Compliance Services: Searching for a Bit of Common Sense

Sept. 15, 2009
enKap seeks to be a community of, by, and for compliance professionals. We talk with Glenn Melvin, and provide sage 21 CFR Part 11 advice.

There’s no shortage of information and advice out there on pharmaceutical compliance—magazines and web sites wholly devoted to covering the topic do a bang-up business, pharmaceutical media (such as our publications) regularly offer how-to’s and best practices, and compliance consultants abound, replete with advice, free and otherwise.

At least one new site,, is trying to bring some harmony to the compliance cacophony. enKap—short for Engaged Knowledge Application—is the venture of Glenn Melvin, a compliance expert and founder of the Institute of Validation Technology (a business which he sold). The site aims to become an “FDA compliance learning community,” a place for pharma professionals to access white papers, webinars, etc., but also to share war stories and build a better collective compliance understanding. And it’s a place where professionals can market their expertise, foster partnerships, or locate “how to” GMP, GCP and GLP “how to” training information.

There are plenty of web-savvy compliance professionals that can benefit, Melvin says, as well as a few “dinosaurs” that could stand to get networked a bit more. “There are a lot of opportunities for e-learning that people still haven’t taken full advantage of,” he says.

Melvin is trying to keep his information current and of a certain standards. His webinars, for instance, rely on presenters from major pharmaceutical and device manufacturers (i.e., the site’s members) rather than just consultants.

He also understands the realities of building web communities these days. No site exists in isolation, and Melvin has established parallel communities on LinkedIn for each of the four areas of compliance he targets: GMP, GLP, GCP, and computer validation training content. He has built up a combined membership of more than 1,100 professionals. In November, enKap will launch a new web-based publication, FDA Compliance Digest ($199 for the six annual issues) that will showcase enKap’s content. 

Is enKap revolutionary? No. There are certainly plenty of other communities out there (ISPE, for instance) where professionals can get their compliance fix. But enKap should be commended for its emphasis on both community and quality, and deserves at least a visit from professionals engaged in compliance.

As a sample of the enKap content, Melvin offers up some 21 CFR Part 11 advice from one enKap member, Jasmin Nuhic, Part 11 Subject Matter Expert with the firm MPCQuality, who regularly answers the community’s questions.

I keep electronic records, but have signatures on paper (hybrid systems). Is there a deadline for converting to electronic signatures?
There is no deadline for converting to electronic signatures. As a matter of fact, there is no requirement that you must have an electronic signature system in place. Having handwritten signatures on paper is acceptable if the signature is linked to the electronic records so signers cannot repudiate their associative responsibility.

When using a hybrid system approach to e-signatures, how do you link the handwritten signature to the e-record?
Since 21 CFR Part 11 does not require that electronic records be signed by using only electronic signatures, e-records may be signed with handwritten signatures that are applied to electronic records or with handwritten signatures that are applied to a piece of paper. If the handwritten signature is applied to a piece of paper, it must link to the electronic record. FDA will publish guidance on how to achieve this link in the future, but for now, it is suggested that you include in the paper as much information as possible to accurately identify the unique electronic record. For example and at the least, include: file name, size in bytes, creation date, and a hash or checksum value. However, the master record is still the electronic record. Thus, signing a printout of an electronic record does not exempt the electronic record from Part 11 compliance.

What do you mean by linking e-records to e-signatures?
Regulation 21 CFR 11.70 states that electronic signatures and handwritten signatures executed to electronic records must be linked (i.e., verifiably bound) to their respective records to ensure that signatures cannot be excised, copied, or otherwise transferred to falsify another electronic record. The agency does not, however, intend to mandate use of any particular linking technology. FDA recognizes that, because it is relatively easy to copy an electronic signature to another electronic record and thus compromise or falsify that record, a technology-based link is necessary. The agency does not believe that procedural or administrative controls alone are sufficient to ensure that objective, because such controls could be more easily circumvented than a straightforward technology-based approach.

Are e-mails controlled documents?
This is a most interesting question. From the controls standpoint, an email can be a document and be used as such; however, from the Part 11 compliance standpoint, it does not meet the regulation. Please note that if the text in an email supports such activities as change control approvals or failure investigations, then the e-mails have to be managed in a compliant way.

Can a single restricted login suffice as an electronic signature?
No, the operator has to indicate intent when signing a document. The user has to re-enter the user ID or password, which shows awareness that he or she is executing a signature, and indicate the meaning for the e-signature. To support this, 21 CFR 11.50, states that signed e-records shall contain information associated with the signing that indicates the printed name of the signer, the date and time, the meaning for the e-signature, and that these items shall be included in any humanly readable form of the record.

Does outsourcing of a computer make the system an open system? Additionally, would external access by an external vendor for maintenance work to a computer system (e.g., using a modem) make that an open system?
According to the Rule, the definition of a closed system is an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. The agency agrees that the most important factor in classifying a system as closed or open is whether the persons responsible for the content of the electronic records control access to the system containing those records.

A system is closed if persons responsible for the content of the records control access. If those persons do not control such access, then the system is open because the records may be read, modified, or compromised by others to the possible detriment of the persons responsible for record content. Hence, those responsible for the records would need to take appropriate additional measures in an open system to protect those records from being read, modified, destroyed, or otherwise compromised by unauthorized and potentially unknown parties.

Could you define and provide examples of systems that are critical to data integrity?
For Part 11, data integrity is related to the trustworthiness of the electronic records generated or managed by critical systems. The FDA is most concerned about systems that are involved with drug distribution, drug approval, manufacturing, and quality assurance because these systems pose the most risk in terms of product quality and public safety.

Is there such a thing as a turnkey Part 11 supplier-provided system?
Even though I am not aware of such a system, there are suppliers that do provide significant amounts of information and direction with their systems, which if followed, would lead you to compliance with Part 11. Remember, implementation of the system is one of the keys to compliance. Unless you hire the same supplier for implementation that you used to obtain the system, implementation might be more challenging than you bargained for.