FDA Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are:
(1) required to be maintained by the FDA predicate rules or;
(2) used to demonstrate compliance to a predicate rule.
People using closed systems to modify, create, maintain, or transmit electronic records must employ, at a minimum, procedures and controls designed to conduct the following:
(1) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;
(2) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency;
(3) Record protection enabling accurate and ready retrieval throughout the retention period;
(4) Limiting system access to authorized individuals;
(5) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. This documentation must be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(6) Use of operational system checks enforcing permitted sequencing of steps and events, as appropriate;
(7) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand;
(8) Use of device checks to determine, as appropriate, the validity of the source of data input or operational instruction;
(9) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks;
(10) Establishing and adhering to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification;
(11) Use of appropriate controls over systems documentation
Link to Regulation: https://www.ecfr.gov/cgi-bin/text-idx?SID=a1b54a9b011485769b05296e648addd1&mc=true&node=pt21.1.11&rgn=div5