Computer systems validation is the process of providing documented evidence that an electronic system or technology will perform as specified. In the life sciences industry (i.e., pharmaceuticals, biotechs, CROs, and medical device manufacturers), regulations for computer systems validation are dictated in the US by the Food and Drug Administration's (FDA) rule on Electronic Records/Signatures (21 CFR Part 11) and in the EU by the European Medicine Agency's (EMEA) Guidelines to Good Manufacturing Practice (GMPs) - Annex 11. These regulations establish guidelines for computer systems, electronic records, and electronic signatures. Validation requires evidence that is clear, repeatable, and able to stand up to audits in order to be compliant. Records Management, Information Governance, Validation and Quality professionals in life sciences must be aware of and knowledgeable about both regulations, as pharmaceutical companies have a large global footprint and export/manufacture drugs in the US and Europe.
Title 21 CFR Part 11 and Annex 11 are similar and cover several common areas, but there are noted distinctions, outlined below.
Similarities and Differences Between Part 11 and Annex 11
Part 11 and Annex 11 both state that electronic records can be signed with electronic signatures, and that e-signatures have the legal standing equivalent to a person’s handwritten signature. However, Part 11 goes beyond Annex 11 by requiring signature manifestations that include information (printed name of signer, author, responsibility, and review/approval) related to the signed electronic record. Part 11 also states that e-signatures not based on biometrics must have at least two different identification components such as an ID code and a password.
Part 11 and Annex 11 cover similar territory, but there are a few key differences. Annex 11 has a broader scope, as it includes computerized systems as part of GMP regulated activities, while Part 11 outlines the specific requirements and controls related to electronic records and signatures over the course of the information life cycle (planning, creation, modification, maintenance, retrieval and final disposition/archiving). Part 11 simply lists the requirements that must be followed, while Annex 11 states how to follow its requirements; Annex 11 therefore provides more guidance than Part 11.
Risk Management Approach
The risk management approach to criticality in Annex 11 emphasizes a systems approach to timely evaluations. This contrasts with Part 11, which has no reference to risk or criticality beyond the need for open systems to have increased security.
Records Management and Information Governance
From a Records and Information Governance perspective, it is helpful to look at Annex 11 and Part 11 through the lens of ARMA International’s Generally Accepted Recordkeeping Principles® (GARP). The Principles most relevant to Annex 11 and Part 11 are Integrity and Compliance:
Integrity – Annex 11 and Part 11 both demand that electronic records and information generated by or managed for the organization must have a reasonable guarantee and verification of authenticity and reliability. Integrity is related to provenance, a fundamental component of archival science. Provenance refers to the individual or group that originally created the records, as well as the records’ subsequent chain of custody. Records from a common source should be kept and grouped together with a clear chain of custody from creator to current custodian.
Compliance – In order to comply with regulatory authorities like EMEA and the FDA, life sciences organizations must have a Records and Information Management department (and for larger companies, an Information Governance program). There must be compliance not only with laws and outside regulatory bodies, but also an enterprise’s own policies for records retention, digital records, etc.
Records and Information Management professionals should be involved in the development and implementation of validated systems to ensure the ability to discern invalid or altered records, a chain of custody, built-in records retention management, and accurate metadata that can be created and saved in line with the corporate taxonomy. They should also confirm that processes are automated where possible and that audit trails are captured to assure integrity, compliance, information protection, and appropriate retention.
Despite their similarities and differences, Annex 11 and Part 11 complement each other and remain important guides to compliance for validation professionals in life sciences.
To further reference these requirements, see the following links:
Part 11: http://www.ecfr.gov/cgi-bin/text-idx?SID=cacabef650ed55c3cf269f4b0edee853&mc=true&node=pt21.1.11&rgn=div5
Annex 11: http://ec.europa.eu/health//sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf