Predicate Rules - Audit Trails - E-Signatures

COMPUTER SYSTEM VALIDATION (CSV) 21 CFR PART 11
1

Can you all help set me straight with a couple of questions I’m not
real clear on?

  1. What are the predicate rules? I believe they are anything that is
    in the CFR or USC but I have also seen people refer to guidances like
    the ICH docs. My understanding is that the FDA has recognized the ICH
    docs as good practice but has not made them enforceable by codifying
    them in the CFR - is that a correct interpretation?

  2. When do you need an audit trail? In my interpretation of part 11
    and the Aug 2003 guidance, one would only need to be considering any
    part 11 controls when records are related to predicate rule
    requirements. Anytime documents are created for predicate rule
    requirements it is expected that good doc practices will always be
    followed (crossing out and initial/date errors and corrections) and
    the guidance further says that audit trails are particularly
    appropriate whenever users create, modify, or delete a regulated
    record. If you need audit trails whenever a record is created (and in
    order for it to exist it must be created), doesn’t that mean you
    always need an audit trail when working with any part 11 records? The
    only exception I can see is if the records are being created,
    modified, or deleted programmatically and not by a human user. Of
    course in these cases you would need to validate the programming… Am
    I interpreting the audit trail assessment correctly?

  3. When do you need electronic signatures? Do you really only need an
    electronic signature in instances when the predicate rules
    specifically state to sign or initial a record? In my experience it
    is common to have any record required by predicate rules signed as I
    can’t imagine handing the FDA a bunch of unsigned documents like
    training records [§§211.25(a) and 820.25(a) require adequately trained
    personnel and §820.25(b) specifically says training has to be
    documented but does not say signed]. In these cases where the
    predicate rules say something needs to be documented but don’t state a
    signature or initial requirement is it acceptable to use electronic
    records to document without electronic signatures? Per question 2,
    I’m quite sure these would require an audit trail and perhaps that is
    enough to show the traceability and accountability for the documentation?

Any and all feedback is greatly welcome!

2

I think you’re on track regarding the predicate rules. Here’s a
segment from an internal document I wrote that surveys the Part 11
literature:

Although Part 11 mandates technical and procedural controls that
must be in place for the FDA to consider electronic records and
signatures equivalent to their paper counterparts, Part 11 does not
identify what records must be kept or signed, or how long to keep
them. These requirements are set forth in various regulations
regarding Good Manufacturing Practice (GMP), Good Clinical Practice
(GCP), and Good Laboratory Practice (GLP) (collectively referred to
as GxP), including:
• GMP: 21 CFR 110, 211, 820
• GCP: 50, 54, 56, 312, 812
• GLP: 58
These FDA regulations, which were written prior to Part 11 and took
a paper-based perspective, are referred to as predicate rules. Part
11 states that, when a computer system is used to satisfy any
regulatory requirement for recordkeeping or signatures, it must
comply with the requirements of Part 11. Consequently, Part 11 is
based on, or predicated by, all of the other regulations; which are
thus referred to as the predicate rules.

Refs:
Woodrum, 21 CFR Part 11: The Role of Predicate Regulations and
Associated Internal Policies, 2003, Drug Information Journal.
Complying with U.S. FDA Title 21 CFR Part 11 for the Life Sciences
Industry, 2004, SAP
Benze, Risk-Based Approach to SAS® Program Validation, 2005,
PharmaSUG

3
  1. When do you need an audit trail?
    Wrong question. When do YOU WANT an audit trail? When does it make
    sense for you and your business to track changes to electronic records?
    When does it add value? I fought this part of the rule for a long time
    and finally started adding audit trails to my apps. It is so very
    useful that I now add audit trails to every app I build. We have never
    had a case of attempted fraud (reason for the rule) but I use the audit
    trails all the time to help people understand what happened to a record
    and when (helps the business users). I also use it to identify places
    in my apps where the design isn’t clear. By seeing who did what and
    when and understanding why people are confused (ie, why can’t I sign
    this document - because person x did action y at time z which was
    allowed but unexpected) I can go back and either rework the workflows or
    clean up the UI so they become easier to use. Audit trails are awesome;
    use them!
  1. When do you need electronic signatures?
    When do need or want signatures and you want to take a process from
    paper to electronic? That’s when. Again; forget the regs for a minute
    and ask yourself about the business cases for and against sigs. Some
    times we want to know exactly who did something and we ask them to
    sign-predicate rule or not. Sometimes we’re not all that interested and
    we think that collecting the logged in user name is sufficient so we
    don’t use eSigs. Think outside the regulatory box.