What Is 21 CFR Part 11?

21 CFR Part 11

There is often some confusion in companies about 21 CFR Part 11 and related compliance. Many companies think they meet the requirements but in reality they are not.

If you think it’s all about validation, audit trails, records and retention, and that your business is safe because it has paper master files, maybe you should review your idea. The question is more complex.

Let’s clarify and give some advice, especially to companies that deal with medical devices.

What Is 21 CFR Part 11?

What Is 21 CFR Part 11 .CFR Part 11 is a regulation that defines the criteria required by the FDA for electronic data to be truthful, robust and equivalent to the corresponding paper data.

The first part of 21 CFR Part 11 deals with electronic records and data retention, while the second part is inherent to electronic signatures.

One thing to remember is that 21 CFR dates back to 1997, so it is obvious that in the last 20 years our knowledge of electronic systems and their potential have changed a lot.Who Should Apply 21 CFR Part 11? Any company where electronic data is used must apply the regulation.

Dato elettronico: “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” (11.3)

Purpose Of 21 CFR Part 11

Know how to use computer systems and software and when they are not working properly.

Keep data securely to prevent it from being modified or lost

Track changes to the data

Identify data falsification and prevent it

Controls for closed systems

Anyone who uses closed systems to create, modify, store or transmit electronic data must have procedures and controls to ensure the authenticity, integrity, and confidentiality of the data through:

System validation

Ability to generate certified and controlled copies of data

Data protection

Limited and controlled access to the system

Use of audit trail

Operating system checks

Access controls

Adherence to the SOPs

Checks on documentation

Password and access management

Passwords are one of the most secure components of a system. With passwords it is possible to know the role, permissions and limitations of each user.

It is good practice to apply password management best practices, but in this case the document is vague. Here are some general indications to improve security and choose a good password:

Minimum 8 characters

Do not use common words

Use alphanumeric characters

Change the password every 90 days

Do not reuse the last 6 passwords

Do not show the text as you type the password

Do not allow the browser to save the password

The password must be personal and non-transferable

Do not write the password on paper or post-its

Access to electronic data must be controlled by unique IDs and with personalized logins that provide access via username and password.

After a period of inactivity (about 10 minutes) you should be expected to log out of the system. Any login attempts should be suspended after 3 unsuccessful entries of your credentials.

If an account has been inactive for a long period of time, it must be locked out. This period is usually quantified in 30 days.

Audit trail and electronic signature

The purpose of the audit trail is to know what each user did and when they did it. The audit trail tracks 21 CFR Part 11 when data is created, changed, deleted and when all these changes have occurred.

All the events that occur concerning a datum must be recorded with the name of the person who made the modification, the date and the time.The purpose of 21 CFR Part 11 also includes detecting fraud and knowing when each change occurs helps with this task.

The audit trail is the complete history of electronic data management

In 21 CFR Part 11 there is also talk of electronic signature for the review and approval of information.The electronic signature must be associated with a unique and personal username and password and must be completed with date and time.It is essential that once a data is signed for approval, it becomes impossible to modify.

Remember that:

Compliance with 21 CFR Part 11 is always the responsibility of the company. No softward and / or validation company will take responsibility for you.

Consulting firms will be able to test and validate your platform, support you in filling out the necessary documentation and help you achieve compliance but the ultimate responsibility remains with the company.

What is FDA CFR21 part 11 for the pharma world?

Luca Rizzardi 17. January 2019

In the pharmaceutical world, one of the most important regulations to comply with is FDA CFR21 part 11. What is this regulation, so important, to which Yokogawa fully responds with its data logging & recording systems?

Well… let’s imagine a pharmaceutical manufacturing facility that makes some drugs for heart disease. You can well imagine that any errors in production, incorrect measurements or incorrect device settings (and human errors) could lead to tragic events, dramatically affecting people’s health.

Based on the above, it is therefore mandatory to find some rules to follow in order to be able to trace and detect any errors and / or anomalies before these can lead to serious consequences.

The above is the purpose of FDA CFR21 part 11.

The basic core of the rules of the aforementioned legislation is as follows:

Track and record any settings or changes in device settings

 who did it

 guarantee the quality and incorruptibility 21 CFR Part 11 of the recorded data

set up user profiles in terms of complete control, partial control and “user” to ensure the right delegation of responsibilities at the right level.

The coding of the data must guarantee the incorruptibility of the recorded data; in short, it must be impossible to manually change the data. This is done by special algorithms that encode the data so that any changes are immediately detected and reported (thus ensuring compliance with point 3).


Leave a Reply

Your email address will not be published. Required fields are marked *