Guidance for Industry FDA 21 CFR Part 11, Electronic Records; Electronic Signatures — Scope and Application
C. Approach to Specific Part 11 Requirements
1. Validation:
The Agency intends to exercise enforcement discretion regarding specific part 11 requirements for validation of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30). Although persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), this guidance should not be read to impose any additional requirements for validation.
We suggest that your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements. You should also consider the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures. Even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system.
We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. For instance, validation would not be important for a word processor used only to generate SOPs.
For further guidance on validation of computerized systems, see FDA’s guidance for industry and FDA staff General Principles of Software Validation and also industry guidance such as the GAMP 4 Guide (See References).
2. Audit Trail:
The Agency intends to exercise enforcement discretion regarding specific part 11 requirements related to computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.
Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the records. We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation.
3. Legacy Systems:
The Agency intends to exercise enforcement discretion with respect to all part 11 requirements for systems that otherwise were operational prior to August 20, 1997, the effective date of part 11, under the circumstances specified below.
This means that the Agency does not intend to take enforcement action to enforce compliance with any part 11 requirements if all the following criteria are met for a specific system:
- The system was operational before the effective date.
- The system met all applicable predicate rule requirements before the effective date.
- The system currently meets all applicable predicate rule requirements.
- You have documented evidence and justification that the system is fit for its intended use (including having an acceptable level of record security and integrity, if applicable).
If a system has been changed since August 20, 1997, and if the changes would prevent the system from meeting predicate rule requirements, Part 11 controls should be applied to Part 11 records and signatures pursuant to the enforcement policy expressed in this guidance.
4. Copies of Records:
The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for generating copies of records (§ 11.10 (b) and any corresponding requirement in §11.30). You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules (e.g., §§ 211.180(c), (d), and 108.35(c)(3)(ii)).
We recommend that you supply copies of electronic records by:
- Producing copies of records held in common portable formats when records are maintained in these formats
- Using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML, or SGML)
In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record. If you have the ability to search, sort, or trend part 11 records, copies given to the Agency should provide the same capability if it is reasonable and technically feasible. You should allow inspection, review, and copying of records in a human readable form at your site using your hardware and following your established procedures and techniques for accessing records.
5. Record Retention:
The Agency intends to exercise enforcement discretion with regard to the part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period (§ 11.10 (c) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements for record retention and availability (e.g., §§ 211.180(c),(d), 108.25(g), and 108.35(h)).
We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time.
FDA does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche, and paper, or to a standard electronic file format (examples of such formats include, but are not limited to, PDF, XML, or SGML). Persons must still comply with all predicate rule requirements, and the records themselves and any copies of the required records should preserve their content and meaning. As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records. In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved.
FDA 21 CFR Part 11 Guidelines for Pharmaceuticals: Discussion, C. Approach to Specific Part 11 Requirements: