The US Food and Drug Administration's Title 21 CFR Part 11 is a set of stringent regulations that govern the use of electronic records and signatures in the scientific industries.
Compliance is mandatory even if your lab doesn't directly operate in an FDA-regulated space, and failure to abide by the rules may lead to legal repercussions.
In this blog post, we will take a closer look at what 21 CFR Part 11 entails, who is required to comply with it, and how the FDA enforces it. This information is essential for companies looking to operate in the pharmaceutical industry and stay on the right side of the law.
We will also discuss the specific requirements for electronic records and signatures under 21 CFR Part 11, which are designed to ensure the authenticity, integrity, and confidentiality of these records.
How does the FDA enforce 21 CFR Part 11?
The FDA has established the criteria for its acceptance of electronic signatures as a legal equivalent to physical signatures, and reserves the right to decide when it will take regulatory or enforcement action in cases of non-compliance.
Regulatory action includes, but is not limited to:
- Notices of inquiry
- Warning letters
- Notices of initiation of disqualification proceedings
- Untitled letters citing violations
- Orders of retention
- Recall, destruction and cessation of manufacturing
Enforcement action includes, but is not limited to:
- Warning letters listing any violations or non-compliance
- Seizure of FDA-regulated product(s)
- Injunctions from a competent court
- Criminal prosecution
- Criminal fines
Who is required to comply with 21 CFR Part 11?
In addition to foods, cosmetics, and tobacco, 21 CFR Part 11 applies to the following industries:
- Biotechnology, such as medical devices (e.g., tongue depressors and bedpans), complex technologies (e.g., heart pacemakers, dental devices), and surgical implants and prosthetics;
- Electronic products that emit radiation (such as x-ray equipment, laser products, and ultrasonic therapy equipment);
- Veterinary products (including food, drug, and animal devices);
- Drugs and pharmaceutical-active products (both prescription and over-the-counter drugs; anything intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease, or intended to affect the structure or any function of the body of man or other animals);
- Biologics (such as vaccines for humans, blood and blood products, blood donor screening tests, allergens, cellular and gene therapy products, tissue and tissue products, human tissue, embryos, human plasma, and medical devices for use in blood banking operations); and
- Other FDA-regulated entities and companies providing support to FDA-regulated entities.
The FDA also has regulatory authority over "companies providing support to FDA-regulated entities."
For example, Lab A produces a novel chemical compound with multiple uses. The typical use of the novel compound is basic research in academic institutions, which may not be subject to FDA regulation. But one of the uses of the novel compound is the stimulation of mRNA expression in E. coli. A pharmaceutical company utilizes the novel compound to produce a coronavirus vaccine. To distribute the novel compound to the pharmaceutical company, Lab A will need to comply with 21 CFR Part 11.
Most labs are thus subject to 21 CFR Part 11 requirements.
What are the specific requirements of 21 CFR Part 11?
The FDA allows records to be stored and maintained in either electronic format or paper form. If a user elects to store and maintain records in an electronic format, then 21 CFR Part 11 requires that said electronic records include controls to ensure the authenticity, integrity, and confidentiality (when relevant) of the electronic record.
This means that an electronic record must:
- Be validated. Validation means that the computer system utilized to maintain electronic records complies with all requirements of 21 CFR Part 11 and that the system has been tested to ensure said compliance.
- Generate accurate and complete records. The electronic records system must be able to store, print, and transmit a complete and accurate copy of any electronic record stored on the system. A copy is accurate if the record is entered without alterations, deletions, or additions. The system must detect any invalid or altered records. And the system must retain records for the applicable period.
- Have controlled access to electronic records. Each authorized user should be provided with an ID that is unique to them. Providing password protection for each authorized user would be a starting point. Additionally, automatically logging out an authorized user after a specified period of inactivity would reduce unauthorized access to electronic data.
- Creation of an audit trail. The system software must automatically generate an audit trail to ensure records are accurate and have not been tampered with, including an audit trail to record the date and time of operator entries and any actions to create, modify, or delete records. The audit trail should list the date and local time of any entry to an electronic record, including the person making the entry. Any additions, deletions, or amendments to a previously entered record should not overwrite the record. Instead, any changes to a previously-entered document should be reflected as a new document so that both documents can be viewed independently of each other. The original and amended documents should be stored for the required retention period.
- Maintain digital signature standards. All digital signatures of an electronic record shall include the printed name of the person signing the record, the date and time when the digital signature was entered, and the "meaning" of the digital signature. The "meaning" of the signature is the relationship of the person signing the record to the electronic record, such as the author, the responsible party, the person reviewing the record, or the person approving the record. Digital signatures entered on electronic records should be linked to the electronic record to prevent the digital signature from being removed, copied, or transferred to another record by ordinary means.
A user should be educated and trained on the proper use of electronic records. Written policies should be established and implemented to ensure the authenticity and integrity of records and deter record and signature falsification.
Does my electronic lab notebook (ELN) meet 21 CFR Part 11 requirements?
The FDA does not regulate or approve electronic record providers or individual electronic record systems. The burden of 21 CFR Part 11 compliance is placed on each entity subject to FDA regulation. Each regulated entity must ensure that it is in compliance with 21 CFR Part 11 and that each contractor or entity providing it with goods or services is also in compliance with 21 CFR Part 11.
Entities subject to FDA regulation may want to implement system-wide testing of electronic record software to ensure that the software is installed correctly and is impervious to hacking or electronic attacks. If an ELN is utilized, the ELN provider should certify that the ELN is compliant with 21 CFR Part 11, and the ELN should be updated as threats emerge.
And yes, Colabra is fully compliant with FDA 21 CFR Part 11, so you can be confident about meeting all legal requirements if you use our electronic lab notebook and scientific project management software!
What should I look for when purchasing an ELN?
Any ELN utilized by an FDA-regulated entity must comply with 21 CFR Part 11. The following questions may be helpful when choosing an ELN:
- Ask the ELN provider for their attestation that their program complies with the requirements of 21 CFR Part 11. Educate yourself on 21 CFR Part 11 so that you can identify any issues that might arise with your chosen ELN.
- Ask if there is a free trial to evaluate the ELN before purchase. Is the ELN easy to use? Will it be easy to train lab personnel on the ELN?
- Discuss the needs of the lab and if the ELN meets these needs. For example, does the ELN allow a user to upload chromatograms from the GC-MS utilized by the lab? Is the ELN software compatible with other software utilized in the lab?
- Does the ELN assist in protecting the lab concerning legal issues that might arise? Educate yourself on legal issues surrounding FDA requirements, patent infringement, patent first-to-file requirements, and other state and federal legal requirements.
What can happen if I fail to maintain records that the FDA requires to be maintained?
Failure to maintain complete records as required by the FDA can lead to sanctions such as the inability to receive approval on a new drug application. In Mehta v. Ocular Therapeutix, Inc., Ocular filed a new drug application for its proprietary hydrogel. The FDA denied Ocular's new drug application stating that Ocular failed to comply with FDA reporting requirements, arguing that "[l]aboratory records do not include a complete record of all data secured in the course of each test, including all spectra from laboratory instrumentation, properly identified to show the lot tested and drug product tested." See 21 CFR §§ 211.180, 211.194(a). Id. at 199.
The Court noted Ocular’s failure to maintain spectra from laboratory instrumentation supporting the purity of each drug sample tested. The Ocular case highlights the importance of electronically storing and maintaining all data from all testing performed at the laboratory level, including data from chromatograms (HPLC, GC, GC-MS, LC-MS, LC-MS-MS, confocal Raman spectroscopy, etc.), so that the FDA can analyze the spectra if the FDA desires to do so. Failure to retain chromatograms can be a basis for the FDA to reject an application for a new drug. In this case, an ELN that allowed lab personnel to store each chromatogram performed might have protected the lab during the FDA inspection.
Can my 21 CFR Part 11 records be used against me in Court?
Yes, records maintained and stored under 21 CFR Part 11 may be business records that can be utilized in contested legal proceedings. But, in cases wherein patent infringement is alleged, a safe harbor exception may prevent some electronic records from being used in court proceedings.
In Momenta Pharms., Inc. v. Amphastar Pharms., Inc., Momenta sought to use FDA batch records filings made by Amphastar under 21 CFR § 211.180 to show that Amphastar had utilized their technology and infringed on their patent. The Court found that batch records could not be used to show infringement. The Court stated that “submissions to the FDA are anything but ‘routine.’” Although lab records may seem routine to the lab technician performing “routine” tests, the records of these tests are of critical importance to the FDA, the lab performing the tests, and the Court in a contested legal proceeding.
Does 21 CFR Part 11 compliance protect me in a lawsuit?
Any electronic records maintained and stored under 21 CFR Part 11 may be admissible in federal agency proceedings or federal legal proceedings.
21 CFR Part 11 requires that electronic records include an audit trail. This audit trail may be utilized in a patent derivation proceeding to show that an inventor named in an earlier-filed patent application derived his invention from you.
Electronic records maintained under 21 CFR Part 11 may be utilized to defend the lab in an action brought by shareholders wherein shareholders assert that clinical results were overstated to investors.
Electronic records may also be used to defend against patent infringement wherein a patented product or process is utilized by someone other than the entity owning the patent rights to the product or process.
Typically, any entity that utilizes a patented product or process is subject to a penalty for infringement for its use of the patented product or process. However, the Hatch-Waxman Act provides a safe harbor rule that protects an entity from being sued for patent infringement if the entity utilizes a patented process “solely for uses reasonably related to the development and submission of information under a Federal law which regulates the manufacture, use, or sale of drugs....”. 35 U.S.C. § 271(e)(1).
For example, the safe harbor provision of the Hatch-Waxman Act may be utilized by a patent owner’s competitor to expedite market access for a generic drug.
Are my electronic records subject to FOIA requests?
Generally speaking, all records submitted to the FDA, or any other federal agency, can be released under a FOIA (Freedom of Information Act) request.
Material that constitutes trade secrets and commercial or financial information contained within the electronic record is required to be redacted before the production of the electronic record. 5 U.S.C. §522(b)(4).
So, your competitor is entitled to receive the record minus the necessary redactions.
What if my lab is based in the European Union?
If your lab is based in the EU, 21 CFR Part 11 will not apply to you directly. Instead, you will need to comply with the Annex 11 regulation, which sets out requirements for the use of electronic records and signatures for scientific R&D based in the European Union.
This regulation is similar to 21 CFR Part 11. Some of the key requirements of the EU Annex 11 regulation include:
- Validation of computer systems used to maintain electronic records
- Ensuring that electronic records are accurate, complete, and legible
- Use of secure electronic signatures that are unique to the individual user
- Ensuring that electronic records can be easily and accurately reproduced
- Implementing controls to prevent unauthorized access to electronic records
We're here to help!
If you'd like to learn more about how all this applies to your research, please shedule a Colabra demo and mention 21 CFR Part 11. We'll give you a quick overview of your legal responsibilities and how you can meet them with Colabra. If you have more advanced requirements, we'd also be happy to introduce you to a specialized lawyer or auditor.
Get your whole lab on the same page today.Learn more