Transparency and fairness must prevail for electronic records and signatures to be considered valid which is where CFR Part 11 of the Code of Federal Regulations finds its relevance. While it gives companies the guidelines to do this successfully and succinctly, Oracle EnterpriseOne gives companies the platform and controls to implement it in just 15 steps.
Early civilization carved valued information on stone tablets. Today, we use aluminum tablets. And, while the world is moving towards being digitized, corporations are already there. The days of ink signings and transports of paper documents via the postal service's boxy Grumman LLV are almost behind us. Let's face it, the majority of the corporate world is electronic, which creates the necessity for federal regulations to ensure transparency and authenticity. The fast-paced evolution and digital dependence of humanity is the reason why a Federal law like 21 CFR11 gets passed.
Created in 1997, 21 CFR 11 refers to the section which defines the stipulations on the use of records and electronic signatures. This law pertains to pharmaceutical companies, medical device manufacturers, biotech companies and those that operate under the umbrella of the FDA. And, it is Part 11 of this regulation that focuses on electronic records and signatures which is the area of interest for this post.
Since the world is becoming a global village and business people no longer have to trot the globe for business meetings and transactions, it goes without saying that the nature of documentation has to shift from the traditional hard copies of memos and business reports to digital sources. Business deals and contracts can only be considered tenable when all parties involved have their signatures on documents making the issue of digital signature to become equally topical to this agency. Transparency and fairness must prevail for these electronic records and signatures to be considered valid. This is where part 11 of the Code of Federal Regulations finds its relevance.
As simple as this might look on paper, the rule has not been easy to implement. This is evident in the different updates and revisions that it has undergone from its launch in 1997 till the publication of the final guidelines in 2007. One of the grievances from in-house auditors was the fact that it was “very expensive and for some applications almost impractical”. Other problems also generated on the scope of the rule since even the 2003 guidelines were still too broad and vague on the segment. The revisions and additional clauses that were added in the meantime made the final publication more relevant and helpful. Critics of the rule still claim that the FDA could adopt an easier format that would be more efficient in terms of time and cost.
The implementation of rule 21 suggests that the government is accommodating the digital revolution by ensuring that records and signatures are filed correctly to guarantee authenticity, validity and reliability. The digital nature of our times makes it more cost effective to adopt electronic mediums of record keeping as well as signatures, but it is very important for a protocol to be put in place to avoid confusion and ambiguity. While CFR Part 11 gives companies the guidelines to do this successfully and succinctly, Oracle EnterpriseOne gives companies the platform and controls for implementing it. No plan is perfect but the modifications that the rule has seen since 1997 goes to show the agency desire to provide the best and most efficient method of electronic record keeping.
There are three major sections:
After comparing the Oracle solution for Governance, Risk and Compliance (GRC) with the inconsistent and ineffective 1997 version of the FDA model, the critics affirm that this protocol was not well thought out in the first place. Every electronic system gives room for improvement and the FDA can take credit for always working to make their guidelines proficient and relevant to the times.How to get effective Government, Risk and Compliance in E1
While the implementation is relatively easy, the behind the scenes is very complex and database intensive. There are some items that require planning. For example, turning on GRC will dramatically increase your database usage. Oracle recommends using the following formula to size your database post GRC activation.
"Database size increase per audited table = audit table record size x2 (before and after image) x number of transactions."
Whoa, that will be a massive increase. It's time to call the SAN vendor. Is this justifiable? Yeah, it sure is, because E1's auditing functionality is largely based on table triggers passing before and after data, time and date of the transaction and the name of the user who made the change.
A few general rules must be understood:
In addition, E1 will allow you to require an electronic signature approval when a user tries to alter the data in an application. The functionality can also be setup to require a signature before allowing a report to be submitted to the job queue.
There are 3 applications which help to control this functionality.
And, there are 3 reports which produce a printable report of the audit and signature information.
As each year passes, Cai Lun's invention of paper quickly moves towards obsolescence. Although I love writing on paper and reading printed books, I am grateful for the software companies who have added GRC functionality to their products. I say this because shortly after CFR stipulations were passed, as a young system administrator back in the late 90s when EnterpriseOne was known as Everest then OneWorld, our pharmaceutical customers required us to print a separate document, hand write the individual system change, endorse it and fax it to their CFR department. We had to do this for every single change, with the paperwork often taking more time to complete than the execution of the task.
Everyone wonders why prescription drugs and many of the items falling under the purview of the FDA cost so much. Even in today's digital environment, it's unbelievable to see the overhead these companies need to carry to bring their products to market. But I think anyone would agree that the cost of tracking CFR requirements on paper definitely justifies the cost of implementing Oracle's GRC functionality.
If you have any questions regarding the implementation of CFR functionality, please don't hesitate to contact us.