Compliant v. Compatible: Understanding FDA 21 CFR Part 11
It’s not always easy to figure out whether your software is 21 CFR Part 11 compliant or compatible. 21 CFR Part 11 sets out the conditions under which electronic records, electronic signatures, and handwritten signatures converted into digital copies are considered trustworthy, reliable, and equal to handwritten signatures on paper.
Computerized systems – including hardware and software – that produce electronic records are also directly linked to Part 11: All controls and documentation produced and maintained under this part can be subject to FDA inspection at any time.
Computer systems and related software need to be Part 11 compliant before being deployed in the lab space. Often, the two terms – compliant and compatible – are used interchangeably to describe commercial off-the-shelf (COTS) software. But it’s up to the user to understand whether the software meets Part 11 requirements in their environment and for their intended use. Because the words compliant and compatible are not mentioned in 21 CFR Part 11, understanding the difference is crucial.
Part 11 Compliant Software:
Part 11 compliance is not achieved by a single laboratory system; it’s achieved through an overarching data integrity program. Strong corporate policies are the backbone of this approach. Processes, workflows, and standard operating procedures (SOPs) that govern the lifecycle of electronic records and signatures, followed by an effective training program, result in a Part 11 compliant environment.
Part 11 compliance involves a computerized system that seamlessly integrates into a lab’s processes and workflows. This integration is possible with total automation of the electronic record compliance activities relating to this system. A Part 11 compliant system not only meets current standards and regulations but also meshes well with the company’s data integrity program and processes.
Part 11 Compatible Software:
Unfortunately, computerized systems that do not seamlessly integrate with the corporate data integrity program are sometimes acquired, commissioned, and deployed. So how do companies implement these systems without risking compliance?
While some third-party software products are available to address this issue, many of them suffer from compatibility problems and are difficult to fix. These compliance risks are often mitigated procedurally – that is, special procedures are created or system operation/administration SOPs are updated in order to reduce the risk associated with the compliance gap. Often these are manual, paper-based procedures.
For example, a process may be created mandating the creation and use of a paper instrument log book in order to mitigate the risk associated with a noncompliant audit trail in a new software product. In this way, Part 11 compatible systems can be shoe-horned into compliance. While this is a common and accepted approach, it is not efficient for the following reasons:
- Creating and maintaining additional procedures requires significant effort
- Staff must be trained on the procedures, which requires time
- Complying with and executing the procedures interferes with other work
As mentioned, the procedural mitigations are often manual and paper based. By nature, these procedures are more prone to human error and can create new risks. The FDA encourages companies to ensure that new systems are evaluated for Part 11 before automating as many aspects of data integrity as possible.
Companies can significantly increase the likelihood of acquiring only Part 11 compliant systems by incorporating the following best practices into their approach:
- Use a Draft User Requirement Specification (URS) document to guide system selection. The minimum requirements for basic Part 11 capability should be well defined in this document and should narrow down the list of vendors.
- Develop and deploy a specialized system supplier qualification form. This has emerged as a best practice in the industry. The form goes by many names, such as Data Integrity Questionnaire or System Part 11 Evaluation. Documents like this solicit information from the vendor on the Part 11 capabilities of a specific software product, comprehensively covering the software’s abilities and management around:
  - Data Archival and Retrieval / Back-up and Restore
  - Audit Trails and System Logs
  - Data Availability, Management, and Protection
  - Date and Time Security
  - Electronic Signatures
  - User Access and Roles
Implementing a preliminary screening procedure before selecting a new system can ensure a smooth process for commissioning and deployment. The time saved by eliminating the need to develop and maintain risk-mitigating procedures is worth the upfront effort.
When selecting a new system, keep the following points in mind:
- Candidate systems should be evaluated for Part 11 compliance and alignment with corporate policies.
- If a system is acquired that is not considered data integrity compliant, you may develop procedural controls to meet the compliance requirements for that system. This is considered a more complex approach and requires additional training for end users.
- Training personnel to prevent and detect data integrity issues is consistent with the personnel requirements for Part 11 compliance, sections 211.25 and 212.10.