The United States Code of Federal Regulations (CFR) includes regulations for electronic records and electronic signatures (21 CFR Part 11). This regulation ensures that electronic records and signatures are equivalent to and as trustworthy and reliable as paper records and handwritten signatures. The main aspects of this regulation are access controls, audit trails, and system validation.
To help interpret these regulations, the FDA released a guidance that contains nonbinding recommendations on how to comply with 21 CFR Part 11. The FDA also has a draft guidance that clarifies the implementation of 21 CFR Part 11 in medical product clinical investigations (IND/IDE). Although this second guidance is still under review and not yet implemented, it provides FDA’s current thinking on the application of this regulation in clinical investigations.
This regulation applies to any electronic record or signature submitted to the FDA. The FDA defines electronic record as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system” (21 CFR 11.3(b)(6)).
Here are some examples of electronic records under 21 CFR Part 11:
Electronic record process
- Electronic case report forms (eCRFs)
- Removing protected health information (PHI) from an image
- Data from paper CRFs or other source documents that have been entered (manually or automatically) into a computer system
- Scanned paper CRFs stored on a hard drive
- Lab equipment transmitting data directly to a computer or the Cloud
- Sending source documents for adverse event
This regulation does not apply to paper records and handwritten signatures transmitted electronically. For example, if you are scanning or faxing documents and storing hardcopies with no other digital modification, then 21 CFR Part 11 does not apply.
The requirements of 21 CFR Part 11 focus on access controls, audit trails, and system validation. The following are the requirements for electronic records in closed systems (“an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system”). If your company uses an open system (“an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system”), then additional documentation is necessary.
Examples of compliance
11.10a) “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
- Documentation of the validation process, including plan, test results, and final report
11.10b) “The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.”
- Use established, automated conversion or export methods
- Save files in a common format (PDF, XML, or
- Original records and source documents limited to read-only
11.10c) “Protection of records to enable their accurate and ready retrieval throughout the records retention period.”
11.10d) “Limiting system access to authorized individuals.”
- Grant access only after documented training
- Maintain a list of users with access (and previous access) and their role
11.10e) “Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.”
- Check system documentation to see what audit information is captured
- Store audit information along with the
11.10f) “Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.”
- Require password before viewing or editing
11.10g) “Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”
11.10h) “Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.”
- Conduct validation testing when creating and finalizing records
- Update software/hardware as needed
11.10i) “Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.”
- Limit access granting to project leadership or IT
- Grant access only after documented training and qualifications (CV, certifications)
11.10j) “The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.”
- Document electronic signature policies
- Grant access only after signed agreement to electronic signature policies
- Complete signature manifest
Many vendors who provide services that involve electronic records and signatures, such as electronic data capture systems, may have records documenting that their system meets the technical requirements of 21 CFR Part 11. However, validation must be completed in the context of user-specific processes. For example, popular electronic signature programs such as DocuSign and Adobe Acrobat provide “validation packages” of template documents that users can modify according to their internal procedures.
If you are already familiar with a certain system, you can perform a gap analysis and create your own validation documents.
Closed system – an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system (21 CFR 11.3(b)(4))
Electronic record – any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system (21 CFR 11.3(b)(6))
Electronic signature – a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature (21 CFR 11.3(b)(7))
Open system – an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system (21 CFR 11.3(b)(9))
Process validation – establishing by objective evidence that a process consistently produces a result or product meeting its predetermined specifications (21 CFR 820.3(z)(i))
Systems documentation – Such documentation should provide an overall description of computerized systems and the relationship of hardware, software, and physical environment… Measures should be in place to ensure that versions of software used to generate, collect, maintain, and transmit data are the versions that are stated in the systems documentation… readily available at the site where clinical trials are conducted. (FDA Guidance for Industry – Computerized Systems Used in Clinical Trials)
Validation – confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use can be consistently fulfilled (21 CFR 820.3(z))
Verification – confirmation by examination and provision of objective evidence that specified requirements have been fulfilled (21 CFR 820.3(aa))