21 CFR Part 11: You should know these requirements
In 21 CFR Part 11, the FDA establishes its requirements for electronic records and signatures, which also apply to medical device manufacturers.
A lot of companies print everything out on paper and then sign it by hand to circumvent the requirements of Part 11. Is this really necessary?
21 CFR Part 11: A source of fear?!
With Part 11 on Electronic Records; Electronic Signatures the FDA has given a lot of companies sleepless nights (and consultants good business), particularly in the pharmaceuticals sector.
Sometimes the requirements were interpreted in such an over-the-top manner that the FDA felt compelled to publish the guidance document “Part 11, Electronic Records; Electronic Signatures — Scope and Application” (2003) to provide clarification. The FDA saw its own objective, namely using Part 11 as the basis for replacing paper documents with electronic information, being thwarted by that over-interpretation, and announced that it would exercise enforcement discretion for several of the requirements.
But what does 21 CFR Part 11 really require? And which documents are affected?
21 CFR Part 11: Which systems and documents are affected?
21 CFR Part 11 applies whenever information is to be electronically generated, amended, stored, transferred or accessed. This can involve very different types of information, such as:
- Images or videos
- Audio files
The requirements (for IT systems) must be met if the documents generated, stored, transmitted or amended are used to demonstrate compliance with regulatory requirements, such as:
- Release and test protocols
- Process and work instructions
- Design drawings, software architecture documentation
- Specifications, requirements documents
- Records, e.g. production records
- Review protocols
As a rule of thumb, you can say that systems are subject to 21 CFR Part 11 if the documents “managed” with the systems are
- Submitted to the FDA (e.g. for a 510(k) submission) or
- Relevant for an FDA inspection, i.e. an inspection of the QM system to check that it complies with 21 CFR Part 820.
According to the Scope and Application guidance, the FDA does not expect some systems to be “Part 11 compliant” (it exercises enforcement discretion):
- Legacy systems that were already in operation before 20 August 1997, the date Part 11 came into force, provided they met, and still meet, the applicable predicate rule requirements and there is documented evidence that they are fit for their intended use.
- Systems that are only used to produce paper printouts, where the paper, and not the electronic file, is the record the company relies on for its regulated activities.
So 21 CFR Part 11 is only applicable if electronic records are replacing paper records, i.e. if the electronic record is the one you actually rely on.
There is a gray area when a system can produce a paper printout but relies on electronic recording to generate it. For example, manufacturers often automatically generate thousands of pages of test reports, print them out and sign them. In this case, you would have to justify the decision not to apply Part 11.
The FDA requires the IT systems discussed above to be validated and in this context also refers to the “General Principles of Software Validation” guidance document. This leads to the discussion as to whether this is just about validation or about the complete software life cycle. Read more on the subject of computer system validation here.
Open and closed systems
The requirements for open and closed systems differ. A system is closed when access to it is controlled by the persons who are responsible for the content of the electronic records managed by it (11.3(b)(4)). Otherwise it is an open system (11.3(b)(9)).
An example of a closed system would be a build and test system on the intranet that only the testers or developers responsible can access.
A system that transmits records over the public Internet, where access is no longer under the control of the people responsible for the records, is therefore typically treated as an open system.
Requirements for closed systems
21 CFR Part 11.10 defines the requirements for closed systems. The idea behind them is that the people who operate such systems must ensure the authenticity, integrity and, where appropriate, confidentiality of the records, and make it hard for a signer to repudiate a signed record. For this reason, the following are obligatory:
- System validation to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records (11.10(a)).
- The ability to generate accurate and complete copies of records in human-readable and in electronic form, e.g. for an inspection (11.10(b)).
- Protection of records so that they remain accurate and readily retrievable throughout the retention period (11.10(c)).
- Limiting system access to authorized individuals (11.10(d)).
- Secure, computer-generated, time-stamped audit trails that independently record who created, changed or deleted what and when, without obscuring the previously recorded value, and that are retained and available for review at least as long as the record itself (11.10(e)). Here the FDA has since rowed back somewhat, as you can read in the guidance document mentioned above.
- Operational system checks to enforce the permitted sequencing of steps and events, where appropriate (11.10(f)).
- Authority checks to ensure that only authorized individuals can use the system, electronically sign records, access the operating system, computer or peripherals, alter a record or perform the operation at hand (11.10(g)).
- Device (e.g. terminal) checks to determine, where appropriate, the validity of the source of data input or operational instructions (11.10(h)).
- Training: the people who develop, maintain or use the system must have the education, training and experience to perform their tasks (11.10(i)).
- Written policies that hold individuals accountable for actions initiated under their electronic signatures, in order to deter record and signature falsification (11.10(j)).
- Controls over system documentation: controlled distribution of and access to the documentation for operating and maintaining the system, and revision and change control procedures that keep a time-sequenced audit trail of changes to that documentation (11.10(k)).
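As an added illustration (not code from the original article or from any product it mentions), the following Go program sketches an append-only, hash-chained audit trail that records who changed what and when, and a Verify routine that implements the “ability to discern invalid or altered records” from the list above. User names, record IDs and values are constructed; SHA-256 chaining and the injectable clock are design choices of this example, not something Part 11 prescribes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one line of the trail: who changed what, when, from which
// value to which. PrevHash chains the entry to its predecessor, so editing
// or deleting an earlier entry invalidates every entry after it.
type AuditEntry struct {
	Seq      int
	At       time.Time // computer-generated, never taken from user input
	User     string
	Record   string // identifier of the regulated record, e.g. a test report
	Field    string
	OldValue string // the previous value stays visible (11.10(e))
	NewValue string
	PrevHash string
	Hash     string
}

// AuditTrail is append-only: there is deliberately no Update or Delete.
type AuditTrail struct {
	entries []AuditEntry
	now     func() time.Time // injectable clock, so tests are deterministic
}

func NewAuditTrail() *AuditTrail {
	return &AuditTrail{now: func() time.Time { return time.Now().UTC() }}
}

// entryDigest hashes every field with a length prefix, so that moving bytes
// between fields (e.g. from OldValue into NewValue) cannot yield the same hash.
func entryDigest(e AuditEntry) string {
	h := sha256.New()
	for _, f := range []string{
		fmt.Sprint(e.Seq), e.At.Format(time.RFC3339Nano), e.User,
		e.Record, e.Field, e.OldValue, e.NewValue, e.PrevHash,
	} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append records a change and links it to the previous entry.
func (t *AuditTrail) Append(user, record, field, oldValue, newValue string) AuditEntry {
	prev := ""
	if n := len(t.entries); n > 0 {
		prev = t.entries[n-1].Hash
	}
	e := AuditEntry{
		Seq: len(t.entries), At: t.now(), User: user, Record: record,
		Field: field, OldValue: oldValue, NewValue: newValue, PrevHash: prev,
	}
	e.Hash = entryDigest(e)
	t.entries = append(t.entries, e)
	return e
}

// Entries returns a copy, e.g. for a human-readable export (11.10(b)).
func (t *AuditTrail) Entries() []AuditEntry {
	out := make([]AuditEntry, len(t.entries))
	copy(out, t.entries)
	return out
}

// Verify recomputes the chain and reports the first entry that was altered,
// removed, or whose timestamp runs backwards.
func Verify(entries []AuditEntry) error {
	prev := ""
	for i, e := range entries {
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence gap, an entry was removed", i)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken, predecessor changed", i)
		}
		if entryDigest(e) != e.Hash {
			return fmt.Errorf("entry %d: contents altered", i)
		}
		if i > 0 && e.At.Before(entries[i-1].At) {
			return fmt.Errorf("entry %d: timestamp earlier than entry %d", i, i-1)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	tr := NewAuditTrail()
	// Constructed sample changes to a fictitious test report TR-0042.
	tr.Append("jdoe", "TR-0042", "result", "", "pass")
	tr.Append("asmith", "TR-0042", "result", "pass", "fail")
	entries := tr.Entries()
	fmt.Println("intact:", Verify(entries))
	entries[0].NewValue = "fail" // back-dated edit of the first entry
	fmt.Println("tampered:", Verify(entries))
}
```

A chain like this detects edits and deletions in the middle of the trail, but not truncation at the tail or a wholesale rewrite by someone who can recompute every hash. That is why the latest hash should be anchored somewhere the application itself cannot change (WORM storage, a periodically signed checkpoint, or a separately access-controlled audit database), and why the timestamp must come from the server's clock, never from the client.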
Requirements for open systems
21 CFR Part 11.30 places additional requirements on open systems: on top of the controls for closed systems, measures such as document encryption and appropriate digital signature standards must be used, as necessary, to ensure the authenticity, integrity and, as appropriate, confidentiality of records from the point of their creation to the point of their receipt.
Electronic signature requirements
The requirements of 21 CFR Part 11 regarding electronic signatures (of which cryptographic digital signatures are a special case) will seem familiar to anyone who has dealt with this issue before and, for example, the German Signature Act:
- Content (11.50): A signed electronic record must show:
- The printed name of the signer
- The date and time the signature was executed and
- The meaning of the signature (e.g. review, approval, author).
- Protection against falsification: It must not be possible to forge the signature (here 21 CFR Part 11 demands, in effect, what already applies to handwritten signatures on paper documents).
- Link to document (11.70): The signature must be linked to its record in such a way that it cannot be excised, copied or otherwise transferred to another document by ordinary means.
- Uniqueness (11.100): Each electronic signature must be unique to one individual and must never be reused by, or reassigned to, anyone else; the organization must verify the identity of the individual before assigning it.
- Biometric and non-biometric methods (11.200): The signature must be based on biometrics or, if not, on at least two distinct identification components such as an identification code and a password.
When using identification codes (e.g. user name, initials or number) and passwords, 21 CFR Part 11 establishes the following requirements in 11.200 (a) and 11.300:
- Four-eyes principle: The electronic signature must be administered and executed in such a way that any attempted use of someone else's electronic signature requires the collaboration of two or more individuals.
- Unique combinations: No two individuals may have the same combination of identification code and password (11.300(a)).
- Updating: Identification codes and passwords must be periodically checked, recalled or revised, e.g. to handle password aging (11.300(b)).
- Loss management: In the event that cards, tokens or other devices bearing identification codes or passwords are lost, stolen or otherwise potentially compromised, there must be a procedure for electronically deauthorizing them and issuing replacements under suitably rigorous controls (11.300(c)).
- Security measures: Transaction safeguards must prevent unauthorized use of passwords and identification codes and must detect any attempts at such use and report them in an immediate and urgent manner to the security unit and, as appropriate, to management (11.300(d)).
- Testing: Input/output devices, including cards that bear or read authorization information, must be tested initially and periodically to ensure that they are working correctly and have not been altered in an unauthorized manner (11.300(e)).
Frequently asked questions regarding 21 CFR Part 11
Are there any solutions that guarantee compliance with 21 CFR Part 11?
The simple answer is no. This is because 21 CFR Part 11 doesn't just establish technical requirements; it also establishes organizational measures. And you can't buy those.
However, manufacturers such as our sister company Medsoto have designed their products so that the technical requirements for creating (technical) documentation are met.
You can also read which healthcare compliance rules you must comply with.
Do you have to comply with 21 CFR Part 11 if you print everything out and then sign it?
The answer (in most cases) is no. However, there are exceptions, such as the example of test documentation we described above.
Do I have to do without paper?
The FDA (increasingly) requires you to submit your documents electronically. However, you could also scan and submit printouts. This would allow you to ignore Part 11, apart from the exception described above.
Do I also have to document the signature in the audit trail?
Yes, you do: the signing event (who signed which record, when and with what meaning) is an action on the record and belongs in the audit trail. But please note that the FDA has relaxed its expectations of the audit trail slightly, as described in the guidance mentioned above. The protests were too big.
How can the electronic signature be linked to a document?
A first option would be to scan a handwritten signature, insert the image into the document and print it as a PDF. But that wouldn't meet the requirements of Part 11.70: anyone could take a screenshot of the graphic and paste it into another document, so the “signature” is not bound to the record it supposedly signs.
What is actually done is to compute a cryptographic hash (digest) of the document and sign that hash with the signer's private key (in the classic description, the hash is “encrypted” with the private key). The result is the digital signature. Anyone with the signer's public key can recompute the hash of the document and check it against the signed value, so the signature is valid for that one document only. The signature manifestation (name, date and time, meaning) should be covered by the signed data as well, otherwise it could be altered after the fact.
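To make the last two paragraphs concrete, here is an added example in Go; it is not code from the original article nor from any PDF or DMS product. It uses Ed25519 from the Go standard library in place of the RSA-style “encrypt the hash with the private key” wording above; the mechanics are the same: hash the record, sign the hash together with the signature manifestation (name, time, meaning), and verify the result against the record. The signer names and report contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// now is the computer-generated clock used for the signature timestamp.
var now = func() time.Time { return time.Now().UTC() }

// Signature carries the manifestation that 11.50 requires (name, date/time,
// meaning) plus the cryptographic binding to exactly one record (11.70).
type Signature struct {
	Signer     string
	SignedAt   time.Time
	Meaning    string // e.g. "author", "review", "approval"
	RecordHash string // hex SHA-256 of the record bytes
	Sig        []byte // Ed25519 signature over signedPayload
}

// GenerateKeyPair creates the signer's key pair. In practice the private key
// lives on a token or in the signer's protected profile, never in the DMS.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedPayload is what the private key actually signs: the record hash and
// every manifestation field, length-prefixed so fields cannot bleed into each
// other. Changing any one of them invalidates the signature.
func signedPayload(s Signature) []byte {
	var out []byte
	for _, f := range []string{s.Signer, s.SignedAt.Format(time.RFC3339Nano), s.Meaning, s.RecordHash} {
		out = append(out, fmt.Sprintf("%d:%s;", len(f), f)...)
	}
	return out
}

func hashRecord(record []byte) string {
	h := sha256.Sum256(record)
	return hex.EncodeToString(h[:])
}

// Sign hashes the record and signs the hash together with the manifestation.
func Sign(priv ed25519.PrivateKey, signer, meaning string, record []byte) Signature {
	s := Signature{Signer: signer, SignedAt: now(), Meaning: meaning, RecordHash: hashRecord(record)}
	s.Sig = ed25519.Sign(priv, signedPayload(s))
	return s
}

// VerifySignature checks that s belongs to this record and is unaltered.
func VerifySignature(pub ed25519.PublicKey, s Signature, record []byte) error {
	if hashRecord(record) != s.RecordHash {
		return errors.New("signature belongs to a different record")
	}
	if !ed25519.Verify(pub, signedPayload(s), s.Sig) {
		return errors.New("signature invalid: signer, time, meaning or binding altered")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	report := []byte("TR-0042 rev A: all 37 test cases passed") // constructed
	other := []byte("TR-0043 rev A: 2 of 37 test cases failed") // constructed
	sig := Sign(priv, "Jane Doe", "review", report)
	fmt.Println("original record:", VerifySignature(pub, sig, report))
	fmt.Println("copied to another record:", VerifySignature(pub, sig, other))
	sig.Meaning = "approval" // a review signature "upgraded" to an approval
	fmt.Println("meaning changed:", VerifySignature(pub, sig, report))
}
```

The transplant check is the point: the same signature verifies against the record it was created for and fails against any other, which is exactly the property a pasted signature image lacks. Note what the example does not do: it does not manage keys, does not check that the signer's key is still authorized, and does not provide a trusted timestamp. In a PDF-based workflow those come from the signing infrastructure (certificate validation, a timestamp authority), not from the signature bytes alone.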
Practical implementation of 21 CFR Part 11
Most companies base their digital signatures on either a (document management) system or the digital signing of PDF documents.
We will take a closer look at both options. You can find some quick introductory tips in this article on PDF-based electronic signatures.