FDA 21 CFR Part 11 Compliance...

Medical Devices, Pharmaceuticals and API. FDA 21 CFR Part 11

Information | Understanding | Best Practice.

There are a range of benefits to be gained by adhering to the FDA 21 CFR Part 11 compliance requirements. In addition to meeting essential regulatory requirements, it allows an organization to take advantage of the latest technology, facilitates the elimination of paper, permits changes to be effected to processes more easily & efficiently. We can automate some of the most mundane & repetitive tasks in our day to day jobs. Compliance permits faster access to the “intellectual capital” of a business.

When considering electronic signatures, we normally consider two types, namely
– Electronic
– Biometric


What is an electronic / biometric signature?

• It is a compilation of symbols adopted by an individual to be the legally binding equivalent of the individual’s handwritten signature. Affixing an electronic signature to electronic data is equivalent to an individual’s traditional handwritten signature or initials. Example of a non-biometric electronic signature, is a user identification code and password.

When considering a biometric signature we are considering a proof of identity which is unique to the individual and is measurable. Examples of biometric signatures are finger prints, retina scans and voice prints.


Questions and Answers related to the FDA’s 21 CFR Part 11 compliance:
Electronic Signature
Q: Many companies today have the user ID entered as the person’s full name. Is this an appropriate ID, since it could be guessed relatively easily?
Q: Will users need to have a user ID that is not easily guessed?

A: You are confusing an ID with a password. The ID doesn’t have to be confidential. You may need it for a mail system. What has to be unique is the combination of ID code and password. No two people should have the same combination. The ID portion doesn’t have to be confidential. [Motise/Chapman Q&A]

Q: Is a non-biometric E-signature security process acceptable if the user name is automatically displayed, prompting the need for a unique password to complete the security check?
A: Yes. What gets entered is both the ID and password. It is by default. If you have your system power up in the morning, and the name comes up by default, that is fine. [Motise/Chapman Q&A]

FDA 21 CFR Part 11

Medical Device – Validation. Classification. Regulation. Requirements. …
Information | Understanding | Best Practice   >>>

Q: What about having individual certification for different divisions within an organization? Should firms delay sending the certifications until all of their personnel have been trained in Part 11?
A: That is not necessary. I would encourage you to keep the certification at a global level. If you do that (individual certifications), you are setting a precedent for yourself. Have the actual certification statement signed by as high a person in the organization as possible. That signature says that an organization considers an electronic signature the same as a hand-written one. Training can be provided after the certification has been issued. [Motise/Chapman Q&A]

Electronic Signature Requirements
In summary to ensure compliance, the signature must be:
– Unique to an individual.
– Date/Time stamped.
– Associated to their meaning (e.g. review, approval, authorship).
– Bounded to the master document with protection against unauthorized copying or alteration. (unequivocally “linked” to the records being signed)
– Appearing in full on printed copies of electronic records.

Electronic Records. What is an Electronic Record:
Any information (text, graphics, data, audio, pictorial) created, modified, maintained, archived, retrieved, distributed, or reported in electronic form within a computer system.

What is a Closed System?
• Closed System means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.


There is a requirement for compliant audit trails. What is necessary for trail compliance?
The computer system must be able to demonstrate:

• Who did what, wrote what, and when (date/time).
• Can not be paper-based.
• Can be part of the e-record or a record by itself.
• Use of time-stamped audit trails, 21 CFR 11.10(e), must be computer-generated and saved in chronological order.
• Created when the operator creates, modifies, or deletes electronic records
• An audit trail shall not be modified by the person whose action creates it.

Q: Can an audit trail be paper?
A: No, it must be a computer generated e-record. [Motise/Chapman Q&A]

Q: Can a firm that creates batch production records in electronic form archive them as paper only?
A: No. Part 11 requires that electronic records be archived in electronic form. The electronic records must be protected to enable their accurate and ready retrieval throughout the relevant retention period set by the rule that applies to those records. In this case, 21 CFR 211.180 requires batch records to be kept for at least one year past the batch expiration date, or, for certain OTC products, three years after batch distribution. Part 11 also requires that firms be able to generate accurate and complete copies of electronic records in electronic as well as human readable form suitable for agency review, inspection, and copying. [Motise/Chapman Q&A]

Q: Does Title 21 Part 11 apply to the following situation: In our HPLC usage we use computer software to analyze data. We take the printout as a permanent record. We do not save the file, but all the data including peaks and calculations are available in the form of a printout for the investigator to see. Is this acceptable? (We consider the computer as transient storage).

A: Part 11 applies to the electronic file used to generate the printout. It would not be acceptable to discard the electronic file and retain only the printout because the printout is not an accurate and complete copy of the electronic record. The reliability and trustworthiness of the paper derives from controls applied to the electronic record; information such as comments, audit trails and time stamps would not necessarily convey in the paper. See comment para 22 to the Part 11 final rule preamble, as well as the rule itself at section 11.10(b) and (c). [Motise/Chapman Q&A]

Q: If analytical instruments are computerized, such as the Hitachi Chemistry Autoanalyzer, will the E-signature rule apply when GLP data are created and maintained electronically?
A: Yes, it does if a particular instrument is generating data. One approach is to attach the instrument to the broad lab instrument system. This would be easier to comply to Part 11. The idea is to have the record that is created on a system under your control. An LIMS system doesn’t necessarily have to be really elaborate. [Motise/Chapman Q&A]

Q: Explain further “the retention of computer systems for reading electronic records”?
(Many companies may think that the only reason they would be retaining an older computer system to read electronic records would be to satisfy the FDA.)
A: In the proposed rule, people read into “true copy” the concept of file format. In the final rule, we changed “true copy” to “accurate and complete”. No, you do not necessarily have to keep the old hardware and software to make an electronic copy that we could walk away with. For archiving purposes, it is a different issue. The answer for the short-term speaks to transcription. Whenever you have a change to a new technology, make sure you can make a complete transcription. [Motise/Chapman Q&A]

Hybrid Systems
• Hybrid Systems are semi-automated systems that contain both electronic and paper-based records.
• At present many batch records and laboratory chromatography systems are hybrids.

Compliance Policy Guide• Represent the agency’s current thinking on how to comply with the regulations for electronic records and electronic signatures.
• Regulatory actions will be based on a case-by-case evaluation.

“Legacy Systems”
As explained in the preamble to the final rule, Part 11 does not grandfather legacy systems and FDA expects that firms using legacy systems will have taken steps to achieve full compliance.

Medical Device:

Product and Process Validation Full Details

Product and Process Validation.

  • The Validation Master Plan. Performing a Gap Analysis. Validation in the Design Process. Etc..
  • How to ensure Validation efforts are aligned with potential Risks.
  • How to ensure that Validation activity is appropriately documented, reviewed and aligned with requirements.
  • Information | Understanding | Best Practice   >>>