How to Comply with 21 CFR Part 11: Download the Checklist and Best Practices
This guidance is intended to describe the Food and Drug Administration's (FDA's) current thinking regarding the scope and application of part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (21 CFR Part 11).2
This document provides guidance to persons who, in fulfillment of a requirement in a statute or another part of FDA's regulations to maintain records or submit information to FDA3, have chosen to maintain the records or submit designated information electronically and, as a result, have become subject to part 11. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug, and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act), even if such records are not specifically identified in Agency regulations ( 11.1). The underlying requirements set forth in the Act, PHS Act, and FDA regulations (other than part 11) are referred to in this guidance document as predicate rules.
download 21 cfr part 11
As an outgrowth of its current good manufacturing practice (CGMP) initiative for human and animal drugs and biologics,4 FDA is re-examining part 11 as it applies to all FDA regulated products. We anticipate initiating rulemaking to change part 11 as a result of that re-examination. This guidance explains that we will narrowly interpret the scope of part 11. While the re-examination of part 11 is under way, we intend to exercise enforcement discretion with respect to certain part 11 requirements. That is, we do not intend to take enforcement action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of part 11 as explained in this guidance. However, records must still be maintained or submitted in accordance with the underlying predicate rules, and the Agency can take regulatory action for noncompliance with such predicate rules.
In addition, we intend to exercise enforcement discretion and do not intend to take (or recommend) action to enforce any part 11 requirements with regard to systems that were operational before August 20, 1997, the effective date of part 11 (commonly known as legacy systems) under the circumstances described in section III.C.3 of this guidance.
In March of 1997, FDA issued final part 11 regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, were intended to permit the widest possible use of electronic technology, compatible with FDA's responsibility to protect the public health.
After part 11 became effective in August 1997, significant discussions ensued among industry, contractors, and the Agency concerning the interpretation and implementation of the regulations. FDA has (1) spoken about part 11 at many conferences and met numerous times with an industry coalition and other interested parties in an effort to hear more about potential part 11 issues; (2) published a compliance policy guide, CPG 7153.17: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures; and (3) published numerous draft guidance documents including the following:
Throughout all of these communications, concerns have been raised that some interpretations of the part 11 requirements would (1) unnecessarily restrict the use of electronic technology in a manner that is inconsistent with FDA's stated intent in issuing the rule, (2) significantly increase the costs of compliance to an extent that was not contemplated at the time the rule was drafted, and (3) discourage innovation and technological advances without providing a significant public health benefit. These concerns have been raised particularly in the areas of part 11 requirements for validation, audit trails, record retention, record copying, and legacy systems.
How to download 21 cfr part 11 pdf
Download 21 cfr part 11 guidance for industry
Download 21 cfr part 11 electronic records electronic signatures
Download 21 cfr part 11 scope and application
Download 21 cfr part 11 compliance checklist
Download 21 cfr part 11 validation requirements
Download 21 cfr part 11 audit trail
Download 21 cfr part 11 training course
Download 21 cfr part 11 software solutions
Download 21 cfr part 11 data integrity
Download 21 cfr part 11 best practices
Download 21 cfr part 11 summary
Download 21 cfr part 11 regulations for medical devices
Download 21 cfr part 11 implementation guide
Download 21 cfr part 11 risk assessment template
Download 21 cfr part 11 frequently asked questions
Download 21 cfr part 11 examples of electronic records
Download 21 cfr part 11 electronic signature components and controls
Download 21 cfr part 11 general requirements
Download 21 cfr part 11 controls for closed systems
Download 21 cfr part 11 controls for open systems
Download 21 cfr part 11 signature manifestations
Download 21 cfr part 11 signature record linking
Download 21 cfr part 11 controls for identification codes passwords
Download 21 cfr part 11 legacy systems
Download 21 cfr part 11 copies of records
Download 21 cfr part 11 record retention
Download 21 cfr part 11 inspection readiness
Download 21 cfr part 11 gap analysis tool
Download 21 cfr part 11 remediation plan
Download 21 cfr part 11 cloud computing
Download 21 cfr part 11 mobile devices
Download 21 cfr part 11 artificial intelligence
Download 21 cfr part 11 blockchain technology
Download 21 cfr part 11 internet of things
Download 21 cfr part 11 machine learning
Download 21 cfr part 11 biometrics authentication
Download 21 cfr part 11 digital transformation
Download eCFR title_21 chapter_I subchapter_A Part_11
Free download of eCFR title_21 chapter_I subchapter_A Part_11
Where to download eCFR title_21 chapter_I subchapter_A Part_11
How to download eCFR title_21 chapter_I subchapter_A Part_11 in word format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in excel format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in html format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in xml format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in json format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in csv format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in txt format
How to download eCFR title_21 chapter_I subchapter_A Part_11 in epub format
As a result of these concerns, we decided to review the part 11 documents and related issues, particularly in light of the Agency's CGMP initiative. In the Federal Register of February 4, 2003 (68 FR 5645), we announced the withdrawal of the draft guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records. We had decided we wanted to minimize industry time spent reviewing and commenting on the draft guidance when that draft guidance may no longer represent our approach under the CGMP initiative. Then, in the Federal Register of February 25, 2003 (68 FR 8775), we announced the withdrawal of the part 11 draft guidance documents on validation, glossary of terms, time stamps,5 maintenance of electronic records, and CPG 7153.17. We received valuable public comments on these draft guidances, and we plan to use that information to help with future decision-making with respect to part 11. We do not intend to re-issue these draft guidance documents or the CPG.
We are now re-examining part 11, and we anticipate initiating rulemaking to revise provisions of that regulation. To avoid unnecessary resource expenditures to comply with part 11 requirements, we are issuing this guidance to describe how we intend to exercise enforcement discretion with regard to certain part 11 requirements during the re-examination of part 11. As mentioned previously, part 11 remains in effect during this re-examination period.
It is important to note that FDA's exercise of enforcement discretion as described in this guidance is limited to specified part 11 requirements (setting aside legacy systems, as to which the extent of enforcement discretion, under certain circumstances, will be more broad). We intend to enforce all other provisions of part 11 including, but not limited to, certain controls for closed systems in 11.10. For example, we intend to enforce provisions related to the following controls and requirements:
We understand that there is some confusion about the scope of part 11. Some have understood the scope of part 11 to be very broad. We believe that some of those broad interpretations could lead to unnecessary controls and costs and could discourage innovation and technological advances without providing added benefit to the public health. As a result, we want to clarify that the Agency intends to interpret the scope of part 11 narrowly.
Under the narrow interpretation of the scope of part 11, with respect to records required to be maintained under predicate rules or submitted to FDA, when persons choose to use records in electronic format in place of paper format, part 11 would apply. On the other hand, when persons use computers to generate paper printouts of electronic records, and those paper records meet all the requirements of the applicable predicate rules and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be "using electronic records in lieu of paper records" under 11.2(a) and 11.2(b). In these instances, the use of computer systems in the generation of paper records would not trigger part 11.
Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format. On the other hand, records (and any associated signatures) that are not required to be retained under predicate rules, but that are nonetheless maintained in electronic format, are not part 11 records.
In some cases, actual business practices may dictate whether you are using electronic records instead of paper records under 11.2(a). For example, if a record is required to be maintained under a predicate rule and you use a computer to generate a paper printout of the electronic records, but you nonetheless rely on the electronic record to perform regulated activities, the Agency may consider you to be using the electronic record instead of the paper record. That is, the Agency may take your business practices into account in determining whether part 11 applies.
The Agency intends to exercise enforcement discretion regarding specific part 11 requirements for validation of computerized systems ( 11.10(a) and corresponding requirements in 11.30). Although persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), this guidance should not be read to impose any additional requirements for validation.
The Agency intends to exercise enforcement discretion regarding specific part 11 requirements related to computer-generated, time-stamped audit trails ( 11.10 (e), (k)(2) and any corresponding requirement in 11.30). Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.
Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the records.6 We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation.