Electronic Records and Electronic Signatures - Scope and Application

This guidance clarifies FDA's interpretation of Part 11 requirements regarding electronic records and electronic signatures. It applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under FDA regulations, as well as electronic records submitted to FDA under the Federal Food, Drug, and Cosmetic Act and Public Health Service Act.

What You Need to Know 👇

What is the scope of FDA Part 11 for electronic records in medical device manufacturing?

Part 11 applies narrowly to electronic records required by predicate rules that replace paper records, records submitted to FDA electronically, and electronic signatures equivalent to handwritten signatures. It doesn’t apply when paper printouts meet predicate rule requirements.

How does FDA’s enforcement discretion affect Part 11 compliance for legacy systems?

FDA exercises enforcement discretion for systems operational before August 20, 1997, if they met predicate rules before and after the effective date, and have documented evidence of fitness for intended use with acceptable security and integrity.

What validation requirements apply to computerized systems under current Part 11 guidance?

FDA exercises enforcement discretion on specific Part 11 validation requirements. Validation decisions should be based on risk assessment considering impact on predicate rule compliance, product quality, safety, and record integrity rather than blanket requirements.

Are audit trails mandatory for all electronic records systems in medical device companies?

FDA exercises enforcement discretion on computer-generated audit trails. Companies must still meet predicate rule documentation requirements. Audit trails should be implemented based on risk assessment and potential impact on record integrity and product quality.

How should medical device companies provide electronic record copies during FDA inspections?

Companies should provide copies in common portable formats (PDF, XML, SGML), use automated conversion methods when available, and preserve content and meaning. The same search/sort capabilities should be provided if technically feasible.

What are the record retention requirements for electronic records in medical device manufacturing?

FDA exercises enforcement discretion on Part 11 retention requirements, but predicate rules still apply. Records can be archived to non-electronic media or standard formats, and the electronic versions can be deleted if content and meaning are preserved.


What You Need to Do 👇

  1. Document decisions on which records are considered Part 11 records
  2. Perform and document risk assessments for computerized systems validation
  3. Implement appropriate audit trail controls based on risk assessment
  4. Ensure legacy systems meet the exemption criteria if claiming exemption
  5. Establish procedures for record copying and conversion to common formats
  6. Implement record retention procedures based on predicate rules and risk assessment
  7. Ensure personnel have documented training and qualifications
  8. Establish written policies for electronic signature accountability
  9. Document system security controls and access limitations
  10. Maintain system documentation controls and procedures

Key Considerations

Software

  • Validation of computerized systems should be based on risk assessment and potential impact on product quality, safety and record integrity
  • Legacy systems (operational before August 20, 1997) may be exempt from Part 11 requirements if they meet specific criteria
  • Systems must limit access to authorized individuals
  • Operational system checks must be implemented
  • Authority checks must be performed
  • Device checks must be performed

Cybersecurity

  • Systems must have appropriate controls for system documentation
  • Controls for open systems must correspond to controls for closed systems
  • Security measures should ensure trustworthiness and reliability of records

Other considerations

  • Audit trails should be implemented based on risk assessment and predicate rule requirements
  • Records must be readily retrievable throughout the retention period
  • Copies of records must preserve content and meaning
  • Electronic signatures must meet requirements for being equivalent to handwritten signatures
  • Personnel must have appropriate education, training and experience

Relevant Guidances 🔗

  • ISO/IEC 17799:2000: Information technology – Code of practice for information security management
  • ISO 14971:2002: Medical Devices - Application of risk management to medical devices

Original guidance

  • Electronic Records and Electronic Signatures - Scope and Application
  • HTML / PDF
  • Issue date: 2003-09-05
  • Last changed date: 2024-10-01
  • Status: FINAL
  • Official FDA topics: Radiation-Emitting Products, Tobacco, Medical Devices, Food & Beverages, Good Clinical Practice (GCP), Dietary Supplements, Postmarket, Investigation & Enforcement, Electronic Submissions, Drugs, Animal & Veterinary, Compliance, Food & Color Additives, Biologics, Current Good Manufacturing Practice (CGMP), Cosmetics, Administrative / Procedural
  • ReguVirta ID: 936b50e23033fc097e7eb6d6cee0c97f
This post is licensed under CC BY 4.0 by the author.