What is 21 CFR part 11?
- 21 CFR Part 11 is the FDA’s regulations for electronic documentation and electronic signatures. It outlines the administration of electronic records in a medical device company’s quality management system.
- In March of 1997, the United States FDA issued regulations that established the criteria for acceptance by the FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic documents. While our focus is on medical device companies and the compliance of their quality systems with this regulation, the rules also apply to companies in pharma, biotech, biologics developers, and other FDA-regulated industries. These laws are codified as Part 11 of Title 21 in the Code of Federal Regulations, or 21 CFR Part 11, or Part 11 for shorthand.
Three sub-parts of CFR part 11:
- General Provisions Section: General Provisions Section discusses the scope of the regulations, when and how it should be implemented, and defines some of the key terms used in the rules.
- The Electronic Records Section: The Electronic Records Section sets forth the requirements for the administration of closed and open electronic recordkeeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
- The electronic Signatures Section: The electronic Signatures Section is split into three parts: general requirements for electronic signatures, electronic signature components and controls, and controls for identification codes/passwords.
The goal of part 11 :
- Determine whether 21 CFR part 11 applies to your company.
- Maintain data safely and securely to ensure data is not corrupted or lost.
- To Trace changes to data.
- To prevent and detect falsified records.
- Ensure that approval and review signatures do not dispute.
- To help companies know how to use computer systems and software, mainly when it is not working correctly.
- Follow 21 CFR part 11, data security, and password protection best practices.
- Establish clear audit trails for traceability.
- Follow 21 CFR part 11 guidelines on electronic signatures.
- Do not outsource responsibility: you oversee your 21 CFR part 11 compliance.
- Validate for Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
- Consider 21 CFR part 11 compliance when choosing a Content Management System (CMS) solution.
- Records must be readily retrievable throughout the retention period.
- System access must be limited to authorized individuals.
- The system should ensure that only authorized individuals can use it, electronically sign records, alter a record, or perform other operations.
- Input data or instructions can only come from specific input devices into the system.
- Data should be encrypted.
- Digital signatures must be attested.
Audit trail for every document:
- There must be a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records.
- Upon making a change to an electronic record, previously recorded information should still be available.
- An electronic records audit trail must be retrievable throughout the record’s retention period.
- The audit trail must be available for review and download a copy by the FDA.
- The audit trail must include the User ID, sequence of events, original and new values, a changelog, and revision and change controls.
- Signed electronic records must contain the printed name of the signer.
- Signatures must be linked to their respective electronic records to ensure that they cannot be cut, copy, or otherwise transfer by ordinary means for falsification.
- There should be a formal change control procedure for system documentation that maintains a time-sequenced audit trail for those changes made by the pharmaceutical organization.
- Electronic signatures should be unique to an individual.
- Electronic signatures should never be reused by or reassigned to anyone else.
- The identity of an individual must be verified before an electronic signature is allocated.
- The signature must have at least two components, such as an identification code and password, or an id card and password.
- Controls must be in place to maintain the uniqueness of each combined identification code and password, such that no individual can have the same combination of identification code and password.
- Procedures must be in place to ensure that the validity of identification codes is periodically checked.
- Passwords must periodically expire, and it should be revised.
- There must be a procedure for recalling identification codes and passwords if a person leaves or is transferred.
- There must be a procedure for electronically disabling an identification code or password if it is potentially compromised or lost.
- There must be a procedure for detecting attempts at unauthorized use and for informing security.
- There must be a procedure for reporting repeated or severe attempts at unauthorized use to management.
- Testing should check whether there have been any unauthorized alterations.