21 CFR Part 11 is a set of regulations issued by the U.S. Food and Drug Administration (FDA) that pertain to electronic records and electronic signatures. The regulations establish the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable, and equivalent to paper records and handwritten signatures.
In section 11.10 Controls for closed systems, FDA requires:
“(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
Section 11.10 of 21 CFR Part 11 specifies that procedures and controls of compliant systems shall include:
“(b) The ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency…”
In section 11.10 Controls for closed systems, FDA specifies that the system should include:
“(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.”
“(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.”
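One way to make an audit trail of the kind described in 11.10(e) tamper-evident, so that altered entries can be discerned as 11.10(a) asks: an append-only log in which each entry carries a system-generated timestamp and the hash of the previous entry. This is an added illustration, not text from the regulation or FDA guidance; the `AuditTrail` class, the field names and the sample operators and record IDs are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # fixed anchor that the first entry chains to

def digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

class AuditTrail:
    ACTIONS = {"create", "modify", "delete"}

    def __init__(self):
        self.entries = []

    def record(self, operator, action, record_id, old=None, new=None):
        if action not in self.ACTIONS:
            raise ValueError(f"unsupported action: {action}")
        body = {
            "seq": len(self.entries),
            # Timestamp comes from the system clock, never from the operator.
            "ts": datetime.now(timezone.utc).isoformat(),
            "operator": operator, "action": action, "record_id": record_id,
            "old": old, "new": new,  # keep prior value so changes stay visible
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=digest(body))
        self.entries.append(entry)
        return entry

def verify(entries):
    """Return the index of the first altered/missing entry, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    return None

def demo():
    # Constructed sample data: operators and record IDs are made up.
    trail = AuditTrail()
    trail.record("jdoe", "create", "BATCH-001", new={"ph": 7.1})
    trail.record("asmith", "modify", "BATCH-001", old={"ph": 7.1}, new={"ph": 7.2})
    trail.record("asmith", "delete", "BATCH-001", old={"ph": 7.2})
    return trail
```

The chain alone does not detect removal of the newest entries or a rewrite of the entire log by someone with full write access; storing or signing the latest hash outside the system closes that gap.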
Section 11.10 also states that the system should involve:
“(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”
Part 11 also dictates that all users with access to the system should have the proper education, training, and experience to perform their assigned tasks. More precisely, as stated in section 11.10, the system should have:
“(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.”
The electronic signature is one of the most common ways of reviewing and approving electronic records that are compliant with the FDA 21 CFR Part 11 regulatory framework. In section 11.3 Definitions, FDA defines a digital signature in the following way:
“(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”
To summarize key requirements of 21 CFR Part 11:
- Electronic records must be trustworthy, reliable, and equivalent to paper records and handwritten signatures.
- Organizations must implement strict controls to ensure the authenticity, integrity, and confidentiality of electronic records, including implementing robust security protocols and access controls.
- Organizations must have procedures in place to ensure the authenticity and integrity of electronic signatures, including the use of secure digital signatures and role-based access controls.
- Organizations must validate any computer systems used to create, modify, maintain, or transmit electronic records to ensure that they are reliable and accurate.
- Organizations must have procedures in place for maintaining and archiving electronic records, including procedures for ensuring the integrity of the records over time, and for ensuring that records can be retrieved in a timely manner.
- Organizations must have procedures in place for the identification and documentation of electronic records, including procedures for verifying that electronic records accurately reflect the original paper records, and procedures for ensuring that electronic records are legible, readily accessible, and easily readable.
- Organizations must have procedures for establishing and verifying the identity of individuals who create, modify, or sign electronic records.
- Organizations must have procedures for ensuring that electronic records are secure from unauthorized access or alteration.
- Organizations must have procedures for ensuring that electronic records are backed up and recoverable in case of system failure.
Violations of 21 CFR Part 11 can result in penalties and fines, and non-compliance can also affect an organization’s ability to do business with the FDA and other regulatory agencies.