The CFR Part 11 summary essentially states that any data and electronic signatures used in business must be secure and comply with the FDA’s Part 11 statute guidelines. This means that a digital signature alone is not enough – it must be a physical representation of a wet signature and meet all of the necessary criteria to be legally binding and considered compliant.
In addition, all electronic records must be stored according to the regulation in a validated, secure system that has met all of the compliance markers set forth by the FDA in the code that was established in 1997. Life sciences organizations utilizing electronic systems for learning and training, data storage and record keeping, and other operations and functions will need to familiarize themselves with CFR Part 11 and how it impacts their business.
Does 21 CFR Part 11 Apply to You?
The first step in the process for any company is to determine whether this statute even applies to them and their digital efforts. Some companies will attempt to keep their “master records” on paper and then assume that means that they don’t have to worry about Part 11 compliance. In fact, that actually makes things much more difficult.
The FDA defines electronic records as:
“Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
Thus, according to the technical definition set forth, this offers a broad coverage that means that most companies will be affected today because they are doing business online and attempting to do so with digital signatures and other electronic information keeping.
The bottom line? Even if you have “paper” records, once they’re uploaded to a server, an email, or any computer system, you immediately enter the realm of Part 11 compliance.
Best Practices of Title 21 CFR Part 11
You can use these best practices to help check permissions, compare compliance solutions, and double-check all passwords and system security to provide the right access for the organization as a whole. Here are a few best practices that you will want to keep in mind:
- Use a unique login, including a username and password that will not be easy for people to guess or share. You should also make sure that your system is set up to log users out after 10-20 minutes when they’re not active for extra safety.
- Choose a system that will allow you to set up a lockout protocol. Then, you will be able to lock out users after 3-5 failed attempts at coming up with the right password.
- Any accounts that have been inactive for an extended time need to be locked out for at least 30 days, allowing you to check and see if users even need the compliance or are still involved in the digital security in question.
- Make sure that you have clear audit trails that can allow you to trace your efforts and record events with a username and date or time so that you always know what’s going on in your day-to-day operations.
Complying with Part 11 guidelines allows you to review and improve information for various processes and practices in your daily business. You may comply by providing solutions like:
- Digital signatures
- Software with handwriting capture
- Biometrics (fingerprints)
- Electronic signatures
Here again, digital signatures and electronic signatures are two different items entirely. Usernames should be individual and not associated with the team as a whole. You will also find the tools and software that you need to create your own process for checking compliance with 21 CFR Part 11.
You also can’t edit anything, or you’re going to have to go back to the formal approval rules that are in place. You also need to notify the FDA in writing that you’re going to be using electronic signatures so that they can properly monitor and audit your organization if necessary.
Validation and Qualification
Checking the infrastructure of the system will allow organizations to document qualifications and ensure that their electronic systems measure up to the requirements of CFR Part 11. Validation applies to software that comes from third-party vendors (SaaS, for one example), computer systems, templates, and change controls. The hosting requirements and responsibilities are also different for SaaS/cloud solutions than for standard software or electronic databases.
Part of the qualification process will include coming up with a set of Standard Operating Procedures (SOPs) that can allow the organization to comply with all FDA regulations and other guidelines from an internal standpoint.
The Responsibility Falls to the Organization
Part of the guidelines of the Title 21 CFR Part 11 summary include outlining the responsibility for compliance. This lies with the organization that is using the electronic systems or records, not the software provider or vendor. Vendors are held accountable to an extent, but when an FDA audit comes up, the organization will be the focus of the scrutiny. Since compliance with this guideline is limited to certain industries, the FDA leaves it as the responsibility of the life sciences organizations in question.
When you take advantage of the resources out there, you will be able to find assistance in compliance, including someone who can go through the checklist of compliance with Part 11 and then ensure that you are using an LMS, QMS, and other solutions that have passed compliance inspections and audits. That way, you are confirming that your tools are validated for installation, operations, and performance in terms of correct operation and regulatory compliance.
Partner with a team that understands the intricacies of Title 21 CFR Part 11 so that you can guarantee organizational compliance with all the tools and software that you use. When you choose eLeap, you can start with your Learning Management System (LMS) and go from there to create the perfect custom solution for electronic record and signature compliance.