This is the final post on the series dedicated to decoding the mystical “21 CFR Part 11” regulation that governs IT systems in the life sciences industry. How does it feel to have made it all the way through?
I hope that, by now, you’re feeling much more comfortable with the purpose, organization, and content of 21 CFR Part 11, and that you’ve been able to impress your friends and family time and time again with your newfound knowledge and insights.
As we wrap up our investigation of this topic, I wanted to take a couple of minutes to summarize the key points that we’ve learned about 21 CFR Part 11.
General
- “21 CFR Part 11” refers to a particular chunk of the Code of Federal Regulations issued by the United States to regulate drugs. Specifically, it means: Title 21 > Chapter 1 > Subchapter A > Part 11.
- 21 CFR Part 11 consists of three Subparts:
Subpart A – General Provisions
- Part 11 applies to all electronic records that fall under FDA regulations.
- If an organization can prove to an auditor that their electronic records/signatures are as trustworthy as paper records/ink signatures, the FDA will accept electronic instead of paper.
- The FDA will accept electronic submission instead of paper IF those submissions 1) adhere to Part 11 requirements and 2) are included among the types of documents that the FDA accepts electronically.
Subpart B – Electronic Provisions
- Organizations using electronic records must establish and document procedures and controls that ensure the following qualities in their electronic records:
- Authenticity
- Integrity
- Confidentiality (when appropriate)
- Irrefutability (i.e., no way to deny that a record is genuine)
- The following topics must be addressed in documented procedures and controls: computer systems validation (CSV), record rendering, document storage and record retention, system access, audit trails, workflows, authority checks, device checks, personnel qualifications, personnel accountability, and document control.
- Systems that fall into the category of “Open” (as defined in Subpart A) require additional procedures/controls.
- Electronic signatures must include the printed name of the signer, the date and time of the signature, and the meaning of the signature.
- Electronic signatures must be forever linked to their respective records.
Subpart C – Electronic Signatures
- Organizations who wish to use electronic signatures must inform the FDA in writing prior to making the switch.
- Each individual who will be using an electronic signature must 1) have their identity confirmed and 2) use a unique signature that has never been and will never be used by another individual.
- There are specific design requirements for electronic signatures that are biometric (e.g., fingerprint scan) and those that are not (e.g., user ID and password).
- For electronic signatures that make use of user IDs and passwords/passcodes, there are specific requirements for passwords and for passcode-generating devices.
And, that’s it, folks! We’ve finished decoding the entire Part 11 regulation and even survived a short review. Great work! Now, it’s time to tuck away your trusty decoder rings and return to your daily lives, knowing more about the complexity of IT projects in the life sciences industry and having a deeper understanding of what makes the use of technology in our industry so unique.
If you have any questions about how to apply 21 CFR Part 11 to your IT projects, contact us and we’ll help you through it.
