Starting in April 2016, AlvaMed incorporated Docusign’s 21 CFR Part 11 compliant service into our service offering for our clients. This allows AlvaMed to effectively manage quality records for our clients while maintaining the efficiency and convenience of electronic signatures and electronic file storage.
The following article explains 21 CFR Part 11 – some background and a review of the essential requirements.
What is 21 CFR Part 11?
Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures. It sets forth the criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
Essential Requirements for Electronic Records
- Validate systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
- Generate accurate and complete copies of records suitable for inspection, review, and copying by FDA.
- Protect records to enable their accurate and easy retrieval throughout the record retention period.
- Limit system access to authorized individuals.
- Secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
- Authority checks to ensure that only authorized individuals can:
  - use the system,
  - electronically sign a record,
  - access the operation or computer system input or output device,
  - alter a record, or
  - perform the operation.
- Device checks to determine, as appropriate, the validity of the source of data input or operational instruction.
- Persons who develop, maintain, or use electronic record/electronic signature systems have demonstrated education, training, and experience to perform their assigned tasks.
- Establish and adhere to written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures.
- Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
- Revisions and change control procedures to maintain an audit trail.
Essential Requirements for Electronic Signatures
- Each electronic signature must be unique to one individual and may not be reused by or reassigned to anyone else.
- Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, the organization must verify the identity of the individual.
- Signatures that are not based upon biometrics must employ at least 2 distinct identification components, such as an identification code and password, and may only be used by their genuine owners.
- No two individuals may have the same combination of identification code and password.
- Identification code and password issuances are periodically checked, recalled, or revised.
- Loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised cards or devices that contain identification code or password information must be followed.
- Transaction safeguards to prevent unauthorized use of passwords and/or identification codes and to report any attempts at their unauthorized use.
- Electronic signatures based upon biometrics must be designed to ensure that they cannot be used by anyone other than their genuine owners.