Electronic Records and Electronic Signatures - Scope and Application
This guidance clarifies FDA's interpretation of Part 11 requirements regarding electronic records and electronic signatures. It applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under FDA regulations, as well as electronic records submitted to FDA under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act.
Recommended Actions
- Document decisions on which records are considered Part 11 records
- Perform and document risk assessments for computerized systems validation
- Implement appropriate audit trail controls based on risk assessment
- Ensure legacy systems meet the exemption criteria if claiming exemption
- Establish procedures for record copying and conversion to common formats
- Implement record retention procedures based on predicate rules and risk assessment
- Ensure personnel have documented training and qualifications
- Establish written policies for electronic signature accountability
- Document system security controls and access limitations
- Maintain system documentation controls and procedures
Key Considerations
Software
- Validation of computerized systems should be based on risk assessment and potential impact on product quality, safety and record integrity
- Legacy systems (operational before August 20, 1997) may be exempt from Part 11 requirements if they meet specific criteria
- Systems must limit access to authorized individuals
- Operational system checks must be implemented
- Authority checks must be performed
- Device checks must be performed
Cybersecurity
- Systems must have appropriate controls for system documentation
- Controls for open systems must correspond to controls for closed systems
- Security measures should ensure trustworthiness and reliability of records
Other considerations
- Audit trails should be implemented based on risk assessment and predicate rule requirements
- Records must be readily retrievable throughout the retention period
- Copies of records must preserve content and meaning
- Electronic signatures must meet requirements for being equivalent to handwritten signatures
- Personnel must have appropriate education, training and experience
Relevant Guidances
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
Related references and norms
- ISO/IEC 17799:2000: Information technology – Code of practice for information security management
- ISO 14971:2002: Medical Devices - Application of risk management to medical devices
Original guidance
- Electronic Records and Electronic Signatures - Scope and Application
- Issue date: 2003-09-05
- Last changed date: 2024-10-01
- Status: FINAL
- Official FDA topics: Radiation-Emitting Products, Tobacco, Medical Devices, Food & Beverages, Good Clinical Practice (GCP), Dietary Supplements, Postmarket, Investigation & Enforcement, Electronic Submissions, Drugs, Animal & Veterinary, Compliance, Food & Color Additives, Biologics, Current Good Manufacturing Practice (CGMP), Cosmetics, Administrative / Procedural
- ReguVirta summary file ID: 936b50e23033fc097e7eb6d6cee0c97f
This post is licensed under CC BY 4.0 by the author.