Today, MedTech companies have largely moved to store and transmit records and documentation electronically. It’s also common to use electronic signatures for everything from reviews and approvals to patient consent during clinical trials.
But if you plan on submitting any of that data to the Food and Drug Administration (FDA) in the US, you should know that your data is subject to FDA regulations, specifically 21 CFR Part 11 - Electronic Records; Electronic Signatures.
As we’ll see, Part 11 applies to more than just a company’s QMS. Records held in other databases, such as electronic case report forms (eCRFs), must also be maintained in accordance with the regulation.
That means if you’re conducting clinical trials with the hope of using that data in your submission to FDA, tools you use to capture, maintain, and transmit that data need to be compliant with FDA’s 21 CFR Part 11.
So, let’s take a closer look at Part 11, its requirements, and what you’ll need to ensure your clinical records and electronic signatures stay compliant.
As a bonus resource, you can download our 21 CFR Part 11 Compliance Check-List for several compliance pointers.
21 CFR Part 11 is the FDA’s regulation for electronic documentation and electronic signatures. The regulation lays out the criteria that must be met for FDA to consider electronic records and electronic signatures to be “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.”
In other words, these regulations outline what procedures and controls you need in place for FDA to accept your electronic records instead of paper.
The regulation is broken up into three sections:
The General Provisions define the scope of the regulation, and provide the requirements for its implementation and the definitions of key terms used in the text. The General Provisions make it clear the regulation has a broad application:
"This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any record requirements set forth in agency regulations."
Some MedTech companies will claim to have a “master record” on paper, hiding in a filing cabinet somewhere—and also claim this means they don’t need to worry about Part 11.
But in section 11.3(a)(6) of the regulation, FDA defines “electronic record” as:
"Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system."
Scanned versions of documents that are being maintained electronically still fall within the scope of “electronic records” and require compliance with Part 11. So, even if you have paper copies of eCRFs or other clinical records on hand, the electronic versions of these must be Part 11-compliant.
The data and records generated by clinical trials, as well as any electronic signatures (such as those used for e-consent) fall under the purview of 21 CFR Part 11. That means the system you use to capture and store that data, such as your electronic data capture (EDC) system, will need to comply with the requirements in Part 11.
There are a number of requirements in 21 CFR Part 11 that need to be in place for your clinical records to be compliant with the regulation—these can be found in Subpart B. The goal of the procedures and controls outlined in Subpart B are to ensure that electronic records maintain their:
Your EDC system needs to comply with all the provisions of Subpart B, but I want to use our space here to highlight some of the most important requirements.
Ensuring that only the people who are authorized to view and transmit electronic records can do so is one of the fundamental requirements of Part 11.
This is explicitly stated in Sections 11.10(d) and 11.10(g):
So, however you choose to store and manage clinical data from trials, you must have a means of setting permissions for who can access that data and ensuring it’s secure.
If you’re using an EDC system to collect and store data from clinical trials, that system must be validated to ensure its reliability and accuracy.
Section 11.10(a) of Part 11 requires:
"Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
If the platform or tool you’re using to collect and submit clinical records doesn’t come validated, you will have to validate it yourself to stay compliant with Part 11.
Without a way to track the creation of records, any changes to them, and their deletion, FDA cannot accept them as equivalent to paper records.
Section 11.10(e) requires:
"Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
The requirements for electronic signatures are found in both Subpart B and C.
Subpart B requires all electronic signatures to include the name of the signer, the date and time at which they signed, and the context or meaning of the signature (approval, review, authorship, etc.). It also requires signatures to be linked to their respective electronic records.
Subpart C expands on the requirements for electronic signatures, adding requirements that include:
The electronic signatures requirements will be particularly relevant to you if you use e-consent in your clinical trials. Clinical trial managers may find gathering information digitally is safer and simpler than using physical documents—but that means they need a way of meeting regulatory requirements for those digital signatures.
I’ve highlighted several of the requirements in Part 11 to help you understand what it takes for your clinical record-keeping and e-consent to be compliant with the regulation.
Part 11 does ask a lot of MedTech companies, but you don’t have to do it on your own. The simplest way to stay on the right side of the regulation is to start that way—by using an EDC system that can facilitate your Part 11 compliance like SMART-TRIAL by Greenlight Guru.
Our software is verified and validated to comply with applicable requirements FDA Part 11 by following the PIC/S Guidance, PI-011-3 Good Practices for Computerized Systems in Regulated “GxP” Environments.
What does that mean in practice?
Ready to learn more?