Introduction to 21 CFR Part 11 Requirements

FDA 21 CFR Part 11 defines the requirements for the management of electronic records and electronic signatures. It is one of the best-known parts of the Code of Federal Regulations and plays a fundamental role in many applications, from electronic document management systems to clinical studies and computer system validation.

The requirements of 21 CFR Part 11 apply broadly, from quality management systems to clinical trial operations, information security (ISO 27001) and computer system validation.

Guideline from FDA

FDA has published specific guidelines to further clarify and explain the requirements of 21 CFR Part 11. One guideline covers the general scope and applicability of 21 CFR Part 11 and deals with important concepts such as validation activities and audit trails.

Another guideline deals with the use of electronic records and signatures within clinical trial operations; it is currently in draft.

21 CFR Part 11: A Practical Approach

In this section I detail all the requirements of 21 CFR Part 11 and explain how each of them should be covered. This should help people working on validation activities against the requirements of 21 CFR Part 11.

| Section of the Regulation (21 CFR Part 11) | Requirement Description | Explanation and comments |
|---|---|---|
| 11.10 (a) | Compliant Electronic Document Management Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | Validation of the system shall be performed to ensure that the software system is fit for purpose with respect to these 21 CFR Part 11 requirements. Validation documents shall cover the whole lifecycle of the device. Requirements related to 21 CFR Part 11 can be checked within this checklist. |
| 11.10 (b) | Compliant Electronic Document Management Systems must have the ability to generate accurate and complete copies of records in both human readable and electronic form, suitable for inspection, review, and copying. | Here you need to evaluate whether records can be exported for viewing and printing in common electronic formats. Specific tests shall be performed to support the coverage of this requirement. |
| 11.10 (c) | Compliant Electronic Document Management Systems must protect documents, to enable their accurate and ready retrieval throughout the document retention period. | You need to ensure that the ability to modify or delete data is limited to specifically assigned privileges. Different user profiles shall be set up. One person shall be identified to assign privileges for user profile management. Once again, specific tests shall be performed to demonstrate compliance. |
| 11.10 (d) | Compliant Electronic Document Management Systems must limit system access to authorised individuals. | Changes to the system shall be performed in a controlled way and handled through a change control procedure. One person shall be identified to assign privileges for user profile management. |
| 11.10 (e) | Compliant Electronic Document Management Systems must use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic documents. Document changes shall not obscure previously recorded information. Such audit trail shall be retained for a period at least as long as that required for the subject electronic documents, and shall be available for review and copying. | The system shall be able to keep track of any modification, deletion or in general any activity performed on specific records. The system is able to keep track of previous values/records. Audit trail entries and record data shall not be deleted, nor shall the identity of operators entering, changing, confirming, or deleting data, including date and time. |
| 11.10 (f) | Compliant Electronic Document Management Systems must use operational system checks to enforce the permitted sequencing of steps and events, as appropriate. | Dataflow shall be configurable and specific operational system checks shall be in place. |
| 11.10 (g) | Compliant Electronic Document Management Systems must use authority checks to ensure that only authorised individuals can use the system, electronically sign a document, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | Authority checks to ensure that only authorized individuals can use the system or take action on data shall be implemented. |
| 11.10 (h) | Compliant Electronic Document Management Systems must use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Checks to confirm that data are not altered shall be in place. |
| 11.10 (i) | Implementers of compliant Electronic Document Management Systems must ensure that persons who develop, maintain, or use these systems have the education, training, and experience to perform their assigned tasks. | Training shall be performed on specific SOP and employees shall have an adequate level |
| 11.10 (j) | Implementers of compliant Electronic Document Management Systems must establish and adhere to written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | A policy for electronic signature shall be in place. |
| 11.10 (k1) | Compliant Electronic Document Management Systems must implement adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. | Full control over distribution of and access to electronic records shall be implemented through Access Control. Changes to the systems shall be performed through change control. The necessity to perform re-validation is evaluated through the change control system. |
| 11.10 (k2) | Compliant Electronic Document Management Systems must implement revision and change control procedures to maintain an audit trail that documents time-sequenced development, and modification of systems documentation. | Change Control process shall be implemented. |
| 11.50(a) | Compliant Electronic Document Management Systems ensure that signed electronic documents contain information associated with the signing, clearly indicating all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. | The system shall have an audit trail in place. |
| 11.50(b) | Compliant Electronic Document Management Systems ensure that the signature name, the timestamp and the meaning of the signature are subject to the same controls as for electronic records, and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | The system shall be able to keep track of any modification performed on any specific stored record by identifying name, date and related information on the specific actions performed by the user. |
| 11.70(a) | Compliant Electronic Document Management Systems ensure that electronic signatures, and handwritten signatures executed to electronic records, shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | A policy for electronic signature shall be implemented, including the management of mixed types of signature. |
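
As an added example (not part of the original article or of any FDA text), here is one way to build the audit trail of 11.10 (e) so that previous values stay visible and altered entries can be discerned as 11.10 (a) asks. The hash chain, the `AuditTrail` class and all field names are assumptions chosen for illustration; the regulation does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry

class AuditTrail:
    """Append-only trail: entries are added, never edited or removed."""
    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so an unchanged entry always hashes the same.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, operator, action, record_id, old_value, new_value):
        if action not in ("create", "modify", "delete"):
            raise ValueError("unknown action: " + action)
        body = {
            "operator": operator, "action": action, "record_id": record_id,
            "old_value": old_value, "new_value": new_value,  # old value is kept
            # Computer-generated timestamp, never supplied by the operator.
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=self._digest(body)))

    def history(self, record_id):
        # Copies for review and copying; the stored entries are not exposed.
        return [dict(e) for e in self._entries if e["record_id"] == record_id]

    def first_invalid(self):
        """Index of the first altered or out-of-sequence entry, else None."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev_hash"] != prev or self._digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

def demo():
    trail = AuditTrail()
    trail.record("asmith", "create", "SOP-001", None, "rev A")  # constructed data
    trail.record("bjones", "modify", "SOP-001", "rev A", "rev B")
    intact = trail.first_invalid()
    trail._entries[0]["new_value"] = "rev Z"  # constructed tampering
    return intact, trail.first_invalid()
```

A chain like this only proves integrity up to its latest hash, so that hash should be kept somewhere the application itself cannot rewrite; otherwise truncating the trail or recomputing every hash would go unnoticed.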

| Section of the Regulation (21 CFR Part 11) | Requirement Description | Explanation and comments |
|---|---|---|
| 11.100 (a) | Each electronic signature shall be unique to one individual, and shall not be reused by, or reassigned to, anyone else. | A policy for electronic signature shall be in place. |
| 11.100 (b) | Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | The identity of all the employees of a company shall be checked before assigning any credential for electronic signature. |
| 11.100 (c) | Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. | A Letter of Non-Repudiation shall be documented to ensure that the electronic signature has a value equivalent to that of a traditional handwritten signature. |
| 11.200 (a) | Electronic signatures shall employ at least two distinct identification components, such as an identification code and password. | An electronic signature shall consist of at least two identification components. |
| 11.200 (a)(1)(i) | Compliant Electronic Document Management Systems ensure that, when an individual executes a series of signings during a single, continuous period of controlled system access, the first signing is executed using all electronic signature components; subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, that individual. | Tests shall be performed to ensure that multiple signings are performed by entering at least one of the two identification components. Specific tests shall be performed to demonstrate compliance. |
| 11.200 (a)(1)(ii) | Compliant Electronic Document Management Systems ensure that, when an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. | Same as the previous requirement. However, in this case, when multiple signatures are performed during separate sessions (periods of controlled system access), each signature shall be performed with all the electronic signature components. Specific tests shall be performed to demonstrate compliance. |
| 11.200 (a)(2) | Electronic signatures shall be used only by their genuine owners. | The policy for electronic signature shall cover this requirement. |
| 11.200 (a)(3) | Electronic signatures shall be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. | The policy for electronic signature shall cover this requirement. This should cover the impossibility of sharing electronic signature credentials. |
| 11.300 (a) | Controls shall be in place to maintain the uniqueness of each combined identification code and password, such that no two individuals can have the same combination of identification code and password. | A system for generating unique combinations of username and password shall be in place. The same username shall not be used by more than one person for electronic signature. |
| 11.300 (b) | Compliant Electronic Document Management Systems ensure that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). | Access control shall be strictly managed and an SOP shall be in place. Passwords shall be changed periodically. |
| 11.300 (c) | Compliant Electronic Document Management Systems follow loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and issue temporary or permanent replacements using suitable, rigorous controls. | This requirement covers the case where other devices are used to access specific tools or to perform electronic signature. An SOP shall be in place in case these devices are stolen, missing or lost. |
| 11.300 (d) | Compliant Electronic Document Management Systems use transaction safeguards to prevent unauthorized use of user IDs and passwords, and detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and as appropriate, to organizational management. | Specific systems shall be in place to prevent the electronic signature from being performed by unauthorized individuals. For example, account lock after a certain number of login attempts. |
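
The "specific tests" called for under 11.200 (a)(1)(i) and (ii) need something concrete to run against. The following added example (not from the original article) sketches the signing rules of those two rows together with the lockout and reporting of 11.300 (d) and the uniqueness check of 11.300 (a). `SignatureService`, the lockout threshold and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # constructed threshold; the article only says "a certain number"

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SignatureService:
    def __init__(self):
        self._users = {}     # user_id -> (salt, derived password key)
        self._failures = {}  # user_id -> consecutive failed attempts
        self.locked = set()
        self.security_alerts = []  # stand-in for notifying the security unit

    def enroll(self, user_id, password):
        if user_id in self._users:  # 11.300(a): identification codes stay unique
            raise ValueError("identification code already assigned")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def open_session(self):
        # A new continuous period of controlled access; nobody has signed yet.
        return {"signer": None}

    def sign(self, session, password, user_id=None, meaning="approval"):
        first = session["signer"] is None
        if first and user_id is None:
            raise PermissionError("first signing needs all signature components")
        if not first and user_id not in (None, session["signer"]):
            raise PermissionError("session belongs to another signer")
        uid = user_id if first else session["signer"]
        if uid in self.locked:
            raise PermissionError("account locked")
        salt, stored = self._users.get(uid, (b"\0" * 16, b""))
        if not hmac.compare_digest(_derive(password, salt), stored):
            self._failures[uid] = self._failures.get(uid, 0) + 1
            if self._failures[uid] >= MAX_FAILURES:
                self.locked.add(uid)
                self.security_alerts.append(uid)  # 11.300(d): detect and report
            raise PermissionError("signature rejected")
        self._failures[uid] = 0
        session["signer"] = uid
        return {"signer": uid, "meaning": meaning}
```

Within one session the first call must pass both `user_id` and `password`, while later calls may pass the password alone; a session returned by a fresh `open_session()` starts again from the two-component rule.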
