Code of federal regulations : 21 CFR Part 11

21 CFR Part 11 : When ?

21CFRpart11 is a regulation issued in 1997 by US FDA which identifies a number of requirements related to computer systems, electronic data, electronic signatures and their supporting documentation.

21 CFR Part 11 : Why ?

21 CFR part 11 was rolled out aiming at making paper records and handwritten signatures equivalent to electronic records and electronic signatures.

21 CFR Part 11 : Objectives ?

The key objectives of 21 CFR part 11 regulations:

Retention/documentation of records
Integrity/security of Records
FDA Access to Records
Authentication of Electronic Signatures
Accountability for Maintaining Records System
Validation of the electronic system

The tree :

CFR > 21 Food and Drugs > CHAPTER I > 11 Electronic records; electronic signatures (among some 1316 parts)

What is CFR : CFR is Code of federal regulations (United states of America). It is divided into 50 titles.

CFR Titles :
Title 1 General Provisions
Title 2 [Reserved]
Title 3 The President
Title 4 Accounts
Title 5 Administrative Personnel
Title 6 Homeland Security
Title 7 Agriculture
Title 8 Aliens and Nationality
Title 9 Animals and Animal Products
Title 10 Energy
Title 11 Federal Elections
Title 12 Banks and Banking
Title 13 Business Credit and Assistance
Title 14 Aeronautics and Space
Title 15 Commerce and Foreign Trade
Title 16 Commercial Practices
Title 17 Commodity and Securities Exchanges
Title 18 Conservation of Power and Water Resources
Title 19 Customs Duties
Title 20 Employees' Benefits
Title 21 Food and Drugs
Title 22 Foreign Relations
Title 23 Highways
Title 24 Housing and Urban Development
Title 25 Indians
Title 26 Internal Revenue
Title 27 Alcohol, Tobacco Products and Firearms
Title 28 Judicial Administration
Title 29 Labor
Title 30 Mineral Resources
Title 31 Money and Finance: Treasury
Title 32 National Defense
Title 33 Navigation and Navigable Waters
Title 34 Education
Title 35 Panama Canal
Title 36 Parks, Forests, and Public Property
Title 37 Patents, Trademarks, and Copyrights
Title 38 Pensions, Bonuses, and Veterans' Relief
Title 39 Postal Service
Title 40 Protection of Environment
Title 41 Public Contracts and Property Management
Title 42 Public Health
Title 43 Public Lands: Interior
Title 44 Emergency Management and Assistance
Title 45 Public Welfare
Title 46 Shipping
Title 47 Telecommunication
Title 48 Federal Acquisition Regulations System
Title 49 Transportation
Title 50 Wildlife and Fisheries

Why to comply with 21 CFR part 11 at different parts of the world other then United States of America >>> Most countries have issues with electronic submissions and hence may follow the FDA 21 CFR part 11 as their guidelines. Moreover in interest of business continuity it is mandatory to have 21 CFR part 11 compliance to do business with US.

Benefits of this regulation :
1. The approval process may be shorter than before in long run

2. Access to documentation will be faster and more productive.

3. Archival space is reduced

4. The source documents may be recreated in an event of Disaster

5. Modern day laboratory equipments/analyzers generate electronic data in thus makes it anyway mandatory to follow the regulation

How to comply ?

21 CRF Part 11 Compliance checklist
Based on "Computerized Systems Used in Clinical Investigations", by the Food and Drug Administration, May 2007.

1. Identify each step at which computer system will be used in written study protocol.

Standard Operating Procedures

1. Have specific written operating procedures in place.
2. Make document available to personnel on site either in hardcopy or electronically.
3. Make document available for inspection by FDA.

Source document retention (for data entered directly into computer system)

1. Treat electronic record as source document and retain as required under part 312, § 511.1(b).
2. When data is transmitted from one system to another or entered directly into a remote central computer system, maintain copy in another location as defined below (check one).
   At clinical site.
   Another location (e.g. a data storage facility).
3. Produce copies contemporaneously with data entry.
4. Preserve copies in appropriate format such as XML, PDF or hardcopy.

Internal Security - Access Limitations

   Password-protect individual accounts.
   Configure computer system to require manual login and logout.
   Automatically limit number of failed login attempts.
   Automatically record unauthorized login attempts.
   Do not share individual account access with other users.
   Do not log on to system to provide access to another user.
   Electronically require users to change their passwords at regular intervals.
   Automatically password protect computer systems when idle for short periods.
   Automatically log users off computer systems when idle for long periods.

Internal Security - Audit Trail

   Keep track of all creations, modifications, and deletions electronically.
   Maintain all entered data: Don't obscure original data when changes are made.
   Time stamp change automatically.
   Configure computer system to require user to record reason for change.
   Automatically record identity of individual who made change.
   Prevent users from being able to modify or delete audit trail.

Internal Security - Date and Time Controls

   Synchronize computer system to date and time provided by an international standards setting source like NIST. | List of  NIST Servers |
   Limit user's ability to change time.
   Document all date and time changes (except daylight savings time).
   Include year, month, day, hour, and minute in time stamp
   Include time zone in date and time stamp.
   Explain any time zone references and naming conventions in study documentation.

External Security

1. Restrict access to computer system and data via external software applications by encrypting data as it is transferred and/or using a firewall.
2. Maintain cumulative record that indicates names of authorized personnel, their titles, and a description of their access privileges.
3. Prevent, detect and mitigate effects

Others measures

1. Direct Entry of Data
   Use prompts, flags, and other help features to encourage consistent use of terminology.
   Use prompts for data out of the specified range. Specify valid vs. invalid ranges and alert user.
   Do not set up system to enter default data if field is bypassed.
   You may allow system to populate field with data duplicated from another field. However, analyze potential consequences very carefully before doing so.
2. Retrieving Data
   Design computer system to attribute data record to each individual subject.
   Be able to reconstruct source documentation for FDA review.
   Be prepared to fully describe to FDA how data were obtained and managed.
3. Document what software and hardware is used.
4. System Controls
   Set up a full backup and recovery system to protect against data loss if records are maintained only in electronic form.
   Ensure that backup system maintains data integrity.
   Store backup records at a secure offsite facility.
   Maintain backup and recovery logs.
5. Change controls
   Maintain data integrity when making changes to the computer system, such as software upgrades, security and performance patches, equipment repairs, etc.
   Carefully evaluate effects of any changes before and after making them.
   Validate changes that exceed previous operational limits.
   Document all computer system changes.
6. Training
   Ensure that individuals who develop, maintain and use computer system have sufficient education, training, and experience to perform tasks
   Document computer education, training, and experience of personnel.
   Provide training in the operation of the computer system led by qualified individuals as needed.
   Conduct training sessions as needed on a continuing basis in case of changes in personnel and the computer system.