21 CFR Part 11 : A Guide for Compliance with Electronic Signatures

In the regulated world of medical devices, document control is key. One aspect of document control is controlling the signatures on those documents and controlling records. These days, documentation has moved from paper to the digital world, and so have the signatures on those documents and records. In this article we zoom in on one of the most commonly applied pieces of legislation for electronic signatures and records: 21 CFR Part 11. Even though 21 CFR Part 11 is under the control of the Food and Drug Administration (FDA), it is more widely used as a baseline set of requirements for electronic signatures and records.

What is 21 CFR Part 11?

Before diving into the content of this piece of legislation, let's first decipher the name 21 CFR Part 11:

  • 21 is short for "Title 21". This refers to the section of the CFR which applies to food and drugs. The CFR contains 50 titles.

  • CFR is short for "Code of Federal Regulations". This is a set of laws published by the federal government of the United States. Title 21 of the CFR is subdivided into 3 chapters:

    • Chapter I is mainly based on the Food, Drug and Cosmetic Act from 1938

    • Chapter II is focused on the Drug Enforcement Administration

    • Chapter III is focused on Drug Control

  • Part 11 is part of Chapter I, more specifically of subchapter A of Chapter I. The scope of Part 11 is specific to electronic records and electronic signatures, including electronic submissions to FDA.

The structure of 21 CFR Part 11 itself is organized into several key sections, each addressing specific aspects of electronic recordkeeping and signature requirements. Here is an overview of the main components:

  1. Subpart A - General Provisions: This section provides the general scope and purpose of Part 11, defining terms and introducing the overarching principles of electronic records and signatures.

  2. Subpart B - Electronic Records: This section details the requirements for electronic records, covering areas such as system validation, audit trails, and record retention. It outlines the criteria for ensuring the accuracy, integrity, and reliability of electronic records.

  3. Subpart C - Electronic Signatures: This part addresses the use of electronic signatures, specifying the conditions under which electronic signatures are considered equivalent to traditional handwritten signatures. It includes requirements for authentication, biometric controls, and the use of unique identifiers.

Who needs to be compliant with 21 CFR Part 11?

21 CFR Part 11, issued by the U.S. Food and Drug Administration (FDA), sets forth regulations for electronic records and electronic signatures to ensure the integrity, confidentiality, and authenticity of electronic data in industries subject to FDA oversight. Primarily applicable to pharmaceutical, biotechnology, and medical device companies, compliance with 21 CFR Part 11 is crucial for entities engaged in the creation, modification, maintenance, retrieval, or transmission of electronic records and signatures. This regulation extends to organizations involved in clinical trials, manufacturing, distribution, and other activities falling within the FDA's regulatory purview.

21 CFR Part 11: Subpart A - General Provisions

§11.1 Scope: This paragraph defines the scope of Part 11. It basically says that the purpose of Part 11 is to ensure electronic records and electronic signatures can be trusted as much as paper records and ink signatures. It explains that all electronic records that are used for regulated purposes are subject to Part 11. One important note is that paper records that are transmitted through electronic means (e.g. an email attachment) are not within the scope of Part 11. Furthermore, this paragraph describes that organizations need to prove that their electronic signatures and records comply with Part 11 in order to be accepted by FDA. This proof needs to be readily available for inspection. Note that such proof often consists of the validation of the software used to generate the signatures and records.

§11.2 Implementation: This paragraph makes a distinction between regulated records that are submitted to FDA and regulated records that are not submitted to FDA. When records are submitted to FDA, there needs to be proof they comply with Part 11 AND FDA needs to be able to accept the types of records electronically. In case of doubt, the specific agency can be consulted. For those regulated records that are not submitted to FDA, proof of compliance with Part 11 needs to exist.

§11.3 Definitions: This is a list of the definitions used in the rest of Part 11.

21 CFR Part 11: Subpart B - Electronic Records

§11.10 Controls for Closed Systems

A Closed System means: an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

An organization using a closed system needs to have procedures in place to ensure control over the electronic records. This means that there need to be controls established that safeguard the authenticity, integrity, confidentiality and irrefutability of those records. These procedures and controls need to cover:

  • Validation: you need to prove the system(s) used and the data that is generated by it can be trusted

  • Rendering records: records need to be accessible in a format that is readable by humans

  • Storage and Retention: it needs to be ensured that records remain readable and available throughout the retention period

  • System Access: it needs to be ensured that only the right people have access to each computer system

  • Audit trails: the complete history of the record needs to be captured by the system and needs to be accessible by humans

  • Operational system checks: it needs to be ensured that workflows function correctly

  • Authority Checks: only the right people should have access and rights to create, change or sign a record

  • Device Checks: the organization needs to ensure that equipment used is working properly

  • Personnel Qualifications: People who develop, maintain or use electronic records/signatures systems need to have proper training or experience to do so

  • Accountability: Policies need to exist that hold people accountable for their actions related to the use/misuse of electronic records

  • Document Control: Controls need to be established to ensure the proper distribution, access and use of the documentation for system operation and maintenance. Change control procedures need to exist related to the electronic records and the systems used.
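The audit-trail bullet above asks for a secure, computer-generated, time-stamped history of each record that does not obscure earlier values. The following is an added example, not code from the article or from any particular product, showing one way a closed system can keep such a trail: entries are appended to a hash chain, so that a later edit, deletion or reordering of any entry is detectable and the full history of a record stays readable by a human reviewer. The field names, the sample entries and the `AuditTrail` class are assumptions made for this illustration.

```python
import hashlib
import json


class AuditTrail:
    """Append-only, time-stamped audit trail kept as a hash chain (constructed example)."""

    GENESIS = "0" * 64   # prev_hash carried by the first entry

    def __init__(self):
        # Exposed as a plain list so the tamper check below can be demonstrated;
        # a real system stores this where application users cannot edit it directly.
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the entry's own hash, in a canonical key order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, at, user_id, action, record_id, old_value, new_value):
        """Append one entry. The previous value is kept alongside the new one, never overwritten."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "at": at, "user_id": user_id,
                 "action": action, "record_id": record_id,
                 "old_value": old_value, "new_value": new_value, "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return None if the chain is intact, otherwise the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or self._digest(entry) != entry["entry_hash"]):
                return i
            prev = entry["entry_hash"]
        return None

    def history(self, record_id):
        """Human-readable change history of one record, oldest first."""
        return [f"{e['at']} {e['user_id']} {e['action']} {e['record_id']}: "
                f"{e['old_value']!r} -> {e['new_value']!r}"
                for e in self.entries if e["record_id"] == record_id]
```

Each entry commits to the hash of the entry before it, so `verify()` can be run at any time (for example before an inspection) to show the trail has not been altered since it was generated; the chain head can additionally be written to a separate, independently controlled location to detect wholesale replacement of the trail.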

§11.30 Controls for Open Systems

An Open System means: an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

For organizations using an open system, all requirements for closed systems apply. In addition, other measures such as document encryption and the use of appropriate digital signature standards should be implemented as necessary to ensure authenticity, integrity and confidentiality.

§11.50 Signature Manifestations

Whenever an electronic record is signed, the following needs to be visible and human readable:

  • Printed name of signer

  • Date and time of signature

  • Meaning of signature (e.g. review, approval, ...)

§11.70 Signature/Record Linking

Electronic signatures and handwritten signatures need to be linked with their electronic record forever. They cannot be removed, erased, covered over, transferred, copied, ...
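§11.50 and §11.70 together require that the signer's printed name, the date and time, and the meaning of the signature are shown in human-readable form, and that the signature is bound to its record so it cannot be moved to another record or survive a change of the record. The following added example (not code from the article or from any product) shows the mechanism: the manifestation fields are bound to a digest of the record content with a keyed MAC held by the system. The key, the field names and the helper functions are assumptions made for this illustration; in an open system the same binding would be made with a digital signature under a recognised standard rather than a MAC.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A real closed system keeps this in an HSM or key
# management service; it is hard-coded here only so the example runs offline.
SYSTEM_KEY = b"constructed-demo-key-not-for-production"


def record_digest(content: bytes) -> str:
    """Content hash that identifies exactly which record version was signed."""
    return hashlib.sha256(content).hexdigest()


def _canonical(fields: dict) -> bytes:
    # Deterministic encoding, so the same fields always give the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_record(content: bytes, printed_name: str, meaning: str, signed_at: str = None) -> dict:
    """Build the §11.50 manifestation and link it to the record (§11.70)."""
    manifestation = {
        "printed_name": printed_name,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "meaning": meaning,
        "record_sha256": record_digest(content),
    }
    manifestation["binding"] = hmac.new(SYSTEM_KEY, _canonical(manifestation),
                                        hashlib.sha256).hexdigest()
    return manifestation


def verify_signature(content: bytes, manifestation: dict) -> bool:
    """True only if the manifestation is unaltered and belongs to this exact record content."""
    claimed = dict(manifestation)
    binding = claimed.pop("binding", None)
    if binding is None or claimed.get("record_sha256") != record_digest(content):
        return False
    expected = hmac.new(SYSTEM_KEY, _canonical(claimed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, binding)


def render_manifestation(manifestation: dict) -> str:
    """The human-readable form shown whenever the signed record is displayed or printed."""
    return (f"Signed by: {manifestation['printed_name']}\n"
            f"Date/time: {manifestation['signed_at']}\n"
            f"Meaning:   {manifestation['meaning']}")
```

Because the record digest is inside the signed fields, editing the record, copying the manifestation onto a different record, or changing the stated meaning after the fact all cause `verify_signature` to return False, which is what "cannot be removed, transferred or copied" means in practice.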

21 CFR Part 11: Subpart C - Electronic Signatures

§11.100 General Requirements

There are a few general requirements for electronic signatures:

  • Unique: each person needs to have a unique electronic signature that cannot be reused or reassigned to someone else

  • Verification: before someone can use an electronic signature, his/her identity needs to be verified

  • Notify FDA: an organization needs to notify the FDA of its intention to use electronic signatures as legally binding. In case FDA requests additional proof, it should be provided

§11.200 Electronic Signature Components and Controls

Electronic signatures that are NOT based on biometrics need to be designed as follows:

  • There need to be at least two distinct identification components (e.g. id and password)

    • When signing multiple records or multiple times during one continuous period of access to the system, all identification components need to be provided the first time. Afterwards, one component is sufficient, provided that component is unique to the individual.

    • When a user logs out and back in between multiple signatures, all components need to be provided.

  • Electronic signatures can only be used by the genuine owners.

  • If someone's electronic signature is to be used by anyone other than its genuine owner, the system must require at least two people to work together to do so.

Electronic signatures based on biometrics should be designed to ensure they cannot be used by anyone but the genuine owner.

§11.300 Controls For Identification Codes/Passwords

Electronic signatures that are based on identification codes and passwords need to employ the following controls:

  • Unique combination: no two users can have the same combination of identification codes and passwords

  • Periodic check: Passwords must be checked, recalled or revised periodically

  • Loss Management: if a passcode token or device is lost, stolen, missing or otherwise potentially compromised, it has to be deauthorized following existing procedures

  • Safeguards: unauthorized attempts to use passwords/identification codes need to be detected and reported 

  • Testing of devices: passcode tokens or cards need to be tested before use and periodically tested to ensure they are working well.
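The session rules of §11.200 (both components at the first signing of a continuous access period, one private component afterwards, all components again after logout) and the credential controls of §11.300 (unique code/password combinations, periodic revision, deauthorization of compromised credentials, detection and reporting of unauthorized attempts) are easiest to see as one small state machine. The following is an added example written for this article, not code from the article itself or from any product, using only the Python standard library. The lockout threshold, the password age, the class and method names and the sample users are assumptions made for this illustration; Part 11 itself prescribes no specific numbers.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 3                 # assumed site policy; Part 11 sets no number
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed site policy; Part 11 sets no number


class ElectronicSignatureSystem:
    """Constructed model of credential, session and reporting controls."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._users = {}            # identification code -> credential record
        self._sessions = {}         # session token -> {"user_id", "signed_in_session"}
        self.signatures = []        # executed signatures
        self.security_reports = []  # §11.300(d): detected misuse, for the security unit

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user_id, password):
        # §11.300(a): identification codes are unique keys, so no two people can
        # hold the same code/password combination.
        if user_id in self._users:
            raise ValueError("identification code already assigned")
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                                "set_at": self._clock(), "failed": 0, "deauthorized": False}

    def deauthorize(self, user_id):
        """§11.300(c): withdraw a lost, stolen or compromised credential and end its sessions."""
        self._users[user_id]["deauthorized"] = True
        self._sessions = {t: s for t, s in self._sessions.items() if s["user_id"] != user_id}

    def _report(self, user_id, event):
        self.security_reports.append({"at": self._clock(), "user_id": user_id, "event": event})

    def _check_password(self, user_id, password):
        user = self._users.get(user_id)
        if user is None:
            self._report(user_id, "attempt with unknown identification code")
            return False
        if user["deauthorized"]:
            self._report(user_id, "attempt with deauthorized credential")
            return False
        if hmac.compare_digest(user["hash"], self._hash(password, user["salt"])):
            user["failed"] = 0
            return True
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            self.deauthorize(user_id)
            self._report(user_id, "repeated unauthorized attempts; credential deauthorized")
        return False

    def login(self, user_id, password):
        """Start one continuous period of controlled system access."""
        if not self._check_password(user_id, password):
            raise PermissionError("authentication failed")
        if self._clock() - self._users[user_id]["set_at"] > PASSWORD_MAX_AGE:
            raise PermissionError("password expired: periodic revision required (§11.300(b))")
        token = secrets.token_hex(16)
        self._sessions[token] = {"user_id": user_id, "signed_in_session": False}
        return token

    def logout(self, token):
        """After logout the next signing again needs all components (§11.200(a)(1)(ii))."""
        self._sessions.pop(token, None)

    def sign(self, token, record_id, meaning, password, user_id=None):
        """Execute one signature inside a session and return the signature entry."""
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no active session")
        if not session["signed_in_session"] and user_id != session["user_id"]:
            # First signing in the session: both components (§11.200(a)(1)(i)).
            raise PermissionError("first signing requires identification code and password")
        # Every signing re-enters the component that is private to the individual.
        if not self._check_password(session["user_id"], password):
            raise PermissionError("signature component rejected")
        session["signed_in_session"] = True
        entry = {"record_id": record_id, "user_id": session["user_id"],
                 "meaning": meaning, "at": self._clock()}
        self.signatures.append(entry)
        return entry
```

Two design points carry the regulatory weight: the password is re-entered on every signing (so a signature is never executed from an unattended session by whoever happens to be at the keyboard), and failed attempts are not just refused but written to `security_reports`, which in a real deployment would feed an alert to the security unit rather than a list.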

About the Author
Ann Vankrunkelsven
RA/QA Manager