Compliance with Regulation 21 CFR Part 11 on Electronic Records and Electronic Signatures
Part 11 of Title 21 of the US Code of Federal Regulations (21CFR11) sets out requirements that computer systems must meet to satisfy the Food and Drug Administration (FDA) that electronic records and electronic signatures provided by those systems are trustworthy and reliable to the same extent as paper counterparts. The regulation sets out controls and procedures which need to be established and followed for relevant computer systems in FDA-regulated environments. An FDA-regulated environment is a ‘GxP’ environment operated by an organisation involved in activities leading to the marketing of drugs or medical devices in the USA; examples are drug manufacturing sites, medical device manufacturing sites, analytical laboratories, clinical investigational sites, and nonclinical study laboratories.
21CFR11 applies to records that are required to be submitted to the FDA, or that are subject to FDA inspection, and that are in electronic form – that is, as computer files. It applies to all computer systems used to create, modify, maintain, archive, retrieve, or transmit such records – from a humble spreadsheet program to a complex information management system.
Companies that market, or intend to apply for approval to market, drugs or medical devices in the USA must comply with 21CFR11, whether or not they are based in the USA. Suppliers that provide such companies with materials, equipment, or data subject to FDA regulation must also comply.
Approximate Course Time: 1.5 hours
CPD Points: 1.5
Audience: Research, Regulatory, Manager, Other
Category: Information and Communication Technology
Who will benefit from this module?
This module provides essential training for all personnel who use computer systems in GxP environments.
- Define regulation 21CFR11 and explain its context and purpose
- Specify criteria to determine which environments, computer systems, electronic records, and electronic signatures must comply with the regulation
- Describe procedures and controls required by the regulation for electronic records and electronic signatures
- Describe the consequences of the FDA’s discretion in enforcing compliance with some of the provisions of the regulation
Module overview – An outline of the module’s scope and objectives, and notes on terminology.
21CFR11 and its scope – We define regulation 21CFR11 (‘Part 11’), explain its purpose, and set out criteria for identifying the environments, computer systems, electronic records, and electronic signatures to which it applies. We describe how underlying legal requirements are specified by predicate rules. We point out that it is not the type of computer system that determines whether Part 11 applies, but the use to which the system is put. Finally, we introduce the regulation’s distinction between closed and open systems.
Procedures and controls – We describe the procedures and controls that need to be established and followed to comply with Part 11. We identify those for which the FDA exercises enforcement discretion. We give examples of open systems and outline additional procedures and controls required for them.
Electronic signatures – We set out Part 11’s requirements for electronic signatures. We specify the information to be provided and we outline constraints on the way signatures are linked to records. We emphasise the importance of uniqueness of signatures and verification of the identity of signatories. We mention the need for one-off certification with the FDA. We outline components of non-biometric and biometric signatures. Finally, we set out procedures and controls required for user names and passwords.
FDA enforcement discretion – We describe the FDA’s narrow interpretation of Part 11, and its effect on the need to comply with some of the regulation’s provisions. We discuss the latest relevant FDA guidance for industry and the effect of the agency’s interpretation on its enforcement of compliance with requirements for validation, audit trails, record retention, and record copying. We also specify the exemption for legacy computer systems.
Assessment – Multiple-choice mastery assessment.