What You Can’t Ask Now: Part 11 Edition

Understanding 21 CFR Part 11

The official title of 21 CFR Part 11 is “Electronic Records; Electronic Signatures.” For reasons unclear, it is commonly referred to simply as “Part 11” rather than by its formal name.

The origins of Part 11 trace back to the early 1990s when the pharmaceutical industry requested that the FDA establish clear regulations for electronic signatures. Prior to this, despite the increasing digitalization of pharmaceutical companies, the requirement for handwritten signatures meant that all records ultimately had to be printed. This practice was clearly inefficient, which led to growing recognition of the need for electronic signatures—in other words, paperless operations.

In response to this request, the FDA published an Advance Notice of Proposed Rulemaking (ANPRM) in the Federal Register (FR) in 1992, presenting the FDA’s views and concepts and engaging in repeated discussions with the industry. As a result, on August 31, 1994, the FDA published the 21 CFR Part 11 Electronic Records and Electronic Signatures Draft Rule (proposed regulation) for public comment.

The public comment period yielded 49 submissions from the industry. Many of these comments were substantive and raised issues that were not easily resolved. The FDA responded to these concerns and published the final rule, titled “The Final Rule on Electronic Records, Signatures, and Submissions,” in the Federal Register on March 20, 1997, with an effective date of August 20, 1997. This final rule reduced the burden of compliance compared to the draft.

Part 11 was the world’s first regulatory requirement for paperless record-keeping.

Interestingly, during the FDA’s repeated discussions with industry, it was initially believed that Electronic Signatures would be the primary focus. However, the FDA came to realize that Electronic Records were equally, if not more, important.

The Myth: “Printing to Paper Exempts You from Part 11”

In my consulting work, I have encountered more than a few companies that have adopted the policy of “printing all records to paper and using handwritten signatures as the ‘official’ version because they are afraid of Part 11 violations.” In other words, they print all records to paper and apply handwritten signatures (or seals/stamps).

However, such attempts to evade Part 11 compliance through this expedient measure are futile. Part 11 applies from the moment electronic records or electronic signatures are used during the creation process of a record, even if the final form is paper. This principle also applies to Japan’s ER/ES Guidelines.

The Misconception: “All Systems Shown During FDA Inspections Must Be Part 11 Compliant”

A well-known consultant in the industry apparently stated that “all systems shown to FDA inspectors during FDA inspections must be Part 11 compliant!” This presumably refers to document management systems or cloud systems (such as Box) used to manage SOPs and similar documents.

However, this consultant appears never to have actually attended an FDA inspection. I have attended FDA inspections for over 20 years, and I have never once been asked by an FDA inspector about CSV (Computer System Validation) or Part 11 compliance for document management systems. The reason is simple: Part 11 compliance for these systems has absolutely no impact on patient safety or product quality.

The United States values fairness, so if the FDA were to require Part 11 compliance for document management systems from one company, it would be obligated to impose the same requirement on companies worldwide. Consider the consequences: if guidance were issued that increases compliance costs without any meaningful impact on patient safety or product quality, these costs would ultimately be passed on to drug prices and borne by patients.

FDA inspections are not conducted to audit computer systems. One should not blindly accept the dogmatic statements of consultants who only instill fear.

There Is No Such Thing as a “Part 11 Inspection”

The FDA conducts GxP inspections, not Part 11 inspections. There is no such thing as a Part 11 inspection. The FDA has no Part 11 checklist, nor does a Part 11 inspection guide exist.

However, currently, for human pharmaceuticals only, data integrity inspections based on Part 11 are conducted specifically for quality testing (QC) and batch release processes. This is because these areas significantly impact patient safety.

For medical device companies, Part 11 inspections are highly unlikely. Even for pharmaceutical companies, there is little need to worry about Part 11 outside the areas mentioned above.

That said, there is something important to understand.

Part 11 is a regulatory requirement for electronic records. It remains in effect today. However, the reliability of electronic records is not the only concern—the reliability of paper records is equally important. Consequently, data integrity inspections are now conducted rather than Part 11 inspections. This is because tampering with electronic records and tampering with paper records have the same impact on patients.

In other words, Part 11 is outdated. Consultants from IT backgrounds tend to fixate on electronic records, but data integrity—including paper records—must be thoroughly examined.

When listening to pharmaceutical companies present their data integrity initiatives, I notice an excessive focus on the security of electronic records. This approach is insufficient. Data integrity must protect against not only deliberate tampering but also inadvertent human errors, and this protection must extend to paper-based records as well.

Updates on Regulatory Trends and Data Integrity

FDA’s Evolving Approach to Part 11 (2003-Present)

Following the implementation of Part 11 in 1997, significant concerns arose within the industry regarding interpretation and implementation. In response, the FDA issued important guidance in September 2003 titled “Part 11, Electronic Records; Electronic Signatures – Scope and Application.” This guidance clarified the FDA’s enforcement approach and introduced the concept of “enforcement discretion” for certain Part 11 requirements.

Key points from the 2003 guidance include:

  • The FDA adopted a “narrow interpretation of scope,” meaning Part 11 would primarily be enforced for records that are required to be maintained under predicate rules and where electronic versions are used in lieu of paper.
  • The FDA announced it would exercise enforcement discretion regarding specific Part 11 requirements, particularly for validation of computerized systems and legacy systems that were in place before 1997.
  • Companies were advised to take a risk-based approach to validation, considering the impact of systems on their ability to meet predicate rule requirements.

Contemporary Data Integrity Focus

The regulatory landscape has evolved significantly beyond Part 11. Modern FDA enforcement focuses on data integrity as a broader concept that encompasses both electronic and paper records. Recent developments include:

FDA Data Integrity Guidance (2018): The FDA published “Data Integrity and Compliance With Drug CGMP: Questions and Answers,” which provides comprehensive guidance on data integrity expectations. This guidance emphasizes the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available).

Bioavailability and Bioequivalence Studies (2024): In April 2024, the FDA issued draft guidance on “Data Integrity for In Vivo Bioavailability and Bioequivalence Studies,” addressing data integrity concerns at testing sites conducting BA/BE studies. This guidance reflects increasing regulatory attention to data integrity across the pharmaceutical development lifecycle.

Global Harmonization: Regulatory agencies worldwide, including the EMA (European Medicines Agency), MHRA (UK Medicines and Healthcare Products Regulatory Agency), WHO (World Health Organization), and PIC/S (Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme), have all issued data integrity guidance, creating a more harmonized global approach.

Japan’s ER/ES Guidelines

In Japan, the Ministry of Health, Labour and Welfare (MHLW) issued the “Guidelines for Electronic Records and Electronic Signatures in Applications for Approval or Permission of Pharmaceuticals” (commonly known as ER/ES Guidelines) on April 1, 2005. This guidance was issued in response to the e-Document Law (Act on Use of Information and Communications Technology in Administrative Procedures) that took effect the same year.

Key characteristics of Japan’s ER/ES Guidelines:

Scope: The guidelines apply to materials submitted to regulatory authorities and the underlying source data for electronic submissions related to pharmaceutical approvals, permits, and registrations.

Electronic Signature Definition: Unlike Part 11, Japan’s ER/ES Guidelines define electronic signatures in accordance with Japan’s Electronic Signature Act (Act No. 102 of 2000), which requires both user authentication and non-repudiation (proof of data integrity). Part 11, by contrast, accepts user ID/password combinations as electronic signatures, although such combinations may not fully satisfy non-repudiation requirements.

Three Fundamental Principles: The guidelines emphasize three critical attributes for electronic records:

  • Authenticity (真正性): Ensuring the record is genuine and created by the identified person
  • Readability (見読性): Ensuring records can be read and understood when needed
  • Retention (保存性): Ensuring records are preserved intact throughout their required retention period

Recent Updates: In March 2024, the Japan Contract Research Organization (JCRO) Association published a revised version of “Explanation of ER/ES Guidelines,” reflecting nearly two decades of technological advancement and practical experience in implementing these requirements.

Modern Interpretation and Risk-Based Approach

The contemporary regulatory environment emphasizes a risk-based, science-driven approach to computerized systems and data integrity:

Risk-Based Validation: Both FDA and international guidance now emphasize that validation efforts should be proportionate to the risk that a system poses to product quality and patient safety. Not every system requires the same level of validation rigor.

Data Governance: Modern data integrity programs require comprehensive data governance frameworks that address people, processes, and technology throughout the complete data lifecycle.

Audit Trail Requirements: While audit trails remain important, regulators now accept that the implementation method may vary based on system capabilities and risk. Manual procedures with appropriate oversight may be acceptable for low-risk applications where automated audit trails are not feasible.

Legacy Systems: Both FDA (through enforcement discretion) and MHLW (through interpretation guidance) acknowledge that legacy systems implemented before current regulations can remain in use if they are fit for purpose and appropriate compensating controls are in place.

Comparison: Part 11 vs. ER/ES Guidelines

| Aspect | 21 CFR Part 11 (US) | ER/ES Guidelines (Japan) |
| Effective Date | August 20, 1997 | April 1, 2005 |
| Legal Basis | Federal regulation with force of law | Administrative guidance based on e-Document Law |
| Electronic Signature Definition | User ID + Password or Biometrics (primarily authentication) | Must comply with Electronic Signature Act (authentication + non-repudiation via digital signature) |
| Typical Implementation | User ID/Password combinations widely accepted | Often requires digital signatures (e.g., PDF with embedded certificates) |
| System Types | Closed systems vs. Open systems (with additional security for open) | Closed systems vs. Open systems (with encryption/digital signatures for open) |
| Validation Approach | Risk-based with enforcement discretion (since 2003) | Risk-based, aligned with GAMP 5 principles |
| Audit Trail | Required with enforcement discretion for certain systems | Required, but manual procedures acceptable if documented |
| Current Focus | Data Integrity (broader than Part 11 alone) | Data Integrity with three principles: Authenticity, Readability, Retention |

Key Takeaways for Industry

Move Beyond Part 11 Compliance: While Part 11 remains in effect, the focus should be on comprehensive data integrity that addresses both electronic and paper records throughout their lifecycle.

Apply Risk-Based Approaches: Not every system requires the same level of controls. Focus resources on systems that have the greatest impact on patient safety and product quality.

Embrace Data Governance: Implement robust data governance frameworks that address organizational culture, roles and responsibilities, and technical controls throughout the data lifecycle.

Consider International Requirements: Companies operating globally must understand and reconcile the differences between Part 11, ER/ES Guidelines, and other international requirements. These regulations share common principles but differ in technical implementation details.

Focus on Patient Safety: Ultimately, all regulatory requirements for electronic records and data integrity exist to protect patients. Any compliance program should maintain this focus rather than becoming an end in itself.

Avoid Compliance Theater: Do not waste resources on low-value activities that do not meaningfully contribute to product quality or patient safety. Question consultants who recommend expensive compliance measures without clear risk-based justification.

Stay Current: Regulatory expectations continue to evolve. Stay informed about new guidance documents, warning letter trends, and industry best practices through continued education and engagement with professional organizations.

Conclusion

More than 25 years after its promulgation, Part 11 remains relevant but must be understood in the context of modern data integrity principles and risk-based regulatory expectations. The pharmaceutical industry has learned valuable lessons from the early compliance struggles with Part 11. Today’s approach emphasizes practical, risk-based strategies that truly protect data integrity and patient safety, rather than checkbox compliance with prescriptive requirements.

Both electronic and paper records require appropriate controls, and organizations must implement holistic data integrity programs that address the complete lifecycle of all data types. By focusing on the fundamental goal—ensuring that data used to make decisions about product quality and patient safety is reliable, accurate, and trustworthy—companies can build compliance programs that are both effective and efficient.

The future of pharmaceutical quality assurance lies not in rigid adherence to aging regulations, but in the intelligent application of data integrity principles that adapt to new technologies while maintaining unwavering commitment to patient safety.
