FDA 21 CFR Part 11 - Electronic Records; Electronic Signatures
Overview
21 CFR Part 11 establishes criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records trustworthy, reliable, and equivalent to paper records and handwritten signatures.
Effective Date: March 20, 1997
Current Through: December 24, 2024
Who Must Comply
Part 11 applies across ALL FDA-regulated industries when electronic records substitute for paper records required by predicate rules:
Applicable Industries
- Pharmaceutical Drug Manufacturing (human and animal drugs)
- Medical Devices (Class I, II, and III)
- Biologics and Biosimilars (vaccines, blood products, cellular/gene therapy)
- Clinical Research (sponsors, CROs, investigators, IRBs)
- Food Manufacturing (additives, infant formula, dietary supplements)
- Testing Laboratories (analytical, microbiological, stability)
Applies Regardless of Company Size
- No exemptions based on number of employees, revenue, or small business status
- All entities using electronic records to satisfy predicate rule requirements must comply
When Compliance Required
- Electronic records substitute for paper records required by predicate rules
- Electronic records submitted to FDA (regulatory submissions)
- Electronic signatures used in place of handwritten signatures
- Electronic records used to conduct regulated activities
FDA's Narrow Interpretation (2003 Guidance)
Part 11 does NOT apply when:
- Computers merely generate paper printouts that become the official record
- Electronic records maintained in addition to compliant paper records (unless electronic version relied upon)
- Systems predate August 20, 1997 (subject to enforcement discretion)
Key Requirements
Subpart B: Electronic Records
Closed System Controls (Sec.11.10)
Required controls include:
- System Validation (Sec.11.10(a))
  - Ensure accuracy, reliability, consistent intended performance
  - Ability to discern invalid or altered records
  - Risk-based approach acceptable per 2003 guidance
- Audit Trails (Sec.11.10(e))
  - Secure, computer-generated, time-stamped audit trails
  - Record date/time of operator entries and actions that create, modify, or delete records
  - Must capture: who, what, when, why, previous value
- Access Controls (Sec.11.10(d), (g))
  - Limit system access to authorized individuals
  - Authority checks to ensure only authorized users can modify records
  - Unique user IDs and strong passwords required
- Record Retention (Sec.11.10(b), (c))
  - Generate accurate and complete copies (human readable and electronic)
  - Protect records for accurate retrieval throughout retention period
- Operational System Checks (Sec.11.10(f))
  - Enforce permitted sequencing of steps and events
- Training (Sec.11.10(i), (j))
  - Personnel qualified by education, training, experience
  - Written policies holding individuals accountable
  - Documented training records
- Documentation Controls (Sec.11.10(k))
  - Control access to system documentation
  - Change control procedures with audit trail
Open System Controls (Sec.11.30)
For systems where access is not controlled by record owners:
- All closed system controls PLUS
- Document encryption
- Digital signature standards
Subpart C: Electronic Signatures
Signature Requirements (Sec.11.50, Sec.11.70, Sec.11.100)
- Signature Manifestation (Sec.11.50)
  - Must display: printed name of signer, date/time, meaning (review/approval)
  - Information subject to same controls as electronic records
- Signature Linking (Sec.11.70)
  - Signatures linked to records to prevent excision, copying, or transfer
- Unique and Non-Reusable (Sec.11.100)
  - Each signature unique to one individual
  - Cannot be reused or reassigned
  - Identity verification required before assignment
  - FDA certification required (Form FDA 3881 or equivalent)
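One way to make the Sec.11.10(e) audit trail tamper-evident and to bind a Sec.11.50 signature manifestation to its record as Sec.11.70 describes, shown as an added example that is not taken from the regulation or from any vendor system. Hash chaining and an HMAC under a system-held key are design assumptions, and all function names and sample values are hypothetical.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # prev_hash of the first audit entry

def canon(obj) -> bytes:
    # Canonical JSON so the same content always hashes the same way
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj) -> str:
    return hashlib.sha256(canon(obj)).hexdigest()

def append_entry(trail, who, when, action, record_id, field, previous, new, why):
    """Append a who/what/when/why/previous-value entry chained to the prior one."""
    body = {"who": who, "when": when, "action": action, "record_id": record_id,
            "field": field, "previous": previous, "new": new, "why": why,
            "prev_hash": trail[-1]["hash"] if trail else GENESIS}
    trail.append({**body, "hash": digest(body)})
    return trail[-1]

def first_invalid(trail):
    """Index of the first altered, reordered or mid-chain-deleted entry; None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def sign_record(key, record, printed_name, when, meaning):
    """Signature manifestation (name, date/time, meaning) bound to one record's digest."""
    manifest = {"printed_name": printed_name, "when": when, "meaning": meaning,
                "record_digest": digest(record)}
    tag = hmac.new(key, canon(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}

def verify_signature(key, record, sig):
    """False if the manifestation was edited or the signature moved to another record."""
    manifest = {k: v for k, v in sig.items() if k != "tag"}
    expected = hmac.new(key, canon(manifest), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, sig["tag"])
            and manifest["record_digest"] == digest(record))

# Constructed sample data (not real records or keys)
KEY = b"constructed-demo-key"
BATCH = {"record_id": "BR-0001", "assay_pct": 99.2}
```

The chain alone does not reveal truncation of the newest entries; storing the latest entry hash outside the system being audited covers that case.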
Electronic Signature Components (Sec.11.200, Sec.11.300)
Non-Biometric Signatures (Sec.11.200):
- At least TWO distinct identification components (e.g., user ID + password)
- Used only by genuine owners
- Designed to prevent unauthorized use
Password Controls (Sec.11.300):
- Unique combination of ID code and password for each user
- Periodic password changes (password aging)
- Lost password deauthorization procedures
- Transaction safeguards to prevent unauthorized use
- Immediate reporting of unauthorized use attempts
Biometric Signatures (Sec.11.200(b)):
- Must uniquely identify individual
- Cannot be used by anyone other than genuine owner
Data Integrity (ALCOA+ Principles)
Part 11 compliance requires data integrity throughout data lifecycle:
- Attributable: Traceable to individual who created it
- Legible: Readable and permanent
- Contemporaneous: Recorded when work performed
- Original: Original records or certified copies maintained
- Accurate: Error-free, reflects actual observations
- Complete: All data captured
- Consistent: Follows established procedures
- Enduring: Maintained throughout retention period
- Available: Readily retrievable for review
Enforcement and Penalties
Enforcement Authority
- Primary Agency: U.S. Food and Drug Administration (FDA)
- Enforcement Offices: Office of Inspections and Investigations, Center-specific offices (CDER, CBER, CDRH, CFSAN, CVM)
Enforcement Mechanisms
- Form FDA 483: Inspectional observations
- Warning Letters: Publicly posted, require corrective action
- Import Alerts: Detention without physical examination
- Consent Decrees: Court-monitored compliance
- Injunctions: Court orders to stop violations
- Product Seizures: Physical removal from commerce
- Criminal Prosecution: Referred to Department of Justice
Penalties (Federal Food, Drug, and Cosmetic Act)
Criminal Penalties (First Offense):
- Misdemeanor: Up to 1 year imprisonment + fines
Criminal Penalties (Subsequent/Intent to Defraud):
- Felony: Up to 3 years imprisonment + significant fines
Civil Monetary Penalties:
- Section 303(f): Up to $10,000 per violation
Massachusetts Considerations
FDA Field Operations
- Regional Coverage: Massachusetts under Office of Human Foods Inspectorate - East Division I
- OCI Boston Office: 401 Edgewater Place, Suite 530, Wakefield, MA 01880
High Inspection Frequency
- Boston/Cambridge biotech corridor is FDA priority area
- Frequent inspections due to concentration of pharmaceutical, device, and biotech companies
- Academic medical centers conducting clinical trials require Part 11 compliance
State Collaboration
- Massachusetts DPH collaborates with FDA on pharmacy inspections
- State and federal oversight overlap for compounding pharmacies
Implementation Steps
Phase 1: Assessment
- Identify all electronic systems creating/modifying/maintaining records required by predicate rules
- Conduct Part 11 applicability assessment for each system
- Perform gap analysis against Part 11 requirements
- Develop risk-based remediation roadmap
Phase 2: Policies and Procedures
- Establish electronic records and electronic signature policies
- Create SOPs for validation, access control, audit trail review, change control
- Develop training program
Phase 3: Technical Implementation
- Implement system controls (authentication, access controls, audit trails)
- Configure electronic signature functionality (two-factor minimum)
- Enable data encryption for open systems
- Validate systems using risk-based approach (GAMP 5 recommended)
Phase 4: Training
- Train all users on Part 11 requirements and data integrity
- Document training and maintain records
- Establish competency requirements
Phase 5: Ongoing Compliance
- Conduct periodic audit trail reviews
- Review user access rights regularly
- Perform revalidation after system changes
- Maintain continuous improvement program
Related Frameworks
Part 11 intersects with multiple FDA regulations:
- 21 CFR 210/211: Drug cGMP
- 21 CFR 820: Medical Device QSR
- 21 CFR 58: Good Laboratory Practice (GLP)
- 21 CFR 312, 812: Clinical Trial Regulations
- 21 CFR Part 4: Electronic Submissions
International Standards:
- EU GMP Annex 11: European equivalent
- ICH E6(R2): Good Clinical Practice
- GAMP 5: Industry best practice for validation
Official Resources