21 CFR Part 11: A guide for clinical trial compliance

When conducting or managing any part of a clinical trial, from pre-study through close-out, compliance with 21 CFR Part 11 is always required. The purpose of CFR Part 11 is to ensure the authenticity, integrity, and confidentiality of clinical trial data.

In order to comply with CFR Part 11, all organizations involved in clinical trials must have systems and processes in place that meet the requirements outlined in the regulation. This includes taking steps to ensure that the data collected is accurate and complete, and that it is protected from unauthorized access or alteration.

Part 11 requires the use of electronic signatures and records whenever possible, as well as comprehensive documentation and auditing procedures. Sponsors, contract research organizations (CROs) and study sites should familiarize themselves with the relevant requirements and ensure that their systems and processes are compliant. This comprehensive guide will provide these entities with an understanding of the relevant requirements and practical advice on how to ensure compliance throughout the clinical trial process.

RELATED READING: A [printable] 21 CFR Part 11 compliance checklist to follow step-by-step

When does 21 CFR part 11 apply in clinical trials?

21 CFR Part 11 is a set of regulations promulgated by the US Food and Drug Administration (FDA) that establish the agency's expectations for electronic records and signatures. Part 11, as it is commonly known, applies to all electronic records and signatures created, modified, maintained, archived, retrieved, or transmitted by FDA-regulated entities. Every document and record generated to meet requirements for 21 CFR Part 312, 21 CFR Part 812 or other regulations must also be in compliance with those specified in 21 CFR Part 11.

21 CFR part 11 applies once the design and/or development of the medical product is underway. All medical device or drug manufacturers need to comply with Part 11 requirements right out of the gate. These requirements continue to apply through the clinical trial process and the commercial phase as well.

RELATED READING: Guide to 21 CFR Part 11 for medical device manufacturers

What qualifies as an electronic record?

Any document or record that you are generating and saving in a digital format is considered an electronic record. This includes records that are generated through an electronic Clinical Trial Management System (eCTMS) software solution, any Electronic Data Capture (EDC) system, but also records that saved electronically such as site and trial master files. 

What are electronic signatures?

Both electronic signatures and digital signatures and are covered in Part 11. Electronic signatures are electronic representations of signatures that are saved to a document with the signer's identify, the purpose of the signature, and the date and time that the signature was applied. While electronic signatures as usually more common, digital signatures are considered more secure. A digital signature is encrypted using a computer algorithm. This encryption means a digital signature may appear as a series of numbers/letters that are tied to that particular signature instance—this makes the signature verifiable through a certificate lookup system. 

Using a signature service such as DocuSign or Adobe Sign or a closed system can be an efficient way to collect signatures on essential study documents where required. 

When are signatures required?

With a close read of applicable requirements such as 21 CFR 312 and 21 CFR 812, there are only a few places where signatures are explicitly required. Signatures are required in the following places:

21 CFR 812.20(a)(3) Application for an Investigational Device Exemption

21 CFR 812.140(b)(3) Signed investigator agreements

21 CFR 812.140(a)(3) signed and dated consent forms

21 CFR 312.62 (b) signed and dated consent forms

21 CFR 312.53 (c)(1) signed investigator statement (Form FDA-1572)

21 CFR 312.23 (a)(1)(ix) signature of the sponsor or the sponsor’s authorized rep

 If signatures are not explicitly required, you can use another means of documenting any review or approval that is required by the regulations. Make sure that you have documented procedures in place detailing how you will document that review and approval. Also, please note that this is only looking at FDA signature requirements and does not take into account any signature requirements as part of other standards or regulations.

21 CFR Part 11 for sponsors

The sponsor of the clinical investigation is ultimately responsible for ensuring that all regulations are adhered to, although they may have a formally documented a transfer of responsibility to a CRO or other external representative. Sponsors should already be familiar with Part 11 as part of their drug or device development process and should ensure that any external representatives that they are working with are also familiar with it. This should be part of the supplier evaluation process.

 One easy check is to determine if the company or individual will or has been using electronic signatures, and if so, if they have completed their electronic signature certification letter and filed with the FDA. This should be a letter to the FDA that simply states that electronic signatures used by the company are the legally binding alternative of a handwritten signature. 

If managing the clinical trial in-house, the sponsor will need to ensure that all study records that are maintained electronically are compliant with Part 11. This will include audit trails, security, and retrievability. 

21 CFR Part 11 for CROs

As a CRO, you may want to designate Part 11 compliance explicitly as part of the transfer of sponsor responsibility to remove any ambiguity. This will build sponsor confidence that the records that are being generated and retained for the study are compliant and will be valid and accepted by the FDA. Part 11 compliance should be a consideration when deciding if it makes sense to transition to a CTMS, EDC, or other software solution to help with data and/or trial management. 

RELATED READING: What are the 4 phases of clinical trials?

21 CFR Part 11 for study sites

The party responsible for managing the study site (sponsor, CRO, etc.), should include 21 CFR Part 11 requirements as part of their site startup process if there are any areas that will apply to you. For example, if using an EDC for data entry, you should receive appropriate training on how to use the system, including measures that are in place for 21 CFR Part 11 compliance, such as routine password expiration.

Closed systems

A closed system is a paperless system that is completely electronic. All data and records are stored in a central repository that can only be accessed by authorized users. A closed system can be either web-based or installed locally on a server. One of the benefits of using a closed system is that it provides more security and control over data and records. Since everything is stored in a central repository, it's easier to track what changes are being made and who is making them. 

There are a few different types of 21 CFR Part 11 compliant software that can be used to create a closed system:

  •  Document management solutions: These are off-the-shelf or custom-built solutions that are designed to store and manage electronic documents and records.
  • Electronic data capture (EDC) systems: These are web-based solutions that are used to collect and manage clinical trial data.
  • Clinical trial management systems (CTMS): These are software solutions that are used to manage all aspects of a clinical trial, from start to finish.

If considering using a CTMS, EDC, or other trial record or data management software solution it should be subject to a thorough vetting. This vetting process should include verification that all 21 CFR Part 11 requirements are met. There is no certification process for Part 11, so any statement of compliance is just that—a statement, which isn't backed by any sort of third-party auditing body. You will need to do your due diligence to ensure data integrity for the trial. This should also be part of your study risk assessment. 

Study risk assessment checklist for 21 CFR Part 11 compliance

  • Are records retrievable for the required retention period?
    • What happens if the software company no longer supports the version originally purchased? Can the records be exported out of the closed system for archival purposes? What about data security across international borders? That is something that must be disclosed on informed consent documents and should be taken into consideration.
  • Are appropriate security measures and safeguards in place to limit access and preserve records?
    • Will there be site users in addition to internal users? Password protection, time-outs if inactive for a few minutes, routine backup to multiple locations, and regular password resets should all be in place for a strong system.
  • Do admins have the ability to make backdoor edits using “god-like powers”?
    • This should be a deal-breaker. Being able to alter data or records without an audit trail could significantly impact data integrity.
  • Is the system validated?
    • Does the software vendor validate the software or will you need to perform validation and/or UAT? What about updated validations if there are version changes to the software?
RELATED READING: What's the best eQMS software?

Open systems

Maintaining folders, scanned copies of documents, and manual spreadsheets can be part of an open system. This system will typically work fine for a small study, but may become too cumbersome when looking at many sites or a large subject pool. Records should never be deleted from an open system, rather older versions of documents or records should just be moved to an archive area. A username and password authentication should be required for basic system access (i.e. Windows login) as an initial layer of identity verification. 

A couple other things to note about open systems:

  • There should be a formal disaster recovery plan in place in case of system failure or data loss.
  • Data backups should be stored in a separate, secure location—preferably offsite.
  • All study documents and records should be indexed and searchable by multiple parameters. 

Hybrid systems

A hybrid system is a mix of open and closed systems. With a hybrid system, you'll typically have some type of document management solution or EDC in place as your core platform. This could be an off-the-shelf product or a custom solution that was developed in-house. All data and records will be stored within this central platform.

Folders and files can still be used with a hybrid system, but they will be electronic folders and files that are accessible via the central platform. This could be an intranet site, SharePoint site, or some other type of web-based solution. The benefit of using a hybrid system is that it provides more control and security than an open system, but is not as restrictive as a closed system. When using a hybrid system, you'll still want to consider the same factors that were mentioned for closed and open systems. In addition, you'll need to make sure that the central platform is secure and can be accessed by authorized users only.

Benefits of complying with Part 11

To comply with Part 11, you'll need to put some procedures and controls in place to ensure the security and integrity of electronic records. While challenging, there are many benefits to complying with 21 CFR Part 11. For starters, it will help to ensure the accuracy and integrity of clinical trial data. In addition, it will help to streamline processes and make it easier to manage clinical trials. Another benefit of complying with Part 11 is that it will make it easier to share data and records with sponsors and regulators. And finally, it will help to improve the overall efficiency of clinical trials.

Use our 21 CFR Part 11 compliance checklist to help you get up to speed if you need assistance getting started. Need an eQMS that is built with 21 CFR Part 11 compliance in mind? Check out Qualio.