Title 21 CFR Part 11

From Wikipedia, the free encyclopedia
  (Redirected from 21 CFR 11)
Jump to navigation Jump to search

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records (Title 21 CFR Part 11 Section 11.1 (a)).[1]


Practically speaking, Part 11 applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries, with some specific exceptions.[2] It requires that they implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain. A predicate rule is any requirement set forth in the Federal Food, Drug and Cosmetic Act, the Public Health Service Act, or any FDA regulation other than Part 11. [3]

The rule also applies to submissions made to the FDA in electronic format (e.g., a New Drug Application) but not to paper submissions by electronic methods (i.e., faxes). It specifically does not require the 21 CFR Part 11 requirement for record retention for trackbacks by food manufacturers. Most food manufacturers are not otherwise explicitly required to keep detailed records, but electronic documentation kept for HACCP and similar requirements must meet these requirements.

Broad sections of the regulation have been challenged as "very expensive and for some applications almost impractical",[4] and the FDA has stated in guidance that it will exercise enforcement discretion on many parts of the rule. This has led to confusion on exactly what is required, and the rule is being revised. In practice, the requirements on access controls are the only part routinely enforced.[5] The "predicate rules", which required organizations to keep records in the first place, are still in effect. If electronic records are illegible, inaccessible, or corrupted, manufacturers are still subject to those requirements.

If a regulated firm keeps "hard copies" of all required records, those paper documents can be considered the authoritative document for regulatory purposes, and the computer system is not in scope for electronic records requirements—though systems that control processes subject to predicate rules still require validation.[6] Firms should be careful to make a claim that the "hard copy" of required records is the authoritative document. For the "hard copy" produced from electronic source to be the authoritative document, it must be a complete and accurate copy of the electronic source. The manufacturer must use the hard copy (rather than electronic versions stored in the system) of the records for regulated activities. The current technical architecture of computer systems increasingly makes the Part 11, Electronic Records; Electronic Signatures — Scope and Application for the complete and accurate copy requirement extremely mandatory.[7]


  • Subpart-A – General Provisions
    • Scope
    • Implementation
    • Definitions
  • Subpart-B – Electronic Records
    • Controls for closed systems
    • Controls for open systems
    • Signature manifestations
    • Signature/record linking
  • Subpart-C – Electronic Signatures
    • General requirements
    • Electronic signatures and controls
    • Controls for identification codes/passwords


Various keynote speeches by FDA insiders early in the 21st century (in addition to high-profile audit findings focusing on computer system compliance) resulted in many companies scrambling to mount a defense against rule enforcement that they were procedurally and technologically unprepared for. Many software and instrumentation vendors released Part 11 "compliant" updates that were either incomplete or insufficient to fully comply with the rule. Complaints about the wasting of critical resources, non-value added aspects, in addition to confusion within the drug, medical device, biotech/biologic and other industries about the true scope and enforcement aspects of Part 11 resulted in the FDA release of:

This document was intended to clarify how Part 11 should be implemented and would be enforced. But, as with all FDA guidances, it was not intended to convey the full force of law—rather, it expressed the FDA's "current thinking" on Part 11 compliance. Many within the industry, while pleased with the more limited scope defined in the guidance, complained that, in some areas, the 2003 guidance contradicted requirements in the 1997 Final Rule.

In May 2007, the FDA issued the final version of their guidance on computerized systems in clinical investigations. This guidance supersedes the guidance of the same name dated April 1999; and supplements the guidance for industry on Part 11, Electronic Records; Electronic Signatures — Scope and Application and the Agency’s international harmonization efforts when applying these guidances to source data generated at clinical study sites.

FDA had previously announced that a new Part 11 would be released late 2006. The Agency has since pushed that release date back. The FDA has not announced a revised time of release. John Murray, member of the Part 11 Working Group (the team at FDA developing the new Part 11), has publicly stated that the timetable for release is "flexible".

Benefits of 21 CFR Part 11[edit]

21 CFR Part 11 has the following benefits:

  • Increased data confidentiality, integrity, and accessibility
  • More paperless environments
  • Faster information exchange
  • Increased cost savings from reduced storage space, and
  • Reduced errors

See also[edit]


  1. ^ "CFR - Code of Federal Regulations Title 21". U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.
  2. ^ "Food and Drug Administration CFR Title 21 Part 11". Microsoft. Microsoft. Retrieved 15 September 2016.
  3. ^ "Part 11, Electronic Records; Electronic Signatures — Scope and Application". U.S Food & Drug Administration. U.S Food & Drug Administration. Retrieved 15 September 2016.
  4. ^ "21 CFR Part 11 - Electronic Records and Electronic Signatures". Lab Compliance. Lab Compliance. Retrieved 15 September 2016.
  5. ^ "The Role of Biometrics in Enterprise Security" (PDF). Dell. Dell. Retrieved 15 September 2016.
  6. ^ "Part 11, Electronic Records; Electronic Signatures — Scope and Application". U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.
  7. ^ "CFR - Code of Federal Regulations Title 21". U.S. Food & Drug Administration. U.S. Food & Drug Administration. Retrieved 15 September 2016.

External links[edit]