21 CFR Part 11 overview

21 CFR Part 11 is a section of the 21st Code of Federal Regulations (CFR) which is embodied in a 38 page document (252Kb).

A brief summary of the document follows:

Electronic Records

Validation.
All computer-related systems must be validated.

Retention of records.
Electronic records must be retained (and be retrievable) for the same duration of time as applied to the equivalent paper records.

Security.
Access to electronic records must be restricted to authorized personnel only.

Audit Trails.
All operator entries that create, modify or delete an electronic record must be recorded in a secure, computer-generated audit trail identifying who did what and when they did it.

Electronic Signatures

Signature form.
Both biometric (e.g. fingerprint, retinal scan) and non-biometric (ID/Password entry) signatures are acceptable. Part 11 lists many specific requirements for ID code/password signatures.

Signature content.
The e-signature should contain the signer's printed name, significance of signature (e.g. approval, rejection etc) as well as the date and time of the signature execution.

Signature/Record Link.
The e-signature must be linked to the e-record to which it applies. This is to ensure that the e-signature cannot be fraudulently detached or transferred to other records.

Non repudiation of signatures.
A key requirement of digital signatures is that they cannot be repudiated by the signer.

Where does Part 11 Apply?

Part 11 applies to all computer systems that create, modify, maintain, archive or retrieve electronic records required by the FDA for inspection or submission under a predicate rule. Part 11 does not require that records be stored or submitted in electronic form. If a paper-based system is in place, Part 11 does not apply.

Where applicable, Part 11 affects all electronic records created or modified since the rule came into force on the 20th August 1997. There is no grandfathering of legacy systems.