26 Feb 2026

Peter Busk

21 CFR Part 11 in practice: Requirements for electronic signatures

Introduction

21 CFR Part 11 is the FDA's regulation on electronic records and electronic signatures. It was issued in 1997 - an eternity in technology years - but it is still fully in force and actively enforced.

Any pharmaceutical company operating in the US market must comply with Part 11 when it uses electronic systems for GxP activities. But the rules are written in broad, often vague language. What exactly does "secure, computer-generated, time-stamped audit trail" mean in practice?

At Hyperbolic we implement Part 11-compliant systems regularly. Here is a practical guide to what the rules actually require and how to implement them.

What is 21 CFR Part 11?

Part 11 has two main sections:

Subpart B - Electronic Records: Requirements for how electronic records must be created, modified, maintained and archived.

Subpart C - Electronic Signatures: Requirements for electronic signatures to be equivalent to handwritten signatures.

Scope: Part 11 applies only to records that are:

  • Required by FDA regulations (predicate rules)

  • Used in place of paper records

  • Submitted to the FDA

Critical: Part 11 does NOT automatically apply to all software in pharma. Only to GxP records.

Electronic Records requirements (Subpart B)

§11.10 - Controls for closed systems

This is the core of the regulation. "Closed system" means a system in which access is controlled by the persons responsible for the content.

Validation (§11.10(a)):

The requirement: "Validation of systems to ensure accuracy, reliability, consistent intended performance..."

In practice: Computer System Validation (CSV) per GAMP 5 or a similar framework. Document that the system does what it is supposed to do, consistently.

Deliverables:

  • Validation Plan

  • Risk Assessment

  • Test Scripts and Execution

  • Validation Report

  • Traceability Matrix

Audit Trail (§11.10(e)):

The requirement: "Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions..."

In practice:

  • What is logged: All creation, modification and deletion of GxP records

  • Who: The user ID of the person

  • When: Date and timestamp

  • What: What was changed, with before/after values

  • Why: Reason for change (often a required input)

The audit trail must be:

  • Immutable: Cannot be deleted or changed

  • Always on: Cannot be disabled

  • Readily available: Can be reviewed during audits

Best practice: A separate audit trail table in the database, with append-only access for the application (insert, but no update or delete).

Authority Checks (§11.10(g)):

The requirement: "Determination that persons who develop, maintain, or use electronic record/signature systems have the education, training, and experience to perform their assigned tasks."

In practice:

  • Training records for all users

  • Competency assessments

  • Periodic retraining

  • Role-based access aligned with qualifications

Device Checks (§11.10(h)):

The requirement: "Determination of, and appropriate controls for, authorized use of devices..."

In practice:

  • Authentication: User ID + password (minimum); better: MFA

  • Session management: Auto-logout after inactivity

  • Device controls: Restrict access to authorized devices if needed

Electronic Signatures requirements (Subpart C)

§11.50 - Signature manifestations

The requirement: "Signed electronic records shall contain information associated with the signing... name, date/time, meaning of signature."

In practice:

An electronic signature must be a permanent part of the record and show:

  • Printed name: "John Smith"

  • Date and time: "2024-02-18 14:32:15 UTC"

  • Meaning: "Approved by Production Manager" or "Reviewed by QA"

Implementation: When the document is displayed, the signature must be clearly visible, not just stored in the database.

§11.70 - Signature/record linking

The requirement: "Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records..."

In practice: A signature cannot be cut-and-pasted or copy-and-pasted onto another record. It must be cryptographically bound to that specific record.

Implementation:

  • Hash of document content + signature data

  • Stored together

  • Any change to the document invalidates the signature

§11.200 & §11.300 - Signature types

Part 11 allows two types of electronic signatures:

§11.200 - "Regular" electronic signatures:

  • Minimum: User ID + password

  • May be used for all GxP signatures

§11.300 - Biometric or token-based:

  • Fingerprint, retina scan, smart card, etc.

  • More secure, but not required

In practice: The vast majority use §11.200 (user/password). Biometrics are rare in pharma.

§11.300(d) - Password requirements

For user/password signatures the FDA requires:

  • Unique: Each user has a unique ID

  • Periodic change: (FDA guidance says "at least annually", but best practice is 90 days)

  • Complexity: Not explicit in Part 11, but guidance suggests a minimum of 8 characters with a mix of character types

  • Reuse prevention: The last X passwords cannot be reused

Implementation patterns

Pattern 1: Two-factor authentication for signature

Even if the normal login is user/password, signing can require re-authentication.

Implementation:

  • The user works in the system with a normal session

  • When they need to sign, a pop-up requires re-entry of the password (or a second factor)

  • The signature is only applied if authentication succeeds

Benefit: Higher assurance; it separates "I'm working" from "I'm committing to this decision."

Pattern 2: Signature reason

The FDA often expects to know why something was signed.

Implementation:

  • The signature action requires selection of a predefined reason from a dropdown

  • Or a free-text comment field

  • The reason is stored with the signature in the audit trail

Example: Document approval with reasons: "Approved as written", "Approved with comments", "Rejected - needs revision"

Pattern 3: Sequential signatures

Some workflows require multiple signatures in a specific order.

Implementation:

  • The workflow engine enforces the sequence

  • The document is "locked" after the first signature (no edits)

  • The next signer can only approve or reject, not edit

  • If rejected, it returns to the previous step

Example: Batch record review: Supervisor → QA → QP (Qualified Person). Each must sign in order.

Common compliance pitfalls

Pitfall 1: Inadequate audit trail

Problem: The system logs some actions, but not all.

Example: A user edits a critical parameter, but the audit trail only shows "record modified", not the before/after values.

Solution: Log ALL GxP-relevant actions with the complete before/after state.

Pitfall 2: Audit trail can be deleted

Problem: The system has an admin function to "clean up old logs" that includes the audit trail.

Example: The IT department deletes old data, including the audit trail, to save storage.

Solution:

  • Separate audit trail storage with NO delete capability

  • Archive to read-only media for long-term retention

  • Access controls: NOBODY can delete the audit trail
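As an added example (not code from the article or from Hyperbolic) of the audit trail controls described under §11.10(e) and in Pitfalls 1 and 2, here is an append-only trail in Python that records user, timestamp, field-level before/after values and a mandatory reason, and exposes no update or delete operation. The hash chain and the externally kept head hash are assumptions added for tamper evidence beyond what the article describes.

```python
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64

class AuditTrail:
    """Append-only audit trail (who, when, record, field-level before/after,
    mandatory reason); no update or delete method. Entries are hash-chained,
    an assumption added here for tamper evidence, so edits or removals break verify()."""

    def __init__(self):
        self._entries = []

    def record_change(self, user_id, record_id, before, after, reason):
        if not reason or not reason.strip():
            raise ValueError("reason for change is required")
        # Field-level diff, so the trail shows what changed, not just "modified"
        changes = {k: {"before": before.get(k), "after": after.get(k)}
                   for k in sorted(set(before) | set(after))
                   if before.get(k) != after.get(k)}
        if not changes:
            raise ValueError("no field changed; nothing to record")
        entry = {"seq": len(self._entries), "user_id": user_id,
                 "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "record_id": record_id, "changes": changes, "reason": reason.strip(),
                 "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS}
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def head(self):
        """Latest hash; a reviewer keeps it outside the system to detect truncation."""
        return self._entries[-1]["hash"] if self._entries else GENESIS
    def entries(self):
        return [dict(e) for e in self._entries]  # copies: reviewers cannot alter the trail

    def verify(self, expected_head=None):
        """False if any entry was altered or removed, or the chain was truncated."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return expected_head is None or prev == expected_head
```

Reviewing the trail then means calling verify() with the head hash recorded at the last periodic review; a valid chain that no longer ends at that head shows that entries were removed.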

Pitfall 3: Generic user accounts

Problem: Shared logins such as "production1" or "QAreviewer".

Example: Multiple operators use the same login. When an error occurs, it is impossible to determine who actually did it.

Solution: Unique user ID for every individual. No shared accounts for GxP systems.

Pitfall 4: Weak password policy

Problem: Passwords such as "password1" or "123456" are accepted.

Example: Easy to guess, high risk of unauthorized access.

Solution:

  • Minimum complexity (8+ chars, mix of character types)

  • Password expiry (90 days)

  • Account lockout after X failed attempts

  • Prevent password reuse

Pitfall 5: Signatures not linked to the record

Problem: The signature is stored separately and can be moved to another document.

Example: A QA signature on one batch record is cut-and-pasted onto another.

Solution: Cryptographic binding of the signature to the exact record content via a hash.
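As an added example (not from the article or Hyperbolic's own code) of the signature/record linking described under §11.70 and the fix for Pitfall 5: the signature manifestation from §11.50 (name, date/time, meaning) is bound to a hash of the record content, and verification fails if the content changes or the signature is moved to another record. Using a keyed HMAC with a server-held key rather than a bare hash is an assumption added here, so that someone who can edit the record cannot simply recompute the hash.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production the key lives in an HSM or secrets manager
# and never in the record store (assumption; the article only says "hash").
SIGNING_KEY = b"constructed-demo-key-not-for-production"
MANIFEST_FIELDS = ("record_id", "signer", "user_id", "timestamp", "meaning")

def canonical(obj):
    """Deterministic serialisation so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _binding(content_hash, manifestation):
    # The keyed tag covers both the content hash and the manifestation, so neither
    # the record nor the name/time/meaning can change without detection.
    return hmac.new(SIGNING_KEY, content_hash.encode() + canonical(manifestation),
                    hashlib.sha256).hexdigest()

def sign_record(record_id, content, signer, user_id, meaning):
    """Apply an electronic signature: manifestation (§11.50) bound to content (§11.70)."""
    manifestation = {"record_id": record_id, "signer": signer, "user_id": user_id,
                     "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "meaning": meaning}
    content_hash = hashlib.sha256(canonical(content)).hexdigest()
    return {**manifestation, "content_hash": content_hash,
            "binding": _binding(content_hash, manifestation)}

def verify_signature(record_id, content, signature):
    """True only if the signature belongs to this record and the content is unchanged."""
    if signature.get("record_id") != record_id:
        return False  # signature copied from a different record
    content_hash = hashlib.sha256(canonical(content)).hexdigest()
    if not hmac.compare_digest(content_hash, signature.get("content_hash", "")):
        return False  # record edited after signing
    manifestation = {k: signature.get(k) for k in MANIFEST_FIELDS}
    return hmac.compare_digest(_binding(content_hash, manifestation), signature.get("binding", ""))

def render_manifestation(signature):
    """The text the displayed document must show (§11.50): name, date/time, meaning."""
    return f'Signed by {signature["signer"]} on {signature["timestamp"]}: {signature["meaning"]}'
```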

Audit readiness

During FDA audits, inspectors will specifically check Part 11 compliance:

What they will want to see:

Documentation:

  • Validation documentation for the system

  • SOPs for electronic signatures and records

  • Training records for users

  • Password management procedures

System demonstration:

  • Create and modify a record, show the audit trail

  • Demonstrate the signature process

  • Show access controls

  • Demonstrate the audit trail review process

Records review:

  • Pull random electronic records

  • Verify signatures are present and valid

  • Check audit trail completeness

  • Verify before/after values for changes

Preparation:

  • Run internal mock audits

  • Verify audit trail review is done periodically

  • Ensure all SOPs are up-to-date and followed

  • Training records complete

Case: LIMS Part 11 compliance

Scenario: A lab implements a new LIMS with electronic lab notebooks and test results.

Challenges:

  • The legacy LIMS was not compliant (no audit trail, weak passwords)

  • 50+ lab analysts had to be trained

  • FDA audit planned within 12 months

Our approach:

Phase 1 - Gap analysis:

  • Assessed the new LIMS against Part 11 requirements

  • Identified gaps: Audit trail configuration, password policy, signature workflow

Phase 2 - System configuration:

  • Enabled comprehensive audit trail (all field changes)

  • Configured strong password policy (10 chars, complexity, 90-day expiry)

  • Built approval workflow: Analyst enters → Supervisor reviews → QA approves

Phase 3 - Validation:

  • Full CSV per GAMP 5

  • Specific test cases for Part 11: Audit trail accuracy, signature binding, access controls

Phase 4 - Training and cutover:

  • Role-based training for analysts, supervisors, QA

  • Parallel run: Paper and LIMS simultaneously for 1 month

  • Cutover with a full backup plan

Outcome:

  • FDA audit: Zero Part 11 findings

  • Inspector specifically commended audit trail completeness

  • Lab efficiency increased (faster test result availability)

Conclusion

21 CFR Part 11 compliance is not optional for pharma. It requires:

  1. Robust audit trails that log everything

  2. Secure electronic signatures with proper authentication

  3. Validation of systems per CSV best practices

  4. Training of all users

  5. Ongoing compliance monitoring

It does not have to be enormously complex, but it must be taken seriously and implemented systematically.

At Hyperbolic we ensure Part 11 compliance in all GxP systems we build or implement. We combine regulatory expertise with technical know-how to deliver solutions that are both compliant and user-friendly.

Contact us for help with Part 11 compliance in your systems.

By

Peter Busk

CEO & Partner