What is 21 CFR Part 11?
21 CFR Part 11 is a section in the Code of Federal Regulations (CFR) that sets out the United States Food and Drug Administration’s (FDA) guidelines on using electronic records and electronic signatures.
Each title of the CFR addresses a different regulated area.
Title 21 relates to Pharmaceutical and Medical Devices, with “Part 11” applying specifically to electronic records and electronic signatures.
At a high level, Part 11 is a law that ensures that companies and organizations implement good business practices by defining the criteria under which electronic records and signatures are considered to be accurate, authentic, trustworthy, reliable, confidential, and equivalent to paper records and handwritten signatures on paper.
Part 11 therefore allows any paper records to be replaced by an electronic record, and allows any handwritten signature to be replaced by an electronic one.
In fact, 21 CFR Part 11 requires that manufacturers implement procedures and checks, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data.
Quote from the standard, FDA regulation 21 CFR 11.10(a):
“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
Computer systems used to create or transmit electronic records that meet regulatory requirements must have a collection of technological and procedural controls to protect data within the system.
Validation is required for computer systems or process control systems that are involved in the creation or transmission of such electronic records. This may include process control PCs, line control PLCs and HMIs, Excel spreadsheets, databases, etc.
The validation requirements for a computerised system which is used to create, store or transmit electronic records of the type referenced in 21 CFR Part 11 may include testing that demonstrates that the system is adequately protected against unauthorised changes (access control) and that the system can protect against or identify any changes made to a record.
Computer systems that control processes may, however, not be subject to the 21 CFR 11 regulations where paper documents are considered the authoritative document for regulatory purposes; these systems will still require validation.
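One way a validation test can show that a system identifies changes made to a record, as an added example (not Tekpak's code and not a method prescribed by the regulation): each audit-trail entry carries an HMAC that also covers the previous entry, so an edited, removed or reordered record breaks the chain. The key, field names and tray-packer readings are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of the first entry


def _mac(key: bytes, prev_mac: str, body: dict) -> str:
    # Canonical JSON so the same record always serialises to the same bytes.
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(trail: list, key: bytes, user: str, action: str,
                 value: float, timestamp: str) -> dict:
    """Append a record whose MAC also covers the previous entry's MAC."""
    body = {"seq": len(trail), "user": user, "action": action,
            "value": value, "timestamp": timestamp}
    prev_mac = trail[-1]["mac"] if trail else GENESIS
    entry = dict(body, mac=_mac(key, prev_mac, body))
    trail.append(entry)
    return entry


def verify_trail(trail: list, key: bytes):
    """Return the index of the first altered, missing or reordered entry, else None."""
    prev_mac = GENESIS
    for index, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != index:
            return index
        if not hmac.compare_digest(str(entry.get("mac", "")), _mac(key, prev_mac, body)):
            return index
        prev_mac = entry["mac"]
    return None


def build_sample_trail(key: bytes) -> list:
    # Constructed sample data: glue temperature readings from a tray packer.
    trail = []
    append_entry(trail, key, "operator1", "record_glue_temp", 176.5, "2024-01-15T08:00:00Z")
    append_entry(trail, key, "operator1", "record_glue_temp", 177.0, "2024-01-15T08:05:00Z")
    append_entry(trail, key, "supervisor1", "sign_batch", 0.0, "2024-01-15T08:10:00Z")
    return trail
```

The chain alone does not reveal entries cut from the end of the trail, so the latest MAC or entry count needs to be kept somewhere the recording system cannot rewrite, and the key must be held outside the reach of ordinary users.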
To determine what features a particular computerised control system may need in order to allow an organisation to comply with 21 CFR 11, the following should be considered:
- Determine if the system is used to create or report any electronic data required by FDA Predicate Rules.
- Where electronic records are used they must be treated identically to paper records; they must be retained for up to seven years and an appropriate data back-up procedure must be in place.
- Confirm if “hard copies” of all FDA required records are kept by the organisation (if so then those paper documents can be considered the “authoritative document” for regulatory purposes and the computer system is not in scope for electronic records requirements).
- Verify if the computer system allows data-records to be modified by the user.
Take the example of a Tray Packer. If the user is recording data from a machine (such as reading glue setting temperatures etc.), the control system would be acting only as an instrument and, therefore, 21 CFR 11 would not apply (this does not affect the usual requirement for validation and calibration procedures). If, however, the controller was recording the temperature trend and storing the records for transmission to another system or for printing out at a later date, then that would be a different matter and the technical requirements of 21 CFR Part 11 may apply.
In this example, 21 CFR part 11 is only relevant if the packer has to calculate, record or transmit specific critical data that has to be retained as an electronic record. 21 CFR 11 mainly deals with areas such as:
- Controls for password/user ID,
- Storage/retrieval/transmission of the electronic records, to ensure that the record cannot be changed or interfered with,
- Time stamping and electronic confirmation signatures.
21 CFR 11 refers to both procedural and administrative controls that have to be put in place by the end-user in addition to the technical elements that a machine control system must have. Therefore, as the machine is only one part of the process, it cannot be claimed that any machine is compliant with the provisions of 21 CFR Part 11. You can, however, say that the machine can be configured to have the required technical features needed as part of a 21 CFR Part 11 compliant system.
Additional features that can be configured on all Tekpak automated packaging systems where 21 CFR Part 11 may apply are as follows:
- Access controls to prevent modification or resetting of date records or modification of critical parameters.
- 3 level password hierarchy with password management, cyclical password expiry and duplicated user names etc.
- Data logging with audit trails
- Electronic signature facility
- Electronic transmission or printed data reports
- Date/time synchronisation with host system
- Automatic backup, storage and retrieval
- Password authentication and management by connection to the client’s Active Directory
Tekpak can help
For more information, the full Title 11 can be read on the FDA site at the link below. If you have any questions on compliance in relation to this article, please contact us on email@example.com