Think of 21 CFR Part 11 as a business issue

An expert advises how to best comply

Slipping away are the days of pen-and-paper record keeping. Here to stay are electronic records and electronic signatures

"In 2004, technology plays a huge role — you can’t exist without a computer system anymore, so you employ automated systems to process data, payroll information, etc.," says Leonard Grunbaum, president of META Solutions of Warren, NJ. META Solutions provides regulatory consulting services for the pharmaceutical and related industries, and Grunbaum speaks at professional conferences about the regulations governing electronic data collection.

The 21 CFR Part 11 provides the control objectives that must be met when clinical trials data are collected in an electronic format, Grunbaum says.

He advises clinical trials managers and investigators to consider the electronic processes the same way they consider designing protocols and methods by asking these sorts of questions:

  • How do we do this?
  • What do we write in the plan?
  • What process or system do we use?
  • How does this process meet our needs?
  • What are we hoping to show and how do we show it?
  • How do we test the system?
  • Is the system tired, true, and tested?

The 21 CFR Part 11 is chiefly concerned with allowing FDA to trust and rely upon the information collected.

"Part of what you need to do regardless of whether you have paper-based or an electronic system is to check records and make certain they are safely stored and have backup systems," says Grunbaum.

"With a computer system, what’s different is that you have to make sure people can’t get into a computer system, steal the data, or that it won’t be corrupted or lost," he says. "Firewalls and those kinds of concepts are the means whereby you can protect your records with an electronic system."

Another aspect of 21 CFR Part 11 involves electronic signatures, which must be designed in such a way that they cannot easily be forged, Grunbaum says.

Electronic signatures could be protected through identifications and passwords or through biometrics and thumbprints, he says.

"There should be controls in place to make sure no other person has your password," Grunbaum says. "When a form or document is generated, it says this was signed electronically by XX on this date, and this signature means XX approved it as reviewed — so there’s meaning to the signature."

Six basic requirements

Grunbaum explains the basic requirements of the regulations under Part 11 this way:

1. There must be an ability to generate accurate and complete copies of records. "The purpose here is that when the inspector comes in, he or she needs to be able to touch and feel the data; just because you can see the data on a screen doesn’t mean the data exist," he explains.

The Food and Drug Administration will need to confirm that there are accurate and complete copies in readable form, Grunbaum adds.

"Any system you employ should be designed so that any and all records can be copied," he says. "There need to be accurate and complete copies because the way systems are designed, sometimes you don’t get all of the related information, such as meta-data, explanations of codes, and dictionaries."

The copies may be obtained electronically or in printouts, and the system needs to be tested to make certain the copies can be obtained, Grunbaum adds.

"Any system built for regulatory purposes should be done according to a formal methodology, meaning that you know exactly what the system is supposed to do, see how it’s designed, how it’s tested," Grunbaum says. "The testing should be done in your own environment to make sure it meets all requirements."

2. Protect records. Computer firewalls and similar systems should protect the electronic system from unauthorized access into the network, he says.

Another aspect is physical security, making certain people can’t walk into a computer room and access data or walk off with a laptop computer, Grunbaum says.

"Deal with the physical security first, making sure computers are secure and can’t be tampered with, can’t be destroyed or stolen," he explains. "And then deal with logical security, which is the identification information, passwords, so not everyone has access to the system."

3. Generate systems controls. "When you build a system to do certain things, you build in certain controls," Grunbaum says. "For example, if you have a double data entry process, you can’t allow a second entry before you have a first entry."

Also, it’s a good idea to have edit checks for the purpose of eliminating bad or invalid data, he notes.

"Build those kinds of things to maximize getting valid data and minimize getting invalid data," Grunbaum says. "Make sure that these functions are specified as requirements and then build or buy to these requirements."

4. Validate the process. "People get hung up on the term validation,’ when validation is simply providing evidence that a system is doing what it’s supposed to do and that it will continue to do it," he explains. "Part of what you need to be able to show if someone wants to rely on your information is that this is your process; this is how you get information; this is how you rely on it and then provide evidence that it works."

This is good business practice, even though the clinical regulations do not spell it out this clearly, Grunbaum says.

When a clinical trial manager or investigator validates the process, he or she is providing evidence that the system works, he says.

"When you develop and test the system the evidence is available for inspection, and if an inspector comes in from a potential sponsor or the FDA or business partner, the evidence can be viewed," Grunbaum adds.

Sometimes companies will decide to save money and they won’t test their systems adequately in the beginning, he says.

"What happens then is they don’t work sometimes, and the company has to go back and redo the system or redo the studies," Grunbaum says. "We knew of one company who had seven different systems, a clinical trials system, a system to capture lab information, a system that did statistical analysis, and others, and they didn’t validate any of it, and they couldn’t use the information and had to start a remediation effort that cost over a million dollars."

5. Provide an audit trail. "This allows you to reconstruct any part of your study process," he says. "Almost every regulation requires that you show what happened, when it happened, who did what, and whether anything was changed and who changed it and why it was changed."

The audit trail makes it possible to go back and figure out what happened throughout any aspect of the study, Grunbaum notes.

"The system should be designed to collect it as a by-product," he says. "Just put in a subject with data and then go back and make changes without erasing the original record."

By the end of study, there undoubtedly will be a massive amount of data that include the audit trail of any changes, Grunbaum adds.

6. Train personnel. "Every regulation will talk about people being qualified to do their assigned activities," Grunbaum says. "What Part 11 does is say specifically that people who develop and maintain systems need to have the training."

So anyone who is developing or maintaining a computer system needs to be trained to do so, he adds.

"You have to verify the fact that the vendor has training and qualifications to develop and maintain the system," Grunbaum explains. "You need to know the activity, and you need to know who is doing it on the organizational chart and what the person’s job description is and match against the person’s curriculum vitae and training records."