21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration (FDA) that establishes requirements for electronic records and electronic signatures in the context of FDA-regulated industries, including pharmaceuticals, biotechnology, medical devices, and food and beverage. The regulation is titled "Electronic Records; Electronic Signatures" and is intended to ensure the reliability, integrity, and authenticity of electronic records and signatures used in FDA-regulated activities.
2. 21 CFR Part 11 describes how organizations operating in the US can use electronic quality records & digital signatures in place of paper-based documentation & wet signatures, in such a way that complies with FDA regulations.
3. The CFR is organized as: Title > Chapter > Subchapter > Part > Subpart
21 CFR Part 11 establishes US FDA regulations on electronic records & electronic signatures, and defines the criteria under which they are considered trustworthy, reliable & equivalent to paper records.
Title 21 is divided into 3 chapters:
• Chapter 1-Food and Drug Administration
• Chapter 2-Drug Enforcement Administration
• Chapter 3-Office of National Drug Control Policy
4. 21 CFR PART 11
Specific to electronic records & electronic signatures, which includes electronic submissions to the FDA.
Falls under:
• Code of Federal Regulations: the coded (numbers & letters) set of laws published by the federal government of the US
• Title 21: the section of the CFR that applies to food & drugs
Divided into 3 subparts:
Subpart A-General Provisions
• 11.1-Scope
• 11.2-Implementation
• 11.3-Definitions
Subpart B-Electronic Records
• 11.10-Controls for Closed Systems
• 11.30-Controls for open systems
• 11.50-Signature manifestations
• 11.70-Signature/record linking
Subpart C-Electronic Signatures
• 11.100-General requirements
• 11.200-Electronic signature components & controls
• 11.300-Controls for identification codes/passwords
5. SUBPART A: GENERAL PROVISIONS
11.1 Scope:
• Electronic records are to be trustworthy, reliable & generally equivalent to paper records.
• Covers records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted.
• Electronic signatures are to be equivalent to handwritten signatures & other general signing.
• Electronic records may be used in place of paper records.
• Computer systems (including hardware & software), controls & attendant documentation maintained under this part shall be readily available for & subject to FDA inspection.
6. 11.2-Implementation:
• For records required to be maintained but not submitted to the agency … provided that the requirements of this part are met.
• For records submitted to the agency:
1. The requirements of this part are met
2. Documents to be submitted have been identified in public
11.3-Definitions:
1. Biometrics means a method of verifying an individual's identity based on measurements of the individual's physical features or repeatable actions, where those features and/or actions are both unique to that individual & measurable.
2. Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules & a set of parameters such that the identity of the signer & the integrity of the data can be verified.
3. Electronic record means any combination of text, graphics, data, pictorial in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
4. Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
7. SUBPART B-ELECTRONIC RECORDS
Discusses:
• Requirements for administration of closed & open electronic record keeping systems
• Signature manifestations
• Requirements for establishing a link between signature & records
Example of a closed system: an intranet. Build & test the system on an intranet that only the testers or developers responsible can access.
Example of an open system: a system that transmits data via the Internet.
Must have:
• A collection of technological & procedural controls to protect data within the system
• Controls to ensure that all records are authentic, incorruptible & confidential
8. Organizations using electronic records must establish & document procedures & controls.
Controls for closed systems:
• Validation
• Human readable records
• Protection of records
• Limiting system access
• Audit trails
• Operational system checks
• Authority checks
• Determination of persons & education
• Policies for signature
• System documents
Controls for open systems:
Additional measures that ensure authenticity, integrity & confidentiality (if necessary) of data:
• Document encryption
• Digital signature standards
9. Signature Manifestations
Must include:
• Printed name of signer
• Date & time of signature
• Purpose of the signature (Ex: review, approval etc.)
Each of these must be readable by display or printout.
Signature/record linking
Electronic signatures & handwritten signatures must be linked to their respective electronic records to ensure that signatures cannot be excised, copied, transferred or falsified.
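One way to implement the manifestation and signature/record linking requirements above, as an added example that is not part of the original slides: the manifestation fields are bound to a hash of the record under a per-signer key, so a signature moved to another record, or a record edited after signing, fails verification. HMAC-SHA256 stands in for a real digital signature scheme; the field names, function names and sample batch record are assumptions.

```python
import hashlib
import hmac
import json

# Manifestation fields the slide lists: printed name, date & time, purpose.
REQUIRED_FIELDS = ("printed_name", "signed_at", "meaning")

# Constructed sample data (not from the original slides).
SAMPLE_KEY = b"constructed-demo-key-for-jdoe"
SAMPLE_RECORD = {"batch": "B-0001", "step": "final QC", "result": "pass"}
SAMPLE_MANIFEST = {"printed_name": "Jane Doe",
                   "signed_at": "2024-01-15T10:30:00Z",
                   "meaning": "approval"}

def canonical(obj) -> bytes:
    """Stable byte encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()

def sign_record(record: dict, manifestation: dict, signer_key: bytes) -> dict:
    """Return a signature block bound to this exact record content."""
    missing = [f for f in REQUIRED_FIELDS if not manifestation.get(f)]
    if missing:
        raise ValueError(f"incomplete manifestation: {missing}")
    bound = {**manifestation, "record_sha256": record_digest(record)}
    tag = hmac.new(signer_key, canonical(bound), hashlib.sha256).hexdigest()
    return {**bound, "tag": tag}

def verify_signature(record: dict, signature: dict, signer_key: bytes) -> bool:
    """False if the record changed, or the signature was moved or edited."""
    bound = {k: v for k, v in signature.items() if k != "tag"}
    if bound.get("record_sha256") != record_digest(record):
        return False  # copied from another record, or record altered
    expected = hmac.new(signer_key, canonical(bound), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signature.get("tag", "")))

if __name__ == "__main__":
    sig = sign_record(SAMPLE_RECORD, SAMPLE_MANIFEST, SAMPLE_KEY)
    print(verify_signature(SAMPLE_RECORD, sig, SAMPLE_KEY))
    print(verify_signature({**SAMPLE_RECORD, "result": "fail"}, sig, SAMPLE_KEY))
```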
10. SUBPART C-ELECTRONIC SIGNATURES
Includes:
• General requirements
• Electronic signature components & controls
• Controls for identification codes/passwords
Organizations planning to use electronic signatures must inform the FDA in advance.
A person who will be using an electronic signature must:
• Have their identity confirmed &
• Use a unique signature that has never been & will never be used by another individual
11. 11.100-General Requirements:
UNIQUE
• Each electronic signature shall be unique to one individual & shall not be reused by or reassigned to anyone else.
VERIFY THE IDENTITY
• Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature or any element of such electronic signature, the organization shall verify the identity of the individual.
CERTIFY TO THE AGENCY
• The certification shall be submitted in paper form & signed with a traditional handwritten signature, to the Office of Regional Operations.
• Persons using electronic signatures shall, upon agency request, provide additional certification that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
12. 11.200-Electronic signature components:
1. Non-biometric
2. Biometric
Non-biometric
Electronic signatures that are not based upon biometrics shall:
• Employ at least two distinct identification components such as an identification code and password.
• When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
• Be used only by their genuine owners.
• Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Biometric
• Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
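The series-of-signings rule for non-biometric signatures, sketched as an added example that is not part of the original slides: the first signing in a continuous session needs both the identification code and the password, later signings need only the password, and ending the session resets the requirement. The `SigningSession` class, the PBKDF2 password storage and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account (not from the original slides).
SAMPLE_SALT = b"constructed-salt"
SAMPLE_USERS = {"jdoe": (SAMPLE_SALT, pw_hash("correct horse", SAMPLE_SALT))}

class SigningSession:
    """One continuous period of controlled system access."""

    def __init__(self, users: dict):
        self.users = users        # identification code -> (salt, password hash)
        self.active_user = None   # set once a full two-component signing succeeds

    def password_ok(self, user_id: str, password: str) -> bool:
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(pw_hash(password, salt), stored)

    def sign(self, password, user_id=None) -> bool:
        if self.active_user is None:
            # First signing: all components (identification code + password).
            if user_id is None or not self.password_ok(user_id, password):
                return False
            self.active_user = user_id
            return True
        # Later signings: the password alone, the component only the
        # individual can execute; a different identification code is refused.
        if user_id not in (None, self.active_user):
            return False
        return self.password_ok(self.active_user, password)

    def end(self) -> None:
        """Logout, lock or timeout breaks the continuous period."""
        self.active_user = None
```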
13. 11.300-Controls for identification codes/passwords:
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
• Uniqueness: Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
• Codes & passwords periodically checked: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
• Periodic testing of devices: Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.