Introduction of 21 CFR Part 11 Requirements
FDA 21 CFR Part 11 defines the requirements for the management of electronic records and electronic signatures. It is one among the best known parts of the Code of Federal Regulation and it plays a fundamental role in many different applications, from Electronic Document Management System to Clinical Study, passing through computer system validation.
The requirements for 21 CFR Part 11 have a broad application from quality management system to clinical trial operations, passing trough information security (ISO 27001) and computer system validation.
Guideline from FDA
FDA published specific deadline to further clarify and explain the requirements for 21 CFR Part 11. Specifically, one guideline refers to generate scope and applicability of 21 CFR Part 11 and deals with very important concepts such as validation activities and audit trail.
21 CFR Part 11: A Practical Approach
Here in this section I detail all the requirements for 21 CFR Part 11 and explains how these requirements should be covered. This is very important as this section could definitely help people working on validation activities against requirements for 21 CFR Part 11.
a) Requirements related to compliance to 21 CFR part 11: Electronic Records
| Section of the Regulation (21 CFR Part 11) | Requirement Description | Explanation and comments |
| 11.10 (a) | Compliant Electronic Document Management Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | Validation of the system shall be performed to ensure the fit for purpose of the SW system on these 21 CFR Part 11 requirements. Validation documents shall cover the whole lifecycle of the device. Requirements related to 21 CFR Part 11 can be checked within this checklist. |
| 11.10 (b) | Compliant Electronic Document Management Systems must have the ability to generate accurate and complete copies of records in both human readable and electronic form, suitable for inspection, review, and copying. | Here you need to evaluate wether records can be exported for viewing and printing in common electronic formats. Specific tests shall be performed to support the coverage of this requirements. |
| 11.10 (c) | Compliant Electronic Document Management Systems must protect documents, to enable their accurate and ready retrieval throughout the document retention period. | You need to ensure that the ability to modify or delete data is limited to specifically assigned privileged. Different user profiles shall be set up. One person shall be identified to assign privileges for user profile management. Once again, specific tests shall be performed to demonstrate compliance |
| 11.10 (d) | Compliant Electronic Document Management Systems must limit system access to authorised individuals. | Changes performed to the system shall be performed in a controlled way and handled through change control procedure. One person shall be identified to assign privileges for user profile management. |
| 11.10 (e) | Compliant Electronic Document Management Systems must use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic documents. Document changes shall not obscure previously recorded information. Such audit trail shall be retained for a period at least as long as that required for the subject electronic documents, and shall be available for review and copying | The system shall be able to keep track of any modification, deletion or in general any activity performed on specific records. The system is able to keep track of previous values/records. Audit trail entries and record data shall not be deleted, and so the identity of operators entering, changing, confirming, or deleting data, including date and time. |
| 11.10 (f) | Compliant Electronic Document Management systems must use operational system checks to enforce the permitted sequencing of steps and events, as appropriate. | Dataflow shall be configurable and specific operational system checks shall be in place. |
| 11.10 (g) | Compliant Electronic Document Management Systems must use authority checks to ensure that only authorised individuals can use the system, electronically sign a document, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | Authority checks to ensure that only authorized individuals can use the system or take action on data shall be implemented |
| 11.10 (h) | Compliant Electronic Document Management Systems must use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Checks to confirm that data are not altered shall be in place |
| 11.10 (i) | Implementers of compliant Electronic Document Management Systems must ensure that persons who develop, maintain, or use these systems have the education, training, and experience to perform their assigned tasks. | Training shall be performed on specific SOP and employees shall have an adequate level |
| 11.10 (j) | Implementers of compliant Electronic Document Management Systems must establish and adhere to written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | A policy for electronic signature shall be in place |
| 11.10 (k1) | Compliant Electronic Document Management Systems must implement adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. | Full control on distribution and access of electronic records shall be implemented through Access Control. Changes to the systems shall be performed through change control. The necessity to perform re-validation is evaluated through the change control system. |
| 11.10 (k2) | Compliant Electronic Document Management Systems must implement revision and change control procedures to maintain an audit trail that documents time-sequenced development, and modification of systems documentation. | Change Control process shall be implemented. |
| 11.50(a) | Compliant Electronic Document Management Systems ensure that signed electronic documents contain information associated with the signing, clearly indicating all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. | The system shall have an audit trail in place. |
| 11.50(b) | Compliant Electronic Document Management Systems ensure that the signature name, the timestamp and the meaning of the signature are subject to the same controls as for electronic records, and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | The system shall be able to keep track of any modification performed on any specific records stored by identifying name, date and related information on the specific actions performed by the user |
| 11.70(a) | Compliant Electronic Document Management Systems ensure that electronic signatures, and handwritten signatures executed to electronic records, shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | Policy for electronic signature shall be implemented including the management of mixed types of signature |
b) Requirements related to compliance to 21 CFR part 11: Electronic Signatures
| Section of the Regulation (21 CFR Part 11) | Requirement Description | Explanation and comments |
| 11.100 (a) | Each electronic signature shall be unique to one individual, and shall not be reused by, or reassigned to, anyone else. | A policy for electronic signature shall be in place. |
| 11.100 (b) | Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | The identity of all the employees of a company shall be checked before assign any credential for electronic signature |
| 11.100 (c) | Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. | Letter of Non-Repudiation shall be documented to ensure that electronic signature has an equivalent value of traditional handwritten signature. |
| 11.200 (a) | Electronic signatures shall employ at least two distinct identification components, such as an identification code and password. | Electronic signature shall be characterised at least by two identification components. |
| 11.200 (a)(1)(i) | Compliant Electronic Document Management Systems ensure that, when an individual executes a series of signings during a single, continuous period of controlled system access, the first signing is executed using all electronic signature components; subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, that individual. | Test shall be performed to ensure that multiple signings are performed at least by inserting one of the two identification components. Specific tests shall be performed to demonstrate compliance. |
| 11.200 (a)(1)(ii) | Compliant Electronic Document Management Systems ensure that, when an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. | The same of the previous requirements. However, in this case, when multiple signatures are performed during separate sessions (period of controlled system), the signature shall be performed with all the electronic signature components. Specific tests shall be performed to demonstrate compliance. |
| 11.200 (a)(2) | Electronic signatures shall be used only by their genuine owners. | Policy for electronic signature shall cover this requirements. |
| 11.200 (a)(3) | Electronic signatures shall be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. | Policy for electronic signature shall cover this requirements. This should cover the impossibility to share electronic signature credentials. |
| 11.300 (a) | Controls shall be in place to maintain the uniqueness of each combined identification code and password, such that no two individuals can have the same combination of identification code and password. | A system for generation of unique combination of username and password shall be in place. No same username shall be used for electronic signature. |
| 11.300 (b) | Compliant Electronic Document Management Systems ensure that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). | Access control shall be under strict control, SOP shall be in place. Password shall be changed periodically. |
| 11.300 (c) | Compliant Electronic Document Management Systems follow loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information password information, and issue temporary or permanent replacements using suitable, rigorous controls. | This requirements cover the possibility that other devices are used for access specific tools or to perform electronic signature. SOP shall be in place in case these devices are stolen, missed or lost. |
| 11.300 (d) | Compliant Electronic Document Management Systems use transaction safeguards to prevent unauthorized use of user ID’s and passwords, and detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and as appropriate, to organizational management. | Specific systems shall be in place to prevent the electronic signature to be performed by anauthorized individuals. For example, account lock after a certain number of login attempts. |
Subscribe to 4EasyReg Newsletter
4EasyReg is an online platform dedicated to Quality & Regulatory matters within the medical device industry. Have a look to all the services that we provide: we are very transparent in the pricing associated to these consulting services.
Within our WebShop, a wide range of procedures, templates, checklists are available, all of them focused on regulatory topics for medical device compliance to applicable regulations. Within the webshop, a dedicated section related to cybersecurity and compliance to ISO 27001 for medical device organizations is also present.
As one of the leading online platforms in the medical device sector, 4EasyReg offers extensive support for regulatory compliance. Our services cover a wide range of topics, from EU MDR & IVDR to ISO 13485, encompassing risk management, biocompatibility, usability, software verification and validation, and assistance in preparing technical documentation for MDR compliance.
Do not hesitate to subscribe to our Newsletter!
