21 CFR Part 11 Compliance

Last revised: 
03/17/2016

If your research is being conducted under an approved IND or IDE, the computer systems used to collect and analyze data must be validated to meet the FDA requirements for electronic records and signatures. Whether you are purchasing all or part of a system from a vendor or using your own system using university resources, you are responsible for demonstrating that the system meets 21 CFR Part 11.

Not complying with 21 CFR Part 11 may result in FDA citations. If you have any questions or concerns about your computer system or implementing the regulations, it is highly recommended that you review the following links for guidance.

Key Concepts About 21 CFR Part 11, Electronic Records and Signatures

  • When you automate collection, processing, and analysis of research information, you are creating an electronic record. 21 CFR Part 11 exists to give the agency assurance that electronic records are the same as paper records.
  • When you automate the process of an individual authorizing an action, you have created an electronic signature. In addition to the controls required for electronic records, 21 CFR Part 11 contains requirements to assure the agency that electronic signatures are the legally binding equivalent of a person’s handwritten signature.
  • Access control determines whether a system is open or closed. If the persons responsible for the content of electronic records also have control of system access, the system is ‘closed’. If the persons responsible for content of electronic records do not have control of system access, the system is ‘open’. Open systems require the added assurance that records are protected from point of creation to receipt.
  • You can use electronic records in lieu of paper records with one caveat – only a subset of records required for pre-market approval are accepted by the agency. Accepted documents are listed in public docket No. 92S-0251. All other records required to be kept, but not submitted, can be in electronic form. In all cases, to be valid, you must comply with 21 CFR Part 11.
  • Track activities and define your needs; employ a combination of procedural and technical controls for development and operation of the system; verify and certify that everything works; and document what you’ve done.
  • Validation effort for medical device software must be commensurate with the level of concern for the device. There are three levels of concern:
    Major – operation could result in death or serious injury
    Moderate – operation could result in non-serious injury
    Minor – operation not expected to result in any injury