FDA 21 CFR Part 11 Compliance: Frequently Asked Questions

Many clinical trial sites want to use technology but worry about compliance, especially 21 CFR Part 11 compliance. Using technology that isn’t compliant can lead to audits and stressful communications with the FDA. You have to choose compliant technology to use technology in clinical trials.

Even clinical trial experts can get overwhelmed by the depth of FDA regulations, though. Part 11 can be especially confusing because it requires knowledge of technology as well as clinical trials. 

We’ve compiled this FAQ to help you learn what 21 CFR Part 11 means, why it exists, and how you can help your research organization remain compliant. You can also check out our Part 11 checklist to help you evaluate technology options. 

These are just general guidelines–always talk to a compliance specialist to understand how the regulations apply to your organization specifically. 

What is FDA 21 CFR Part 11 compliance?

FDA 21 Code of Federal Regulations (CFR) Part 11 refers to the FDA’s regulations on electronic records and electronic signatures for clinical trials. Since most sponsors and research sites now use electronic documents, Part 11 has become more important than ever. 

To comply with Part 11, you need to understand what features your electronic record system should have and what processes you should follow when using it. Your clinical trial vendor should provide proof that they are Part 11 compatible, and you shouldn’t use software that doesn’t follow those regulations. 

What is the main purpose of 21 CFR Part 11?

21 CFR Part 11’s main purpose is to ensure that electronic records and electronic signatures are trustworthy, reliable, and equivalent to paper records with handwritten signatures. The regulations ensure electronic records and signatures are authentic and users can’t later claim that the signature wasn’t theirs. 

The FDA first created guidelines for electronic records in 1997, but the regulations were so complicated that many research sites stuck to paper records. In 2003, the FDA issued guidance explaining their new risk-based approach. 

The new approach focused on making the regulations easier to follow while still mitigating the biggest security risks of electronic records. The FDA didn’t want to make it impossible for research sites to adopt new, more efficient digital processes, but they needed to make sure clinical trial regulations were followed. 

Who does 21 CFR Part 11 apply to?

21 CFR Part 11 applies to clinical trial sponsors, including pharmaceutical and medical device companies, who are conducting FDA-regulated research. It also applies to Clinical Research Organizations (CROs) and research sites. Whenever organizations are conducting research in the U.S, or submitting their drugs and devices to the FDA for approval, Part 11 comes into play. 

This means that clinical research assistants, coordinators, nurses, and principal investigators conducting FDA-regulated studies need to understand the basics of 21 CFR Part 11. So do the people who purchase technology. No clinical research team should purchase tech without ensuring it’s Part 11 compatible. 

Which records does 21 CFR Part 11 apply to? 

21 CFR Part 11 applies to any records that are required by the FDA that are being maintained electronically instead of on paper. Which records the FDA requires is outlined in the Predicate Rules. Electronic documents that the FDA doesn’t mention in the Predicate Rules don’t have to follow Part 11. 

Records that are printed off from an electronic system or maintained on paper have separate regulations. But if you want to maintain and sign your FDA documents online–as most research sites and sponsors now do–you’ll need to make sure you understand 21 CFR Part 11. 

What are the organizational requirements of 21 CFR Part 11?

21 CFR Part 11 has requirements for electronic records, electronic signatures, and the personnel who use them. The regulations start with the basics: Part 11-compliant technology either needs to be a closed system or follow very specific requirements for open systems. In a closed system, people have to log in to access the electronic records. 

Only authorized individuals should have usernames and passwords, and those individuals should have the education, training, and experience to perform tasks within the system. Your technology should also allow you to limit access to specific documents to authorized users. You don’t want people signing or viewing documents they shouldn’t have access to. 

You also must have written Standard Operating Procedures (SOPs) and training documents that hold individuals accountable for their actions in the electronic system. Before choosing technology, you might want to ask if the vendor provides help with training and SOPs. This leads to greater user adoption and less confusion about new processes. It also helps you maintain compliance. 

What are the requirements for electronic records under 21 CFR Part 11?

Before using electronic records, you must perform a validation of your records system to ensure it’s secure and reliable. Your technology vendor should help you with this. 

The clinical trial software you choose for your electronic documents should let you make certified copies, maintain audit trails, and archive records. 

Electronic records can be shared with sponsors or sites that use the same software as you, so you won’t need to make as many copies as you would for paper records. However, some workflows still require certified copies for version control. Ask if the software can create certified copies before you purchase it. 

Audit trails are also required to help with version control. Computer-generated, time-stamped audit trails will help you record any changes you’ve made to your documents. 

Finally, you should be able to store your documents in the electronic system long enough to comply with FDA regulations. 

What is an electronic signature under 21 CFR Part 11?

Part 11 sets standards for using electronic signatures during clinical trials. Signatures must include a printed name, the date and time, and the reason for the signature (review, approval, responsibility, authorship, etc.) 

Signatures need to have a unique login and unique password attached. That means you should enter your password every time you sign a document and never sign using someone else’s email address/login. 

Every clinical research team is responsible for making sure only authorized users can access the system. Each user must have a unique log-in (typically an email address) and a password that is updated regularly. Your software system should also record any unauthorized attempts to log in to the system. Your technology vendor can help you set up all of this. 

How do I start using electronic records or electronic signatures?

If you’re going to use electronic records and electronic signatures, you first have to send a paper non-repudiation letter to the FDA. (Yes, it’s a bit odd.) You’ll also need a validation plan, user requirements, and a validation report that shows you completed your plan. 

Once again, your technology vendor should assist you. If they don’t help with the non-repudiation letter, validation plan, user requirements, and validation report, they’re not fully dedicated to 21 CFR Part 11 compliance. 

What is the difference between 21 CFR Part 11 ready and 21 CFR Part 11 compliant?

If a software vendor says that they are 21 CFR Part 11 ready, it means their software meets the technical specifications of Part 11. However, there’s much more to 21 CFR Part 11 compliance than technical requirements. The regulations also include validation, SOP, and training requirements. 

If a technology vendor truly cares about Part 11 compliance, they’ll help you with validation procedures, SOP creation, non-repudiation letters, change control, and documentation of your user training. A vendor who’s not willing to help with those processes may be Part 11 ready, but they’re not truly Part 11 compatible. 

How do I check whether my technology is 21 CFR Part 11 compliant?

We offer an online checklist to help all research sites, sponsors, and CROs evaluate their 21 CFR Part 11 compliance. If you’re a Florence customer, you can also speak to our implementations and compliance teams about Part 11. 

We go beyond the minimum software requirements and help our customers with Part 11 in every way that we can. However, some responsibility will always fall on the site, sponsor, or CRO, and our FAQ and checklist can’t provide every fact you need to know about Part 11. For detailed, binding regulations, check the FDA’s guidelines

More information on 21 CFR Part 11 compliance

To keep learning about Part 11 compliance, download our 21 CFR Part 11 checklist or our Guide to eSignatures. You can also check out our Complete Library of FDA eSource and eRegulatory Guidance for more detailed information.