21 CFR Part 11 Compliance

Title 21 CFR Part 11 is the regulation that governs the way drug makers, medical device manufacturers, biotech companies, biologics developers, contract research organizations (CROs), and other FDA-regulated organizations are allowed to use electronic records. It also regulates how electronic signatures (e-signatures) can be used in the place of, or in addition to, paper records. 

21 CFR Part 11 compliance applies to all aspects of the research, clinical study, maintenance, manufacturing, and distribution of medical products. It sets forth the criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.”

What is 21 CFR Part 11?

21 CFR Part 11 compliance requires organizations to follow the rules that govern the retention, submission, integrity, and confidentiality of digital records used by the life sciences organizations noted above. The regulation is broken into three subparts.

Subpart A—General Provisions
The General Provisions set forth in 21 CFR Part 11, Subpart A, explain that the purpose of the regulation is to ensure that electronic signatures and records can be trusted in the same way as traditional paper and ink. It also explains how and when electronic signatures and records can be used for regulated records that are and are not submitted to the FDA.

21 CFR Part 11 Subpart A also defines key terms, including digital signature, electronic record, and electronic signature.

According to the FDA:

• "Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”
• "Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
• "Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

Subpart B—Electronic Records
21 CFR Part 11 Subpart B details the procedures and controls that must be documented and followed by organizations that use electronic records. The goal is to ensure the authenticity, integrity, and confidentiality of electronic records.

Controls for open and closed systems are specified in 21 CFR Part 11 Subpart B.

For closed systems, controls cover security management requirements, including those governing access and user authorization, workflows, audit trails, checks to verify the integrity of both data and e-signatures, and the validation of the closed system. It also requires that policies be in place for the accountability of system operations and the maintenance of security measures.

In addition, 21 CFR Part 11 Subpart B stipulates requirements related to signatures. When any electronic record is signed, it must include the following:

• Printed name of signer
• Date and time of signature
• The meaning associated with the signature (e.g., review, approval, responsibility, or authorship)

Subpart C—Electronic Signatures
21 CFR Part 11 Subpart C states that electronic signatures must be unique to individuals and may not be reused by, or reassigned. Because they are to be used by individuals only, teams cannot have e-signatures. Before using e-signatures, organizations must verify the identities of individuals who will use e-signatures and submit a certification of this with a handwritten signature, in paper form, to the FDA. 

To comply with 21 CFR Part 11 Subpart C, electronic signatures must be protected with either biometrics or a user ID and password combination. Strict rules must be followed to meet 21 CFR Part 11 compliance requirements for user ID and password protections.

Each combination of user ID and password must be unique and updated regularly. Compromised credentials (i.e., lost, stolen) must be deauthorized and replacements issued according to documented security protocols. Safeguards must be in place to prevent unauthorized use of credentials as well as to detect and report security breaches. 

Background and Context

21 CFR Part 11 was issued in March 1997 to provide criteria for the acceptable use of electronic records and electronic signatures. The FDA understood that new technologies had become so pervasive that the use of electronic records and signatures would inevitably become universal.

Why It’s Important

21 CFR Part 11 provides an FDA-approved set of rules for using electronic signatures and records. Using various controls and systems, organizations can take advantage of technology's productivity and operation benefits. 21 CFR Part 11 compliance helps to protect the integrity of data throughout the life sciences industry, which, ultimately, ensures the safety of products. 

Steps to 21 CFR Part 11 Compliance

21 CFR Part 11 specifies the steps that must be taken to meet compliance requirements:

• Validation
• Records availability
• Storage and retention
• Limits on system access
• Audit trails
• Workflows
• Authority checks
• Device checks
• Qualifications of personnel
• Accountability
• Controls over systems documentation

In addition, 21 CFR Part 11 compliance requires organizations to be sure that they:

• Maintain security and user access controls
• Comply with electronic signature requirements
• Use digital signatures and encryption to protect data

Who Must Comply?

Any company operating in life sciences industries that choose to use electronic signatures and maintain records or manage regulatory submissions in an electronic format is subject to 21 CFR Part 11 compliance. This includes drug makers, medical device manufacturers, biotech companies, biologics developers, contract research organizations (CROs), and other FDA-regulated organizations.

21 CFR 11 compliance requirements must be met when the following information is sent or stored electronically.

• Documents specifying product or raw material are sent electronically.
• Documents specifying product or raw material are stored electronically, and no paper copy exists.
• Documents specifying product or raw material are stored electronically, and a paper copy exists, but the electronic copy is the one used in practice.
• Data which will later be used to generate a Quality Record is stored electronically.
• Data which will later be used to make Quality related decisions is stored electronically.
• Any data or records sent electronically to the FDA.

Tips for Ensuring Compliance

Three key areas for consideration for 21 CFR Part 11 compliance are related to user IDs and passwords, electronic records, and electronic signatures. There are many rules to follow, but below are a few of the important ones.

21 CFR Part 11 compliance tips for user IDs and passwords

• No two individuals can have the same user ID or password.
• Passwords should be periodically updated.
• Procedures should be in place to manage the deauthorization and replacement of lost, stolen, or missing passwords.

21 CFR Part 11 compliance tips for electronic records

• Validate systems to ensure electronic records’ accuracy and to identify unauthorized access and changes.
• Be able to generate accurate and complete copies of records.
• Protect records to enable their accurate and easy retrieval throughout the record retention period.
• Follow the principle of least privilege for system access.
• Establish minimum qualifications for personnel who develop, maintain, or use electronic record and electronic signature systems.
• Control the distribution of, access to, and use of documentation for system operation and maintenance.
• Maintain an audit trail.

21 CFR Part 11 compliance tips for electronic signatures

• Create a unique electronic signature for each individual.
• Ensure that electronic signatures are not reused or reassigned.
• Verify the identity of the individuals before issuing an electronic signature.
• Implement safeguards to prevent unauthorized use of user IDs and passwords.
• Report any attempts at unauthorized use of user IDs and passwords.
• Consider basing electronic signatures on biometrics.

What to Look for in a Compliance Solution

Successful compliance programs require focus, consistency, and a methodical implementation process. Before looking for a solution, consider these questions:

• What are the objectives?
• What are the flaws with existing solutions and processes?
• What should be improved?

When evaluating compliance solutions, these standards apply:

• Supports corporate tracking
• Centralized document management
• Provides robust reporting  
• Uses a consistent assessment standard for all systems 
• Tracks and documents all remediation actions 
• Allows for post-remediation assessment of efficacy

More Benefits of 21 CFR Part 11 Compliance

While most larger organizations have solutions in place for 21 CFR Part 11 compliance, many smaller ones have yet to comply. It is an expensive and complex undertaking, but one that must be addressed as the penalties for noncompliance can be significant. Monetary penalties can be up to $10,000, or, if the issue is not remediated within the notice period, $10,000 per day of continuing noncompliance. 

The upside to 21 CFR Part 11 compliance is that the required systems and processes result in better process control, improved information transfer between related organizations, enhanced data integrity, and fewer data-related errors along with faster data analysis, capturing, and filtering.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 3rd October, 2021

Get started with Egnyte.

Request Demo