Introduction to 21 CFR Part 11 for Electronic Records of Cell Culture

Cell-culture laboratories are increasingly relying on electronic systems for data management, making compliance with FDA regulations crucial. The 21 CFR (code of federal regulations) Part 11 [1] outlines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. This article will focus on two critical aspects: audit trail and user management [1-3].

The 21 CFR Part 11 was introduced by the FDA to establish the recommendations for electronic records and electronic signatures. The guidance applies to all aspects of the pharmaceutical and biotechnology industries where electronic documentation is used. Key areas covered include system validation, audit trails, record retention, and user access controls.

In order to promote innovation and technological advances for the benefit of public health and to avoid unnecessary controls and costs, the FDA intends to interpret the scope of part 11 narrowly [1]. This means that for records which are required to be maintained or submitted to the FDA, part 11 would apply when these records are used in electronic format rather than paper format. However, this fact does not apply to paper printouts of electronic records when the paper records are already used to meet all the requirements of applicable FDA statues and regulations.

Part 11 is applicable to the following electronic records [1]​​​​​​​:

1. Records that are maintained in electronic format either in place of or in addition to paper format.
2. Records submitted to the FDA in electronic format.
3. Electronic records which are used to perform regulated activities, in addition to documents in paper format.
4. Electronic signatures which replace handwritten signatures and other ways of signing.

N.B.: It is recommended for records which need to be maintained that users determine in advance how regulated activities will be performed, i.e., whether in electronic or paper form. This decision should be clearly documented.

Following 21 CFR Part 11 recommendations can be essential for cell-culture laboratories in the biotech and pharma industries to ensure data integrity, traceability, and accountability. Not following the recommendations could result in significant penalties, including product recalls, legal consequences, and loss of market trust.

The decision to validate computerized systems should take into account whether users are able to meet requirements and ensure the accuracy, authenticity, and integrity of the records and signatures [1]. The FDA recommends that the approach be based on a documented risk assessment to determine how the system may affect product quality, safety, and record integrity.

Definition

An audit trail is a secure, computer-generated, time-stamped electronic record that allows for the reconstruction of events relating to the creation, modification, or deletion of an electronic record.

According to 21 CFR Part 11, audit trails should:

• Record the date and time of operator entries and actions;
• Be secure and protected from unauthorized access;
• Be stored in a manner that allows for easy retrieval and review;
• Capture changes to critical data, such as cell-culture conditions and results.
   

To implement an effective audit trail:

• Use software that automatically records all user actions;
• Ensure time-stamped entries for all modifications;
• Regularly review and audit the record trail for inconsistencies or unauthorized changes.

Compliance with all requirements regarding documentation, such as date and time, should be observed [1]. In the case there are no such requirements, audit trails or other physical, logical, or procedural security measures may still be important to ensure the trustworthiness and reliability of the records. The decision should be made based on the defined requirements, a risk assessment, record integrity, and product quality/safety.

Additionally, audit trails can be useful when creation, modification, or deletion of regulated records occurs.

Appropriate access to records should be given to investigators during inspection [1]. Copies of electronic records should be supplied in common electronic formats (PDF, XML, or SGML) using established software conversion or export methods. The copying process used should produce copies that preserve the content and meaning of the record. Inspection, review, and copying of records in a form that is readable by a person should be allowed on the organization’s site using its hardware.

The decision of how to maintain records should be based on defined requirements and a documented risk assessment, including a determination of the record’s value over time [1]. It is important that any copies of the required records should preserve their content and meaning. Records can be archived in either non-electronic formats, such as on microfilm, microfiche, and paper, or in a standard electronic file format (e.g. PDF, XML, or SGML). Moreover, electronic and non-electronic records and signatures can co-exist, i.e., a hybrid situation.

Definition

User management involves controlling and monitoring access to electronic systems to ensure that only authorized individuals can perform specific tasks.

21 CFR Part 11 mandates:

• Unique user IDs and passwords for all individuals accessing the system;
• Assignment of roles and permissions based on job responsibilities;
• Regular review and updating of user access rights;
• Immediate revocation of access for terminated or transferred employees.

Effective user management can be achieved by:

• Implementing role-based access controls (RBAC);
• Conducting regular training sessions on security protocols;
• Periodically auditing user access logs;
• Utilizing multi-factor authentication (MFA) for additional security.

System validation

Validate all electronic systems to ensure they meet the requirements of 21 CFR Part 11, including verifying that audit trails and user management features are functioning correctly.

Maintain comprehensive documentation of all compliance activities, including user access reviews, system validations, and audit trail audits.

Conduct regular internal audits to identify and rectify any compliance gaps. Involve third-party auditors for an unbiased assessment.

Provide ongoing training for all personnel on the importance of 21 CFR Part 11 compliance, focusing on audit trail and user management.

To help users follow the recommendations of 21 CFR part 11, the Mateo FL microscope offers the following:

• Concerning validation, audit trails, and user management (sections 4, 5, and 8 above)
  • Built-in, detailed audit trails and integrated user management functionalities for easier and more secure data management;
  • Effortless tracking and managing of samples with a bar code reader function;
• Concerning copies of records and record retention (sections 6 and 7 above)
  • Easier sharing of data to any mobile device with QR codes;
  • Secure data tracking and seamless data transfer;
  • More practical management of file storage - store up to 3 million images with 500 GB of storage space, so spend less time transferring or deleting files.

Examples of how Mateo FL can help users meet the 21 CFR part 11 recommendations for validation, audit trails, copies of records, record retention, and user management are shown below in figures 2 and 3.

Agreement with 21 CFR Part 11 is essential for ensuring the integrity and reliability of electronic records in biotech and pharma cell-culture laboratories. By focusing on robust audit trail and user management practices, organizations can meet regulatory requirements and maintain the highest standards of data security and traceability. The advantage of using a digital microscope approach for cell culture, in terms of electronic records compared to a paper-based one, is more consistent and efficient documentation of results.

1. What is 21 CFR Part 11 and why is it important?

   21 CFR Part 11 is an FDA guidance for electronic records and electronic signatures. It helps users to ensure that electronic records are as trustworthy as paper records, critical for maintaining data integrity and traceability in regulated environments like biotech and pharmaceuticals.

2. How does the Mateo FL microscope help with 21 CFR Part 11 compliance?

   Mateo FL provides audit trail and user management features required for compliance. It automatically logs all user actions and tracks any modifications made to records, ensuring secure and traceable data management.

3. What features of Mateo FL contribute to secure data management?

   Mateo FL allows a detailed audit trail. Additionally, it offers seamless data transfer via QR codes and supports long-term data storage, which is crucial for compliance.

4. Is the audit trail feature of the Mateo FL microscope customizable?

   The audit trail in Mateo FL is built-in and captures all relevant actions. An administrator can review the audit trails to verify that operations are done in accordance with regulatory standards. When enabled, it logs and secures all data for full traceability, supporting compliance with 21 CFR Part 11.

5. How does Mateo FL handle data storage and retention for compliance?

   Mateo FL includes a generous 500 GB of storage, capable of storing up to 3 million images, ensuring that data is retained securely without the need for frequent transfers, which reduces compliance risks.

6. What are the consequences of not following 21 CFR Part 11 recommendations?

   Not following the 21 CFR Part 11 recommendations could lead to non-compliance with FDA regulations for the biotech and pharms industries, possibly resulting in significant penalties, including fines, product recalls, legal actions, and loss of market trust. Implementing Mateo FL offers the potential benefit of helping your lab meet regulatory requirements.

The overview of 21 CFR part 11 provided in this document does not and is not intended to constitute legal advice, or any other advice, of a binding nature. All information contained in this overview is for general informational purposes only. Readers of this overview should contact their advisors or attorney to obtain advice with respect to any particular matter. Only the individual advisor or attorney can provide assurance that the information contained in this overview is applicable or appropriate to a particular situation. No representation is made that the content of the overview is complete or error-free.