The Learning Management System has largely replaced one-on-one or one-on-multiple instruction in a traditional classroom-style setting. More commonly known to most as an LMS, this tool is one of many in your organization that needs to meet the requirements and compliance guidelines of Title 21 CFR Part 11, along with all of the other digital software that you are using. The process of transmitting and sharing digital data has sparked compliance debates for years, but the implications of CFR Part 11 make it easier for life sciences organizations to get on board and check themselves off the list.
All of the electronic records stored in your LMS fall under the guidance of this code. Those records will typically also need to comply with Good Clinical Practices, Good Manufacturing Practices, and Good Laboratory Practices, ensuring that they provide secure documentation and proper recordkeeping for life sciences companies.
In order to check your LMS for all Title 21 CFR Part 11 software requirements, here is a checklist that can help.
#1: Do I Have an Open or Closed System?
In setting forth the guidelines for compliance with Title 21 CFR Part 11, decision makers must understand whether they have an open or closed system. There are rules that differentiate based on the type of system that you have, which is why this is important. A closed system is one in which the people who are responsible for managing the records are the ones also handling the network.
With an open system, the people who are responsible for the records do not control access to the general system. Thus, they will have to monitor their own software and records within the system, rather than being responsible for the system itself. For example, a public cloud would be considered open, while a private cloud like your business Learning Management System (LMS), would be considered closed.
The difference matters because the FDA differentiates how you can protect the information, restrict access, and avoid data theft or damage. With closed systems, it’s easier to manipulate these elements and guarantee that the data is secure and everything is in compliance. In fact, Part 11 directly states that:
“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”
#2: What Information Needs to be Captured?
Within the guidelines of CFR Part 11, electronic signatures require not only the name and date, but also the meaning of the signature, or why a signature was required in the first place. The code specifies that each electronic signature needs to include:
- The signer’s printed name
- The time and date of signing
- The purpose of the signature (review, approval, agreement, etc.)
As with the entirety of the Title 21 CFR Part 11 software requirements, all of this information must be presented in a human-readable form and an electronic record.
#3: Authentication of E-Signatures
As part of compliance with part 11, you must ensure that authentication is in place to confirm access authorized users only. In addition to the printed signature and timestamp, the following ID combinations are suggested by Title 21:
- Signatures not based on biometrics will employ at least two distinct components for identification, such as a username and password.
- When multiple signatures in a document take place, the first will need all components, with all subsequent signatures only needing a single component that can only be executed by the signer.
- Electronic signatures must be used only by the genuine owners
- All signatures must be executed and administered in a way that ensures attempting to use another’s credentials will require the collaboration of two individuals or more
To confirm that these signatures are as valid and binding as traditional wet signatures, all organizations will be required to send e-signature disclosure letters to anyone utilizing them to confirm that they are equivalent to a legally binding handwritten signature.
#4: Do You Have Remote Access?
In order to establish proper safety and security protocols, the FDA requires that all systems have remote access by administrators so that you can instantly limit or completely interrupt access to your system when suspicion is raised or unauthorized access is found.
The existing electronic authorizations must be revoked or deauthorized immediately and temporary or permanent replacements should be issued under the appropriate controls. This should happen as soon as possible to ensure security and compliance of the system, as well as the users who access it.
#5: System Scans and Proactive Measures
In addition to setting up a compliant system, it will also be crucial that your system proactively work to safeguard itself from unauthorized access or forged signatures. As a subsection of CFR Part 11, the use of these safeguards is required to detect and report unauthorized use to the appropriate parties.
It’s a tall order, but it can save a lot of trouble down the line.
Keeping Up with the Changes
Regulatory compliance with CFR Part 11 is what helps life sciences companies ensure that they are meeting FDA guidelines not just for day-to-day operations, but for the storage and long-term use of electronic records and data as a means to run the business. It’s a demanding list of requirements, but it doesn’t insist on as much as some would expect, such as the use of biometrics or digital encryption methods, as much as it focuses on making sure organizations find the best way to keep their records secure.
As a small or midsize business, you should choose an LMS and other tools that have been vetted for compliance with CFR Part 11, including software requirements and more. When you partner with eLeap, you can trust that you’re getting a compliant tool that goes above and beyond to ensure that all electronic records and signatures are secure, accurate, and representable as valid, authentic documents.