21 CFR Part 11 is a section in the Code of Federal Regulations (CFR) that details the United States Food and Drug Administration’s (FDA) guidelines on using electronic records and electronic signatures for pharmaceuticals and medical devices. Issued in 1997, the final rule was followed by several guidance papers and a final guidance was published in 2007.
All companies that plan to sell products in the US must ensure that their studies comply with this regulation to ensure the validity of digitized records and signatures to help ensure that trial results are reliable. For trial sponsors and CROs success depends on fully understanding the requirements, challenges, and importance of 21 CFR Part 11.
Why is 21 CFR Part 11 Important?
21 CFR Part 11 provides a way for sponsors and CROs to manage study records and content electronically. In return, it requires that they implement controls around the various systems that are involved in processing electronic data for studies, ultimately leading to sound records to support trial results. Since public health and safety can be impacted directly by new therapies, regulatory bodies take these controls very seriously.
- 21 CFR Part 11 establishes the standard criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper
- It is meant to ensure the authenticity, integrity, and confidentiality of electronic records
- These rules and regulations help to ensure robust and reliable study data that will stand up to the scrutiny of regulation and help to ensure future patient safety and effective medicines
Industry benefits of the standard include:
- Assured protection and retrieval of electronic records
- Improved study efficiency and consistency through digitization
- Minimized handling of paper in the study process
- Facilitation of electronic submissions to the FDA
Which Records are in Scope for 21 CFR Part 11?
The FDA has documented what is in scope for 21 CFR Part 11 for electronic records:
- Generated as part of Current Good Manufacturing Practice (cGMP) for human and animal drugs and biologics
- Maintained as part of the statutory requirements for submitting information to the FDA in an electronic format, even if they have not been specifically identified in the regulations
- Maintained or submitted as part of predicate rules
Making a 21 CFR Part 11 Compliance Plan
But how do you set up your electronic systems for 21 CFR Part 11 compliance? There are many aspects of 21 CFR Part 11 including record and data security and protection, ensuring authenticity of data and records, and creating audit trails for traceability. Achieving 21 CFR Part 11 compliance is complex, but here are some basic requirements that must be addressed in your plan.
Each electronic signature should:
- Be unique to one individual
- Employ at least two distinct identification components such as an identification code and password if not based on biometrics
- Use at least one electronic signature component that is only executable by the individual (e.g. password) if used within the same session
- Use a unique identification code and password combination
- Be periodically revised
- Ensure lost or stolen tokens can be de-authorized and replaced with new tokens
- Have safeguards to prevent unauthorized use of passwords and identification codes
Electronic records should:
- Limit system access to authorized individuals
- Be held on validated systems to ensure accuracy, reliability, and the ability to discern invalid or altered records
- Have copies that are suitable for inspection in both human readable and electronic form
- Be readily retrievable throughout the records retention period
- Use secure, computer-generated, time-stamped audit trails
In planning for 21 CFR Part 11 compliance, it is advisable to create a matrix of requirements and document how each is addressed within your system. This process will highlight gaps that need to be addressed, from which you can generate an action plan.
What Are the Key Challenges to 21 CFR Part 11 Compliance?
The regulation is complex and considering the pace of technological development that constantly happens in clinical systems and processes, is often open to interpretation in terms of how to comply. The history of the regulation itself echoes this constant change. In the years immediately after the final rule was published in 1997, there was some uncertainty in the industry about how to interpret the rule, what was in scope, and how to implement the requirements.
In 2003, the FDA revoked CPG 7153.17 Enforcement Policy, withdrew five Part 11 guidance documents, then published a new 21 CFR Part 11 Guidance Document. Reasons given for issuing new guidance included that industry interpretation of the regulation was resulting in restricted use of electronic technology in order to avoid compliance issues.
The FDA has stated that a re-examination of the regulation is underway and a new version forthcoming – but as of early 2020, the industry is still . Sponsors and CROs are challenged with making their best determination in many areas. This is yet another reason why being fully informed about the regulation and being able to demonstrate that your compliance plan has evaluated and addressed all requirements is so important.
Conclusion - Understand the Cost of Not Complying
Remember, all organizations producing electronic records that fall within the scope outlined above must meet 21 CFR Part 11 compliance regulations.
- During their inspections, the FDA regularly scrutinizes whether companies understand and are compliant to requirements
- If compliance issues are found during an inspection, the FDA may issue an FDA-483 observation or a
- Failure to comply can result in
21 CFR Part 11 is an important regulation with costly consequences if breached, therefore it is key to understand your responsibilities as a sponsor or CRO in upholding the regulation. Taking a structured approach to evaluating system compliance and addressing any gaps is essential.
Software technology and services can help - an investment in 21 CFR Part 11 compliant systems, like Longboat, is an investment in future success.
Look for Part 2 where we will dive deeper into other parts of 21 CFR and discuss the part they play in the overall compliance picture.