Tips for Ensuring Your Clinical Data Complies with FDA's 21 CFR Part 11

Today, MedTech companies have largely moved to store and transmit records and documentation electronically. It’s also common to use electronic signatures for everything from reviews and approvals to patient consent during clinical trials.

But if you plan on submitting any of that data to the Food and Drug Administration (FDA) in the US, you should know that your data is subject to FDA regulations, specifically 21 CFR Part 11 - Electronic Records; Electronic Signatures. 

As we’ll see, Part 11 applies to more than just a company’s QMS. Records held in other databases, such as electronic case report forms (eCRFs), must also be maintained in accordance with the regulation. That means if you’re conducting clinical trials with the hope of using that data in your submission to FDA, tools you use to capture, maintain, and transmit that data need to be compliant with FDA’s 21 CFR Part 11.

So, let’s take a closer look at Part 11, its requirements, and what you’ll need to ensure your clinical records and electronic signatures stay compliant.

BONUS RESOURCE: If you want to learn more about staying Part 11 compliant, then download our 21 CFR Part 11 Compliance Checklist.

What is the FDA 21 CFR Part 11 and what does it apply to?

21 CFR Part 11 is the FDA’s regulation for electronic documentation and electronic signatures. The regulation lays out the criteria that must be met for FDA to consider electronic records and electronic signatures to be “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.”

In other words, these regulations outline what procedures and controls you need in place for FDA to accept your electronic records instead of paper.

The regulation is broken up into three sections:

1. General Provisions discusses the scope of the regulations, when and how it should be implemented, and defines some of the key terms used in the regulations.
2. Electronic Records sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
3. Electronic Signatures is split into three parts: general requirements for electronic signatures, electronic signature components and controls, and controls for identification codes/passwords.

The General Provisions define the scope of the regulation, and provide the requirements for its implementation and the definitions of key terms used in the text. The General Provisions make it clear the regulation has a broad application:

''This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any record requirements set forth in agency regulations.''

Some MedTech companies will claim to have a “master record” on paper, hiding in a filing cabinet somewhere—and also claim this means they don’t need to worry about Part 11.

But in section 11.3(a)(6) of the regulation, FDA defines “electronic record” as:

Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

Scanned versions of documents that are being maintained electronically still fall within the scope of “electronic records” and require compliance with Part 11. So, even if you have paper copies of eCRFs or other clinical records on hand, the electronic versions of these must be Part 11-compliant.

What are 21 CFR Part 11’s requirements for clinical records and e-consent?

The data and records generated by clinical trials, as well as any electronic signatures (such as those used for e-consent) fall under the purview of 21 CFR Part 11. That means the system you use to capture and store that data, such as your electronic data capture (EDC) system, will need to comply with the requirements in Part 11.

There are a number of requirements in 21 CFR Part 11 that need to be in place for your clinical records to be compliant with the regulation—these can be found in Subpart B. The goal of the procedures and controls outlined in Subpart B are to ensure that electronic records maintain their:

• Authenticity
• Integrity
• Confidentiality (when appropriate)
• Irrefutability (i.e. “the signer cannot readily repudiate the signed record as not genuine”)

Your EDC system needs to comply with all the provisions of Subpart B, but I want to use our space here to highlight some of the most important requirements.

BONUS RESOURCE: If you want to learn more about staying Part 11 compliant, then download our 21 CFR Part 11 Compliance Checklist.

Managing user permissions and authentications

Ensuring that only the people who are authorized to view and transmit electronic records can do so is one of the fundamental requirements of Part 11.

This is explicitly stated in Sections 11.10(d) and 11.10(g):

• Limiting system access to authorized individuals.
• Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

So, however you choose to store and manage clinical data from clinical trials, you must have a means of setting permissions for who can access that data and ensuring it’s secure.

Performing validation (computer software assurance)

If you’re using an EDC system to collect and store data from clinical trials, that system must be validated to ensure its reliability and accuracy.

Section 11.10(a) of Part 11 requires: 

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

If the platform or tool you’re using to collect and submit clinical records doesn’t come validated, you will have to validate it yourself to stay compliant with Part 11.

Maintaining an audit trail

Without a way to track the creation of records, any changes to them, and their deletion, FDA cannot accept them as equivalent to paper records.

Section 11.10(e) requires: 

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

BONUS RESOURCE: If you want to learn more about staying Part 11 compliant, then download our 21 CFR Part 11 Compliance Checklist.

Managing electronic signature requirements

The requirements for electronic signatures are found in both Subpart B and C. 

Subpart B requires all electronic signatures to include the name of the signer, the date and time at which they signed, and the context or meaning of the signature (approval, review, authorship, etc.). It also requires signatures to be linked to their respective electronic records.

Subpart C expands on the requirements for electronic signatures, adding requirements that include:

• Individuals who sign a document electronically need their identities confirmed and must use a signature that has not been used, and never will be used, by another individual.
• Electronic signatures based on biometrics (such as fingerprints) must be designed to ensure they can only be used by the correct individual.
• Electronic signatures that are not based on biometrics must use two distinct identification components, like an ID code and password.
• The controls for identification codes and passwords are listed in Section 11.300.

The electronic signatures requirements will be particularly relevant to you if you use e-consent in your clinical trials. Clinical trial managers may find gathering information digitally is safer and simpler than using physical documents—but that means they need a way of meeting regulatory requirements for those digital signatures. 

BONUS RESOURCE: If you want to learn more about staying Part 11 compliant, then download our 21 CFR Part 11 Compliance Checklist.

What makes an EDC system 21 CFR Part 11 compliant?

I’ve highlighted several of the requirements in Part 11 to help you understand what it takes for your clinical record-keeping and e-consent to be compliant with the regulation. 

Part 11 does ask a lot of MedTech companies, but you don’t have to do it on your own. The simplest way to stay on the right side of the regulation is to start that way—by using an EDC system that can facilitate your Part 11 compliance like Greenlight Guru Clinical.

Our software is verified and  validated to comply with applicable requirements FDA Part 11 by following the PIC/S Guidance, PI-011-3 Good Practices for Computerized Systems in Regulated “GxP” Environments.

What does that mean in practice?

• For one thing, our EDC platform comes with permission-based access and two-step authentication to keep data secure. That security also extends to Greenlight Guru Clinical's electronic patient reported outcomes (ePRO) service, which requires the authentication of every user's identity.
• It also means that every public release of the software platform is validated—meaning you don’t have to validate the platform yourself.
  
  
• Greenlight Guru Clinical also automatically maintains the requisite audit trail. So every action, such as viewing, creating, updating, or deleting elements is logged and traceable.