How to Achieve FDA CFR 21 Part 11 Compliance

Written by Rina Nir

FDA CFR 21 Part 11, compliance, Life Science, digital health

If you are in digital health or clinical research, you’ve likely heard about FDA 21 CFR Part 11 compliance. (Or, if you are on friendly terms, simply “Part 11.”) This regulation is unclear and confusing, which can complicate compliant implementation — especially for Jira users.

Because we’re dedicated to helping you sleep well at night, here’s a simple, no-nonsense survival guide for Part 11. While it does not replace any full-blown legal or regulatory advice, it should help you understand the gist and set your company up for success.

You’ll also be able to check out a real-life example that illustrates correct scoping and how the Speedy PDF For Jira can facilitate compliance.

What is 21CFR Part 11 compliance?

Historically, FDA submissions and audits required hard copies signed with a pen. As paper documents became electronic files and items (i.e., databases), the FDA needed to define acceptable digital documentation parameters.

Simply put: if an electronic file is compliant with the requirements of 21 CFR Part 11, it can be inspected by the FDA.

In Part 11, the FDA defined a set of conditions that ensures the authenticity of any electronic file submitted. If a company can’t demonstrate compliance, then the file might be erroneous or fraudulent and will not be inspected by the FDA.

Part 11 covers these three main areas:

  1. How was the file created? Specifically, who are the people and systems involved, and how do we know the information included in the file is correct?
  2. How do we guarantee that once created, the file remains unchanged?
  3. If the file is “electronically signed,” how can we guarantee that that signature’s registered details are truthful?

Part 11 is process-oriented and prescriptive. It provides a checklist that includes the electronic files and a set of organizational and infrastructure elements that have to be in place.

For example: If Roger Rabbit signs a report electronically, then:

  • His identity must first be verified before gaining access to the electronic signatures system. (HR typically facilitates this first step.)
  • Roger must sign a form stating that he will keep his system credentials to himself.
  • The system itself needs to be tested (a.k.a. validated) to demonstrate that it only allows for authentic signatures.

Although software can support Part 11, software compatibility alone is not enough to achieve compliance. So, from the above example, if Roger shares his password with Jessica, then she could theoretically sign an electronic document on his behalf. According to Part 11, that file is no longer submittable.

Why correct scoping is critical for FDA 21 CFR Part 11 compliance

The first step to achieve compliance is to scope correctly by making a list of electronic items you’re submitting to the FDA.

During an inspection, the FDA can access anything on your premises, but what counts for Part 11 are:

  1. The files and any other electronic items you plan on submitting.
  2. Any additional “evidence of compliance.”

Those electronic files are in the scope of your 21 CFR Part 11 planning. The scope should be as narrow as possible so that it is easier to comply. However, be careful to avoid descoping anything you might later need to submit.

Once the scope is known, you list the systems, processes, and people involved:

  1. What are apps and infrastructures involved in creating, processing, signing, and archiving electronic files?
  2. Who are the people active in file creation and electronic signatures? (This tells you who is responsible and, on the flip side, who might ruin compliance.)
  3. What mechanisms are in place to ensure everything works as expected? How do you prevent errors, breaches, or data loss?

Once you’ve answered these questions, you can identify gaps between your current state of affairs and Part 11 requirements. Then all you have to do is close these gaps to achieve compliance.

A real-life example: Achieving FDA 21 CFR Part 11 compliance with Speedy PDF For Jira cloud

SuperHealth develops a digital health app. During the development process, software specifications are defined in Jira and approved by the development lead and the product manager.

SuperHealth has set up their Jira like this:

  1. Defined a new issue type in Jira — a “specification item” —and associated it with all the fields deemed necessary, such as description, risk mitigation checkbox, and acceptance criteria. (Here’s more information about why you should manage requirements in Jira.)
  2. Applied a workflow that corresponds with their internal process of specifications elaboration and review, setting up a status “ready for release” to designate that the specification is implemented and is all set to go.
  3. Speedy PDF is installed on Jira.

So far, this is still considered a “work in progress” and is not officially approved. When the issue is ready for release, the product owner reviews the Jira data to ensure it’s complete and correct. If all is perfect, that person triggers Speedy PDF, assigning approvals to those responsible (i.e., the development lead and the product owner herself). All that’s left is for the stakeholders to preview the Speedy record and sign-off.

The Speedy PDF file is the only part that falls within the Part 11 scope.

FDA 21 CFR Part 11, digital health, clinical research

To recap: the setup is Part 11 compliant for the following reasons:

  • Each signatory reviews the PDF. This is how the data on file is guaranteed to be correct.
  • The signed data is a PDF file with clear audit details and is considered “not editable.”
  • Access controls 1: Only registered Jira users can generate and sign a Speedy record. Additionally, they dictate how the signature is obtained and registered in the file.
  • Access controls 2: The Speedy PDF record is held in a storage location controlled by the owner, thus ensuring that access is limited only to authorized users.
  • Validation: the only scope that is subject to CSV is the generation of the Speedy PDF file and the signature cycle.

21 CFR Part 11 compliance is essential, but it shouldn’t be a painful experience. With the help of Speedy PDF for Jira, you can easily prepare your electronic files to FDA standards. And like we said —we don’t want you to lose sleep over compliance. If you have questions, we’re here to help.


Blog posts in this series:

  1. Adjusting Jira for FDA CFR 21 Part 11 compliance: managing deletion
  2. Creating records for FDA inspections? Jira is the way to go.

Have an idea for your Quality Management System?

We’d love to learn more about your project.

Let’s have a chat