDA’s Title 21 Part 11 can give any organization the guidelines necessary to create and maintain appropriate electronic records.