Code of Federal Regulations Title 21 Part 11 Requirements
Updated on March 9, 2020
As part of the Food and Drug Administration (FDA) Modernization Act, in 2003, the Agency drafted a guidance document (Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application). This guidance was intended to describe the FDA’s current thinking regarding the scope and application of part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (21 CFR Part 11). This guidance document was drafted in response to the pharmaceutical industry’s use of computerized systems to meet the requirements described in the Food, Drug and Cosmetic Act (FD&C Act).
The regulations in this part establish the criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and equivalent to paper records and handwritten signatures. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any stated record requirements set forth in FDA regulations. It also applies to electronic records submitted to the Agency under requirements of the FD&C Act and the Public Health Service Act, even if such records are not specifically identified in Agency regulations. In other words, if you submit an electronic record to the FDA, it is required to meet the requirements of the Part 11 regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means, such as faxes and paper documents sent electronically via email. Where electronic signatures and their associated electronic records meet the requirements of this part, the Agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by Agency regulations. A good rule of thumb is that if your company reviews, signs off and approves the record electronically, part 11 requirements apply. Also covered under 21 CFR Part 11 are records stored electronically that are used to make regulatory decisions and that may later be accessed for modifications or used in conjunction with other electronic data to create a record that is required by the FD&C Act.
Impact on Industry
The FDA has received comments from the pharmaceutical industry on the scope, implementation and enforcement of 21 CFR Part 11. One of the comments has been that these requirements are so broad and cumbersome that they would stifle innovation in the industry.
In response to this feedback, the Agency recently agreed to a narrow interpretation of the originally issued guidelines for Part 11 Electronic Records and Electronic Signatures. The latest iteration of these has been in effect since April 1, 2011.
In these recent guidelines, the Agency states:
“As an outgrowth of its current good manufacturing practice (cGMP) initiative for human and animal drugs and biologics, FDA is re-examining part 11 as it applies to all FDA regulated products. FDA anticipates initiating rulemaking to change part 11 as a result of the re-examination. This guidance will explain how narrowly the FDA will interpret the scope of part 11. While the re-examination of part 11 is under way, we intend to exercise enforcement discretion with respect to certain part 11 requirements. That is, we do not intend to exercise enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of part 11 as explained in this guidance. However, records must still be maintained or submitted in accordance with the underlying predicate rules, and the Agency can take regulatory action for noncompliance with such predicate rules. In addition, we intend to exercise enforcement discretion and do not intend to take (or recommend) action to enforce any part 11 requirements with regard to systems that were operational before August 20, 1997, the effective date of part 11 (commonly known as legacy systems) under the circumstances described in section III.C.3 of this guidance.”
One should note that the requirements set forth in part 11 remain in effect, but the Agency is exercising discretion in their enforcement. This means that companies should not completely abandon their efforts to comply with the requirements of part 11. While the Agency is deliberating, it is recommended that each company judiciously review its needs and implement reasonable procedures. The reasoning behind a company’s compliance strategy for part 11 should be well documented. The Agency still expects part 11 requirements to be met by companies that elect to use electronic records to satisfy the requirements of the regulations or predicate rules as these records are created, modified, archived, retrieved, or transmitted. Additionally, the Agency views electronic signatures executed on these electronic records to be trustworthy, reliable and generally equivalent to paper records and handwritten signatures executed on paper.
The Agency indicated in its most recent iteration of part 11, 01 April 2011, “We recommend that you determine, based on predicate rules, whether specific records are part 11 records. We recommend that you document such decisions.”
In enforcing part 11, the FDA will consider the company’s business practice and decide whether the requirements of part 11 are applicable. Whenever you use an electronic record instead of paper in making a decision required by a predicate rule, that electronic record needs to meet the requirements set forth in part 11. All records submitted to the FDA in electronic form as part of a regulatory filing are expected to meet part 11 requirements.
As indicated earlier, companies are encouraged to determine which records they are keeping in electronic format to meet a predicate rule and to document these in company procedures or in the validation documents. Once the rationale for what represents an electronic record and electronic signature is determined and documented, the company must validate these as required by part 11 and the predicate rules, mainly through computer validation. The system owner and users need to establish written procedures to manage and operate the system, and protocols need to be issued to validate it. Validation should ensure accuracy, reliability, consistent intended performance and the ability to discern invalid and altered records. Audit trails are typically implemented to meet the latter criterion. Other aspects to consider during system validation are the generation of accurate copies in both human-readable form and electronic form suitable for inspection, review and copying by the Agency. The storage and retrieval of records from these systems also needs to be validated so that the records are protected and accessible for the duration of the record retention period. Electronic records are required to clearly state the printed name of the signer, the date and the meaning or role of the signer, whether displayed or printed in human-readable form.
Electronic signatures must be addressed and validated by the company, which needs to ensure that each signature is unique to the person signing the record. The confidentiality and integrity of the electronic signature also need to be maintained. The electronic signature shall be linked to its respective electronic record to ensure it cannot be copied or transferred to falsify an electronic record.
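One way to link a signature to its record so that it cannot be copied or transferred, shown as an added example that is not part of the original article or of any FDA text: the signature manifest carries the signer's printed name, the date and the meaning of the signature together with a hash of the record content, and a keyed tag covers the whole manifest. Part 11 does not prescribe a mechanism; the HMAC construction, the function names, the key and the sample records are all assumptions constructed for illustration, and an asymmetric signature could replace the HMAC tag without changing the structure.

```python
import hashlib
import hmac
import json

def _canonical(obj):
    # Stable byte encoding so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record, printed_name, meaning, signed_at, signer_key):
    """Build a signature manifest bound to this exact record content."""
    manifest = {
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "printed_name": printed_name,   # who signed
        "meaning": meaning,             # e.g. review, approval
        "signed_at": signed_at,         # date and time of signing
    }
    tag = hmac.new(signer_key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}

def verify_signature(record, signature, signer_key):
    """Return 'valid', 'bad-tag' (manifest edited or wrong key) or
    'record-mismatch' (record altered, or signature moved from another record)."""
    manifest = {k: v for k, v in signature.items() if k != "tag"}
    expected = hmac.new(signer_key, _canonical(manifest), hashlib.sha256).hexdigest()
    supplied = str(signature.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad-tag"
    if manifest.get("record_sha256") != hashlib.sha256(_canonical(record)).hexdigest():
        return "record-mismatch"
    return "valid"

# Constructed sample data (not from the article).
SIGNER_KEY = b"constructed-demo-key-held-by-the-signing-service"
RECORD = {"batch": "DEMO-001", "test": "assay", "result": "99.2%"}
OTHER_RECORD = {"batch": "DEMO-002", "test": "assay", "result": "91.0%"}
SIG = sign_record(RECORD, "Jane Example", "approval", "2020-03-09T14:00:00Z", SIGNER_KEY)

if __name__ == "__main__":
    print(verify_signature(RECORD, SIG, SIGNER_KEY))                           # intact record
    print(verify_signature({**RECORD, "result": "99.9%"}, SIG, SIGNER_KEY))   # altered record
    print(verify_signature(OTHER_RECORD, SIG, SIGNER_KEY))                     # copied signature
    print(verify_signature(RECORD, {**SIG, "meaning": "review"}, SIGNER_KEY))  # edited manifest
```

The same check that rejects a transplanted signature also flags a record altered after signing, which is the "discern invalid and altered records" property that validation is expected to demonstrate.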
To address the requirements of part 11, it helps to create an inventory of the systems at your company that run software and are used to generate data, and of the specific programs used to generate results or other information that the company uses to meet the requirements of the predicate rule. These may be used to analyze samples or data generated from a test that will then be used to make decisions related to the predicate rule or used in a regulatory filing with the Agency. If the equipment is used for analysis of samples but the data is printed, verified and signed off by the person acquiring the data and by a person verifying that the results are correct, and the raw data files are not used at a later date for generating results, your system may not need to meet 21 CFR Part 11 requirements. The company still needs to evaluate the system and address any computer validation requirements that may apply.
It is important that these evaluations are carefully performed by the system owner and agreed upon by the company Quality Unit. These evaluations, and the reasons behind the decisions for systems not requiring part 11 compliance, need to be documented and adequately signed and approved. Any computer validation requirements need to be addressed via a Master Validation Plan, or via a company policy or quality manual that properly delineates the company’s approach and has been approved by the company’s senior management. These documents need to be available if requested during an Agency audit of your facility.
Figure 1 is a diagram with a layout of requirements needed for the validation of computerized systems including 21 CFR Part 11 requirements.
Many times, the Installation and Operational Qualifications are combined in a single protocol that serves to document that the functional specifications and the configuration specifications have been addressed during installation and can be verified after the installation and configuration stage of the project. The Performance Qualification assures that the user requirements have been met and that the system does what it is supposed to do as specified in the user requirements. At the completion of these verification stages, a validation report is issued. Future system changes are documented and controlled under a formal change control system, where any changes to the system are proposed, documented, evaluated and approved by responsible individuals, including the Quality Unit. If deemed necessary, the changes undergo validation before they are made effective.
Companies that maintain electronic records to meet the requirements of FDA regulations may use these records in lieu of paper. The goal is that companies implementing electronic records will benefit from across-the-board efficiencies, access to records, and better trending of data. Feedback to quality systems is readily achieved and compliance with procedures is greatly enhanced.
These requirements were set forth to assure that subject data is adequately collected and protected, and that there is a permanent record of when it was collected, approved, reviewed and modified, as well as of who accessed the record and when, through the use of electronic signatures. This assures that the original electronic record is always intact.