FDA regulation 21 CFR Part 11: Electronic Records; Electronic Signatures


This email message about 21 CFR Part 11 may interest some of you...


Date: Thu, 27 Jul 2000 14:42:32
Subject: Re: TLIB, compliance with FDA regulation 21 CFR Part 11

> I am currently carrying out work for a pharmaceutical company...
> I was wondering if your systems comply with a new Federal
> regulation 21 CFR Part 11. I would be interested in any
> information on Data integrity, Password protection, Audit trail,
> version control, etc.
>
> Regards
>
> xxxxx xxxxx
> Director


Dear Mr. xxxxx,

There is little in 21 CFR Part 11 in the way of compliance
requirements for version control systems, the only direct
reference being this one:

--------- Begin document excerpt ----------
PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
...
Subpart B--Electronic Records
Sec. 11.10  Controls for closed systems.
    Persons who use closed systems to create, modify, maintain, or
transmit electronic records shall employ procedures and controls
designed to ensure the authenticity, integrity, and, when appropriate,
the confidentiality of electronic records, and to ensure that the
signer cannot readily repudiate the signed record as not genuine.
Such procedures and controls shall include the following:
...
    (k) Use of appropriate controls over systems documentation
including:
...
    (2) Revision and change control procedures to maintain an audit
trail that documents time-sequenced development and modification of
systems documentation.
--------- End document excerpt ----------

TLIB Version Control is a powerful, general-purpose revision
and change control system, which can be used to meet this
requirement.  It maintains complete revision histories for
documents of any type, storing even binary file types using an
efficient, adaptive, delta-based algorithm to conserve storage
while enabling retrieval of all prior versions.

The use of TLIB to control your documents will enable you to
generate complete and accurate copies of all current and prior
versions of your documents, and their revision histories, as
required by this provision:

--------- Begin document excerpt ----------
    11.10(b) The ability to generate accurate and complete
copies of records in both human readable and electronic form
suitable for inspection, review, and copying by the agency.
Persons should contact the agency if there are any questions
regarding the ability of the agency to perform such review and
copying of the electronic records.
--------- End document excerpt ----------


Central to 21 CFR Part 11 is the requirement for maintaining
digital signatures for your documents.  TLIB version control
will not do this for you.  However, you can put digitally
signed documents under version control with TLIB, storing
such documents in TLIB's version control library system.
The digital signatures would presumably be embedded within
the document files, and so would be stored with the documents
when they are checked into TLIB.  The use of digital signatures
is probably essential to meet the requirements of this
provision:

--------- Begin document excerpt ----------
    11.10(a) Validation of systems to ensure accuracy,
reliability, consistent intended performance, and the ability
to discern invalid or altered records.
--------- End document excerpt ----------


In addition, TLIB can be (and normally is) configured to
maintain a centralized, chronological, timestamped journal file
recording the version control operations done on all your
files.  This would appear to be at least a partial solution to
meeting the requirements of the following provision:

--------- Begin document excerpt ----------
   11.10(e) Use of secure, computer-generated, time-stamped
audit trails to independently record the date and time of
operator entries and actions that create, modify, or delete
electronic records.  Record changes shall not obscure
previously recorded information.  Such audit trail
documentation shall be retained for a period at least as long
as that required for the subject electronic records and shall
be available for agency review and copying.
--------- End document excerpt ----------

However, the FDA's explanation of that provision is confusing
to me.  They say:

--------- Begin document excerpt ----------
    78. Proposed Sec. 11.10(k)(ii) (Sec. 11.10(k)(2) in this
regulation) addresses electronic audit trails as a systems
documentation control.  One comment noted that this provision
appears to be the same as the audit trail provision of
proposed Sec. 11.10(e) and requested clarification.
    The agency wishes to clarify that the kinds of records
subject to audit trails in the two provisions cited by the
comment are different.  Section 11.10(e) pertains to those
records that are required by existing regulations whereas Sec.
11.10(k)(2) covers the system documentation records regarding
overall controls (such as access privilege logs, or system
operational specification diagrams).  Accordingly, the first
sentence of Sec. 11.10(e) has been revised to read "Use of
secure, computer-generated, time-stamped audit trails to
independently record and date the time of operator entries and
actions that create, modify, or delete electronic records."
--------- End document excerpt ----------

That leads me to wonder what ARE "those records that are
required by existing regulations"?  Perhaps you know the
answer to that question; if so, I would be grateful if you
would enlighten me.


TLIB library (archive) and journal files are intended to be
permanent.  The only way in which TLIB ever modifies these files
is by appending to them.  Existing data is never changed or
deleted.  For maximum data security, there is no "delete"
command in TLIB.

Because TLIB uses robust, efficient, forward-delta technology,
it need never modify existing library file data.  All updates
to a library file are made by appending additional new data, in
place, to the end of the file.  (Competing products based on
reverse-delta technology must completely rebuild and rewrite a
library/archive file whenever an update is made, which makes
these systems more vulnerable to data corruption.)

Nevertheless, as with all systems that maintain data in files
on computers, it is possible to delete or damage TLIB's
library files from outside the TLIB Version Control system.
Consequently, you should use your network file server's
password/user-id based access control, plus regular backup
procedures, to provide full data security.

In the event that some documents require different security
measures than other documents, such as permitting access
by different groups of people, you can configure TLIB to
maintain its library files in multiple directories (folders) on
the network file server(s), and use your network's security
features to grant different people differing access to the
different directories.  TLIB supports configuring a "search
path" for its library archive files, so that they can be
distributed across multiple directories, to accommodate such
security requirements.


I hope this information is helpful.  Please feel free to call
or write if you have any questions or problems, either before
or after purchasing TLIB Version Control.


Sincerely yours,

-Dave Burton   
Burton Systems Software: http://www.burtonsys.com/
PO Box 4157, Cary, NC 27519-4157 USA
Makers of TLIB Version Control 5.51 for Windows-NT/95/98/3.1x/DOS/OS2.
Tel: 1-919-481-0149 or 481-6658   Fax: 481-3787


ref: http://www.fda.gov/ora/compliance_ref/part11/FRs/background/pt11finr.txt
(search for "is amended") 
or: http://www.fda.gov/ora/compliance_ref/part11/
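
Added example (not part of the original email and not TLIB code): the message says library and journal files only ever grow by appending, but can still be altered or deleted from outside the tool. One way to detect that is to checkpoint a file's length and SHA-256 at backup time and later confirm the same leading bytes are still present. The function names and the journal line format below are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def prefix_sha256(path, length, chunk=65536):
    """SHA-256 over the first `length` bytes of the file, read in chunks."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0 and (block := f.read(min(chunk, remaining))):
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()

def checkpoint(path):
    """Record length and digest now; store the result away from the file server."""
    size = Path(path).stat().st_size
    return {"length": size, "sha256": prefix_sha256(path, size)}

def verify_append_only(path, cp):
    """Classify the file against an earlier checkpoint."""
    p = Path(path)
    if not p.exists():
        return "missing"
    if p.stat().st_size < cp["length"]:
        return "truncated"
    if prefix_sha256(p, cp["length"]) != cp["sha256"]:
        return "modified"
    return "ok"  # unchanged, or grown only by appending

def demo():
    """Run the check against a constructed journal (not TLIB's real format)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        journal = Path(d) / "journal.txt"
        journal.write_bytes(b"2000-07-27 14:42 alice checkin spec.doc v1\n")
        cp = checkpoint(journal)
        with open(journal, "ab") as f:  # legitimate append
            f.write(b"2000-07-28 09:10 bob checkin spec.doc v2\n")
        results["appended"] = verify_append_only(journal, cp)
        with open(journal, "r+b") as f:  # in-place edit of an old entry
            f.seek(17)
            f.write(b"carol")
        results["edited"] = verify_append_only(journal, cp)
        journal.write_bytes(b"2000")  # shorter than the checkpointed length
        results["truncated"] = verify_append_only(journal, cp)
        journal.unlink()
        results["deleted"] = verify_append_only(journal, cp)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the stored checkpoint, so keep checkpoints with the backups or on a system the file-server users cannot write to.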


Last modified: 21-Nov-02 (version 8)
Copyright © 2000-2001, Burton Systems Software.