The 21 CFR Part 11 Electronic Records; Electronic signature final rule has been effective since August 1998. While much attention has been given to the electronic signature technical controls included within the final rule, less attention has been focused on the electronic records component. Before we continue with this discussion, it is important to establish common ground as to what is an electronic record. According to Part 11, “… an Electronic Record is any information (text, graphics, data, audio, pictorial) created, modified, maintained, archived, retrieved, distributed, or reported in electronic form within a computer system…” As you may have gleaned from the definition, this is anything that is on your computer/desktop/servers. All systems subject to 21 CFR Part 11 must be VALIDATED. The application scope of systems subject to 21 CFR Part 11 in life sciences companies are highlighted in the figure below.
As you can see, all types of systems from document management, ERP, CRM, LIMS, MES, QMS, as well as electronic records management systems themselves are subject to this regulation. The purpose of this blog post is to discuss why records management is an important topic for life sciences companies to consider and how do we validate such systems.
UNDERSTANDING ELECTRONIC RECORDS MANAGEMENT
There is much discussion in the news today about the new EU General Data Protection Regulation also known as “GDPR”. This regulation focuses on data protection of information that can uniquely identify individuals as well as how to manage and protect this personal data while respecting individual choice—no matter where data is sent, processed, or stored. This is a game-changer since the failure to manage such information now comes with stiff financial penalities up to 4% of turnover for serious violations.
Predicate rules require the retention of certain records over time. Sarbanes-Oxley also imposes the need to have a defined records management policy in place to prevent the destruction of records related to investigations or other government inquiries. When looking at the EU GDPR and other regulations, it is important to understand and review the principles of electronic records management. Records management deals with the following:
- Indexing
- Classification
- Long/Short Term Archival
- Storage
- Control
- Move/Transfer
- Hold (legal/regulatory)
- Delete/Destroy
The typical lifecycle of a record is shown in the figure below. At the time records are created, they are classified and indexed. They are promoted through a lifecycle workflow until the record is expired or ultimately destroyed. There is a lot of overlap between electronic records management systems and document/content management systems. They have often the same features/functionality but records management systems have distinct capabilities to manage electronic records.
Life sciences companies must establish a taxonomy and retention policies for the management and control of electronic records. In order to achieve compliance with existing predicate rule requirements, life sciences organizations must establish policies and procedures governing electronic records and ensure that all requisite documentation is retained as long as required by the applicable retention schedule as mandated by predicate rule requirements.
Life sciences companies must come to grips with the realities of electronic records management in cloud and on-premise environments. Issues with respect to data integrity, consistency and transparency are crucial. These systems must be validated to confirm that the systems can sustain electronic records over time.