What is 21 CFR Part 11?

21 CFR Part 11 establishes US FDA regulations on Electronic Records & Electronic Signature (ERES) which includes electronic submissions to the FDA. 21 CFR Part 11 defines the criteria under which ERES is considered Trustworthy, Reliable and Equivalent to paper records. Title 21 is the portion of Code of Federal Regulations (CFR) which governs Food and Drugs within the United States.

Decoding 21 CFR Part 11 – 10 steps to achieving compliance

21 CFR Part 11 is divided into 3 Sub parts – A, B and C

Subpart A – General Provisions

  1. Subpart A discusses the scope of regulations, when and how it should be implemented.
  2. It also defines some key terms used in regulations.
  3. Part 11 applies to all electronic records that fall under FDA Regulations. FDA will accept Electronic submissions instead of Paper submissions, if those submissions adhere to Part 11 requirements and are included among the types of documents that FDA accepts electronically.

Subpart B – Electronic Records

  1. Subpart B discusses the requirements for administration of closed and open systems.
    1. Closed system
      • System that can be built and tested i.e. a system on intranet that only testers and developers responsible can access.
      • It would be a build and test system on the intranet.
      • According to 21 CFR Part 11, a closed system must have a collection of procedural and technological controls to protect data within system
    2. Open System
      • System that transmits data via the Internet.
      • Open computer system must have controls to ensure that all records are authentic, incorruptible and confidential where applicable.
    3. Subpart B discusses Signature manifestations and requirements for establishing a link between signature and records.
    4. It also explains that the organizations using electronic records must establish and document procedures and controls – that includes “CSV, Record Rendering, Document storage and record retention, System access, Audit Trails, Workflows, Authority checks, Device checks, personnel qualifications and personal accountability and document control” that ensure Authenticity, Integrity and Confidentiality.

Subpart C – Electronic Signatures

  1. This section includes general requirements for:
    • Electronic Signature component and controls
    • Controls for identification codes and passwords
  2. A person using an electronic signature must have their identity confirmed and should use a unique signature.
  3. Subpart C also includes special design requirements for digital signatures that are biometric and non-biometric.


When does CFR Part 11 apply?

  • 21 CFR Part 11 is applicable, when an organization,
    • Maintains electronic records instead of paper records or if the record is maintained in an electronic format in addition to paper records.
    • Relies on electronic records on a computerized system to perform any regulated activities required by FDA, though they still make printouts.
    • Submits records to the FDA in electronic format (even though the records are not specifically identified in FDA regulations).
    • Requires Electronic Signatures to be the equivalent of handwritten signatures, initial and other general signings required by rules.
  • 21 CFR Part 11 applies to all the steps from data acquisition to evaluation. Primarily you have to perform a risk assessment for all processes or activities required. In order to manage risks, you will we need to understand your business and the goals of your business so that you will be able to identify how to reduce / mitigate those risks using Part 11 controls. This can be achieved by the Part 11 – Gap Analysis – “to document the system’s compliance status in relation to all the requirements of Part 11”. The gap analysis checklist included consideration for:
    • Part 11 applicability
    • Process and procedures related to use of electronic records and electronic signatures
    • Electronic Audit Trails
    • Logical security, user permissions and work flow enforcement
    • Documentation procedures and training management
    • Implementation of electronic / digital signatures.

The Gap Analysis provides the company with insight to identify the gaps that might exists and remediate those gaps in the system. The Part 11 Gap Analysis also helps to create new requirements to comply with Part 11 regulations and it can also help improve to access the existing system.

Why is Part 11 required?

The core intention of Part 11 is to help any organization that is planning to use electronic records to replace paper records. In other words, this is an excellent tool and method to ensure that electronic records and signatures used in your work and organization are as authentic as the physical records and signatures.

Thus 21 CFR Part 11 ensures,

  • Reliability of electronic records and signatures
  • Accuracy
  • Authenticity
  • Integrity
  • Confidentiality

10 Steps to achieve compliance:

1.    Validated Systems with complete documentation including change control

Computer System Validation (CSV) is a formal process of testing or qualifying to ensure that systems operates consistently as intended.

What is expected by FDA?

  1. Procedures/SOPs should be put in place to ensure that the systems used in regulated activities are validated and maintained in a validated state through effective change control. Also, the person(s) validating must have adequate training and experience.
  2. A risk based approach should be taken to validate. The actions should be determined by the risk a specific system or system functionality can have on data integrity, product quality and patient safety. The risk assessment should ensure that the system functionalities with the highest risk receives the highest extent of validation.
  3. Data Integrity principles ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) should be in place.
  4. Version control and change control procedures should be in place for system documentation.
  5. An extensive Validation Plan which states the scope of the validation, approach, strategy, schedule, tasks to be performed, etc should be created along with Validation Summary Report which provides an overview and results for the activities mentioned in Validation Plan. Both documents should be reviewed and approved.
  6. Traceability Matrix should be created and should be maintained as part of change control (it is a living document).
    • It should clearly indicate which requirements were tested with which scripts – IQ, OQ, and PQ.
    • Requirements can also be traced to SOPs, i.e., few requirements can even be achieved through implementing procedures or having SOP in place to train the employees.
    • It should also reference Functional Specification and Design Specification for custom built systems.
    • It should be structured to enable the performance of an Impact assessment.
    • The Traceability Document is very useful and significantly facilitates system management and inspection of system documentation

2.    System should generate accurate and complete copies of electronic records for review / inspection

  • The system should be enabled to easily search records (through Indexing) and print the records in portable format (pdf, xml) in case of inspection along with the associated Audit Trail or E-signature information
  • Document Version has to clear and well maintained.


3.    Record protection and easy retrieval throughout their retention

  • A Retention policy or SOP should be in place.
  • The system should be fully backed up regularly as per the SOP or policy.
  • Regular backup Restoration Tests have to also be performed. The records should be in portable format (pdf, xml).
  • Disaster Recovery Plan should be available for all the systems.


4.    Appropriate Access Management – Security controls

  • The system should have a security procedure based on user security profiles which can be applied up to document access level.
  • The system should enforce sequencing of events based on document status.
  • Each User must have a unique username and password to access the system. And, the password should be changed periodically.
  • The system should ensure all the approved or final records should be Read-only.
  • Controls should be in place to detect security breaches.

5.    Audit Trail – to discern changes to records throughout

  • Audit Trails are very important and should be applied to all records in the system – documents, metadata and signatures. Ensure when working with a 3rd party, all electronic record should be shared along with Audit Trail.
  • The Audit Trail should be computer generated and non-modifiable and should include details of “who,” “what,” “when,” “where,” and “why” of activity on an electronic record. Audit Trail should have both old and new values.

6.    Encryption for Open Systems

  • According to CFR, “An Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system”.
  • In other words, if the system is hosted or being used by an individual outside of the organization thus transmitting information over the internet, then it may be considered as open system.
  • Records from Open systems should ensure Authenticity, Integrity and Confidentiality.
  • Encryption such as VPN can also be used to ensure Confidentiality and Digital Signatures can be help to show integrity and authenticity.


7.    Linking Electronic Signature to Records

  • As per CFR, “Electronic signatures and handwritten signatures executed to electronic records should be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means”.
  • A proper Version control procedures should be in place to maintain system documentation and record.

8.    Electronic Signature – controls and components

Electronic Signature should have the following controls or components:

  1. E-signature should have at-least two identification elements to sign and should be unique to an individual.
  2. The person who performs E-signature has to be trained to E-Sign and should sign a non-repudiation form which clearly identifies them.
  3. The E-signature should become invalid if a record updates after being signed.
  4. The E-signature should have the following components:
    • Full Name of the Signer
    • Reason for signature (Author, review, approve)
    • Date and Time of signature (Unambiguous Timestamp)

9.    Trained and qualified people

  • There should be a clear job description and training matrix in place to indicate qualifications and required trainings for each role – to develop, install, validate, maintain and use of the system.
  • There should be a formal training to use the system along with SOP trainings.

10.    SOPs in place

There should formal and regularly updated SOPs in place for the following:

  1. Software Development
  2. Computer System Validation (CSV)
  3. Physical and Logical security and data protection
  4. System Maintenance and administration
  5. Disaster Recovery and Business Continuity
  6. System change control
  7. Record Management (Backup, Recovery, Record Retention, Archival)
  8. Electronic and Digital Signatures
  9. System Management
  10. Any other regulated process.

How does eLeaP help you with 21 CFR Part 11:

eLeaP is a web-based e-learning solution with a simple but sophisticated user interface, allowing both technical and non-technical training managers to create, manage and track interactive training courses and learning programs for all levels of users. eLeaP’s training tracking software can also be used to register and track classroom training or instructor-led training as well as deliver continuing education credits.

Let’s say you are using a general-purpose e-learning (LMS) system to manage your trainings. Given the fact it’s a general purpose means you have to spend a considerably high amount of time and effort to engineer the system you want. Also, it includes lots of risks because regulatory LMS best practice won’t be built in. Our learning management software system is flexible, validated, adaptable and customizable – and so easy to use it can be up and running in a matter of minutes with no special training