The biggest thing that people get wrong about the 21 CFR Part 11 compliance rule in regard to electronic records and signatures is assuming that software is just compliant because it exists. It’s easy to think, “Well surely a company like Microsoft would do its part to make sure that their Excel software is fully compliant for all of its intended uses,” but it’s really not that simple.
For life sciences organizations, ensuring that all software and systems are compliant with Title 21 CFR Part 11 is crucial not only to regulatory standards but to day-to-day business operations. See the course on The GAMP Approach to 21 CFR Part 11 Compliance for additional insights on how to ensure that the systems you use are Part 11 compliant.
How does Microsoft and its suite of tools fit in? Here’s what your organization needs to keep in mind. In the meantime, see how the FDA-compliant eLeaP platform can ensure you stay in compliance with CFR Part 11.
Is Microsoft Compliant?
According to Title 21 CFR Part 11, systems must adhere to certain security standards and protocols in order to be compliant. This is not something that is inherent, nor is it a standard checklist that can be crossed off by all developers as they create new platforms. The guidelines are generalized, on purpose, both so that the law requires less updating and so that companies have more leeway to decide how to secure the tools they use and find the resources that they need to comply with these guidelines.
Microsoft is not inherently going to be compliant with Part 11, but there are versions that can be. Some also choose to have their systems or versions modified to meet these requirements. It’s all about the electronic records and signatures.
Electronic records and signatures must be kept within certain compliance standards, including meeting security requirements, following password guidelines, and more. You can make Excel spreadsheets and other files compliant, but it will take some work.
How to Make Excel CSV Compliant with the Code
Excel spreadsheets are capable of becoming compliant with 21 CFR Part 11, but the right software will have to be used. There is a process of validating spreadsheets to meet regulatory compliance and it can be done by organizations or you can hire someone to do the services for you. Either way, it’s important to make sure that spreadsheets get properly validated. In most cases, you will be better to hire someone to do the work for you. Choose organizations and software that are designed to provide compliant solutions that are dedicated to the life sciences industry.
There are white papers and detailed reports on how to ensure that CSV files and other forms of communication are compliant with these codes and other federal regulations. It’s important to leave this to the professionals, though, because risking the compliance and integrity of your organization isn’t worth it for any cost.
Can I Use Non-Compliant Tools?
While you could store information in standard CSV files on a secure VPN or server that is secured according to the guidelines of CFR Part 11, you really shouldn’t. Technically, if you could produce an audit trail that ensures that the records are all electronically compliant and that all signatures have met appropriate validation requirements, this would be agreeable enough.
However, there’s a reason that compliant solutions for life sciences organizations and the like exist: because you’re supposed to use them. Think about all of the information that you are storing, the personal details that you may have on hand, and the sensitive health information and medical records that could become exposed. Not only that, but your entire company could be put at risk of a serious data breach from the smallest lack of consideration on your part.
The best solution is to always ask for compliance assistance or proof of compliance, and to request help from organizations that specialize in these services when you need it.
What Solutions are Available?
There are several services and tools available to help turn all MS Excel spreadsheets into compliant tools as part of the FDA Title 21 Part 11 code that has been put into place. Some companies offer integrated software solutions that create compliant spreadsheets and other Office documents and files. Others offer the software and actually perform the services for you, saving you the trouble of converting everything to a compliant solution on your end.
You should take the time to explore all of your options for compliance solutions, including the people and resources that are available to assist you along the way. Just because standard versions of software aren’t compliant doesn’t mean that you can’t use them. It just means that you have to go through the additional step of putting compliance measures into place before you do.
According to Microsoft, the FDA has regarded Microsoft Teams as a fully compliant CFR Part 11 communication tool that meets all standards. Third-party compliance testing has been done to prove the effectiveness and accuracy of the Microsoft controls that are used in Teams to help remote teams collaborate. For life sciences organizations looking for a way to keep in touch, this is great news. Although there are several tools out there, so many people are already familiar with the Microsoft family of products that it’s often easier to stick with what you know.
Protect Your Entire Organization
The reason that Title 21 CFR Part 11 is so generic in many ways is because there is so much variation between one organization and the next, both in terms of the hardware and software used, and in terms of the overall vulnerability of the records and information that are stored within the business. By taking the time to perform an applicability assessment, it will be easier to determine the best steps to take in order to fall into compliance with Part 11 or ensure continued compliance for your organization.
That includes validating and using tools like Microsoft Excel only when they are offered in compliant forms. Even if your system is setup to be the failsafe, there are no guarantees that your information will always be protected. Having tools that are all compliant will ensure that nothing slips through the cracks. From your Learning Management System to your everyday office tools, it’s about securing data and providing proper electronic records controls.