The FDA’s Title 21 CFR Part 11 regulation governs the way life sciences organizations are permitted to use electronic records and e-signatures in the place of, or in addition to, paper records. Let’s take a look at the requirements of this regulation, and how it impacts life sciences product developers!
In the digital era, it’s no wonder that Part 11 is a topic of widespread discussion in life sciences industries: while paper records are still widely used, digitalization is on the rise, and due to the scope of Title 21 CFR Part 11, regulations on electronic record keeping apply to more and more companies. First off, let’s find out who’s covered by 21CFR11!
Does Title 21 CFR Part 11 apply to you?
Any company operating in life sciences industries that chooses to maintain records or manage regulatory submissions in an electronic format will be covered by 21CFR11. The regulation may apply to pharmaceutical companies, developers of medical technology, biotech and biologics firms, as well as a variety of other life sciences companies.
Part 11 covers records that are maintained in an electronic format, either in addition to or replacing “regular” paper records. It also applies to regulatory submissions, e.g. records submitted to the FDA electronically. Finally, it covers electronic signatures that are intended to be equivalent to traditional “wet” (handwritten) signatures.
When in doubt about whether you are subject to Part 11, err on the side of caution: most companies that release products in the US are likely to be covered! In fact, if you use computer systems during the development of your product (and especially if any part of your Quality Management System is uploaded to a computer system), you can be almost certain that Title 21 CFR Part 11 applies to you.
Requirements of 21CFR11
Title 21 CFR Part 11 defines the criteria under which electronic records and electronic signatures are considered “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper”.
Its first section, Subpart A, outlines general provisions including scope, implementation, and definitions of terms used in the regulation.
Subpart B--Electronic Records
Subpart B covers Electronic Records, including controls for both closed systems and open systems. In Title 21 lingo, ‘closed system’ (covered by section 11.10) refers to a digital environment in which the people responsible for the content of electronic records also control access to the software system.
Controls of closed systems include security management requirements including those governing access control & user authorization, workflows, audit trails, checks to verify the integrity of both data and e-signatures, and the validation of the closed system. Section 11.10 also calls for the definition of policies for accountability in system operation and the maintenance of security measures.
Section 11.30 covers controls for open systems, e.g. record-keeping systems that more people have access to, that is, where access is not controlled by the same persons responsible for the content managed in the system. In addition to all the requirements that apply to closed systems, this section calls for additional measures around document encryption and the use of appropriate digital signature standards to ensure the authenticity, integrity, and confidentiality of records.
Also part of Subpart B are some additional requirements on signature manifestations and signature/record linking. FDA requires that the signer’s printed name appears along the timestamped signature, as well as the meaning associated with the signature (e.g. review, approval, responsibility, or authorship). Finally, requirements on Signature record/linking stipulate that appropriate measures are taken (e.g. the use of adequate record-keeping software) to make sure unauthorized users aren’t able to simply copy signatures from one document to another.
Subpart C--Electronic Signatures
The three sections of Subpart C define requirements on electronic signatures:
- Section 11.100 General requirements
- Section 11.200 Electronic signature components and controls
- Section 11.300 Controls for identification codes/passwords.
The most fundamental general requirement pertaining to e-signatures is pretty straightforward:
- Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
The first section also stipulates that any organization using e-signatures has to first verify the identity of the individual whose e-signature they plan to use, and submit a certification about this in paper form (along with a handwritten signature) to FDA’s Office of Regional Operations in Rockville, MD.
Section 11.200 clarifies that FDA requires the use of at least two identification components with e-signatures (in most cases, this will likely be an ID code and a password). The section explicitly refers to individuals, stipulating that e-signatures may only be used by their genuine owners (in other words, teams can’t have FDA-compliant e-signatures).
The third section, 11.300, defines controls for said ID components. This part requires that each combination of identification code and password is unique and that they are periodically revised to protect against password aging. The section also calls for the appropriate protection of compromised tokens (lost, stolen, etc) via deauthorization and the issuance of replacements only under suitable controls. Finally, the section stipulates that organizations have to implement adequate safeguards to prevent unauthorized use, to detect and report security breaches, and need to conduct both initial and periodic testing of devices that generate or manage these tokens (ID codes or passwords).
As evidenced by the explanation above, compliance with FDA’s Title 21 CFR Part 11 is no rocket science, but it does require a careful approach. Using platforms that are 21CFR11-ready out of the box, such as codeBeamer ALM, dramatically reduces the effort going into asserting compliance. Download our fact sheet to learn more about how codeBeamer ALM's Title 21 CFR Part 11 Validation Kit can support you in adhering to FDA requirements!