21 cfr part 11_1997_2003-1

Upload: bhanu99

Post on 27-Feb-2018


  • 7/25/2019 21 cfr part 11_1997_2003-1


    21 CFR part 11_1997

    PART 11 - ELECTRONIC RECORDS & ELECTRONIC SIGNATURES

    Subpart A - General Provisions
      11.1 Scope.
      11.2 Implementation.
      11.3 Definitions

    Subpart B - Electronic Records
      11.10 Controls for closed systems
      11.30 Controls for open systems
      11.50 Signature manifestations
      11.70 Signature/record linking.

    Subpart C - Electronic Signatures
      11.100 General requirements
      11.200 Electronic signature components and controls.
      11.300 Controls for identification codes/passwords

    § 11.1 Scope

    (a) The regulations in this part set forth the criteria, under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

    (b) This part applies to records in electronic form that are

    1. Created, 2. modified, (CR*)

    3. Maintained, 4. Archived,

    5. Retrieved, or transmitted.

    This part does not apply to paper records that are, or have been, transmitted by electronic means.

    (c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.

    (d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with § 11.2, unless paper records are specifically required.

    (e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.

    § 11.2 Implementation

    (a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.

    (b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:

    (1) The requirements of this part are met; and

    (2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.

    (e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.

    § 11.3 Definitions

    (3) Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.


    (4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

    (5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

    (


    § 11.30 Controls for open systems

    Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

    § 11.50 Signature manifestations

    (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

    (1) The printed name of the signer;

    (2) The date and time when the signature was executed; and

    (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

    (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

    § 11.70 Signature/record linking

    Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

    Subpart C - Electronic Signatures

    § 11.100 General requirements

    (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

    (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

    (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

    (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5


    § 11.300 Controls for identification codes/passwords.

    Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

    (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

    (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

    (c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

    (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

    (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

    Guidance for Industry: Part 11, Electronic Records; Electronic Signatures - Scope and Application 2003

    1. INTRODUCTION.

    FDA is re-examining part 11 as it applies to all FDA regulated products.

    2. BACKGROUND

    3. DISCUSSION

      A. Overall Approach to Part 11 Requirements

      B. Details of Approach - Scope of Part 11

        1. Narrow Interpretation of Scope
        2. Definition of Part 11 Records.

      C. Approach to Specific Part 11 Requirements % 4 C !5

        1. Validation
        2. Audit Trail
        3. Legacy Systems
        4. Copies of Records
        5. Record Retention

    A. Overall Approach to Part 11 Requirements.

    1. Limiting system access to authorized individuals.

    2. Use of operational system checks.

    3. Uses of authority checks.

    4. Uses of device checks.

    5. Determination that persons, who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks.

    6. Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures.

    7. Appropriate controls over systems documentation.

    8. Controls for open systems corresponding to controls for closed systems bulleted above (11.30)

    9. Requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300)

    B. Details of Approach - Scope of Part 11

    1. Narrow Interpretation of Scope: We understand that there is some confusion about the scope of part 11. Some have understood the scope of part 11 to be very broad. We believe that some of those broad interpretations could lead to unnecessary controls and costs and could discourage innovation and technological advances without providing added benefit to the public health. As a result, we want to clarify that the Agency intends to interpret the scope of part 11 narrowly.

    Under the narrow interpretation of the scope of part 11, with respect to records required to be maintained under predicate rules or submitted to FDA, when persons choose to use records in electronic format in place of paper format, part 11 would apply. On the other hand, when persons use computers to generate paper printouts of electronic records, and those paper records meet all the requirements of the applicable predicate rules and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be using electronic records in lieu of paper records under §§ 11.2(a) and 11.2(b). In these instances, the use of computer systems in the generation of paper records would not trigger part 11.

    2. Definition of Part 11 Records

    Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format. On the other hand, records (and any associated signatures) that are not required to be retained under predicate rules, but that are nonetheless maintained in electronic format, are not part 11 records.

    We recommend that you determine, based on the predicate rules, whether specific records are part 11 records. We recommend that you document such decisions.

    Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format, and that are relied on to perform regulated activities.

    In some cases, actual business practices may dictate whether you are using electronic records instead of paper records under § 11.2(a). For example, if a record is required to be maintained under a predicate rule and you use a computer to generate a paper printout of the electronic records, but you nonetheless rely on the electronic record to perform regulated activities, the Agency may consider you to be using the electronic record instead of the paper record. That is, the Agency may take your business practices into account in determining whether part 11 applies.

    Accordingly, we recommend that, for each record required to be maintained under predicate rules, you determine in advance whether you plan to rely on the electronic record or paper record to perform regulated activities. We recommend that you document this decision (e.g., in a Standard Operating Procedure (SOP), or specification document).

    Records submitted to FDA, under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic format (assuming the records have been identified in docket number 92S-0251 as the types of submissions the Agency accepts in electronic format). However, a record that is not itself submitted, but is used in generating a submission, is not a part 11 record unless it is otherwise required to be maintained under a predicate rule and it is maintained in electronic format.

    Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules. Part 11 signatures include electronic signatures that are used, for example, to document the fact that certain events or actions occurred in accordance with the predicate rule (e.g. approved, reviewed, and verified).

    C. Approach to Specific Part 11 Requirements

    1. Validation: Validation of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30). Although persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), Meet predicate rule. You should also consider the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures. Even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system.

    We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. For instance, validation would not be important for a word processor used only to generate SOPs.


    2. Audit Trail: computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in § 11.30). date (e.g., § 58.130(e)), time, or sequencing of events as well as any requirements for ensuring that changes to records do not obscure previous entries.

    We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation.

    3. Legacy Systems: Existing system whose validation does not necessarily meet current compliance requirements

    The Agency intends to exercise enforcement discretion with respect to all part 11 requirements for systems that otherwise were operational prior to August 20, 1997, the effective date of part 11, under the circumstances specified below.

    This means that the Agency does not intend to take enforcement action to enforce compliance with any part 11 requirements if all the following criteria are met for a specific system:

    - the system was operational before the effective date.
    - the system met all applicable predicate rule requirements before the effective date.
    - the system currently meets all applicable predicate rule requirements.
    - you have documented evidence and justification that the system is fit for its intended use (including having an acceptable level of record security and integrity, if applicable).

    If a system has been changed since August 20, 1997, and if the changes would prevent the system from meeting predicate rule requirements, Part 11 controls should be applied to Part 11 records and signatures pursuant to the enforcement policy expressed in this guidance.

    4. Copies of Records: The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for generating copies of records (§ 11.10 (b) and any corresponding requirement in § 11.30). You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules (e.g., §§ 211.180(c), (d), and 108.35(c) (3) (ii)).

    We recommend that you supply copies of electronic records by:

    - Producing copies of records held in common portable formats when records are maintained in these formats.
    - Using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML, or SGML)

    In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record. If you have the ability to search, sort, or trend part 11 records, copies given to the Agency should provide the same capability if it is reasonable and technically feasible. You should allow inspection, review, and copying of records in a human readable form at your site using your hardware and following your established procedures and techniques for accessing records.

    5. Record Retention: The Agency intends to exercise enforcement discretion with regard to the part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period (§ 11.10 (c) and any corresponding requirement in § 11.30). Persons must still comply with all applicable predicate rule requirements for record retention and availability (e.g. §§ 211.180(c),(d), 108.25(g), and 108.35(h)).


    We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time.

    FDA does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche, and paper, or to a standard electronic file format (examples of such formats include, but are not limited to, PDF, XML, or SGML). Persons must still comply with all predicate rule requirements, and the records themselves and any copies of the required records should preserve their content and meaning. As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records. In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved.