QMS Architecture 21 CFR Part 11 Compliance
Understanding 21 CFR Part 11 Requirements
The basis of all guidelines under 21 CFR Part 11 is that electronic data integrity is accurate and reliable. As part of FDA guidelines for drug-related software, 21 CFR Part 11 established the expectations the FDA has for software that is used for managing documents, or records, electronically. Ultimately, once a document or record or any form of data is made available electronically, there are certain inherent risks that were not a factor for storing records and data on hardcopies.
Along with compliance with related guidances, such as ISO 9001, 21 CFR 820, ICH, and numerous others, Part 11 defines the functionality a software platform should provide in order to be considered qualified for use in FDA-regulated environments, or in other words, for use with businesses who are subject to audits by the agency. The software should have the following features on top of also being compliant in all other functions that contribute to this list:
Part 11 Highlights
- Save and manage final versions of quality documentation and deliverables.
- Allow and/or prevent users from accessing files in the system based on their roles. This is commonly known as role-based permissions.
- Prevent Admin users from accessing, distributing, and/or transmitting electronic records they have access to but are not members of the teams or roles included in the workflow of the contents of those records.
- Ensure signatures are captured by the system upon final approval by all listed Approvers in the document with the date stamp captured at that time.
- Enforce a Read and Understand process that captures confirmations by all members of the organization who are directly or indirectly affected by the creation and/or change of the electronic record.
- The eDMS (electronic Data Management System), commonly known throughout the industry as a QMS (Quality Management System), should have processes and procedures describing the workflow that the organization follows in using and managing the system as the first collection of electronic records to flow through the system.
- Provide a document manager role(s) to facilitate the flow of documents through the system per the approved operating procedures, which should ultimately match the actions performed by the role(s) involved in reviewing, approving, revising, and reading electronic records.
Validation
Of course, before the QMS can operate as software in FDA-regulated environments, it is first tested for three protocols are used to measure if the software qualifies (performance, operation, and installation qualifications), and upon successful completion of the quality assurance testing, it is considered validated.
An interesting point here is that an organization can perform all the procedures internally, from creating to validating a product. Therefore, the exact requirements for the content of the document is covered in other guidances, while the system's ability to provide assurance of quality and data integrity is covered in 21 CFR Part 11.
FDA Loophole for Part 11
Another interesting aspect of this guidance is that it does not explicitly state that the electronic records list which other records reference it. This applies specifically to quality documentation. Quality documents must list any other documents it references throughout its content. However, there is no guidance dictating that the same document list which other records make reference to it within its content.
Importance of Internal References Being Bilateral
So why is it so important to have documents list their references in both directions? By both directions, we are referring to references from other documents to the record as well as references from the record to other quality documents. The answer is because, when it comes to navigating audits, the ability to see the direction of workflow both forwards and backwards is hindered for the auditing agency only, not the organization being audited, since they can only view a complete list of references out of a record, but not into it. This gives the organization an advantage if their quality system documentation is structured so that they can view their documents in a complex chart, offering them the ability to shape the directions of audits with information the auditors are not obligated to receive.
Risks of Complacency
Obviously, a lot of work goes into building a content management system and the content it will be housing. Add the complexity and detail required of a quality management system and the additional workflow functionality of capturing approval signatories electronically, and the risk of error begins to compound until it is almost guaranteed. Having a trick with a minor loophole will not prevent auditors from identifying gaps or omissions from the requirements provided in the guidances.
While knowing how to shift the odds in your favor may offer some relief, it is by no means a free pass to cut corners or reduce the level of effort in ensuring the system is compliant. With the chart needed to view all references in the library and not required to be provided during an audit by a regulatory body, it can still be referenced behind closed doors and used to provide answers when necessary without revealing any of the other documents referencing the electronic record under audit at that time, which would undoubtedly be of interest as the review by auditors fails to uncover any inconsistencies or compliance issues.
21 CFR Part 11 Compliant Systems
This might sound confusing, but for those who have undergone audits by the FDA, it should make a lot of sense. The biggest concern when reviewing an organization's compliance with the standards is if the processes and instructions dictating the methods in which a Quality Control policy is implemented match the actual procedures and workflows the organization and its personnel follow.
Focusing on that one main aspect of compliance is in itself a substantial undertaking. Electronic records must be secure, safe, accessible, and consistent. The records must be protected from unauthorized access or modifications. They must at the same time be accessible to all authorized parties
Keep in mind, this is not an opportunity to cut corners or omit required records or the content of records. But it does offer an opportunity to reduce the chances of auditors finding issues with the overall processes and policies at a high level. Breaking up procedures and policies above them into smaller, digestible records may seem counterintuitive, but given this shortcoming in the guidelines of Part 11, it can become an advantage during audits.