Skip Nav

Contact Us

Instrumentation Technical Services

Thank you for your interest in Instrumentation Technical Services. Complete the form below to send us an email, or simply give us a call. We're looking forward to working with you.

  • West Chester, PA 19382
  • (610) 436-9703






    Thank You!

    Your message has been sent.

    Oops, message not sent.

    Please make sure fields are complete.

    Electronic Records; Electronic Signatures

    Guidance for Industry(1) Part 11, Electronic Records; Electronic Signatures — Scope and Application

    DRAFT GUIDANCE – This guidance is being distributed for comment purposes only.

    Comments and suggestions regarding this draft document should be submitted within 60 days of publication in the Federal Register of the notice announcing the availability of the draft guidance. Submit comments to Dockets Management Branch (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. All comments should be identified with the docket number listed in the notice of availability that publishes in the Federal Register.

    For questions regarding this draft document please contact (CDER) Joseph C. Famulare, 301827-8940, [email protected]; (CBER) David Doleski, 301-827-3031, [email protected]; (CDRH) John Murray, 301-594-4659, [email protected]; (CVM) Vernon D. Toelle, 301-8270312, [email protected]; (CFSAN) JoAnn Ziyad, 202-418-3116, [email protected]; or (ORA) Scott MacIntire, 301-827-0386, [email protected].

    U.S. Department of Health and Human Services
    Food and Drug Administration
    Center for Drug Evaluation and Research (CDER)
    Center for Biologics Evaluation and Research (CBER)
    Center for Devices and Radiological Health (CDRH)
    Center for Food Safety and Applied Nutrition (CFSAN)
    Center for Veterinary Medicine (CVM)
    Office of Regulatory Affairs (ORA)

    February 2003 Compliance

     

    INTRODUCTION
    This guidance is intended to describe the Food and Drug Administration’s (FDA’s) current thinking regarding the scope and application of Part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures.(2)

    This document provides guidance to persons who, in fulfillment of a requirement in a statute or another part of FDA’s regulations to maintain records or submit information to FDA(3), have chosen to maintain the records or submit designated information electronically and, as a result, have become subject to Part 11. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug, and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act), even if such records are not specifically identified in Agency regulations (§ 11.1). The underlying requirements set forth in the Act, PHS Act, and FDA regulations (other than Part 11) are referred to in this guidance document as predicate rules.

    As an outgrowth of its current good manufacturing practice (CGMP) initiative for human and animal drugs and biologics(4),FDA is embarking on a re-examination of Part 11 as it applies to all FDA regulated products. We may revise provisions of Part 11 as a result of that reexamination. This guidance explains that, while this re-examination of Part 11 is under way, we will narrowly interpret the scope of Part 11. It also explains that we intend to exercise enforcement discretion with respect to certain Part 11 requirements. We will not normally take regulatory action to enforce compliance with the validation, audit trail, record retention, and record copying requirements of Part 11 as explained in this guidance. However, records must still be maintained or submitted in accordance with the underlying predicate rules.

    In addition, we intend to exercise enforcement discretion and will not normally take regulatory action to enforce Part 11 with regard to systems that were operational before August 20, 1997, the effective date of Part 11 (commonly known as existing or legacy systems) while we are reexamining Part 11.

    FDA’s guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.

          

    BACKGROUND
    In March of 1997, FDA issued final Part 11 regulations that provided criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, were intended to permit the widest possible use of electronic technology, compatible with FDA’s responsibility to protect the public health.

    After Part 11 became effective in August 1997, significant discussions ensued between industry, contractors, and the Agency concerning the interpretation and implementation of the rule. FDA has (1) spoken about Part 11 at many conferences and met numerous times with an industry coalition and other interested parties in an effort to hear more about potential Part 11 issues; (2) published a compliance policy guide, CPG 7153.17: Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures; and (3) published numerous draft guidance documents including the following:

    • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures Validation

    • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Glossary of Terms

    • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Time Stamps

    • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Maintenance of Electronic Records

    • Guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of Electronic Records

    Some statements by Agency staff may have been misunderstood as statements of official Agency policy. Concerns have been raised that some interpretations of the Part 11 requirements would (1) unnecessarily restrict the use of electronic technology in a manner that is inconsistent with FDA’s stated intent in issuing the rule, (2) significantly increase the costs of compliance to an extent that was not contemplated at the time the rule was drafted, and (3) discourage innovation and technological advances without providing a significant public health benefit. These concerns have been raised particularly in the areas of Part 11 requirements for validation, audit trails, record retention, record copying, and legacy systems.

    In the Federal Register of February 4, 2003, we announced the withdrawal of the draft guidance for industry, 21 CFR Part 11; Electronic Records; Electronic Signatures, Electronic Copies of 92 Electronic Records because we wanted to avoid loss of time spent by industry in an effort to review and comment on the draft guidance when that draft guidance may no longer be representative of FDA’s approach under the new CGMP initiative. The other Part 11 draft guidances were left in place because industry had already had the opportunity to review and comment on them. However, in preparing this guidance, FDA has determined that it might cause confusion to leave standing the other Part 11 draft guidance documents on validation, glossary of terms, time stamps, maintenance of electronic records, and CPG 7153.17. Accordingly, FDA is withdrawing those draft guidances and CPG 7153.17 as well as the guidance on electronic copies of electronic records. FDA received valuable public comments on these draft guidances and plans to use that information to inform the Agency’s future decision-making with respect to Part 11.

    We have now determined that we will re-examine Part 11, and we may revise provisions of that regulation. To avoid unnecessary expenditures of resources to comply with Part 11 requirements that may be revised through a rulemaking, we are issuing this guidance to describe how we intend to exercise enforcement discretion with regard to certain Part 11 requirements during the re-examination of Part 11.

    DISCUSSION
    A. Overall Approach to Part 11 Requirements

    As described in more detail below, the approach outlined in this guidance is based on three main elements:

    • Part 11 will be interpreted narrowly; we are now clarifying that fewer records will be considered subject to Part 11.

    • For those records that we are now clarifying are subject to Part 11, we intend to exercise enforcement discretion with regard to Part 11 requirements for validation, audit trails, record retention, and record copying, in the manner described in this guidance, and in applying Part 11 to systems that were operational before the effective date of Part 11.

    • FDA will enforce predicate rule requirements for records that are subject to Part 11.

    It is important to note that FDA’s exercise of enforcement discretion as described in this guidance, is limited to the specified Part 11 requirements. We intend to enforce all other provisions of Part 11 including, but not limited to, certain controls for closed systems in § 11.10 (e.g., limiting system access to authorized individuals; use of operational system checks; use of authority checks; use of device checks; determination that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks; establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures; and appropriate controls over systems documentation), the corresponding controls for open systems (§ 11.30), and requirements related to electronic signatures (e.g., §§ 11.50, 11.70, 11.100, 11.200, and 11.300). We expect continued compliance with these provisions, and we will continue to enforce them. Furthermore, persons must comply with applicable predicate rules, and records that are required to be maintained or submitted must remain secure and reliable in accordance with the predicate rules.

    B. Details of Approach – Scope of Part 11

    1. Narrow Interpretation of Scope
    We understand that there have been different views expressed about the scope of Part 11. Some have understood the scope of Part 11 to be very broad. We believe that some of those broad interpretations could lead to unnecessary controls and costs and could discourage innovation and technological advances without providing added benefit to the public health. As a result, we want to clarify that the Agency intends to interpret the scope of Part 11 narrowly.

    Under the narrow interpretation of the scope of Part 11, with respect to records required to be maintained or submitted, when persons choose to use records in electronic format in place of paper format, Part 11 would apply. On the other hand, when persons use computers to generate paper printouts of electronic records, those paper records meet all the requirements of the applicable predicate rules, and persons rely on the paper records to perform their regulated activities, the merely incidental use of computers in those instances would not trigger Part 11. In such instances, FDA would generally not consider persons to be “using electronic records in lieu of paper records” under §§ 11.2(a) and 11.2(b).

    2. Definition of Part 11 Records
    Under this narrow interpretation, FDA considers Part 11 to be applicable to the following records or signatures in electronic format (Part 11 records or signatures):

    • Records that are required to be maintained by predicate rules and that are maintained in electronic format in place of paper format. On the other hand, records (and any associated signatures) that are not required to be retained by predicate rules, but that are nonetheless maintained in electronic format, are not Part 11 records.

    • Records that are required to be maintained by predicate rules, are maintained in electronic format in addition to paper format, and are relied on to perform regulated activities.

    In some cases, actual business practices may dictate whether you are using electronic records instead of paper records under § 11.2(a). For example, if a record is required to be maintained by a predicate rule and you use a computer to generate a paper printout of the electronic records, but you nonetheless rely on the electronic record to perform regulated activities, the Agency may consider you to be using the electronic record instead of the paper record. That is, the Agency may take your business practices into account in determining whether Part 11 applies.

    Accordingly, we recommend that, for each record required to be maintained by predicate rules, you determine in advance whether you plan to rely on the electronic record or paper record to perform regulated activities. We recommend that your decision be documented (e.g., in a Standard Operating Procedure (SOP)).

    • Records submitted to FDA, under the predicate rules (even if such records are not specifically identified in Agency regulations), in electronic format (assuming the records have been identified in the docket as the types of submissions the Agency accepts in electronic format). However, a record that is not itself submitted, but is used in generating a submission, is not a Part 11 record unless it is otherwise required to be maintained by a predicate rule and it is maintained in electronic format.

    • Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules.

    C. Approach to Specific Part 11 Requirements

    1. Validation
    The Agency intends to exercise enforcement discretion regarding the specific Part 11 requirements for validation of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30). Persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)).

    Even if there is no predicate rule requirement to validate a system in a particular instance, it may nonetheless be important to validate the system to ensure the accuracy and reliability of the Part 11 records contained in the system. We suggest that your decision to validate such systems, and the extent of validation, be based on predicate rule requirements to ensure the accuracy and reliability of the records contained in the system. We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety and record integrity. For instance, a word processor used only to generate SOPs would most likely not need to be validated.

    For further guidance on validation of computerized systems, see FDA’s guidance for industry and FDA Staff General Principles of Software Validation and also industry guidance such as the GAMP 4 Guide (See References).

    2. Audit Trail
    The Agency intends to exercise enforcement discretion regarding the specific Part 11 requirements related to computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events.

    Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or procedural security measures to ensure the trustworthiness and reliability of the records. We recommend that your decision on whether to apply audit trails, or other appropriate measures, be based on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential impact on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails are particularly important where the users are expected to create, modify, or delete regulated records during normal operation.5

    3. Legacy Systems
    The Agency intends to exercise enforcement discretion with regard to legacy systems that otherwise met predicate rule requirements prior to August 20, 1997, the effective date of Part 11. This means that the Agency will not normally take regulatory action to enforce compliance with any part 11 requirements. However, all systems must comply with all applicable predicate rule requirements and should be fit for their intended use.

    4. Copies of Records
    The Agency intends to exercise enforcement discretion with regard to the specific Part 11 requirements for generating copies of records (§ 11.10 (b) and any corresponding requirement in §11.30). You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules (e.g., §§ 211.180(c),(d) and 108.35(c)(3)(ii)).

    We recommend that you supply copies of electronic records by

    • Producing copies of records held in common portable formats where records are kept in these formats

    • Using established automated conversion or export methods, where available, to make copies in a more common format (including PDF)

    In each case, we recommend that you ensure that the copying process used produces copies that preserve the content and meaning of the record. If you have the ability to search, sort, or trend Part 11 records, copies provided to the Agency should provide the same capability if it is technically feasible. You should allow inspection, review, and copying of records in a human readable form, on your site, using your hardware and software, following your established procedures and techniques for accessing those records.

    5. Record Retention
    The Agency intends to exercise enforcement discretion with regard to the Part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period (§ 11.10 (c) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements for record retention and availability (e.g., §§ 211.180(c),(d), 108.25(g), and 108.35(h)).

    We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time.

    FDA normally does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche, and paper, or to a standard electronic file format, such as PDF. Persons must still comply with all predicate rule requirements, and the records themselves and any copies of the required records should preserve their content and meaning. In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved.6

     

    1 This guidance has been prepared by the Office of Compliance in the Center for Drug Evaluation and Research (CDER) in consultation with the other Agency centers and the Office of Regulatory Affairs at the Food and Drug Administration.

    2 62 FR 13430.

    3 These requirements include, for example, certain provisions of the Current Good Manufacturing Practice regulations (21 CFR part 211), the Quality System Regulation (21 CFR part 820), and the Good Laboratory Practice for Nonclinical Laboratory Studies regulations (21 CFR part 58).

    4 See Pharmaceutical CGMPs for the 21st Century: A Risk-Based Approach; A Science and Risk-Based Approach to Product Quality Regulation Incorporating an Integrated Quality Systems Approach at www.fda.gov/oc/guidance/gmp.html.

    5 Various guidance documents on information security are available (see References).

    6 Examples of hybrid situations include combinations of paper records and electronic records, paper records and
    electronic signatures, or handwritten signatures executed to electronic records.

     

    REFERENCES

    Food and Drug Administration References

    1. Glossary of Computerized System and Software Development Terminology (Division of
    Field Investigations, Office of Regional Operations, Office of Regulatory Affairs, FDA
    1995) (http://www.fda.gov/ora/inspect_ref/igs/gloss.html)

    2. General Principles of Software Validation; Final Guidance for Industry and FDA Staff
    (FDA, Center for Devices and Radiological Health, Center for Biologics Evaluation and
    Research, 2002) (http://www.fda.gov/cdrh/comp/guidance/938.html)

    3. Guidance for Industry, FDA Reviewers, and Compliance on Off-The-Shelf Software Use
    in Medical Devices
    (FDA, Center for Devices and Radiological Health, 1999)
    (http://www.fda.gov/cdrh/ode/guidance/585.html)

    4. Pharmaceutical CGMPs for the 21st Century: A Risk-Based Approach; A Science and
    Risk-Based Approach to Product Quality Regulation Incorporating an Integrated Quality
    Systems Approach
    (FDA 2002)(http://www.fda.gov/oc/guidance/gmp.html)

    Other U.S. Federal References

    5. NIST Special Publication SP800-30: Risk Management Guide for Information
    Technology Systems
    (National Institute of Standards and Technology, U.S. Department of
    Commerce, 2002) (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)

    Industry References

    6. The Good Automated Manufacturing Practice (GAMP) Guide for Validation of
    Automated, GAMP 4
    (ISPE/GAMP Forum, 2001) (http://www.ispe.org/gamp/)

    7. ISO/IEC 17799:2000 (BS 7799:2000) Information technology – Code of practice for
    information security management (ISO/IEC, 2000)