21 CFR Part 11 Overview

As teams continue to adopt electronic documentation for consent and data collection, they must ensure they’re protecting participant’s safety and privacy by following federal regulations where applicable. The Food and Drug Administration (FDA) released 21 CFR Part 11 to provide guidance on the use of electronic systems.

Ripple Enterprise is an FDA 21 CFR Part 11 compliant version of the Ripple platform. This platform includes additional functionality and administrative features to ensure compliant digital signatures, enhanced auditing, and vendor audit support. This helps research staff standardize and operationalize direct-to-patient workflows in a way that’s compliant with the FDA’s 21 CFR Part 11 standards.

What is 21 CFR Part 11 compliance?

21 CFR Part 11 is a set of regulatory requirements that defines the criteria for creating, modifying, maintaining, archiving, retrieving, or transmitting electronic signatures and electronic records. These requirements make sure that the electronic signatures, records, and handwritten signatures on the electronic record are “equivalent to paper records and harndwritten signatures on paper.” When an electronic signature replaces a handwritten paper signature, 21 CFR Part 11 eSignatures must include the printed name, time stamp, and meaning of the signature that the signer must verify.

21 CFR Part 11 also requires the implementation of controls for data protection. Softwares that are 21 CFR Part 11 compliant must: 

• Undergo Audits to ensure data integrity
• Have tools in place to retrieve data as appropriate
• Require system validation that documents how each components should work and prove functioning via testing
• Include Audit Trails to document the action, date, and author of any changes made to the system
• Have operational and security controls to make sure the software is functioning in the correct way by the intended user

Who needs 21 CFR Part 11 compliance?

21 CFR Part 11 compliance is required for all FDA-regulated research that is greater than minimal risk and minimal risk research where the requirement for documentation of consent has not been waived.

21 CFR Part 11 compliance may be required for the following electronic records:

• Signed consent forms
• Source documentation
• Institutional review board (IRB) records 
• Drug accountability logs
• Delegation of authority logs
• Other records required by the FDA’s regulations

How is Ripple Enterprise different from Ripple Pro?

Differences between the Ripple Enterprise and Ripple Pro products:

Ripple Enterprise has three key functions and features that are not included in Ripple Pro:

• Enhanced surveys:
  • When participants complete an external survey, they receive an email code to sign in and authenticate their survey submission
  • This sign-in acts as a second verification of the participant’s identity and ensures that the person signing the survey is who they say they are
• Advanced Audit Trial:
  • Ripple Enterprise’s 21 CFR Part 11-compliant Audit Trail All changes in the Ripple Enterprise system are fully traceable. This includes all changes to site settings, study settings, and participant profile cards.
  • Ripple Pro’s HIPAA-compliant Audit Log only records additions, modifications, and deletions to some data on the participant’s profile card

Processes of the Ripple Science company and the support provided to you:

• Product Validation and Audit Support:
  • Ripple Science provides documentation that validates the accuracy and consistent operation of all features and functions of the platform. 
  • Ripple Science also offers support for one quality audit every two years to teams during supplier audits or FDA inspections. Additional audit support may be available based on the Scope of Work.
• Records Availability and Protection:
  • Ripple Science can readily generate accurate and complete copies of all records in human readable and electronic forms suitable for any agency inspection.
  • Ripple Science does not delete or archive records and has a policy for system deactivation to ensure appropriate retention of records.
  • System access is limited to only authorized individuals
• Qualifications of personnel: 
  • Ripple Science staff undergo extensive training and certification in Good Clinical Practice (GCP), data privacy and security, HIPAA-compliance, and other related topics
• Accountability:
  • Ripple Science also provides validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
• Device checks:
  • Ripple Science staff undergo device checks to determine the validity of the source of data input or operational instruction