21 CFR Part 11 Electronic Records and Signatures Regulation – 20 Years On

This year is the 20th anniversary of the publication of Title 21 Code of Federal Regulations Part 11 (21 CFR Part 11 or just Part 11), the US Food and Drug Administration (FDA) regulation about control of electronic records and electronic signatures for computerised systems used by pharmaceutical and medical device companies. This is a relatively small regulation (less than 2 complete pages of the Federal Register) that has had and continues to have a big impact on regulated organisations and software suppliers.

When implementing computerised systems, the requirements of Part 11 need to be fully understood. To help with this, I want to explore the following areas in this blog post:

  • What is Part 11?
  • Interpretation of Part 11 by the applicable predicate rule
  • Understanding the technical, procedural and administrative controls of the regulation
  • What is software validation?
  • Why do I need to validate my LMS?


What is Part 11?

Part 11 is a regulation that mandates controls for electronic records generated during the course of regulated activities or for records that are submitted to the FDA even if there is no stated requirement for the record in agency regulations. In addition, it permits the use of electronic signatures (most typically in the form of a unique combination of user identity and password) to sign electronic records instead of traditional handwritten signatures.

The regulation consists of three sub-parts:

  A. Scope and Definitions
  B. Electronic Records
  C. Electronic Signatures

The main regulations are found in sub-parts B and C. However, do not be misled into thinking that there is a division between records and signatures – far from it. Part 11 is an integrated regulation. Sub-part B contains requirements for electronic signatures and sub-part C contains controls to ensure the integrity of electronic records as well as electronic signatures.


Technical, Procedural and Administrative Controls of Part 11

Reading the Part 11 regulations you can divide the requirements into three types of control:

  • Technical controls: functions built into the software e.g. application security, access control, audit trail
  • Procedural controls: for training how to use a system, how and when to use electronic signatures, assignment of user identities
  • Administrative controls: verifying the identity of individuals using electronic signature / record systems, informing the FDA that the company is using electronic signatures and that they are the legal equivalent to handwritten signatures

Looking at the three types of control means that there are two parties involved in ensuring Part 11 compliance:

  • Software supplier: responsible for ensuring the technical controls required by Part 11 in conjunction with an interpretation of the applicable predicate rules are incorporated in the application
  • Regulated user: responsible for the procedural and administrative controls required by the regulations

Only when the regulated user and the supplier work together can there be Part 11 compliance. It follows that a supplier cannot state that the application is 21 CFR Part 11-compliant, as they can only provide technical controls.


Interpretation of Part 11 by the Applicable Predicate Rule

In itself, Part 11 only mandates the controls that need to be in place for electronic records and electronic signatures. However, there is no statement in the regulation of what records need to be generated or maintained or where signatures need to be applied. This is the role of the applicable predicate rule.

What, you may ask, is a predicate rule? Quite simply, this is a term referring to the existing GXP regulations that are applicable to healthcare and life sciences organisations. These are Good Laboratory Practice (GLP), Good Clinical Practice (GCP) and Good Manufacturing Practice (GMP), collectively shortened to GXP, where the X can refer to one or more of these three regulations.

The predicate rules that an organisation works to have explicit (stated directly) or implicit (implied) requirements for records and signatures. For example, the GLP regulation for staff training mandates that there are records providing evidence of that training.

In contrast, the pharmaceutical GMP regulation requires that staff are trained but does not state – but implies – that records are needed. However, can a GMP-regulated organisation contemplate an inspection without up-to-date training records?

Similarly, there are very few explicit regulated requirements for signatures, but read the applicable predicate rule carefully as there are implicit requirements e.g. review, verify and approve will mean a signature is required.


Why Do I Need to Validate my LMS?

One of the explicit or implicit requirements of any pharmaceutical and medical device regulations is for validation of computerised systems to demonstrate that the software is fit for purpose and can meet its intended uses.

This is applicable to a Learning Management System (LMS) as it is a key component of any regulated organisation’s quality management system. If you cannot demonstrate that staff have the appropriate combination of education, training and experience, then an inspection starts to run off the rails.

Of course, this raises the question of what is software validation?


What is Software Validation?

In essence, demonstrating that the software is fit for its intended use requires the following main documents to be written:

  • System risk assessment to record if the LMS needs to be validated or not
  • Validation plan to define the work to be performed, the documents to be written and the roles and responsibilities of all involved
  • User requirements specification defining the functions of the software
  • Configuration specifications that record the application settings that are also part of the intended use of the system
  • The requirements and configuration settings need to be uniquely numbered so that they are traced throughout the rest of the work
  • Documents to show that the computer and application have been installed correctly
  • Testing of the system to demonstrate that the system meets its intended use against the user requirements and configuration specifications
  • Writing procedures to use the system and training of users
  • Validation summary report that collates the work done and highlights any issues during the work

Understanding 21 CFR Part 11 and its implications on LMS software and software validation is essential when implementing a Learning Management System in pharmaceutical, biotech or medical device companies.




Dr Bob McDowall is an analytical chemist with over 40 years' experience, including over 30 years' experience implementing and validating informatics solutions in regulated environments. He has a PhD in forensic toxicology and 15 years' experience working in the pharmaceutical industry.

He has been a consultant for 24 years and is currently the Director of R D McDowall Limited and was Visiting Research Fellow at the University of Surrey, UK from 1991 to 2001. Bob also trains and writes on the subject of computerised system validation, data integrity and is the author of a book on the validation of chromatography data systems, the second edition of which has just been published. Bob provides consulting services for NetDimensions Learning to be validated in client environments for intended use along 21 CFR Part 11 and GXP requirements.
