What is 21 CFR Part 11?
In March of 1997, FDA issued final 21 Code of Federal Regulations Part 11 (21 CFR Part 11) that establishes criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These records are then considered to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. 21 CFR Part 11 applies to records required to be submitted to FDA or to be maintained under predicate rules when persons choose to use records in electronic format in place of paper format. Predicate rules are the requirements set forth in the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Public Health Service Act, and FDA regulations (other than 21 CFR Part 11) that require maintaining and submitting records. For more information, please visit FDA's Guidance on 21 CFR Part 11, Electronic Records; Electronic Signatures - Scope and Application .
What does being compliant with 21 CFR Part 11 mean?
A computerized system being 21 CFR Part 11 compliant means it affirms electronic records and digital signatures used in place of paper-based documentation and hard copy (hand written) signatures follow this regulation. FDA does not certify systems or processes, and compliance with the provisions of 21 CFR Part 11 is the basis for FDA's acceptance of the system. To reach compliance, methods are developed and activities conducted for system validation, record generation, audit trails, operational and security controls, digital signatures and training. These methods and activities must be maintained through change control and management procedures to retain a compliant status. For more information, please visit FDA's Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers | FDA .
How do I approach an electronic system being compliant with 21 CFR Part 11?
The following is an outline of an approach when considering validating a computer system:
- Decide if research records fall under the FDA Guidance Definition of 21 CFR Part 11 Records and uses an electronic system to document those records in lieu of paper records.
- Determine if you are a sponsor, sponsor-investigator or regulatory entity responsible for ensuring 21 CFR Part 11 compliance. If not, this obligation would fall on one of those named bodies and you should communicate with the sponsor or regulatory entity about a compliance status. Note that sponsors may require or request an institution ensure its own computerized system(s) is 21 CFR Part 11 complaint before allowing the site to participate in the study, or the sponsor may favor an institution during site selection if it has a 21 CFR Part 11 compliant system.
- If your institution will be ensuring a computerized system's 21 CFR Part 11 compliance, decide on what systems may need to be validated. Computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are subject to the validation requirements (See 21 CFR §11.10(a)). Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. This decision should also carefully consider whether the selected system(s) will integrate with other, non-compliant systems that should also be rendered 21 CFR Part 11 compliant. FDA Guidance: Approach suggests decisions to validate computerized systems, and the extent of the validation. As noted, one should take into account the impact the systems have on your ability to meet predicate rule requirements, and on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures. FDA recommends basing your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.
- Develop and execute a plan to validate the system. This involves assuring the integrity of the computerized system, as well as establishing processes and procedures for initial and ongoing compliance. While individual validation plans and processes may vary, general application of several broad areas can be used successfully as guidance in building a comprehensive approach to software verification and validation. Some of these areas include Quality Planning; Risk Assessment; System Requirements, Specification, Installation, Code, Security, Data Transfer, Audit Trails, Electronic Signatures, Testing and Maintenance; SOPs – Operation, Support and Training. To ensure ongoing compliance with validation, quality management and change control procedures should be in place to analyze system changes, and determine and document their impact on the system and its validated state. For more information, please visit FDA's General Principles of Software Validation; Final Guidance for Industry and FDA Staff .