The United States Food and Drug Administration (FDA) establishes regulations for electronic records and signatures in Title 21 CFR Part 11 of the Code of Federal Regulations.
Effective since 1997 and updated several times since, Part 11 applies to industries regulated by the FDA such as pharmaceuticals, biotechs, CROs, and medical device manufacturers.
- Part 11 specifies how these FDA-governed industries must handle electronic records and signatures and defines the criteria under which they are authentic, reliable, and equivalent to paper records.
- Part 11 requires implementing controls such as internal audits, audit trails, system validations, electronic signature protocols, and documentation for software involved in processing the electronic data that FDA rules require to be maintained.
Failure to comply with Part 11 can result in FDA citations and fines.
An electronic record is defined by Part 11 as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
Part 11 exists to give the agency assurance that electronic records are the same as paper records.
An electronic signature is defined by Part 11 as “computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.” Part 11 contains requirements to assure the agency that electronic signatures have the legal standing equivalent to a person’s handwritten signature. This ensures data integrity while cutting down on fraud and security concerns.
From a Records and Information Management (RIM) perspective, it is helpful to look at Part 11 through the lens of ARMA International’s Generally Accepted Recordkeeping Principles® (GARP).
The Principles most relevant to Part 11 are Integrity, Compliance, Retention, and Protection:
- Integrity – Part 11 demands that electronic records and information generated by or managed for the organization must have a reasonable guarantee and verification of authenticity and reliability.
- Compliance – In order to comply with regulatory authorities like the FDA, Life Sciences organizations must have a Records and Information Management department - and for larger companies an Information Governance program. There must be compliance with an enterprise’s own policies as well as with laws and regulations.
- Retention – There must be a clear records retention policy backed up by validated tools and technologies that implement the policy. Part 11 does not expect companies to keep everything forever. Instead, organizations must take into account the legal, regulatory, fiscal, operational, and historical requirements to determine retention with a records retention schedule, then enforce it.
- Protection – A reasonable level of protection is necessary for private, confidential, privileged, secret, and classified records and information. Protection also includes disaster recovery and business continuity planning (backups, off-site storage, etc.), which are not only a Part 11 requirement but also good business practice in any industry.
RIM and Information Governance professionals in the Life Sciences must be aware and knowledgeable of Part 11 to ensure compliance with the FDA regulations for electronic records. Part 11 outlines the specific requirements and controls related to electronic records over the course of the information life cycle - planning, creation, modification, maintenance, retrieval and disposition/archiving. These guidelines and regulations differ from other industries, especially non-regulated ones where record keeping is primarily concerned with business use. Part 11 is applicable to records identified in predicate rules, such as Good Clinical Practices (GCP), Good Laboratory Practices (GLP), and Good Manufacturing Practices (GMP). RIM should be involved with the development and implementation of validated systems to ensure consistent intended performance, the ability to discern invalid or altered records, and built-in retention management, and to ensure that accurate metadata can be created and saved in line with the corporate taxonomy, that processes are automated where possible, and that audit trails are captured to assure integrity, compliance, information protection, and appropriate retention.
Title 21 CFR Part 11 can be read in its entirety here.
About ARMA International and the Generally Accepted Recordkeeping Principles®
ARMA International (www.arma.org) is a not-for-profit professional association and the authority on information governance. Formed in 1955, ARMA International is the oldest and largest association for the information management profession with a current international membership of more than 10,000. It publishes Information Management magazine, and the Generally Accepted Recordkeeping Principles®. More information about the Principles can be found at www.arma.org/principles.