FDA Requirements to Electronic Signatures and Records in the Laboratory

On 5-6 October 2000 CONCEPT HEIDELBERG in cooperation with the European Compliance Academy (ECA) organised a conference where current FDA requirements of 21 CFR Part 11 1 were discussed.

The following Questions and Answers come from the Panel Discussion and were put together by one of the most famous expertsin this field, Dr. Ludwig Huber (Hewlett Packard).

The questions in part 1 were answered by David Selby, Hans Olthoff, Bob McDowall, Siri Segalstad, Ludwig Huber, MarkGonzalez

Part 1

Q:There is no definition of meta-data by FDA. The only use is in the preamble #70 and applied to paper record audit trail. There are, however, definitions used earlier by IT people "data about data" (identification of structure of information), The lack of clear definition is confusing. Is GAMP going to define it?

A: Dave Selby: I will take this to the GAMP forum.

Q: Part 11 preamble does not contain the word "durable media". This comes first from Paul Motise in a Q&A. There is a use later on in the FDA Industry Guide on "Using computerized systems for clinical trials,but that's not binding. Now Paul is talking about tangible media? Isn't this an expansion again? Is RAM Disk a non-durable media? Is this to tap the "RAM Disk Excuse"?

A: The definition of records in connection to tangible media has not been introduced by Paul Motise, he only made a reference to the US E-Sign Act,which is defines a record as: . The term `record' means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.This definition is more in line with the spirit of part 11 and it could well be that we will see some changes from the FDA in future guidance documents.

Q: Could you please give examples on what is an electronic record and what is not. (What is a durable storage device, how is this defined?) Example: balances with storage registers. Normally it is printed onto a computer. It is not, but it can be connected to a computer.

A: There is not a clear cut and even not a clear definition. The original idea was to define a records when it's saved on something which keeps the information when the device is switched off. However, new technology is coming up where long lasting batteries keep the information in the RAM when the instrument is switched off. For example there are balances where you have up to 20 or more registers in the instruments memory which can bechanged without leaving trace. What we would recommend is

#1) to always look at the spirit of part11 and

#2) define and document things like this in your company's part 11 compliance guidance document.

Q:Is manual integration of chromatograms allowed? If yes, what are themeta-data?

A: You can do manual integration, the results together with a graphical presentation of the peak and the baseline should be saved and be available for retrieval. This and any further reintegration, either manually orautomated, should go in an audit trail.

Q: How can audit trails for Excel be done. Excel does not have this function. Perhaps we need signed paper print-outs?

A: Paper print-outs are no substitute for electronic records. There are companies which are developing  'add on' software to off-the-shelf products,for example, Excel. Include in your active implementation plan a statement that you are aware of such developments and will implement them as soon asthey are available.

Q:On PC's you can easily change date and time. How can I control this idsomebody changes the date and/or the time.

A: If the system allows to change time and date without leaving an audit trail, you can develop a procedural control which states that date and time must not be changed. And you must check and document if theprocedures are followed.

Q:Which type of records have to be signed? Results, reports, protocols?

A: What you have to sign is typically defined in the predicate rule (GLP, GMP). Sign everything what requires a review, approval, signature etc. Some companies have additional requirements for signatures. We would recommend to carefully review the need for these signatures.

Q:The preamble says you must use local time. I know the industry did ask to have a change. Is there any success and if so, does the regulation has to be changed?

A: It seems the FDA made a change here. According to some statements of FDA employees you will be able to use international times like Greenwich time or a company time, as long as there it is clearly defined on what is it.The preamble is not a regulation, therefore the regulation has not to be changed.

Q: If I understand part 11, there are different things: e-records,e-signatures. My question is: what about the hybrid systems. How can I be sure, that my hybrid systems are part 11 compliant.

A: Typical hybrid systems are the ones where signatures are made on paper and records kept electronically. They are accepted by the FDA, there is no indication of any time where they will not be accepted any more. The biggest problem is to link the handwritten signatures to the electronic records. There must be information in both the paper print out and the electronic record which link both records together. This could be file names together with date and time and/or hash or check sum number.

Q:.Can I archive my records following the regulation and print + hand sign +re-archive the signed paper through scanner? Could it be a "compliant"way to record electronically all what we need, even the signed documents.

A: You can do this as long as you save the original records in electronic form and as long as you the scan is an accurate and complete copy of the paper print out. This process also needs to be validated.

Q:Why is chromatographic ANDI data no alternative for long term archiving and ready retrieval?

A: Exactly the same question has been asked at last years conference withmore details and backgrounds and was answered by Paul Motise, US FDA

Part 2 - Answers from PAUL MOTISE, FDA, given during an ECA/CONCEPT HEIDELBERG Conference on 22 September 1999 in Berlin.

My question is regarding analytical instruments and, for example, chromatographic equipment, LC, GC whatever. In my department chromatographic data are electronically stored and archived in original format and are available for reprocessing any time when inspectors are coming in or whatever. However, after 10, 15 years or so maybe the vendor company of this equipment disappeared, the software or hardware is no more available. In all these cases we file all this original information as ANDI converted files, because we think that ANDI conversion has the broadest future and we can in 15 or 20 years from now get the data back into ANDI format but may be no more into the original raw data format, for a certain company which may be no more exists in 15 or 20 years. Unfortunately these ANDI data can no more be reprocessed, like theoriginal ones which can be. We will have these data on the screen,together with the sequence of injection, with the integration methods, with the operator's name and the audit trail. So we have everything in the ANDI format, but just for viewing, we can not reprocess the data anymore. I would like to get your interpretation whether these data will be accepted as original data in that sense of part11 in 12 or 15 years?

Answer from Paul Motise, US FDA

This is something where we are going to have to develop agency guidance toexplain our expectations a little bit more in more depth. In the preamble to part 11 we explained that the agency did NOT expect companies to save computer hardware and software for the sole purpose of recreating events. We anticipated that it would be possible to make an accurate and complete copy of those electronic records. Now there are a couple of things involved here, first of all the length of time: in a good manufacturing arena you would be required to keep data to one year after the expiration date, a typical expiration date might be 3 to 5 years. So a projection of 10, 15 years is probably more than what is required by FDA. Consider the nature of the record and the corresponding predicate regulation that regulation will tell you how long you have to keep that record. Part 11 says, if you keep it in electronic form, you must preserve it in electronic form. Now what does preserve mean: this is something that we will address in further guidance. My own perspective goes something like this: when you have an electronic file, you have data, straight numbers, you also have meta data, you have something that turns that information, that data, into knowledge, somthing that you can use. You have the hardware and software and operating systems. Add all of those pieces up, you have the bottom line: knowledge. This turns bits ones and zeros in something that makes sense. When you convert from one system into another as part of your archiving because a vendor may be going out of business its important to be able to preserve that knowledge. You want to take a look at the method of conversion to make sure that you are not making things look better or worse than they really are, to make sure that thatyou can still make sense of that information and use it the way you need to use it. In the GMP context GMP's require you to keep all laboratory data for as long as the batch record must be kept and that includes the chromatographic raw data itself. That's nothing new even aside from part11. Firms find it to their advantage to be able to keep that data in such a way that they could run the sample again and perhaps they find impurities in the future that they did not find before. There is real value in doing that. So I would tell companies to make every effort to preserve that ability for as long as they possibly can. Again we will address this further in an agency guidance. That's my impression from now, and I hope that makes sense.

Q:How to deal with findings of internal reviews? Should we make them available to the FDA? If not how can we prove that we did do the reviews?

A.: Don't make them available to the FDA. Document that the review has been made with some details on when, what, who an where, but don't provide the outcome to the FDA.

Q:I can understand, that raw data can be archived, how can raw data exist at two location at the same time?

A: Raw data may exist at two locations at the same time provided the data in the locations are identical. This includes not only the data itself, but also the meta-data. Backup is a good example of raw data existing in two places. Retrieving backup data is acceptable, otherwise the raw data would be “lost”.

For both backups and archived data, validating the procedures and the content of the data stored both places must be done and documented. Procedures that describe how to keep them identical in case of editing /recalculations / etc., must also be available and in use.

Q:Rather common situation: user A has a subtask: administrator, User A has two accounts: "userA" and "adminA" Of course both have different rights. Is this compliant?

A: Having discrete accounts for each jobtype is much more sensible than having one account with all the combined privileges, as the user will have to actively decide which “hatto wear” when logging in. It is compliant provided each account clearly gives the user’s identity in the audit trail. Having once account withthe user’s ID, and one account marked “admin” without identifying the user, is of course not compliant.

Q: If the operations of the network are out-sourced to a 3rd party,is the network than a closed or open system?

A: Closed system means an environmentin which system access is controlled by persons who are responsible for the content of electronic records that are on the system. So if this 3rd party works on-site (or remotely through the firewall of the company) on the network of the company and the access control still lies with the persons who are responsible for the content of electronic records that are on the system, then the system is considered to be a closed one.

Additional controls ought to be considered, such as periodic reviews of the access matrix and the access log files. Also FDA encourages firms to include in their internal audit programs periodic audits for compliance of computer systems with the rule (Part 11). This means that you should audit a 3rd party on a regular basis and focus among other issues on access management.

It will be more complex if this 3rd party is performing its operations from another network and the two networks are connected. Thenit will most likely to be open.

Q: Let's assume your network includes modules that are required to work under GLP/GMP and others not. How would you treat the modules that need not to becompliant in terms of


*other part 11 requirements

A.Treat every module the same and qualify them. This means that the network should be sufficiently documented: network drawings, technical specifications of all components, IQ/OQ documents.Together with the applicable procedures (e.g. access control, changecontrol) the network will be qualified for its task. The applications on top of the network should be validated (including Part 11requirements).

The effort of separating the network will be complex and the costs will be equal if not more, compared to treating it as one GXP network.

From a pure business point of view I would say it is essential that you are in control of such a vital part of your organisation like the network.

Q:Let's assume we have two computers for an analytical measurement system.Computer number 1 is used to control the instrument: method parameters and sequences. Method and sequence parameters are stored on this computer's hard disk. Computer number 2 is connected to the analytical instrument through an A/D converter, it acquires data and evaluates and stores raw data, evaluation parameters (meta data) and results. There is not doubt that computer number 2 falls under the scope of 21 CFR part 11 with all consequences. But what about computer number 1? Does it have to comply with all requirements of part 11, e.g., validation, audit trail, dataintegrity?

A:Think about what you do on paper: you make a print-out and save it. Isthis required by the FDA? It depends on the predicate rule. Instrument control parameters are necessary to reconstruct an analysis and are raw data (not meta-data) which may have to be archived or not. In the case ofdevices, the predicate rule and particularly the preamble to that rule (21CFR 820) does not require that all raw data be kept as long as the"results" are kept. If they have to be archived, which is the case for most predicate rules, and if you use a computer with a durable storage device for instrument control, then part 11 applies.

Go back

GMP Conferences by Topics