21 CFR Part 11 ensures that electronic records and electronic signatures are treated the same as paper records and handwritten signatures.
21 CFR Part 11 is divided into three sub-parts:
The General Provisions section discusses the scope of the regulations, when and how they should be implemented, and defines some of the key terms used in the regulations.
The Electronic Records section sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
The Electronic Signatures section is split into three parts: general requirements for electronic signatures, electronic signature components and controls, and controls for identification codes/passwords.
The three subparts and their sections are outlined below:
SUBPART A - GENERAL PROVISIONS
Sec. 11.1 Scope
Sec. 11.2 Implementation
Sec. 11.3 Definitions
SUBPART B - ELECTRONIC RECORDS
Sec. 11.10 Controls for closed systems
Sec. 11.30 Controls for open systems
Sec. 11.50 Signature Manifestations
Sec. 11.70 Signature record/linking
SUBPART C - ELECTRONIC SIGNATURES
Sec. 11.100 General Requirements
Sec. 11.200 Electronic signature components and controls
Sec. 11.300 Controls for identification codes/passwords
7 Tips to Comply with 21 CFR Part 11
1. DETERMINE WHETHER 21 CFR PART 11 APPLIES TO YOUR COMPANY
Many companies upload documents to a shared file or some place accessible on a server, yet say that their "master records" are paper-based. Whenever a document is uploaded to a server, the company is subject to 21 CFR Part 11.
2. FOLLOW 21 CFR PART 11 DATA SECURITY AND PASSWORD PROTECTION BEST PRACTICES
Data security is a big aspect of Part 11. All users with access need the right roles and permissions. When it comes to digital security, passwords are a major component. How will you access the system? Security is the most important concern under 21 CFR Part 11, because you must be sure that the right people have the right permissions.
3. ESTABLISH CLEAR AUDIT TRAILS FOR TRACEABILITY
The audit trail must be clear enough to show which user made a given change to your records, on what date, and at what time. What dates were records created, modified, deleted, or obsoleted?
4. FOLLOW 21 CFR PART 11 GUIDELINES ON ELECTRONIC SIGNATURES
Reviewing and approving information in accordance with 21 CFR Part 11 can be accomplished in several ways:
Signers are assigned unique usernames and passwords when using electronic signatures. Department usernames should not be generic. A username should be linked to a single individual, not to a group. It is expected that you will notify the FDA if you intend to use electronic signatures.
5. DO NOT OUTSOURCE RESPONSIBILITY: YOU'RE IN CHARGE OF YOUR 21 CFR PART 11 COMPLIANCE
The medical device company is ALWAYS responsible for Part 11 compliance. You cannot absolve your company of responsibility if a software company says they've taken care of it all.
6. VALIDATE FOR IQ, OQ, and PQ
IQ, OQ, and PQ stand for installation qualification, operational qualification, and performance qualification. Originally, the acronyms referred to equipment since the regulation was written 20 years ago. This is how you can think about IQ, OQ, and PQ in software terms.
7. CONSIDER 21 CFR PART 11 COMPLIANCE WHEN CHOOSING A QMS SOLUTION
Throughout the project life cycle, you will need to ensure that you're handling electronic documents and signatures correctly. Compliance with 21 CFR Part 11 will be determined by the QMS you choose.