FDA 21 CFR Part 11 is a regulation that governs how Medical Device, Pharmaceutical, and other FDA-regulated companies should handle their electronic records and electronic signatures.
The Life Science Industry is known for a vast number of regulations and various sets of guidelines that organizations must comply with. However, to this day some companies find it difficult to fully comply with 21 CFR Part 11 requirements.
Here is what we will be discussing in this article:
- What Is 21 CFR Part 11?
- Who Does 21 CFR Part 11 Apply to?
- What Are the Requirements of 21 CFR Part 11?
- Benefits of 21 CFR Part 11 Compliance
- 21 CFR Part 11 Frequently Asked Questions
What Is 21 CFR Part 11?
Part 11 of Title 21 in the Code of Federal Regulations, or 21 CFR Part 11, more commonly referred to as “Part 11” is a set of rules that specify the requirements for electronic records and signatures.
In section 11.1 Scope (a), the regulation defines the criteria for electronic records and electronic signatures under which they are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. Put simply, the regulation outlines the handling of electronic records which are a part of Electronic Quality Management Systems (eQMS) and other quality-critical applications.
Who Does 21 CFR Part 11 Apply to?
In section 11.1 Scope, the FDA defines “scope” of the regulation in the following way:
“(b) 21 CFR Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth by the FDA.”
Therefore, the regulatory framework applies to any company within the FDA-regulated industry that manages electronic records and electronic signatures.
But what if you have all your “master records” on a paper-format and nowhere else?
Then, of course, 21 CFR Part 11 does not apply to your company. However, if you have uploaded quality critical documents onto any computer system it is almost certain that the regulatory framework will apply to you.
Furthermore, in section 11.3 Definitions, the FDA defines “electronic record” as:
“(6) any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
This means that not only your documents are in scope but also:
- sound files;
- test records;
- source code;
- etc. is considered electronic records.
What Are the Requirements of 21 CFR Part 11?
These are the key requirements for a compliant eQMS described by the FDA that you must consider when implementing a document management solution.
In section 11.10 Controls for closed systems, FDA requires:
“(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
This means that regular system software validation checks must be conducted. This will ensure that all elements of your system work as intended. Additionally, you must record validation testing results.
Read more about QMS Software Validation – When is it Needed?
Measures related to operating the hardware, software and physical records involved in the Quality Management System of your company must be well documented.
Additionally, section 11.10 of 21 CFR Part 11 specifies that procedures and controls of compliant systems shall include:
“(b) The ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency…”
This means that the eQMS must have the ability to generate or export accurate and complete copies of records stored within the system. The eQMS must also be able to provide both electronic copies (export capabilities) as well as paper copies or printouts.
Clear audit trails are one of the most fundamental elements of any good document management system. Furthermore, it is a core requirement of 21 CFR Part 11.
In section 11.10 Controls for closed systems FDA specifies that the system should include:
“(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.”
Therefore, every creation, modification, or deletion of any record should be automatically stored in an audit history file. Moreover, the file should not be modifiable. Such audit trail documentation should be retained for a period and shall be available for FDA-auditors to review and copy if required.
That is why it important to have proper Quality Assurance (QA) processes in place to ensure that all processes are well documented, easily traceable, with an associated audit history.
As stated in section 11.10, the system should include:
“(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.”
Therefore, good Electronic Quality Management System Software should be able to monitor and control quality procedures via the phase-gate process. Such a workflow ensures that records are created, reviewed, if needed, and approved by specified personnel.
For instance, the illustration above shows how specifically, SimplerQMS allows to monitor and control any document. This is done through an automated workflow that follows a similar phase-gate approach.
In this example, the document cannot be edited after it has been approved. In case a change is needed, a new version of the document must then be drafted.
Section 11.10 also states that the system should involve:
“(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”
Access to a system should be controlled by a unique login and password for every authorized system user. This can be achieved by using tools like Azure Active Directory. It maintains a list of users, their passwords, access levels, and so on. Hereby, your organization’s users will only need one password to login to their computers and to sign documents electronically.
Part 11 also dictates that all users with access to the system should have a proper education, training, and experience to perform their assigned tasks. More precisely, as stated in section 11.10, the system should have:
“(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.”
This means that each user of the system should be trained for their specific role. Furthermore, training should be well documented. This will allow auditors to review the operational audit trail and cross-reference with training logs, increasing the chance of having a successful audit outcome.
To learn more about common practices when preparing for an audit read our article on remote auditing best practices!
The electronic signature is one of the most common ways of reviewing and approving electronic records, that is compliant with 21 CFR Part 11 regulatory framework. In section 11.3 Definitions, FDA defines Digital signature the following way:
“(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”
To be compliant a digital signature must contain:
- The printed name of the signer
- The date and time when the signature was executed
- The meaning (e.g., authorship, review, or approval) associated with the signature
This is an example of how Part 11 Compliant eSignatures work in the SimplerQMS:
Benefits of 21 CFR Part 11 Compliance
Although the FDA’s 21 CFR Part 11 regulatory framework can be challenging to comply with at first, all the requirements were designed to satisfy the changing needs of Life Science companies. Also, Part 11 regulation can help to:
- Increase efficiency within operations
- Lower expenses
- Improve overall system security
- Increase the level of employee training
- Decrease the number of records with defects
21 CFR Part 11 Frequently Asked Questions
21 CFR Part 11, commonly referred to as “Part 11” is a set of rules that specifies what is required for the electronic records and signatures. The regulatory framework outlines the management of records in Electronic Quality Management Systems for Life Science and other FDA-regulated industries.
The main difference is how Annex 11 and Part 11 approaches risk management. Annex 11 lists risk assessment as the starting point of compliance activities. Part 11 has no references to risk or criticality but focuses on security for open and closed systems.
All computer systems which store quality critical data or are used to make decisions about quality must be compliant with 21 CFR Part 11. Furthermore, any system that is used for reporting data to the FDA must also be Part 11 Compliant.
For example, systems used in life science manufacturing such as the handling of Batch Master Records or systems that manage deviations and CAPAs (Corrective and Preventive Actions), or systems that are used for determining quality, safety, strength, efficacy, or purity in laboratory results.
As discussed in the article above, 21 CFR Part 11 is a set of rules that specifies what is required for the electronic records and signatures to be equivalent to paper records and handwritten signatures. The regulation specifically outlines the administration of records in Electronic Quality Management Systems (eQMS) for Life Science and other FDA-regulated industries.
Life Science companies will definitely gain from full compliance with 21 CFR Part 11 requirements discussed in this article. Not just because it will help to bring your product to market faster but also serve as a catalyst for the protection of confidential information.