What is 21 CFR part 11?
- 21 CFR Part 11 is the FDA’s regulations for electronic documentation and electronic signatures. It outlines the administration of electronic records in a medical device company’s quality management system.
- In March of 1997, the United States FDA issued regulations that established the criteria for acceptance by the FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic documents. While our focus is on medical device companies and the compliance of their quality systems with this regulation, the rules also apply to companies in pharma, biotech, biologics developers, and other FDA-regulated industries. These laws are codified as Part 11 of Title 21 in the Code of Federal Regulations, or 21 CFR Part 11, or Part 11 for shorthand.
Three subparts of 21 CFR Part 11:
- General Provisions Section: The General Provisions Section addresses the scope of the regulations, implementation timelines, methods, and defines key terms used within the rules.
- The Electronic Records Section: The Electronic Records Section sets forth the requirements for the administration of closed and open electronic recordkeeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
- The Electronic Signatures Section: The Electronic Signatures Section divides into three parts: general requirements for electronic signatures, electronic signature components and controls, and controls for identification codes/passwords.
The goals of Part 11:
- Determine whether 21 CFR part 11 applies to your company.
- To ensure data is not corrupted or lost, maintain data safely and securely.
- To Trace changes to data.
- To prevent and detect falsified records.
- Ensure that approval and review signatures cannot be disputed.
- To help companies understand how to use computer systems and software, especially when a system is not working correctly.
Best Practices:
- Follow 21 CFR part 11, data security, and password protection best practices.
- Establish clear audit trails for traceability.
- Follow 21 CFR part 11 guidelines on electronic signatures.
- Do not outsource responsibility: you oversee your 21 CFR part 11 compliance.
- Validate for Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
- Consider 21 CFR part 11 compliance when choosing a Content Management System (CMS) solution.
Validation:
- Records must be readily retrievable throughout the retention period.
- Limit system access to authorized individuals.
- The system should ensure that only authorized individuals can use it, electronically sign records, alter a record, or perform other operations.
- Input data or instructions can only come from specific input devices into the system.
- Encrypt data.
- Attest digital signatures.
Audit trail for every document:
- There must be a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records.
- Upon making a change to an electronic record, previously recorded information should still be available.
- An electronic records audit trail must be retrievable throughout the record’s retention period.
- The audit trail must be available for FDA review, and the FDA must be able to download a copy.
- The audit trail must include the User ID, sequence of events, original and new values, a changelog, and revision and change controls.
- Signed electronic records must contain the printed name of the signer.
- We must ensure that we link signatures to their respective electronic records to prevent them from being cut, copied, or otherwise transferred by ordinary means for falsification.
- There should be a formal change control procedure for system documentation that maintains a time-sequenced audit trail for those changes made by the pharmaceutical organization.
- Electronic signatures should be unique to an individual.
- We should never reuse or reassign electronic signatures to anyone else.
- The identity of an individual must be verified before allocating an electronic signature.
- The signature must have at least two components, such as an identification code and password, or an ID card and password.
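The audit-trail and signature-linking requirements above, as an added example that is not from the page or from the FDA: an append-only, time-stamped audit trail that keeps both original and new values, plus signatures HMAC-bound to the record's content hash so that a signature copied onto another record, or left on a record that was later modified, fails verification. The user keys, record IDs and field values are constructed placeholders.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed per-user signing secrets (placeholders); in practice they come from
# the identity system behind the two-component (ID code + password) signature.
USER_KEYS = {"jdoe": b"constructed-secret-jdoe", "asmith": b"constructed-secret-asmith"}

class ElectronicRecord:
    def __init__(self, record_id, fields):
        self.record_id = record_id
        self.fields = dict(fields)
        self.audit_trail = []   # append-only: earlier values stay available

    def content_hash(self):
        # Canonical serialisation so identical content always hashes the same.
        blob = json.dumps({"id": self.record_id, "fields": self.fields}, sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()

    def change(self, user_id, field, new_value, reason):
        old_value = self.fields.get(field)
        self.fields[field] = new_value
        # Time-stamped, user-attributed entry holding both original and new values.
        self.audit_trail.append({
            "seq": len(self.audit_trail) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "action": "modify", "field": field,
            "old_value": old_value, "new_value": new_value, "reason": reason})

    def _mac(self, user_id, printed_name, meaning, digest):
        # The MAC covers the record hash, so a signature cannot be moved to another
        # record or carried over onto a later revision of this one.
        msg = f"{user_id}|{printed_name}|{meaning}|{digest}".encode()
        return hmac.new(USER_KEYS[user_id], msg, "sha256").hexdigest()

    def sign(self, user_id, printed_name, meaning):
        digest = self.content_hash()
        return {"user_id": user_id, "printed_name": printed_name, "meaning": meaning,
                "record_hash": digest,
                "mac": self._mac(user_id, printed_name, meaning, digest)}

    def verify(self, sig):
        # Fails if content changed since signing, the signature was pasted from
        # another record, or any signature field (e.g. printed name) was altered.
        if sig["record_hash"] != self.content_hash():
            return False
        expected = self._mac(sig["user_id"], sig["printed_name"], sig["meaning"], sig["record_hash"])
        return hmac.compare_digest(expected, sig["mac"])
```

A production system would also write the audit trail to append-only storage and derive the signing secret from the authenticated session rather than a static table.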
Record Retention:
- Controls must be in place to maintain the uniqueness of each combined identification code and password, such that no individual can have the same combination of identification code and password.
- We must establish procedures to periodically check the validity of identification codes.
- Passwords must expire periodically, and we should revise them accordingly.
- We must establish procedures to recall identification codes and passwords if a person leaves or is transferred.
- Additionally, we must establish procedures to electronically disable an identification code or password if it is potentially compromised or lost.
- There must be a procedure for detecting attempts at unauthorized use and for informing security.
- There must be a procedure for reporting repeated or severe attempts at unauthorized use to management.
- Testing should verify whether there have been any unauthorized alterations.