Difference between revisions of "21 CFR Part 11"

From LIMSWiki
(→‎History: Added CGMP stuff)
(26 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The '''Title 21 Code of Federal Regulations Part 11''' ('''21 CFR Part 11''') provides [[Regulatory compliance|compliance]] information regarding the U.S. Food and Drug Administration's (FDA) guidelines on electronic records and [[Electronic signatures|electronic signatures]]. Within this part, requirements are created to help ensure security, integrity, and confidentially of electronic records and to ensure electronic signatures are as legally binding as hand-written signatures.<ref name="21CFR11@ecfr">{{cite web |url=http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=04a3cb63d1d72ce40e56ee2e7513cca3&r=PART&n=21y1.0.1.1.8 |title=Electronic Code of Federal Regulations - Title 21: Food and Drugs - Part 11: Electronic Records; Electronic Signatures |publisher=U.S. Government Printing Office |accessdate=02 March 2012}}</ref>
The '''Title 21 Code of Federal Regulations Part 11''' ('''21 CFR Part 11''') provides [[Regulatory compliance|compliance]] [[information]] regarding the U.S. Food and Drug Administration's (FDA) guidelines on electronic records and [[Electronic signatures|electronic signatures]]. Within this part, requirements are created to help ensure security, integrity, and confidentially of electronic records and to ensure electronic signatures are as legally binding as hand-written signatures.<ref name="21CFR11@ecfr">{{cite web |url=https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=04a3cb63d1d72ce40e56ee2e7513cca3&r=PART&n=21y1.0.1.1.8 |title=Electronic Code of Federal Regulations - Title 21: Food and Drugs - Part 11: Electronic Records; Electronic Signatures |publisher=U.S. Government Printing Office |date=13 April 2020 |accessdate=15 April 2020}}</ref>


Practically speaking, Part 11 requires drug makers, medical device manufacturers, biotech and biologics companies, contract research organizations, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for closed and open software and systems involved in processing specific electronic data. This primarily includes data to be maintained by the FDA predicate rules and data used to demonstrate compliance to a predicate rule. A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11.<ref name="RegInfo_Part11_FDA">{{cite web |url=http://www.fda.gov/regulatoryinformation/guidances/ucm125067.htm |title=Part 11, Electronic Records; Electronic Signatures — Scope and Application |publisher=U.S. Food and Drug Administration |date=August 2003 |accessdate=06 April 2013}}</ref> The rule also applies to submissions made to the FDA in electronic format, but not to paper submissions by electronic methods, though paper submissions may eventually be prohibited by the FDA.<ref name="Tut21CFR11">{{cite web |url=http://www.labcompliance.com/tutorial/part11/ |title=Tutorial: 21 CFR Part 11 - Electronic Records and Electronic Signatures |author=Huber, Ludwig |publisher=LabCompliance |date=15 November 2012 |accessdate=10 April 2013}}</ref>
Practically speaking, Part 11 requires drug makers, medical device manufacturers, biotech and biologics companies, contract research organizations, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for closed and open software and systems involved in processing specific electronic data. This primarily includes data to be maintained by the FDA predicate rules and data used to demonstrate compliance to a predicate rule. (A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11.<ref name="RegInfo_Part11_FDA">{{cite web |url=https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application |title=Part 11, Electronic Records; Electronic Signatures — Scope and Application |publisher=U.S. Food and Drug Administration |date=August 2003 |accessdate=15 April 2020}}</ref>) The rule also applies to submissions made to the FDA in electronic format, but not to paper submissions by electronic methods, though paper submissions may eventually be prohibited by the FDA.<ref name="Tut21CFR11">{{cite web |url=http://www.labcompliance.com/tutorial/part11/ |archiveurl=https://web.archive.org/web/20180103191244/http://www.labcompliance.com/tutorial/part11/ |title=Tutorial: 21 CFR Part 11 - Electronic Records and Electronic Signatures |author=Huber, L. |publisher=LabCompliance |date=15 November 2012 |archivedate=03 January 2020 |accessdate=15 April 2020}}</ref>


==History==
==History==


By the early 1990s, food and drug manufacturers approached the U.S. Food and Drug Administration (FDA) about the possibility of electronic submissions with electronic signatures. However, at that time the government did not allow for digital signatures. In July 1992, the FDA began soliciting comments about the process of using electronic signatures.<ref name="GCN00Art">{{cite web |url=http://gcn.com/Articles/2000/06/01/FDA-offers-electronic-option.aspx?Page=2 |title=FDA offers electronic option |author=Jackson, William |publisher=GCN |date=01 June 2000 |accessdate=06 April 2013}}</ref>
By the early 1990s, food and drug manufacturers approached the U.S. Food and Drug Administration (FDA) about the possibility of electronic submissions with electronic signatures. However, at that time the government did not allow for digital signatures. In July 1992, the FDA began soliciting comments about the process of using electronic signatures.<ref name="GCN00Art">{{cite web |url=https://gcn.com/Articles/2000/06/01/FDA-offers-electronic-option.aspx?Page=2 |title=FDA offers electronic option |author=Jackson, W. |publisher=GCN |date=01 June 2000 |accessdate=15 April 2020}}</ref>


In March 1997, the FDA issued Part 11 regulations which, in the words of the FDA, were "intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the [[Public health informatics|public health]]."<ref name="RegInfo_Part11_FDA" /> Various keynote speeches by FDA insiders early in the 21st century (in addition to compliance guides and draft guidance documents)<ref name="RegInfo_Part11_FDA" /> as well as strong efforts by the FDA to motivate industry to move to e-filing<ref name="IWEfilingFDA">{{cite web |url=http://www.informationweek.com/fda-moving-to-e-filing/6500937 |title=FDA Moving To E-Filing |author=Greenemeier, Larry |publisher=InformationWeek |date=25 February 2002 |accessdate=06 April 2013}}</ref> resulted in many companies like Eli Lilly<ref name="IWLillyPart11">{{cite web |url=http://www.informationweek.com/lilly-cures-inefficiency-with-it/6501017 |title=Lilly Cures Inefficiency With IT |author=Greenemeier, Larry |publisher=InformationWeek |date=18 February 2002 |accessdate=06 April 2013}}</ref>, [[Agilent Technologies, Inc.|Agilent Technologies]]<ref name="LabNetAgilent00">{{cite web |url=http://www.laboratorynetwork.com/doc/Agilent-Introduces-Security-Pack-for-Analytic-0001 |title=Agilent Introduces Security Pack for Analytical Laboratories |publisher=Laboratory Network |date=20 June 2000 |accessdate=06 April 2013}}</ref>, and other businesses rapidly being forced to change their methods and systems to adapt to the new standards.<ref name="RegInfo_Part11_FDA" /><ref name="CEPart11Art">{{cite web |url=http://www.controleng.com/single-article/i-m-from-the-government-and-i-m-here-to-help-you/61fedbc69297fc6965c6d8840871e085.html |title='I'm from the Government, and I'm Here to Help You!' |author=Harrold, Dave |publisher=Control Engineering |date=01 April 2002 |accessdate=06 April 2013}}</ref>
In March 1997, the FDA issued Part 11 regulations which, in the words of the FDA, were "intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the [[Public health informatics|public health]]."<ref name="RegInfo_Part11_FDA" /> Various keynote speeches by FDA insiders early in the 21st century (in addition to compliance guides and draft guidance documents)<ref name="RegInfo_Part11_FDA" /> as well as strong efforts by the FDA to motivate industry to move to e-filing<ref name="IWEfilingFDA">{{cite web |url=https://www.informationweek.com/fda-moving-to-e-filing/d/d-id/1013809? |title=FDA Moving To E-Filing |author=Greenemeier, L. |publisher=InformationWeek |date=25 February 2002 |accessdate=15 April 2020}}</ref> resulted in many companies like Eli Lilly<ref name="IWLillyPart11">{{cite web |url=https://www.informationweek.com/lilly-cures-inefficiency-with-it/d/d-id/1013731? |title=Lilly Cures Inefficiency With IT |author=Greenemeier, L. |publisher=InformationWeek |date=18 February 2002 |accessdate=15 April 2020}}</ref>, [[Agilent Technologies, Inc.|Agilent Technologies]]<ref name="LabNetAgilent00">{{cite web |url=https://www.laboratorynetwork.com/doc/agilent-introduces-security-pack-for-analytic-0001 |title=Agilent Introduces Security Pack for Analytical Laboratories |publisher=Laboratory Network |date=20 June 2000 |accessdate=15 April 2020}}</ref>, and other businesses rapidly being forced to change their methods and systems to adapt to the new standards.<ref name="RegInfo_Part11_FDA" /><ref name="CEPart11Art">{{cite web |url=https://www.controleng.com/articles/im-from-the-government-and-im-here-to-help-you/ |title='I'm from the Government, and I'm Here to Help You!' |author=Harrold, D. |work=Control Engineering |date=01 April 2002 |accessdate=15 April 2020}}</ref>


However, many entities expressed concerns about the Title 11 conditions, including concerns the regulations would "unnecessarily restrict" the use of technology, add significant compliance costs beyond what was intended, and stifle technological innovation while reducing public health benefit.<ref name="RegInfo_Part11_FDA" /> In November 2002, the FDA released the guidance document "Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records" to the public for commenting.<ref name="CEGuideDocFDA1">{{cite web |url=http://www.controleng.com/search/search-single-display/fda-releases-21-cfr-part-11-guidance-document/5edbb001e1.html |title=FDA releases 21 CFR Part 11 guidance document |publisher=Control Engineering |date=03 January 2003 |accessdate=06 April 2013}}</ref> On February 3, 2003, the FDA withdrew that document, stating "we wanted to minimize industry time spent reviewing and commenting on the draft guidance when that draft guidance may no longer represent our approach under the [current good manufacturing practice] initiative," adding it would afterwards "intend to exercise enforcement discretion with regard to certain Part 11 requirements."<ref name="RegInfo_Part11_FDA" /> Further guidance documents were withdrawn later that month, culminating in a final guidance document in August 2003 stating the government body would re-examine Part 11 and make necessary changes.<ref name="RegInfo_Part11_FDA" /><ref name="inPharmaFDAFinal03">{{cite web |url=http://www.in-pharmatechnologist.com/Drug-Delivery/FDA-plans-to-amend-21-CFR-Part-11-rules |title=FDA plans to amend 21 CFR Part 11 rules |publisher=in-Pharma Technologist |date=05 September 2003 |accessdate=06 April 2013}}</ref> However, the FDA reiterated despite its retraction of the guidance documents "21 CFR Part 11 is not going away, and neither is the agency's demand for electronic record integrity."<ref name="QDPart11StillEnforced">{{cite web 
|url=http://www.qualitydigest.com/july03/articles/04_article.shtml |title=Quality Assurance, Safety and 21 CFR Part 11: These three old friends are here to stay |author=June, Tamar M. |publisher=Quality Digest |date=July 2003 |accessdate=10 April 2013}}</ref> The retraction of guidance and change in policy, however, led many IT members in the pharmaceutical and life sciences industry in late-2004 to state one of the key problems they face as the lack of clear guidelines from the FDA about what is required for compliance.<ref name="SNSSurveyUKIT">{{cite web |url=http://snseurope.info/article/12833/Complying-with-US-Food-and-Drug-Administration(FDA)-data-regulations-is-proving-a-struggle-for-IT-departments-in-pharmaceutical-and-life-science-companies |title=Complying with US Food and Drug Administration(FDA) data regulations is proving a struggle for IT departments in pharmaceutical and life science companies |publisher=Storage Networking Solutions |date=17 November 2004 |accessdate=06 April 2013}}</ref>
However, many entities expressed concerns about the Title 11 conditions, including concerns the regulations would "unnecessarily restrict" the use of technology, add significant compliance costs beyond what was intended, and stifle technological innovation while reducing public health benefit.<ref name="RegInfo_Part11_FDA" /> In November 2002, the FDA released the guidance document "Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records" to the public for commenting.<ref name="CEGuideDocFDA1">{{cite web |url=https://www.controleng.com/articles/fda-releases-21-cfr-part-11-guidance-document/ |title=FDA releases 21 CFR Part 11 guidance document |author=Control Engineering Staff |work=Control Engineering |date=03 January 2003 |accessdate=15 April 2020}}</ref> On February 3, 2003, the FDA withdrew that document, stating "we wanted to minimize industry time spent reviewing and commenting on the draft guidance when that draft guidance may no longer represent our approach under the [current good manufacturing practice] initiative," adding it would afterwards "intend to exercise enforcement discretion with regard to certain Part 11 requirements."<ref name="RegInfo_Part11_FDA" /> Further guidance documents were withdrawn later that month, culminating in a final guidance document in August 2003 stating the government body would re-examine Part 11 and make necessary changes.<ref name="RegInfo_Part11_FDA" /><ref name="inPharmaFDAFinal03">{{cite web |url=https://www.outsourcing-pharma.com/Article/2003/09/05/FDA-plans-to-amend-21-CFR-Part-11-rules |title=FDA plans to amend 21 CFR Part 11 rules |work=Outsourcing-Pharma |date=04 September 2003 |accessdate=15 April 2020}}</ref> However, the FDA reiterated despite its retraction of the guidance documents "21 CFR Part 11 is not going away, and neither is the agency's demand for electronic record integrity."<ref name="QDPart11StillEnforced">{{cite web 
|url=https://www.qualitydigest.com/july03/articles/04_article.shtml |title=Quality Assurance, Safety and 21 CFR Part 11: These three old friends are here to stay |author=June, T.M. |work=Quality Digest |date=July 2003 |accessdate=15 April 2020}}</ref> The retraction of guidance and change in policy, however, led many IT members in the pharmaceutical and life sciences industry in late 2004 to state one of the key problems they face as the lack of clear guidelines from the FDA about what is required for compliance.<ref name="SNSSurveyUKIT">{{cite web |url=http://snseurope.info/article/12833/Complying-with-US-Food-and-Drug-Administration(FDA)-data-regulations-is-proving-a-struggle-for-IT-departments-in-pharmaceutical-and-life-science-companies |title=Complying with US Food and Drug Administration(FDA) data regulations is proving a struggle for IT departments in pharmaceutical and life science companies |publisher=Storage Networking Solutions |date=17 November 2004 |accessdate=06 April 2013}}{{Dead link|April 2020}}</ref>


The FDA had indicated it would produce a revised version of Part 11 by the end of 2006, after its Third Annual FDA [[Informatics (academic field)|Information Management]] Summit had concluded.<ref name="inPharmaFDA2006">{{cite web |url=http://www.in-pharmatechnologist.com/Regulatory-Safety/FDA-to-review-electronic-signature-regulation |title=FDA to review electronic signature regulation |author=Reymond, Emilie |publisher=in-Pharma Technologist |date=24 October 2006 |accessdate=06 April 2013}}</ref> Those revisions never arrived, and little in the way of updates on the topic arrived.<ref name="FBFDA09">{{cite web |url=http://www.fiercebiotechit.com/story/dont-sweat-part-11-stuff/2009-11-13 |title=Don't sweat the Part 11 stuff |author=Miller, George |publisher=FierceBiotechIT |date=13 November 2009 |accessdate=06 April 2013}}</ref> On July 8, 2010, the FDA announced it would begin to audit facilities working with drugs "in an effort to evaluate industry's compliance and understanding of Part 11 in light of the enforcement discretion,"<ref name="FDAAnnounceJul8">{{cite web |url=http://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/ucm204012.htm |title=FDA To Conduct Inspections Focusing on 21 CFR 11 (Part 11) requirements relating to human drugs |publisher=U.S. FDA |date=08 July 2010 |accessdate=06 April 2013}}</ref> leaving some to wonder if this was an indicator the regulation and/or its guidance would finally see a revision.<ref name="GxPEnforce">{{cite web |url=http://gxpperspectives.com/2010/07/25/part-11-how-will-fda-enforce/ |title=Part 11: How Will FDA Enforce? |author=Barsky, Emma; Grunbaum, Len |publisher=GxP Perspectives |date=25 July 2010 |accessdate=06 April 2013}}</ref><ref name="PharmProcEnforce">{{cite web |url=http://www.pharmpro.com/blogs/2010/07/audit-alert-clarity-e-records-fda-re-evaluate-21-cfr-11 |title=Audit Alert! 
- Clarity on e-Records: FDA to Re-Evaluate 21 CFR 11 |author=Appel, Ken |publisher=Pharmaceutical Processing |date=28 July 2010 |accessdate=06 April 2013}}</ref>
The FDA had indicated it would produce a revised version of Part 11 by the end of 2006, after its Third Annual FDA [[Informatics (academic field)|Information Management]] Summit had concluded.<ref name="inPharmaFDA2006">{{cite web |url=https://www.outsourcing-pharma.com/Article/2006/10/24/FDA-to-review-electronic-signature-regulation |title=FDA to review electronic signature regulation |author=Reymond, E. |work=Outsourcing-Pharma |date=24 October 2006 |accessdate=15 April 2020}}</ref> Those revisions never arrived, and little in the way of updates on the topic arrived.<ref name="FBFDA09">{{cite web |url=http://www.fiercebiotechit.com/story/dont-sweat-part-11-stuff/2009-11-13 |archiveurl=https://web.archive.org/web/20100222094358/http://www.fiercebiotechit.com/story/dont-sweat-part-11-stuff/2009-11-13 |title=Don't sweat the Part 11 stuff |author=Miller, George |publisher=FierceBiotechIT |date=13 November 2009 |archivedate=22 february 2010 |accessdate=15 April 2020}}</ref> On July 8, 2010, the FDA announced it would begin to audit facilities working with drugs "in an effort to evaluate industry's compliance and understanding of Part 11 in light of the enforcement discretion,"<ref name="FDAAnnounceJul8">{{cite web |url=http://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/ucm204012.htm |archiveurl=https://web.archive.org/web/20171115154911/https://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/ucm204012.htm |title=FDA To Conduct Inspections Focusing on 21 CFR 11 (Part 11) requirements relating to human drugs |publisher=U.S. FDA |date=08 July 2010 |archivedate=15 November 2017 |accessdate=15 April 2020}}</ref> leaving some to wonder if this was an indicator the regulation and/or its guidance would finally see a revision.<ref name="GxPEnforce">{{cite web |url=http://gxpperspectives.com/2010/07/25/part-11-how-will-fda-enforce/ |title=Part 11: How Will FDA Enforce? 
|author=Barsky, Emma; Grunbaum, Len |publisher=GxP Perspectives |date=25 July 2010 |accessdate=06 April 2013}}{{Dead link}}</ref><ref name="PharmProcEnforce">{{cite web |url=http://www.pharmpro.com/blogs/2010/07/audit-alert-clarity-e-records-fda-re-evaluate-21-cfr-11 |title=Audit Alert! - Clarity on e-Records: FDA to Re-Evaluate 21 CFR 11 |author=Appel, Ken |publisher=Pharmaceutical Processing |date=28 July 2010 |accessdate=06 April 2013}}{{Dead link}}</ref>
 
With an increase in violations of data integrity in current good manufacturing practice (CGMP) inspections in the mid-2010s, the U.S. Food and Drug Administration eventually issued draft guidance in April 2016 for implementing the data integrity requirements of 21 CFR Parts 210–212, as well as clarifying how electronic signature and record-keeping requirements in 21 CFR Part 11 apply.<ref name="FDAData16">{{cite web |url=https://www.fda.gov/files/drugs/published/Data-Integrity-and-Compliance-With-Current-Good-Manufacturing-Practice-Guidance-for-Industry.pdf |format=PDF |title=Data Integrity and Compliance with CGMP Guidance for Industry - Draft Guidance |author=U.S. Food and Drug Administration |publisher=U.S. Food and Drug Administration |date=April 2016 |accessdate=15 April 2020}}</ref> That guidance was finalized in December 2018, encouraging firms to "implement meaningful and effective strategies to manage their data integrity risks based on their process understanding and knowledge management of technologies and business models."<ref name="FDAData18">{{cite web |url=https://www.fda.gov/regulatory-information/search-fda-guidance-documents/data-integrity-and-compliance-drug-cgmp-questions-and-answers-guidance-industry |title=Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry |author=U.S. Food and Drug Administration |publisher=U.S. Food and Drug Administration |date=December 2018 |accessdate=15 April 2020}}</ref>


==Structure==
==Structure==
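Review bot: In the new Huber/LabCompliance citation, archivedate=03 January 2020 does not match the snapshot timestamp in its archiveurl (web.archive.org/web/20180103191244/...), which points to 03 January 2018; the archivedate should be corrected. In the same set of citation updates, "archivedate=22 february 2010" on the FierceBiotechIT cite should capitalize the month, and the two bare {{Dead link}} tags on the GxP Perspectives and Pharmaceutical Processing cites should carry a date the way the Storage Networking Solutions cite does ({{Dead link|April 2020}}). Two wording errors are carried over unchanged from the old revision and are worth fixing while these paragraphs are being touched: "confidentially of electronic records" in the lead should read "confidentiality", and "Title 11 conditions" in the History section should read "Part 11 conditions".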
Line 18: Line 20:


'''Subpart A — General Provisions'''
'''Subpart A — General Provisions'''
:§ 11.1 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.1 Scope]
:§ 11.1 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.1 Scope]
:§ 11.2 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.2 Implementation]
:§ 11.2 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.2 Implementation]
:§ 11.3 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.3 Definitions]
:§ 11.3 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.3 Definitions]


'''Subpart B — Electronic Records'''
'''Subpart B — Electronic Records'''
:§ 11.10 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.10 Controls for closed systems]
:§ 11.10 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.10 Controls for closed systems]
:§ 11.30 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.30 Controls for open systems]
:§ 11.30 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.30 Controls for open systems]
:§ 11.50 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.50 Signature manifestations]
:§ 11.50 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.50 Signature manifestations]
:§ 11.70 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.70 Signature/record linking]
:§ 11.70 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.70 Signature/record linking]


'''Subpart C — Electronic Signatures'''
'''Subpart C — Electronic Signatures'''
:§ 11.100 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.100 General requirements]
:§ 11.100 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.100 General requirements]
:§ 11.200 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.200 Electronic signature components and controls]
:§ 11.200 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.200 Electronic signature components and controls]
:§ 11.300 [http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.300 Controls for identification codes/passwords]
:§ 11.300 [https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=11.300 Controls for identification codes/passwords]
 
==Audit guidelines and checklist==


The following guidelines and checklist items provide a frame of reference for vendors and auditors to better determine potential compliance issues.
===Subpart A===


All items in the checklist for general IT controls should also be checked for individual systems - especially where those systems use different control measures (e.g., they have an independent authentication system).
This is essentially the preamble of the regulations, explaining to what and who the regulations apply as well as how they'll apply. Definitions of common terms appearing in the regulations can also be found here, including a clarification in the difference between a digital and electronic signature.


If this checklist is used by software vendors, then certain elements may or may not apply depending on the circumstances.  For instance, validation is technically the responsibility of the entity acquiring the software.  However, in the case of SaaS, a greater practical responsibility to validate the system may lie with the vendor.  In all cases, the vendor should assume responsibility for ensuring that their software operates as intended within the targeted environments.  Failure to do so may result in a lack of willingness of potential customers to obtain the system.
===Subpart B===


===General IT===
This section covers the requirements applicable to electronic records and their management. Several requirements are addressed, including "how to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records"; what content a signature should contain; and how electronic records and their signatures should be linked. It also covers topics like system validation, data traceability, audit control, and version control.


Following is a list of questions that either apply to the larger IT environment, or to both the larger environment and to individual systems.  The auditor must be sure to evaluate both where necessary.  For instance, an organization may have a robust password policy which is managed by a centralized identity management tool.  This is important evaluate in terms of general security around the systems in scope.  At the same time, the specific system may or may not leverage the corporate IDM and thus it’s identity management should be evaluated on its own merits.
===Subpart C===


====Computer Systems Validation====
This final section addresses the requirements specific to electronic signatures and their use. General requirements for electronic signatures, their components and controls, and password controls are all addressed. Additionally, this section addresses requirements for more advanced biometric-based signatures.
*Does a defined computer system validation policy exist?
*Are all computer systems involved in activities covered by predicate regulations validated?
*Does the computer system validation cover the current deployed version of the system?
*Validation Assessment
**Does the software developer have a defined SDLC?
**Does the SDLC reflect a generally recognized life cycle approach?
**Is the SDLC followed?
**Is the software well documented from a design/implementation perspective?
**Is there evidence of design review activities (what this entails will depend on the nature of the SDLC - for instance, Agile methodologies will involve daily standup  meetings,while a waterfall approach may reflect formal design review steps)?
**Does the level of validation coverage reflect the risk from system failure?
**Is there sufficient level of independence in the validation/verification activities?
**Are sufficient resources and personnel provided for software development and validation?
**Are records maintained of defects and failures identified in the development process?
**For any software system, is there a set of approved requirements which drove the design (note:  the name can vary based on the SDLC in use).
**For iterative development approaches, are previous versions of deliverables (such as requirements lists) archived in some fashion?
**Is there an audit trail for modifications to system documentation?
**For COTS (Commercial Off The Shelf), has the vendor been evaluated for its quality systems?
**Is there some form of traceability that permits tracking of test results and verification activities to specific requirements?
**Are adequate user documents available for the system?
**Are adequate change control systems in place during the development and implementation processes?
**For each of the other elements of this checklist that apply directly to an electronic record system, has appropriate validation work been undertaken to establish that the system complies with the checklist item?


====Identity Management Systems====
==Audit guidelines and checklist==
*Do any identity management systems have minimum password complexity/strength requirements?  Do these minimums seem reasonable?
*Do these id systems have policies regarding password change frequency?
*Do identity management systems prevent the creation of duplicate user ID’s?
 
====Access Controls====
*Do formal procedures exist governing user account creation for electronic records systems.
*Do formal procedures exist governing access to network and server resources that are used to operate electronic records systems?
 
====Cloud Computing Policies====
*Are policies in place governing the selection and use of cloud vendors for electronic record systems?
*Do policies governing record retention specifically apply to cloud vendors?
*Are systems for transmitting electronic records configured to do so in a secure manner?
 
====Training Programs====
*Is there a defined training program around authentication practices?  Electronic signatures?
*Are system administrators and developers trained in part 11 and related regulations?
*Are users trained on the use of electronic records systems?
 
====Change Control Systems====
 
====Electronic Signature Certification====
 
====Records Retention Policy====
 
===System Specific===
 
====Fraud Detection====
 
====Audit Trails====
 
====Access Controls====
 
====Open Systems Controls====
 
====Electronic Signatures====


====Export of Records for Agency Review====
{{Main|21 CFR Part 11/Audit guidelines and checklist}}


====Records Retention Support====
For those auditing computer systems and IT environments for their compliance with 21 CFR Part 11 and other regulations, a set of guidelines and checklist items may be useful.
<br />


====Process Controls====
Click the link above for the full set of guidelines and checklist items.


==Further reading==
==Further reading==


* {{cite web |url=http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=04a3cb63d1d72ce40e56ee2e7513cca3&r=PART&n=21y1.0.1.1.8 |title=Electronic Code of Federal Regulations - Title 21: Food and Drugs - Part 11: Electronic Records; Electronic Signatures |publisher=U.S. Government Printing Office}}
* {{cite web |url=https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=04a3cb63d1d72ce40e56ee2e7513cca3&r=PART&n=21y1.0.1.1.8 |title=Electronic Code of Federal Regulations - Title 21: Food and Drugs - Part 11: Electronic Records; Electronic Signatures |publisher=U.S. Government Printing Office}}


* {{cite web |url=http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11 |title= CFR - Code of Federal Regulations - Title 21 - Part 11 Electronic Records; Electronic Signatures |publisher=U.S. Food and Drug Administration}}
* {{cite web |url=https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm?cfrpart=11 |title= CFR - Code of Federal Regulations - Title 21 - Part 11 Electronic Records; Electronic Signatures |publisher=U.S. Food and Drug Administration}}


* {{cite web |url=http://www.labcompliance.com/tutorial/part11/ |title=Tutorial: 21 CFR Part 11 - Electronic Records and Electronic Signatures |author=Huber, Ludwig |publisher=LabCompliance |date=15 November 2012}}
* {{cite web |url=http://www.labcompliance.com/tutorial/part11/ |archiveurl=https://web.archive.org/web/20180103191244/http://www.labcompliance.com/tutorial/part11/ |title=Tutorial: 21 CFR Part 11 - Electronic Records and Electronic Signatures |author=Huber, L. |publisher=LabCompliance |date=15 November 2012 |archivedate=03 January 2020}}
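Review bot: the archivedate added to the Huber/LabCompliance citation does not match its archiveurl. The snapshot timestamp in the URL is 20180103191244 (3 January 2018), but the template gives archivedate=03 January 2020. Suggest changing archivedate to 03 January 2018 so the rendered "Archived from the original on" text agrees with the snapshot actually linked.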


==References==
==References==
<references />
{{Reflist|colwidth=30em}}


[[Category:Regulatory information]]
[[Category:Regulatory information]]

Revision as of 20:15, 15 April 2020

The Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11) provides compliance information regarding the U.S. Food and Drug Administration's (FDA) guidelines on electronic records and electronic signatures. Within this part, requirements are created to help ensure security, integrity, and confidentiality of electronic records and to ensure electronic signatures are as legally binding as hand-written signatures.[1]

Practically speaking, Part 11 requires drug makers, medical device manufacturers, biotech and biologics companies, contract research organizations, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for closed and open software and systems involved in processing specific electronic data. This primarily includes data to be maintained by the FDA predicate rules and data used to demonstrate compliance with a predicate rule. (A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11.[2]) The rule also applies to submissions made to the FDA in electronic format, but not to paper submissions by electronic methods, though paper submissions may eventually be prohibited by the FDA.[3]

History

By the early 1990s, food and drug manufacturers approached the U.S. Food and Drug Administration (FDA) about the possibility of electronic submissions with electronic signatures. However, at that time the government did not allow for digital signatures. In July 1992, the FDA began soliciting comments about the process of using electronic signatures.[4]

In March 1997, the FDA issued Part 11 regulations which, in the words of the FDA, were "intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health."[2] Various keynote speeches by FDA insiders early in the 21st century (in addition to compliance guides and draft guidance documents)[2] as well as strong efforts by the FDA to motivate industry to move to e-filing[5] resulted in many companies like Eli Lilly[6], Agilent Technologies[7], and other businesses rapidly being forced to change their methods and systems to adapt to the new standards.[2][8]

However, many entities expressed concerns about the Title 11 conditions, including concerns that the regulations would "unnecessarily restrict" the use of technology, add significant compliance costs beyond what was intended, and stifle technological innovation while reducing public health benefit.[2] In November 2002, the FDA released the guidance document "Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records" to the public for comment.[9] On February 3, 2003, the FDA withdrew that document, stating "we wanted to minimize industry time spent reviewing and commenting on the draft guidance when that draft guidance may no longer represent our approach under the [current good manufacturing practice] initiative," adding it would afterwards "intend to exercise enforcement discretion with regard to certain Part 11 requirements."[2] Further guidance documents were withdrawn later that month, culminating in a final guidance document in August 2003 stating the government body would re-examine Part 11 and make necessary changes.[2][10] However, the FDA reiterated that, despite its retraction of the guidance documents, "21 CFR Part 11 is not going away, and neither is the agency's demand for electronic record integrity."[11] The retraction of guidance and change in policy, however, led many IT members in the pharmaceutical and life sciences industry in late 2004 to cite the lack of clear guidelines from the FDA about what is required for compliance as one of the key problems they faced.[12]

The FDA had indicated it would produce a revised version of Part 11 by the end of 2006, after its Third Annual FDA Information Management Summit had concluded.[13] Those revisions never arrived, and few updates on the topic followed.[14] On July 8, 2010, the FDA announced it would begin to audit facilities working with drugs "in an effort to evaluate industry's compliance and understanding of Part 11 in light of the enforcement discretion,"[15] leaving some to wonder if this was an indicator the regulation and/or its guidance would finally see a revision.[16][17]

With an increase in violations of data integrity in current good manufacturing practice (CGMP) inspections in the mid-2010s, the U.S. Food and Drug Administration eventually issued draft guidance in April 2016 for implementing the data integrity requirements of 21 CFR Parts 210–212, as well as clarifying how electronic signature and record-keeping requirements in 21 CFR Part 11 apply.[18] That guidance was finalized in December 2018, encouraging firms to "implement meaningful and effective strategies to manage their data integrity risks based on their process understanding and knowledge management of technologies and business models."[19]

Structure

The structure of Part 11 is as follows:

Subpart A — General Provisions

§ 11.1 Scope
§ 11.2 Implementation
§ 11.3 Definitions

Subpart B — Electronic Records

§ 11.10 Controls for closed systems
§ 11.30 Controls for open systems
§ 11.50 Signature manifestations
§ 11.70 Signature/record linking

Subpart C — Electronic Signatures

§ 11.100 General requirements
§ 11.200 Electronic signature components and controls
§ 11.300 Controls for identification codes/passwords

Subpart A

This is essentially the preamble of the regulations, explaining to what and to whom the regulations apply as well as how they'll apply. Definitions of common terms appearing in the regulations can also be found here, including a clarification of the difference between a digital and an electronic signature.

Subpart B

This section covers the requirements applicable to electronic records and their management. Several requirements are addressed, including "how to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records"; what content a signature should contain; and how electronic records and their signatures should be linked. It also covers topics like system validation, data traceability, audit control, and version control.

Subpart C

This final section addresses the requirements specific to electronic signatures and their use. General requirements for electronic signatures, their components and controls, and password controls are all addressed. Additionally, this section addresses requirements for more advanced biometric-based signatures.

Audit guidelines and checklist

For those auditing computer systems and IT environments for their compliance with 21 CFR Part 11 and other regulations, a set of guidelines and checklist items may be useful.

Click the link above for the full set of guidelines and checklist items.

Further reading




References

  1. "Electronic Code of Federal Regulations - Title 21: Food and Drugs - Part 11: Electronic Records; Electronic Signatures". U.S. Government Printing Office. 13 April 2020. https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=04a3cb63d1d72ce40e56ee2e7513cca3&r=PART&n=21y1.0.1.1.8. Retrieved 15 April 2020. 
  2. "Part 11, Electronic Records; Electronic Signatures — Scope and Application". U.S. Food and Drug Administration. August 2003. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application. Retrieved 15 April 2020. 
  3. Huber, L. (15 November 2012). "Tutorial: 21 CFR Part 11 - Electronic Records and Electronic Signatures". LabCompliance. Archived from the original on 03 January 2020. https://web.archive.org/web/20180103191244/http://www.labcompliance.com/tutorial/part11/. Retrieved 15 April 2020. 
  4. Jackson, W. (1 June 2000). "FDA offers electronic option". GCN. https://gcn.com/Articles/2000/06/01/FDA-offers-electronic-option.aspx?Page=2. Retrieved 15 April 2020. 
  5. Greenemeier, L. (25 February 2002). "FDA Moving To E-Filing". InformationWeek. https://www.informationweek.com/fda-moving-to-e-filing/d/d-id/1013809?. Retrieved 15 April 2020. 
  6. Greenemeier, L. (18 February 2002). "Lilly Cures Inefficiency With IT". InformationWeek. https://www.informationweek.com/lilly-cures-inefficiency-with-it/d/d-id/1013731?. Retrieved 15 April 2020. 
  7. "Agilent Introduces Security Pack for Analytical Laboratories". Laboratory Network. 20 June 2000. https://www.laboratorynetwork.com/doc/agilent-introduces-security-pack-for-analytic-0001. Retrieved 15 April 2020. 
  8. Harrold, D. (1 April 2002). "'I'm from the Government, and I'm Here to Help You!'". Control Engineering. https://www.controleng.com/articles/im-from-the-government-and-im-here-to-help-you/. Retrieved 15 April 2020. 
  9. Control Engineering Staff (3 January 2003). "FDA releases 21 CFR Part 11 guidance document". Control Engineering. https://www.controleng.com/articles/fda-releases-21-cfr-part-11-guidance-document/. Retrieved 15 April 2020. 
  10. "FDA plans to amend 21 CFR Part 11 rules". Outsourcing-Pharma. 4 September 2003. https://www.outsourcing-pharma.com/Article/2003/09/05/FDA-plans-to-amend-21-CFR-Part-11-rules. Retrieved 15 April 2020. 
  11. June, T.M. (July 2003). "Quality Assurance, Safety and 21 CFR Part 11: These three old friends are here to stay". Quality Digest. https://www.qualitydigest.com/july03/articles/04_article.shtml. Retrieved 15 April 2020. 
  12. "Complying with US Food and Drug Administration(FDA) data regulations is proving a struggle for IT departments in pharmaceutical and life science companies". Storage Networking Solutions. 17 November 2004. http://snseurope.info/article/12833/Complying-with-US-Food-and-Drug-Administration(FDA)-data-regulations-is-proving-a-struggle-for-IT-departments-in-pharmaceutical-and-life-science-companies. Retrieved 06 April 2013. [dead link]
  13. Reymond, E. (24 October 2006). "FDA to review electronic signature regulation". Outsourcing-Pharma. https://www.outsourcing-pharma.com/Article/2006/10/24/FDA-to-review-electronic-signature-regulation. Retrieved 15 April 2020. 
  14. Miller, George (13 November 2009). "Don't sweat the Part 11 stuff". FierceBiotechIT. Archived from the original on 22 February 2010. https://web.archive.org/web/20100222094358/http://www.fiercebiotechit.com/story/dont-sweat-part-11-stuff/2009-11-13. Retrieved 15 April 2020. 
  15. "FDA To Conduct Inspections Focusing on 21 CFR 11 (Part 11) requirements relating to human drugs". U.S. FDA. 8 July 2010. Archived from the original on 15 November 2017. https://web.archive.org/web/20171115154911/https://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDER/ucm204012.htm. Retrieved 15 April 2020. 
  16. Barsky, Emma; Grunbaum, Len (25 July 2010). "Part 11: How Will FDA Enforce?". GxP Perspectives. http://gxpperspectives.com/2010/07/25/part-11-how-will-fda-enforce/. Retrieved 06 April 2013. [dead link]
  17. Appel, Ken (28 July 2010). "Audit Alert! - Clarity on e-Records: FDA to Re-Evaluate 21 CFR 11". Pharmaceutical Processing. http://www.pharmpro.com/blogs/2010/07/audit-alert-clarity-e-records-fda-re-evaluate-21-cfr-11. Retrieved 06 April 2013. [dead link]
  18. U.S. Food and Drug Administration (April 2016). "Data Integrity and Compliance with CGMP Guidance for Industry - Draft Guidance" (PDF). U.S. Food and Drug Administration. https://www.fda.gov/files/drugs/published/Data-Integrity-and-Compliance-With-Current-Good-Manufacturing-Practice-Guidance-for-Industry.pdf. Retrieved 15 April 2020. 
  19. U.S. Food and Drug Administration (December 2018). "Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry". U.S. Food and Drug Administration. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/data-integrity-and-compliance-drug-cgmp-questions-and-answers-guidance-industry. Retrieved 15 April 2020.