What is FDA 21 CFR Part 11?
A specific focus of FDA 21 CFR is Part 11, which details regulations for the use of electronic records and electronic signatures. For many companies that rely on digital data for monitoring their goods, such as those within the pharmaceutical, food and healthcare sectors, ensuring 21 CFR Part 11 compliance is essential.
Learn more below about the FDA’s 21 CFR Part 11 requirements, as well as how to meet those standards.
With the advancement of technology in the 1980s and 1990s, many companies adopted digital recordkeeping. For almost all industries, the switch improved cost and time efficiency, as well as productivity. The downside, however, was these methods lacked the validity, reliability and authenticity of traditional pen-and-paper methods.
For the FDA, the loss of accuracy was problematic. It opened the opportunity for companies to provide falsified documents, hiding the mishandling of goods. That could then lead to an adverse effect on many consumers, such as patients receiving damaged, out-of-date vaccines or other medical treatments. That’s why, when the FDA established the guidelines of 21 CFR Part 11, it had three goals:
- Authenticate the validity of electronic records
- Confirm the authenticity of electronic signatures and records
- Validate the reliability of electronic records and signatures
To achieve these goals, 21 CFR Part 11 requires FDA-regulated companies that use digital records and signatures to implement, test and confirm their controls for ensuring the authenticity, reliability and validity of the software and systems processing their digital data.
What Are the Requirements for FDA 21 CFR Part 11 Compliance?
The most basic definition of 21 CFR Part 11 compliance is the submission of validation documents to the FDA. These materials contain a series of tests and reports to support the assessment that your systems and software are authentic, reliable and valid.
So, what are the complete requirements of 21 CFR Part 11? Proof of meeting the following statutes:
Section 11.10: Closed System Controls
Closed systems — which are defined by the FDA as environments with systems controlled by staff involved with the management of your electronic records — must feature several controls to maintain the integrity and authenticity of your data. Controls for closed systems include:
- Audit trails
- System validation
- Operational system checks
- Device checks
- Authority checks
- A security program
- Change-control procedures
Companies are also mandated to develop written policies for individuals supplying their digital signature. These agreements should place all accountability and responsibility on the signer to decrease the chance of fraudulent activity. The FDA also asks that your company ensures it can produce complete and accurate copies of your records for use.
Section 11.30: Open System Controls
Open systems — which are defined by the FDA as environments with systems controlled by a third party uninvolved with the management of your electronic records — must use a series of controls to guarantee the security and integrity of this information. Required controls include:
- Electronic-signature standards
- Audit trails
- Operational system checks
- System validation
- Device checks
- Authority checks
- Security program
- Change-control procedures
Like Section 11.10 of the 21 CFR Part 11 guidelines, companies with open systems must also create written policies that hold providers of electronic signatures responsible for their actions. It’s also noted in the statute that your facility generates complete and accurate electronic records for review and duplication.
Section 11.10(i): System Training
Without a skilled team, it’s difficult to ensure the validity, reliability and authenticity of a system. That’s why the FDA requires every staff member developing, maintaining or using your electronic record or signature system to receive the appropriate training for performing their day-to-day tasks.
Section 11.50: Electronic Signature Manifestations
Another 21 CFR Part 11 requirement for electronic signatures is that they include document-exclusive information. The date and time of signing, for example, must be included. The FDA also requires the signer’s printed name and an explanation for the signature’s meaning, such as approval, authorship, review or responsibility.
Section 11.70: Electronic Signature Linking
The risk of fraudulent documentation was a leading motivator for developing 21 CFR Part 11 guidelines. As a result, the regulations state that both handwritten and electronic signatures for digital documents must be linked to their respective record, thus preventing the copying of them to other files.
Section 11.100: General Electronic Signature Requirements
Due to the authenticity a signature lends to a document, validity must be confirmed. That’s why the FDA’s 21 CFR Part 11 compliance requirements include several basic standards for electronic signatures. For one, companies must verify the identity of an individual before allowing the use of that person’s signature.
Employees are also mandated to submit a certification to the FDA, confirming that their electronic signatures are the equivalent to handwritten ones. This confirmation also permits the FDA to request additional information or testimony from the signer.
Companies, meanwhile, must not reuse or reassign digital signatures. They are exclusive to the original provider.
Section 11.200: Electronic Signature Components and Controls
The FDA has established several controls for electronic signatures within its 21 CFR Part 11 guidelines. The purpose of these standards is to deter fraudulent activity, ensure signature validation and enhance the authenticity of signed documents.
A critical feature of electronic signature controls is the type of signature. Those that are biometrics-based must ensure that the digital sign-off is only usable by the original provider, while signatures without biometrics must meet several other standards.
Standards include the use of two identification components, like a password and identification code. In instances where employees are signing multiple documents in succession, they may provide their identification components once. Companies must also ensure that fraudulent attempts to access a signer’s signature require two parties.
Section 11.300: Controls for Identification Codes and Passwords
The following 21 CFR Part 11 requirements do not apply to organizations with biometrics-based signatures — only to companies with electronic signatures based on identification codes and passwords. Because these types of digital signatures are more vulnerable than biometric-based ones, the FDA requires the following:
- Unique combination of passwords and identification codes
- Routine inspection, revision or recall of identification codes and passwords
- Periodic testing of devices that use or generate electronic signature components
Companies must follow loss-management procedures for stolen, missing or compromised codes and passwords, as well as implement transaction safeguards to prevent, detect and report the unauthorized use of electronic signature components.
While the scope of 21 CFR Part 11 requirements is broad, understanding them is essential, as violation can result in substantial fines from the FDA. In fact, two years following the implementation of 21 CFR Part 11, the FDA fined Abbott Laboratories $100 million. And in 2002, Schering-Plough Corporation paid more than $500 million.
How to Meet FDA 21 CFR Part 11 Guidelines
Achieving 21 CFR Part 11 compliance is a multi-step process involving the following parties:
It’s critical to evaluate each of the above factors by themselves before monitoring their interactions with others, as you’ll be able to determine why or how issues are happening, plus deliver an appropriate change to your existing controls. Before you begin testing, follow these steps:
- Create your system validation plan: This phase is perhaps the most vital to your success. It serves as your foundation for meeting the compliance requirements of 21 CFR Part 11 by making you analyze every aspect of your project. Look at your resources, budget and deadline, as well as your verification activities and team roles to build a thorough and comprehensive system-validation plan.
- Identify your system requirements: The next step is to identify your systems, as well as the requirements they need to meet for 21 CFR Part 11. If you’re in the pharmaceutical industry, for example, you may consider your temperature data loggers and their software. Other processes to think about include training procedures, electronic-signature controls and security measures.
- Test your systems: With your system-validation plan developed and your system requirements outlined, you can begin the process of testing your systems and evaluating their responses. Before you start your analyses, ensure you’ve reviewed and shared your testing protocols with your team. If any test deviates from these rules, the results are void, which can cost your organization valuable time and resources.
- Compile your summary report: After assessing your company’s processes and their effect on the validity, authenticity and reliability of your digital-documentation processes, you can compose your summary report. This document is valuable to stakeholders and FDA inspectors. Ensure you and your team deliver a thorough summary that includes recommendations for improving your company’s existing controls.
- Modify your controls: While many organizations match the FDA’s 21 CFR Part 11 requirements, most search for ways to better their systems. Providing more comprehensive training, for example, is a common modification. If your team updates technical controls, such as your open or closed system, complete in-depth testing beforehand to prevent unwanted effects like downtime due to a coding error.
For many businesses, it’s a time-consuming and resource-draining process to achieve 21 CFR Part 11 compliance. That’s why many companies outsource the task to organizations that specialize in 21 CFR Part 11 compliance requirements. Doing so not only alleviates your company of responsibility but also ensures testing is completed by an unbiased third party.
How to Test for 21 CFR Part 11 Compliance
If you decide to do your assessment and testing in-house, there are 10 factors to focus on:
1. System Validation
Per 21 CFR Part 11 requirements, any system involved in the creation or modification of electronic records must undergo validation. Systems that deliver information to the FDA — or any other regulatory body — also require testing.
Systems that often undergo validation include:
- Software, such as that used for data management (e.g. OCEASOFT ThermoServer / ThermoClient suite)
- Mobile, cloud and web-based applications (e.g. OCEAView and CobaltView)
- Microsoft Excel
- Microsoft Access
Types of system-validation tests performed include:
- Functional Requirements Specification (FRS)
- System Design Specification (SDS)
- Test Protocols and Validation Summary Report (SR)
- Master/Project Specific Validation Plan (VP)
Every company’s approach to system validation is different. The critical factor is that you document your programs’ and applications’ operations, as well as demonstrate that they operate to your specifications and identify changes to electronic records.
2. System Accessibility
As one of the most critical 21 CFR Part 11 guidelines, system accessibility is also one of the easiest to meet and test. The goal of this FDA requirement is to ensure the integrity of your electronic data and confirm its reliability. Thus, there is a substantial focus on your electronic signature components and controls.
To assess your company’s system accessibility, evaluate the following factors:
- Physical and digital controls
- Authorization levels for users
- Two-tiered security measures, such as time-outs and passwords for program access
- User-specific passwords and identification numbers
- General passwords and identification numbers
After assessing these features, test them. Can unauthorized individuals access critical data via a public password? Are restricted areas of your facility without a security keypad? Do password-protected systems and programs time out after a designated period? Document your answers, and note where to make improvements.
3. System Operation
Another 21 CFR Part 11 requirement for closed and open systems is for operational system checks. The purpose of these evaluations is to ensure the authenticity and validity of your electronic records by requiring staff to follow a strict procedure for creating, signing, modifying, deleting and releasing a document.
During testing, you want to demonstrate the following:
- How your system prevents actions implemented in the incorrect order
- How your system permits actions completed in the correct order
As an example, you may have controls for preventing the premature release of batch orders, such as an electronic signature. You can test it by attempting to send the order out without a signature. Then, demonstrate its effectiveness by successfully sending the request with one.
4. Audit-Trail Confirmation
A significant component of 21 CFR Part 11 requirements is audit trails. The role of audit trails is that of the unbiased party, which is why the FDA requires confirmation of their implementation for 21 CFR Part 11 compliance. Audit trails provide information about the following:
- Creation, modification and deletion of electronic records
- Local date and time of actions
- Application or removal of electronic signatures
To meet the 21 CFR Part 11 requirements for audit trails, you must prove you’re unable to do the following:
- Modify audit trails
- Overwrite audit trails
You’ll also need to demonstrate that you keep audit trails for the life of their electronic record. Or, in other words, if you’re storing a digital file, you’re storing its audit trail. If you discover errors in your audit-trail processes, it is paramount you implement a fix as soon as possible, as an ineffective audit trail does significant damage to the validity, reliability and authenticity of your electronic records.
5. Record Generation
Record generation checks if your systems can produce complete and accurate digital documents and export them to a physical, printed format. It also confirms your audit trails. Test your record generation by completing the following:
- Verify that electronic records are retrievable
- Confirm that audit trails track modifications
- Validate printing and exportation of electronic records
While the FDA doesn’t cite a specific file format for exporting your electronic records, companies commonly convert their files to a PDF format. The advantage of a PDF format versus a text file is that you can ensure your data and formatting remains unaltered.
6. Record Modification
Another feature of 21 CFR Part 11 guidelines is the confirmation of a document-control system. The FDA requires that checks are in place for approving, revising and storing an electronic record. This requirement ties into system validation, accessibility and operation, as it includes controls for accessing documents.
In most cases, your system validation, accessibility and operation tests will confirm your use of a document-control system. As mentioned earlier, however, it’s essential to test each party that’s involved in the management of your electronic records.
Alongside a demonstration of your document-control system, include a copy of your system-specific or standard operating procedures (SOPs), which will show that your company maintains a document-control system and makes it available to all staff for reference.
7. Input Confirmation
In addition to documenting your company’s generation of valid and authentic digital records, you need to provide evidence that interactions with these electronic files are, in fact, legitimate. That means confirming that staff can see the effect of their keyboard, barcode reader or mouse on a document.
To test this 21 CFR Part 11 guideline, show how the devices used by team members input information into your company’s system. If your electronic records are receiving updates from an external device or system, such as a temperature data logger, you’ll want to confirm the input of that data as well.
While not required by the FDA, it’s recommended to create electronic records with limitations. A document solely for entering numeric data, for example, should have fields with limited ranges to prevent the accidental entry of inaccurate information. You can also use drop-down menus for non-numeric data.
8. Record Protection
It’s a straightforward process to meet the FDA’s 21 CFR Part 11 requirements for record protection. Your team’s mission is to demonstrate that your systems protect electronic records. It’s also essential for you to provide evidence that you store data for the appropriate amount of time, which varies by document type. Organizations tend to prove record protection by testing the following procedures:
- Data backup
- Data recovery
- Data archiving
- Disaster recovery
If you have a business continuity plan, check it during this step. Like audit trails, if you notice errors in your record-protection procedures, don’t wait to develop a plan for fixing them. Losing electronic records such as clinical research data, batch orders, manufacturing history and more can lead to extensive downtime and costs.
9. Authority Confirmation
This 21 CFR Part 11 compliance requirement is similar to system accessibility, except it focuses on authorization levels. With authority confirmation, you’re demonstrating the presence of those levels, as well as the privileges of specific user roles — which supports the validity and authenticity of your electronic records.
Provide evidence of your authority checks by demonstrating how different user levels can access, create, modify or delete electronic records. You should also show how unauthorized users are unable to complete some of these actions.
It’s advised that you have at least two user controls — a general and an administrator level. It’s not uncommon, however, for companies to maintain more. If you discover that your business could use more, note it in your summary report.
10. Training Validation
A critical compliance requirement for 21 CFR Part 11 is training. When you validate your company’s walkthroughs for handling electronic records, you’re confirming that your team carries the necessary skills, expertise and knowledge for their day-to-day interactions with these files.
For this standard, provide the FDA with a copy of your SOPs. Depending on the systems and devices your company uses, you can also include certifications demonstrating that your team underwent training for operating 21 CFR Part 11-compliant hardware.
Another technique many companies incorporate into their policies is issuing a training certification to employees. The signed certification acts as proof and confirmation that a staff member completed and succeeded in learning your organization’s operating procedures.
Following an in-depth examination of your system, as well as procedural and testing controls, your team will “certify” the validation of your company’s systems. If your controls require changes to meet the requirements of 21 CFR Part 11, make them before certification.
How 21 CFR Part 11 Guidelines Affect Data Logging
Many of the sectors affected by the 21 CFR Part 11 guidelines rely on data loggers. Pharmaceutical, food and healthcare organizations, for example, use temperature data loggers to monitor and ensure the viability of their products.
Due to the intense testing, resources and time required by 21 CFR Part 11, it’s critical for companies to have access to loggers that meet 21 CFR Part 11 compliance standards. Otherwise, your team is forced to commit more time and resources when validating your input sources, audit trails, system accessibility and more.
An example of a data logging solution designed to meet 21 CFR Part 11 requirements is the OCEASOFT Cobalt 2 and ThermoServer / ThermoClient software suite. While this versatile data logger tracks temperature, plus humidity, carbon dioxide, differential pressure and more, the ThermoServer / ThermoClient software suite allows data access, analyzing and reporting — and it’s been developed in accordance with 21 CFR Part 11 guidelines.
When you have a monitoring system approved for 21 CFR Part 11, you don’t have to worry about how the compliance requirements of 21 CFR Part 11 affect data logging. Your data-logger provider is already one step ahead, ensuring their products provide you with accurate, hassle-free information for your electronic records.
Learn More About 21 CFR Part 11 Guidelines and Compliant Data Loggers
OCEASOFT is an award-winning company that values innovation. Our wireless data-logging technology solutions provide industry leaders around the world a smart and reliable remedy for meeting the guidelines of not only 21 CFR Part 11, but also EN NF 12830, GxP, Installation Qualification (IQ), Operational Qualification (OQ), and more.