• 21 CFR Part 11
  • What are the requirements of 21 CFR Part 11?

    21 CFR Part 11 requires that closed computer systems have a collection of technological and procedural controls to protect data within the system. Open computer systems must also include controls to ensure that all records are authentic, incorruptible, and confidential (where applicable).

  • What computer systems must be compliant with 21 CFR 11?

    All computer systems that store data used to make Quality decisions, or data that will be reported to the FDA, must be compliant with 21 CFR 11. In laboratory situations, this includes any laboratory results used to determine quality, safety, strength, efficacy, or purity. In clinical environments, this includes all data to be reported as part of the clinical trial used to determine quality, safety or efficacy. In manufacturing environments, this includes all decisions related to product release and product quality.

  • What is computer system validation?

    Validation is a systematic documentation of system requirements, combined with documented testing, demonstrating that the computer system meets the documented requirements. It is the first requirement identified in 21 CFR Part 11 for compliance. Validation requires that the System Owner maintain the collection of validation documents, including requirement specifications and testing protocols.

  • What is accurate record generation?

    Accurate record generation means that records entered into the system must be completely retrievable without unexpected alteration or unrecorded changes. This is generally tested by verifying that records entered into the system are accurately displayed and accurately exported from the system.

  • How must records be protected?

    Electronic records must not be corrupted and must be readily accessible throughout the record retention period. This is usually performed through a combination of technological and procedural controls.

  • What is limited system access?

    System owners must demonstrate that they know who is accessing and updating their system data. When controlled technologically, this is commonly demonstrated by requiring that all users have unique user IDs along with passwords to access the system.

  • What is an audit trail?

    An audit trail is an internal log in a program that records all changes to system data. This is tested by demonstrating that all changes made to data are recorded to the audit trail.

  • What are operational system checks?

    Operational system checks enforce sequencing of critical system functionalities. This is demonstrated by showing that business-defined workflows must be followed. For example, data must be entered before it can be reviewed.

  • What are device checks?

    Device checks are tests to ensure the validity of data inputs and operational instructions. If particular input devices are attached (optical scanners, laboratory equipment, etc.), these devices should be tested to ensure the accuracy of system inputs.

  • What are the training requirements for 21 CFR Part 11 compliant programs?

    Users must be documented as having the education, training and experience to use the computer system; this can be documented in a training program.

  • What are the requirements for electronic signatures?

    All electronic signatures must:

    • Include the printed name of the signer, the date/time the signature was applied, and the meaning of the electronic signature.
    • Be included in the readable form of the record. Electronic signatures must not be separable from their record.
    • Be unique for users and not used by anyone else.
    • Uniquely identify the user, either through biometrics or, if biometrics are not used, through at least two distinct identifiers (for example, the user ID and password).
  • Does 21 CFR Part 11 have any requirements for passwords or identification codes?

    Yes. Procedural controls should exist to ensure that:

    • No two individuals have the same user ID.
    • Passwords expire after a certain time frame and users must set new passwords.
    • Loss management procedures exist to de-authorize credentials which are no longer active.