Beginner’s Guide to 21 CFR Part 11 Compliance

As electronic documentation usage increases in clinical trials, organizations must make sure they’re still protecting participants’ health and safety without sacrificing quality or efficacy. One way to do so is to ensure the software platforms you are using to conduct research are in line with federal regulations. Computer systems used for clinical trials fall under Food and Drug Administration (FDA) 21 CFR Part 11. While Part 11 is widely known, this blog explains how it fits in with your research software.

What is 21 CFR Part 11?

In 1997, FDA released regulations providing guidance on the use of electronic systems. These regulations provide criteria in which electronic signatures, records, and handwritten signatures captured for an electronic record are considered “equivalent to paper records and handwritten signatures executed on paper.” This casts the widest net possible for electronic technology usage while still fulfilling FDA’s responsibility to protect public health. This applies to electronic data and signatures submitted under records requirements under other regulations such as:

• Federal Food, Drug, and Cosmetic Act
• Public Health Service Act
• Un-specified identified Agency regulations

Essentially, Part 11 applies to electronic records and electronic signatures. Electronic records aren’t just limited to documents – they can be records in a database such as electronic case report forms (eCRFs). Since these signatures are used electronically on an electronic record, they must meet specific, regulation-outlined criteria if they are going to fulfill Part 11 requirements.

What does Part 11 Affect?

There are many factors in how Part 11 regulations affect software. Consider the following:

• Data integrity: Ensuring processes and procedures are implemented to ensure authenticity, integrity, and confidentiality
• Data retrieval: Having tools in place to easily access documentation
• Validation: Documenting how a system is expected to work and completing tests to make sure the system functions as expected
• Audit trails: Traceability to understand what changed, when it changed, and who made the change
• Operational controls: Create automated workflows to ensure processes are followed in a logical sequence
• Security controls: Ensuring activities are restricted to the appropriate users for each activity within your platform.

Part 11 also affects electronic signatures. Replacing a wet ink signature, eSignatures include the printed name, a time stamp, and the meaning of the signature. Through an eSignature process, you’ll need to ensure proper identification to avoid falsification. This requires highly regulated workflows and documentation control.

Do all Technology Platforms Need Validation?

The short answer: No. In order to understand if your platform needs validation, it’s important to define how you will qualify the various technology platforms in use at your company. Many companies use good automated manufacturing practice (GAMP), while others choose to focus on the Part 11 requirements and write validation procedures for their company to follow. The key to determine if any platform in use at your company requires validation is to ask important questions directly from the Part 11 regulations:

• What activities will this platform cover?
• Will this platform create, modify, maintain, archive, retrieve, or transmit records under any requirement set forth in agency regulations?
• Will this platform use electronic signatures?

After platform review, if a decision is made to validate, staff should generate documentation to ensure Part 11 compliance. This documentation should also define the requirements for the platform’s intended use.

As the first requirement in Part 11 compliance, validation is systematic documentation for a system’s requirements. Additionally, validation includes documented testing – proving the computer meets the requirements it says it does.

Knowing this, if you submit data to the FDA from your computer system to fulfill a reporting requirement under any other FDA regulation, the platform needs to be Part 11-compliant.

Do Systems Come Pre-validated?

Validation is just as much about the site’s process as the technology itself, and so, systems do not come pre-validated. Rather, staff can leverage testing and documentation to meet the needs of system validation.

Many software vendors provide documentation and proof of testing to demonstrate their platform’s function as designed and meet the 21 CFR Part 11 technical requirements around user account controls, audit trails, and electronic signatures. Working with a software vendor that understands the ins and outs of the regulations can greatly reduce your testing burden, allowing you to adopt a risk-based approach and incorporate the vendor’s test documentation into your computer system validation. A documented review of the vendor’s validation package will allow your company to decrease its burden of validation. This review can be documented in a vendor’s audit or within your own validation package. The approach you take can be developed as part of your company’s 21 CFR Part 11 compliant validation procedure.

Back to Resources