21 CFR Part 11
The Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11) provides compliance information regarding the U.S. Food and Drug Administration's (FDA) guidelines on electronic records and electronic signatures. Within this part, requirements are created to help ensure the security, integrity, and confidentiality of electronic records and to ensure electronic signatures are as legally binding as hand-written signatures.
Practically speaking, Part 11 requires drug makers, medical device manufacturers, biotech and biologics companies, contract research organizations, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for closed and open software and systems involved in processing specific electronic data. This primarily includes data to be maintained under the FDA predicate rules and data used to demonstrate compliance with a predicate rule. (A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11.) The rule also applies to submissions made to the FDA in electronic format, but not to paper submissions by electronic methods, though paper submissions may eventually be prohibited by the FDA.
By the early 1990s, food and drug manufacturers approached the U.S. Food and Drug Administration (FDA) about the possibility of electronic submissions with electronic signatures. However, at that time the government did not allow for digital signatures. In July 1992, the FDA began soliciting comments about the process of using electronic signatures.
In March 1997, the FDA issued Part 11 regulations which, in the words of the FDA, were "intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health." Various keynote speeches by FDA insiders early in the 21st century (in addition to compliance guides and draft guidance documents) as well as strong efforts by the FDA to motivate industry to move to e-filing resulted in many companies like Eli Lilly, Agilent Technologies, and other businesses rapidly being forced to change their methods and systems to adapt to the new standards.
However, many entities expressed concerns about the Title 11 conditions, including concerns the regulations would "unnecessarily restrict" the use of technology, add significant compliance costs beyond what was intended, and stifle technological innovation while reducing public health benefit. In November 2002, the FDA released the guidance document "Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records" to the public for comment. On February 3, 2003, the FDA withdrew that document, stating "we wanted to minimize industry time spent reviewing and commenting on the draft guidance when that draft guidance may no longer represent our approach under the [current good manufacturing practice] initiative," adding it would afterwards "intend to exercise enforcement discretion with regard to certain Part 11 requirements." Further guidance documents were withdrawn later that month, culminating in a final guidance document in August 2003 stating the government body would re-examine Part 11 and make necessary changes. However, the FDA reiterated that, despite its retraction of the guidance documents, "21 CFR Part 11 is not going away, and neither is the agency's demand for electronic record integrity." The retraction of guidance and change in policy nevertheless led many IT members in the pharmaceutical and life sciences industry in late 2004 to cite the lack of clear guidelines from the FDA about what is required for compliance as one of the key problems they face.
The FDA had indicated it would produce a revised version of Part 11 by the end of 2006, after its Third Annual FDA Information Management Summit had concluded. Those revisions never arrived, and few updates on the topic followed. On July 8, 2010, the FDA announced it would begin to audit facilities working with drugs "in an effort to evaluate industry's compliance and understanding of Part 11 in light of the enforcement discretion," leaving some to wonder if this was an indicator the regulation and/or its guidance would finally see a revision.
With an increase in violations of data integrity in current good manufacturing practice (CGMP) inspections in the mid-2010s, the U.S. Food and Drug Administration eventually issued draft guidance in April 2016 for implementing the data integrity requirements of 21 CFR Parts 210–212, as well as clarifying how electronic signature and record-keeping requirements in 21 CFR Part 11 apply. That guidance was finalized in December 2018, encouraging firms to "implement meaningful and effective strategies to manage their data integrity risks based on their process understanding and knowledge management of technologies and business models."
The structure of Part 11 is as follows:
Subpart A — General Provisions
Subpart B — Electronic Records
- § 11.10 Controls for closed systems
- § 11.30 Controls for open systems
- § 11.50 Signature manifestations
- § 11.70 Signature/record linking
Subpart C — Electronic Signatures
- § 11.100 General requirements
- § 11.200 Electronic signature components and controls
- § 11.300 Controls for identification codes/passwords
Subpart A is essentially the preamble of the regulations, explaining to what and whom the regulations apply as well as how they'll apply. Definitions of common terms appearing in the regulations can also be found here, including a clarification of the difference between a digital signature and an electronic signature.
Subpart B covers the requirements applicable to electronic records and their management. Several requirements are addressed, including "how to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records"; what content a signature should contain; and how electronic records and their signatures should be linked. It also covers topics like system validation, data traceability, audit control, and version control.
Subpart C, the final section, addresses the requirements specific to electronic signatures and their use. General requirements for electronic signatures, their components and controls, and password controls are all addressed. Additionally, this section addresses requirements for more advanced biometric-based signatures.
Audit guidelines and checklist
For those auditing computer systems and IT environments for their compliance with 21 CFR Part 11 and other regulations, a set of guidelines and checklist items may be useful.