What is 21 CFR Part 11?

Act  means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).

 

(2) Agency  means the Food and Drug Administration.

 

(3) Biometrics  means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

 

(4) Closed system  means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

 

(5) Digital signature  means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

 

(6) Electronic record  means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

 

(7) Electronic signature  means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

 

(8) Handwritten signature  means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

 

(9) Open system  means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

 

Subpart B - Electronic Records

 

§ 11.10 Controls for closed systems.

 

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

 

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

 

(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

 

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

 

(d) Limiting system access to authorized individuals.

 

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

 

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

 

(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

 

(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

 

(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

 

(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

 

(k) Use of appropriate controls over systems documentation including:

 

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

 

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

 

§ 11.30 Controls for open systems.

 

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

 

§ 11.50 Signature manifestations.

 

About Us

 

In 1997, the United States Food and Drug Administration (FDA) issued Part 11 of Title 21 that defines the criteria under which electronic records and signatures are considered equivalent to paper records and handwritten signatures. Despite the great controversy and confusion this regulation has caused over the years, it will actually make your life easier and clutter-free by creating a standard-compliant, paperless quality management system. .

 

Who is affected?

The 21 CFR Part 11 regulation applies to all industries regulated by the FDA, but primarily to any Life Sciences company that wants to research, manufacture and sell its products or services in the United States. Part 11 also applies to electronic records submitted to FDA under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act.

 

Here's the FDA's 5-step approach to meeting Part 11 requirements:

 

Validation : In addition to meeting all applicable predicate rule requirements for validation, consider the impacts computerized systems will have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures.

Audit Trail : If there are no rule requirements to document (i.e. time, date, or sequence of events), FDA suggests providing an audit trail for other appropriate measures to ensure product quality and safety, as well as the integrity of the registry.

Legacy Systems : FDA does not intend to take compliance action for systems that were operational prior to August 20, 1997, as long as the system met the requirements prior to the effective date and there is documentation to indicate that it is suitable for intended use.

Copies of Records: All records are subject to inspection. Investigators should have access to the records during an inspection for review and copying.

Record Retention: FDA enforces the protection and availability of records throughout the record retention period. If the requirements are fully met and the content and meaning of the records are preserved and archived, the electronic version of the records may be deleted.