In 21 CFR Part 11, the FDA establishes its requirements for electronic records and signatures, which also apply to medical device manufacturers.
A lot of companies print everything out on paper and then sign it by hand to circumvent the requirements of Part 11. Is this really necessary?
With Part 11 on “Electronic Records; Electronic Signatures”, the FDA has given a lot of companies sleepless nights (and consultants good business), particularly in the pharmaceuticals sector.
Sometimes the requirements were interpreted in such an over-the-top manner that the FDA felt compelled to publish the Guidance document: “Part 11, Electronic Records; Electronic Signatures — Scope and Application” to provide clarification. In the end, it saw its own objective, namely to use Part 11 to provide a basis for the replacement of paper documents by electronic information, being thwarted.
But what does 21 CFR Part 11 really require? And which documents are affected?
21 CFR Part 11 applies whenever information is to be electronically generated, amended, stored, transferred or accessed. This can involve very different types of information, such as:
The requirements (for IT systems) must be met if the documents generated, stored, transmitted or amended are used to demonstrate compliance with regulatory requirements, such as:
As a rule of thumb, you can say that systems are subject to 21 CFR Part 11 if the documents “managed” with the systems are
The FDA does not require some systems to be “Part 11 compliant”:
So 21 CFR Part 11 is only applicable if electronic records are replacing paper records.
There is a gray area when a system can produce a paper printout but relies on electronic recording to generate it. For example, manufacturers often automatically generate thousands of pages of test reports, print them out and sign them. In this case, you would have to justify the decision not to apply Part 11.
The FDA requires the IT systems discussed above to be validated and in this context also refers to the “General Principles of Software Validation” guidance document. This leads to the discussion as to whether this is just about validation or about the complete software life cycle. Read more on the subject of computer system validation here.
The requirements for open and closed systems are different. A system is closed when the system is under the control of persons who are responsible for the electronic records managed by this system. Otherwise it is an open system.
An example of a closed system would be a build and test system on the intranet that only the testers or developers responsible can access.
A system that transmits data via the Internet is also considered an open system.
21 CFR Part 11.10 defines the requirements for closed systems. The idea behind the requirements is that the people who work with these systems must ensure the authenticity, integrity and, if necessary, confidentiality of the data. For this reason, the following are obligatory:
21 CFR Part 11.30 places additional requirements on open systems. These include measures such as document encryption and the use of digital signature standards to ensure the authenticity, integrity and confidentiality of records.
The requirements of 21 CFR Part 11 regarding digital signatures will seem familiar to anyone who has dealt with this issue before, for example in the context of the German Signature Act:
When using identification codes (e.g. user name, initials or number) and passwords, 21 CFR Part 11 establishes the following requirements in 11.200 (a) and 11.300:
The simple answer is no. This is because 21 CFR Part 11 doesn’t just establish technical requirements; it also establishes organizational measures. And you can’t buy those.
However, manufacturers such as our sister company Medsoto have built their products in such a way that the technical requirements for creating (technical) documentation are met.
You can also read which healthcare compliance rules you must comply with.
The answer (in most cases) is no. However, there are exceptions, such as the example of test documentation we described above.
The FDA (increasingly) requires you to submit your documents electronically. However, you could also scan and submit printouts. This would allow you to ignore Part 11, except for the above exception.
Yes, you do. But please note that the FDA has relaxed the requirements for the audit trail slightly. The protests were too big.
A first option would be to scan a signature, insert it into the document and print it as a PDF. But that wouldn't meet the requirements of Part 11.70. You could export this graphic as a screenshot and insert it into another document.
In fact, a document check digit (hash code) is usually encrypted with the signer's private key. This encrypted hash value is the digital signature.
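The following added example (not code from the original article) shows why a hash-based signature is bound to one record while a pasted signature image is not: the signature verifies only against the exact bytes that were signed. It assumes textbook RSA without padding and a constructed, publicly known demo key so that it runs with the standard library alone; the function names and sample records are made up for illustration, and a production system would use a vetted library with a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Constructed demo key built from two publicly known Mersenne primes.
# It is NOT secret and NOT secure; it only keeps the example dependency-free.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)


def digest_int(record: bytes) -> int:
    """SHA-256 of the record as an integer (the 'hash code' in the text)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes) -> int:
    """Apply the private key to the record's hash (textbook RSA, no padding)."""
    return pow(digest_int(record), D, N)


def verify(record: bytes, signature: int) -> bool:
    """Recover the signed hash with the public key and compare it to the record."""
    return pow(signature, E, N) == digest_int(record)


def demo() -> dict:
    # Constructed sample records, not taken from any real system.
    approved = b"Test report TR-001: all 412 test cases passed. Approved."
    other = b"Test report TR-002: 3 test cases failed. Approved."
    sig = sign(approved)
    return {
        # The unmodified record verifies.
        "original": verify(approved, sig),
        # Changing a single digit after signing invalidates the signature.
        "edited": verify(approved.replace(b"412", b"411"), sig),
        # Copying the signature onto a different record fails as well.
        "transplanted": verify(other, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s} signature valid: {ok}")
```
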
Most companies base their digital signatures on either a (document management) system or the digital signing of PDF documents.
We will take a closer look at both options. You can find some quick introductory tips in this article on PDF-based electronic signatures.