In 1997, the U.S. Food and Drug Administration (FDA) published Part 11 of Title 21 of the Code of Federal Regulations (21 CFR Part 11). Part 11 specifically applies to all FDA-regulated electronic records and electronic signatures (ERES) that are created, modified, archived, retrieved, or transmitted.
At the time, Part 11 proved controversial because of its broad definitions and requirements. Organizations were concerned that information technology would be overly restricted, discouraging innovation and significantly increasing the cost of compliance. Then, in 2003, the FDA published a Guidance Document for Part 11, which clarified the scope and application of Part 11 compliance.
FDA CFR Part 11 applies to the data records of these types of products:
- Animal & veterinary
- Biologics
- Cosmetics
- Dietary supplements
- Drugs
- Food & beverages
- Medical devices
- Radiation-emitting products
- Tobacco
- Food & color additives
These FDA-regulated products are manufactured or handled at nearly 270,000 facilities, more than half of which are overseas. The manufacturers of these products are required to maintain detailed reports at each site or at a reasonably accessible location. The FDA requires these records to be readily available for review and copy.
Records should include:
- Device specifications
- Production and process specifications
- Quality assurance procedures and specifications
- Packaging and labeling specifications
- Installation, maintenance, and servicing procedures
Excel spreadsheets are commonly used in many of these processes. However, Microsoft Excel was never designed to provide controls in regulated environments. The FDA expects spreadsheets to be compliant. Poor controls can result in warning letters, sanctions, and fines.
What are the FDA’s requirements for spreadsheet controls?
1. Security controls for user identification
Authentication of electronic records and signatures “must employ at least two distinct identification components such as an identification code and password.”
2. Detailed audit trail
When FDA regulators conduct inspections, an organization must provide a historical record of all operations, namely an audit trail. This means that the organization must be capable of keeping a running change log of each and every critical spreadsheet.
3. Electronic signatures
Changes and approvals to critical spreadsheets require a unique electronic “signature.”
How Apparity can help
Apparity controlled spreadsheets meet all of the FDA’s data integrity requirements, capturing security, audit trails, and electronic signatures. This allows organizations to continue to leverage Excel’s flexibility while meeting the FDA’s electronic record requirements.