21 CFR Part 11 Regulation Compliance Update

Compliance Update: 

The 21 CFR Part 11 Regulation is a cornerstone of conducting clinical trials in today’s world.  The release of the regulation 1997 established guidelines for the use of electronic records and electronic signatures in FDA-regulated industries and had a significant impact on the pharmaceutical and medical device industries.

The FDA began working on 21 CFR Part 11 as early as 1992. Many computers were still the size of small cars and Windows 3.1 was released that year. 

The regulation was developed in response to the increasing use of electronic records and electronic signatures in the life sciences industry. The FDA recognized that electronic records and electronic signatures could offer a number of advantages over paper records and handwritten signatures, such as improved efficiency, accuracy, and security. However, the FDA also wanted to ensure that electronic records and electronic signatures could be relied upon as evidence in the event of a regulatory inspection or legal proceeding.

The 21 CFR Part 11 regulation specifies a number of requirements that electronic records systems must meet in order to be considered compliant. These requirements include:

• The system must be able to create and maintain accurate and complete electronic records.
• The system must be able to protect electronic records from unauthorized access, modification, or destruction.
• The system must be able to generate electronic signatures that are unique to each individual user and that cannot be forged.
• The system must be able to audit all activity on the system, including who accessed or modified electronic records and when.

The release of Part 11 has also helped to promote the use of electronic records and electronic signatures in the industry. In order to comply with the new regulation, many organizations invested in electronic records systems and we saw the emergence of EDC systems which then led to the advent of direct data capture tools. 

While this was the first attempt to tackle modern systems and their use in clinical trials, the FDA followed up on the regulation and acknowledged in a related Part 11 guidance in 2003 that the regulation may lead to: 

• unnecessary restriction of use of electronic technology
• cost increases to demonstrate compliance
• discourage innovation and advances in technology

Fast forward to 2017: The 21 CFR Part 11 Q&A Guidance acknowledged the advances in technology, including mentioning mobile technology for the first time. In particular, the FDA mentioned that “electronic systems and technologies are used and managed in novel ways, services are shared or contracted between organizations in new ways, and electronic data flow between parties is more efficient and more prevalent. The standards and capabilities of electronic systems have improved, and features  such as audit trails, automated date-and-time stamps, appropriate validation, and the ability to generate copies and retain records  are standard components of many electronic systems.”

Timeline of 21 CFR Part 11 related documents by the FDA: 

So where are we today? 

In this newly released draft guidance, the FDA shares their current thinking across five categories: 

• Electronic Records 
• Systems Owned / Controlled by Sponsors and other regulated entities
• Technology Providers 
• Digital Health Technologies
• Electronic Signatures 

The FDA acknowledges in the 2023 guidance that 20 years prior, in 2003, the Part 11 guidance provided recommendations that were narrowly tailored to reflect the technological environment that prevailed at that time and that the thinking around electronic records and electronic signatures needs to evolve.

Further, this draft guidance provides additional recommendations regarding the risk-based approach to validation.

Lastly, the availability of IT services and use of digital health technologies (DHT) for remote data acquisition needs to be recognized also. 

In short, the guidance clears up some expectations for sponsors, sites and technology providers. 

Impacts to users of electronic systems and electronic signatures: 

Practical steps organizations can take to ensure compliance when implementing eSource solutions in clinical trials

Sites: 

• Any system under 21 CFR Part 11 requires validation. Seek out a vendor that has strong validation documentation and supporting documentation about its product / service. Also, a strong customer support staff to address any potential questions and issues is key. The site is not an IT help desk! 
• Develop internal processes to ensure your staff knows how to use the system, how to administer users, and how to train patients

The FDA will generally focus on the following during a site inspection: 

• Training records of site staff
• Procedures and controls for system access, data creation, data modification, and data maintenance
• Use of electronic systems at the site to generate, collect, transmit and archive data

Sponsors: 

• Sponsors should review the vendor’s SOPs and that includes the system and software development life cycle model,  validation documentation,  change control procedures and change control tracking logs. 
• In addition, sponsors should perform user acceptance testing (UAT) and document the criteria for and results of testing to ensure that the electronic system fulfills its intended purpose. 
• Alternatively, sponsors should review the vendor’s UAT evidence and document that the UAT was reviewed and was found to be adequate. 
• Changes to the system (patches, security updates, new functionality) should be evaluated depending on risk (they should not affect the collection, storage, retrieval of existing or new records or the traceability, authenticity, and integrity of existing data)
• It goes without saying that changes to the system should be documented – any software vendor that’s considered should be able to provide you with this kind of information. 

Lastly, here are some common pitfalls to avoid when implementing eSource solutions in compliance with regulatory guidance

Pitfall #1: Lack of oversight of the vendor: Being able to demonstrate that the vendor meets the criteria to manage clinical trial data is key. Again, any vendor worth considering should provide you with the key documents that can help you become compliant – ask your vendor about Part 11 compliance and their documentation around it. 

Pitfall #2: Lack of internal processes: Make sure to develop internal processes and controls that provide guidance for your staff on how to use the system. Also, have a plan in place that allows you to demonstrate that the system works as intended. 

Summary and Key Takeaways 

At CRIO, we have developed tailored internal processes to support our clients with their various documentation needs. The CRIO document center, our internal document repository available to all clients, houses our internal process documents, compliance documentation, validation certificates, training materials and manuals to ensure that these pitfalls can be avoided entirely. 

Discover how CRIO can help you and your organization to reimagine clinical trials. Explore other insightful white papers and blogs here.