FDA 21 CFR Part 11: The Definitive Guide

What is 21 CFR Part 11?

21 CFR Part 11 is a regulatory framework designed by the FDA to guide drugmakers on how to create, manage, and maintain electronic records and electronic signatures. It also states the conditions under which a drug maker falls within the scope of this regulation and must comply with it.


The term comes from Title 21 of the Code of Federal Regulations (CFR). In effect since January 2007, 21 CFR Part 11 governs electronic records and signatures in regulated industries like pharmaceuticals, biotech, medical devices, etc.

In total, the CFR has 50 titles. Of these, Title 21 deals with food and drugs. Title 21 itself has 3 chapters.

  1. Chapter I – Food and Drug Administration
  2. Chapter II – Drug Enforcement Administration
  3. Chapter III – Office of National Drug Control Policy

Chapter I is further divided into subchapters named A, B, C, and so on. Part 11 itself is organized into three subparts:

SUBPART A - GENERAL PROVISIONS

■ Sec. 11.1 Scope

■ Sec. 11.2 Implementation

■ Sec. 11.3 Definitions

SUBPART B - ELECTRONIC RECORDS

■ Sec. 11.10 Controls for closed systems

■ Sec. 11.30 Controls for open systems

■ Sec. 11.50 Signature Manifestations

■ Sec. 11.70 Signature record/linking

SUBPART C - ELECTRONIC SIGNATURES

■ Sec. 11.100 General Requirements

■ Sec. 11.200 Electronic signature components and controls

■ Sec. 11.300 Controls for identification codes/passwords

21 CFR Part 11 Compliance Checklist:


SUBPART A - GENERAL PROVISIONS:

Sec. 11.1 Scope -

This is the first section of 21 CFR Part 11, and its goal is to establish what this regulation does and when it should be applied. The regulations in 21 CFR Part 11 set forth the criteria under which the FDA considers electronic records and signatures to be trustworthy, dependable, and equivalent to paper-based records. 21 CFR Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, and/or transmitted under any records requirement set forth by the FDA.

Sec. 11.2 Implementation -

This section explicitly states that medical device companies can use paperless record-keeping systems if they follow this regulation. Medical device companies that wish to transmit electronic records to the FDA may do so if they comply with this regulation and if the documentation they wish to submit is identified in docket No. 92S-0251 as a type of submission that the agency accepts in electronic form.

Sec. 11.3 Definitions -

The FDA provides definitions for some of the terminology that will be used later in Part 11. One example would be the difference in definitions between closed systems and open systems. A closed system is a record-keeping system where system access is controlled by persons who are responsible for the content of electronic records on the system. In an open system, access is not controlled by persons who are responsible for the contents of the electronic records on the system.

SUBPART B - ELECTRONIC RECORDS:

Sec. 11.10 Controls for closed systems -

This section sets forth 11 separate and distinct security management requirements for companies that wish to keep electronic records using a closed software system. Some of the requirements include limiting system access to authorized individuals; authority checks and device checks to verify the integrity of data and signatures; the establishment of written accountability policies for maintaining system security; and the appropriate validation of the record-keeping system to ensure consistency in its intended performance. The FDA also establishes the audit trail requirements in this section. Companies must maintain appropriate control over systems documentation, including revision and change control procedures, to maintain an audit trail that documents changes in the system. An audit trail ensures that every activity that happens in the record-keeping system generates a record and can be reviewed later.

Sec. 11.30 Controls for open systems -

Open systems typically mean that more people have access to the record-keeping system, so the security requirements should be somewhat more comprehensive to help ensure that the records kept are accurate and reliable. This section recommends that open systems be subject to the same 11 security requirements as closed systems, along with any additional appropriate measures, such as document encryption and the use of digital signature standards, to ensure the integrity and confidentiality of the records.

Sec. 11.50 Signature Manifestations -

This section deals with how signatures should appear on electronic records. The FDA expects to see the printed name of the signer, the date and time that the signature was executed, and the meaning of the signature (approval, review, authorship, etc.). These elements are subject to the same controls as the records themselves and must be included on any human-readable form of the electronic record.

Sec. 11.70 Signature record/linking -

A section so short, we can quote it: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

SUBPART C - ELECTRONIC SIGNATURES:

Sec. 11.100 General Requirements -

This section sets forth some of the requirements for personal accountability in electronic signatures that are central to this regulation. It requires organizations to verify the identity of any individual who is assigned an electronic signature on the system, and medical device companies that wish to use electronic signatures must notify the FDA in writing by mail. The agency’s Rockville, MD address is provided.

Sec. 11.200 Electronic signature components and controls -

The FDA wants electronic signatures to use at least two identifying components, such as an identification code and a password. Electronic signatures should be assigned to individual persons, not to groups or departments, such that each electronic signature can only be executed by the single person to whom it is assigned and whose identity was verified in compliance with this part. The FDA really wants to make sure that approval and review signatures cannot be disputed once they are entered into the system.

Sec. 11.300 Controls for identification codes/passwords -

21 CFR Part 11 requires special security measures for the control of passwords. No two individuals should use the same identification code/password combination to access the system, and passwords should be changed periodically to protect against password aging. Medical device companies must establish transaction safeguards that prevent the unauthorized use of passwords. Loss management procedures should be established to ensure that compromised security tokens, cards, or other devices are deauthorized to prevent security breaches.


Frequently Asked Questions and Answers

What is 21 CFR Part 11 compliance?

Whenever regulated information is generated, accessed, stored, modified, or transferred electronically, 21 CFR Part 11 compliance is required. It means you must satisfy the FDA’s regulations in terms of managing your electronic records and electronic signatures.

How to decide if we require compliance with 21 CFR Part 11?

The best way to decide is to:

  1. Create an assessment form as a question-answer sheet.
  2. Attach this form as an Annexure to the relevant SOP.
  3. Put key questions in the form. Answers should be “Yes or No”.
  4. If any of the answers is “Yes”, you need to comply with 21 CFR Part 11.
  5. The recorded form is now documented evidence of your decision. So, maintain this record for inspections.

Shall we customize the Audit Trail Reports?

You may find pre-formatted custom audit reports built into the system. Each moment of access (log-in, log-out, lock-out, activities) should be recorded and reported in an easy-to-understand format. The FDA may view these records during an inspection, and a clear format helps them quickly find what they are looking for. Keeping audit trails in raw format will waste your time as well as the auditor’s.

Part 11 doesn’t talk about lock-out or log-out. Why?

Some best practices automation experts use:

  1. Automatically log out the user after 5-10 minutes of inactivity.
  2. The system locks out the user after 3 failed password attempts, and also if the user remains inactive for a set number of days.
  3. Setting up password complexity rules: at least 8 characters, 1 capital letter, 1 number, 1 special character, etc.

You see, the regulations don’t mention these. But they do communicate one thing: consider additional controls to make your systems more secure. That’s why correct interpretation is the key to compliance.

We do every activity on paper. Shall we comply with 21 CFR Part 11?

Simply, no. However, there are instances where electronically generated reports (test reports, trends, etc.) are printed and then ink-signed. For such instances, you need to have a documented rationale for not considering 21 CFR Part 11.

The regulation also applies to paper records that are shared electronically, uploaded to a QMS, sent by e-mail, etc. You may not realize it, but such practices can unknowingly bring you within the scope of 21 CFR Part 11.

That’s why you see above an Assessment checklist to find out whether you need to comply with the regulation.

How can an e-signature be linked to a document?

Signatures must be generated with a private key assigned to each signer. Such digital signatures are considered safe and secure. The following are non-compliant:

  1. Scanning the signature and putting it into the record.
  2. Screenshot manipulation of the physical signature.

These are violations of section 11.70, which can be interpreted as: “If an electronic record is signed (ink or electronic), the signature must remain associated with the record. No action can be taken to erase, copy, or transfer it.”
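As an added example (not from the article or from any product it mentions), the following Go program shows how the signature manifestation that Sec. 11.50 requires (printed name, date/time, meaning) can be bound to the record content with the signer's private key, so that the Sec. 11.70 link holds: copying the signature onto another record, or changing the meaning, makes verification fail. Ed25519, the record text and the signer name are assumptions chosen for illustration; a real system would also handle key custody, identity verification and the audit trail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifestation holds what Sec. 11.50 requires to appear with a signature:
// the signer's printed name, the date/time of execution, and its meaning.
type Manifestation struct {
	SignerName string `json:"signer_name"`
	SignedAt   string `json:"signed_at"` // RFC 3339 text, so the encoding is deterministic
	Meaning    string `json:"meaning"`   // "approval", "review", "authorship", ...
}

// SignedRecord is a record's content together with its linked signature.
type SignedRecord struct {
	Content       []byte
	Manifestation Manifestation
	Signature     []byte
}

// signingInput binds the manifestation to the record: SHA-256 of the content
// followed by the JSON of the manifestation, so changing either changes the signed bytes.
func signingInput(content []byte, m Manifestation) []byte {
	digest := sha256.Sum256(content)
	mb, _ := json.Marshal(m) // cannot fail for a struct of plain strings
	return append(digest[:], mb...)
}

// SignRecord executes the signature with the signer's own private key (Sec. 11.70).
func SignRecord(priv ed25519.PrivateKey, content []byte, m Manifestation) SignedRecord {
	return SignedRecord{Content: content, Manifestation: m,
		Signature: ed25519.Sign(priv, signingInput(content, m))}
}

// VerifyRecord is true only if the signature was executed over exactly this
// content and manifestation by the holder of the private key matching pub.
func VerifyRecord(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, signingInput(r.Content, r.Manifestation), r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key pair per signer
	m := Manifestation{"A. Analyst", "2024-03-01T10:15:00Z", "approval"}
	rec := SignRecord(priv, []byte("Batch 0421 assay: 99.2% (constructed sample)"), m)
	fmt.Println("original verifies:", VerifyRecord(pub, rec)) // true
	// Transferring the signature to another record is what Sec. 11.70 forbids; it is detected.
	moved := SignedRecord{[]byte("Batch 0422 assay: 97.0%"), m, rec.Signature}
	fmt.Println("transferred signature verifies:", VerifyRecord(pub, moved)) // false
}
```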

How to Validate Electronic Systems under 21 CFR Part 11?

For this, the FDA recommends reading the following references.

  1. General Principles of Software Validation; Final Guidance for Industry and FDA Staff
  2. The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems, GAMP 4 (ISPE/GAMP Forum, 2001)

Monika Dhande

Officer in Quality Control Department at Leben Life Sciences Ltd

1 year

Thanks for sharing

Pretam A S.

Global PV Agreements at Teva | Aspiring Associate Director | Certified PV Auditor (CRQA) | Compliance | PV Educator | AI Enthusiast | Content Creator |

2 years

It’s really commendable to create posts like this. Shouvik Mondal
