High-performance liquid chromatography, or HPLC, is a vital part of analytical chemistry and is used in a broad range of life science businesses. However, analytical laboratories using electronic systems to record, store, and manage data are now required to comply with FDA rules and regulations. The 21 CFR Part 11 for HPLC means your organization needs a validated LMS to comply with the regulation.
How does 21 CFR Part 11 for HPLC affect your organization? In this guide, we’ll answer some of the most frequently asked questions from operators of analytical laboratories regarding 21 CFR Part 11 and the FDA’s rules.
Does 21 CFR Part 11 Apply to Your Laboratory?
In a nutshell, yes, it does. The only way these rules would not apply to your organization is if you did not use any type of electronic system to manage electronic records (software handling test results, for instance). Because almost every single life science organization today relies on digital technology, virtually every organization in the industry must comply with these rules and regulations.
What Does 21 CFR Part 11 for HPLC Focus On?
While 21 CFR itself covers an incredible range of federal regulations, Part 11 is much more specific. For 36 pages, the FDA spells out the requirements for organizations in terms of how electronic systems should operate to:
- Protect sensitive data
- Limit access to information and systems in general
- Ensure accountability and transparency
- Make electronic signatures as trusted and legally binding as handwritten signatures
Does 21 CFR Part 11 Apply to Legacy Systems?
Yes and no. If your legacy system does not handle electronic records in any way, then, no, the rule does not apply. However, if your legacy system does handle electronic records, then the rule does apply. All such systems must be validated, and if they cannot be validated, they cannot be used and will need to be replaced.
What Does the Rule Say?
The rule itself comprises just three of the 36 pages in Part 11. The other 33 pages include discussion from the FDA on the rule itself, as well as other information that life science organizations and other businesses that fall under the purview of the FDA need to know. The rule itself is comprised of just a few parts, which are as follows:
- System validation: “All computer systems used to generate, maintain, and archive electronic records must be validated to ensure accuracy, reliability, consistent independent performance, and the ability to discern invalid or altered records.”
- Secure retention of electronic records to instantly reconstruct analyses: “Procedures should be in place to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency. Records must be protected to enable their accurate and ready retrieval throughout the records retention period.”
- Limited access: “Procedures should be in place to limit the access to authorized users.”
- User-independent, computer-generated, time-stamped audit trails: “Procedures should be available to use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit-trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.”
- Use of secure electronic signatures for closed and open systems: “The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to determine record and signature falsification.”
- Use of digital signatures for open systems: “Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified for closed systems, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.”
What Types of Electronic Signature Control Components Can Be Used?
The FDA allows both non-biometric and biometric electronic signature control components. These can include usernames and passwords, such as those used to log into conventional software, such as email accounts and the like. It can also include two-factor authentication, or the use of physical components, like an ID card with a scannable barcode.
Biometric control elements can include a wide range of components, such as fingerprints, iris scans, and even DNA. There is no mandate on which types your organization uses, only that access to sensitive information and systems is controlled and that there are SOPs in place to ensure accountability and responsibility.
With that being said, biometric controls have greater flexibility, as the FDA states that “electronic signatures that are not based upon biometrics shall: (1) employ at least two distinct identification components, such as an identification code and password.”
Don’t Neglect Your Learning Management System
For life science companies, having a viable, modern LMS is essential. However, because these systems include, record, and manage data, they’re subject to 21 CFR Part 11 for HPLC/laboratories. What that means is they must be validated for use and comply with FDA guidelines or you risk being out of compliance.
At eLeaP, our LMS has been fully validated and is fit for use. It is one of the few such systems on the market that offers compliance with 21 CFR Part 11 “out of the box” while delivering powerful capabilities and flexibility. Contact us today to learn more about our system or to schedule your custom consultation.