FDA Rule on Electronic Records and Electronic Signatures (21 C.F.R. Part 11)

In 1997, the U.S. Food and Drug Administration (FDA) issued 21 C.F.R. Part 11, which consists of regulations that provide criteria for the acceptance of electronic records. These criteria include specific information security and electronic signature practices. Part 11 applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under any FDA regulations. Part 11 also applies to electronic records submitted to the FDA under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in FDA regulations. Therefore, it applies to most aspects of research, quality assurance, clinical activities, manufacturing, and distribution of drugs, biologics, and devices. Virtually anything over which the FDA has jurisdiction, as well as some items subject to Public Health Service purview, is covered by the terms of Part 11. Therefore, higher education entities that conduct research under the jurisdiction of the FDA or the Public Health Service must comply with these regulations when submitting electronic records.

Organizations subject to these regulations are required to identify all information systems and applications covered by the regulations, develop a plan for bringing the systems and applications into compliance, and demonstrate that all of the items contained in the plan have been accomplished. The FDA recently issued guidance for organizations to follow when implementing compliance with 21 C.F.R. Part 11. Although the guidance contains only nonbinding recommendations, the FDA's current approach is to interpret Part 11 narrowly and to use discretion in enforcing the requirements for validation, audit trails, record retention, and record copying. Enforcement discretion will also be applied to all organizations using "legacy systems," which are those systems that were operational before the effective date of Part 11 (August 1997). However, the FDA guidelines state that the FDA intends to enforce all other provisions of Part 11, including the following controls and requirements:
  1. Limiting system access to authorized individuals
  2. Use of operational system checks
  3. Use of authority checks
  4. Use of device checks
  5. Determination that those who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
  6. Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
  7. Appropriate controls over systems documentation
  8. Controls for open systems corresponding to controls for closed systems
  9. Requirements related to electronic signatures

Organizations that are not using legacy systems and that fail to comply with the above controls could be subject to an FDA enforcement action, including seizure, injunction, and debarment. For example, in a warning letter sent to a college that was found in violation of the Federal Food, Drug, and Cosmetic Act, the FDA Detroit District director wrote:

"In addition to the above listed violations, our Investigator noted that the laboratory is using an electronic record system for processing and storage of data from the atomic absorption and HPLC instruments that is not set up to control the security and data integrity in that the system is not password controlled, there is no systematic back-up provision, and there is no audit trail of the system capabilities. The system does not appear to be designed and controlled in compliance with the requirements of 21 CFR, Part 11, Electronic Records."4

Compliance with this regulation can be achieved by following a unified approach to information security compliance

