21 CFR Part 11 Tutorial
Not Clear on How an LMS Should Comply with 21 CFR Part 11? This Tutorial’s for You
Are you thinking about migrating to a new learning management system within your life science business? It’s a big decision for any company but is particularly challenging for pharmaceutical companies, biotech firms, medical device manufacturers, and other businesses that fall under the purview of the FDA. This 21 CFR Part 11 tutorial article helps illustrate the FDA’s requirements and how you can meet them (with the right learning management system).
The elephant in the room here is 21 CFR Part 11 – the part of the FDA’s Code of Federal Regulations that deals with electronic records and electronic signatures. Your LMS is a critical area for compliance, as training records are high up on the FDA’s list of priorities during an audit. You also need to ensure that you’re providing learners with the best experience and that you’re doing your best to safeguard digital data in your keeping.
So, how do you choose an LMS that’s compliant with those regulations? This LMS 21 CFR Part 11 tutorial will explain some of the considerations that you need to make when shopping around for a new learning management system. It’s not as complicated as you might think – we’ll even match LMS features against CFR requirements to help you better understand the situation.
21 CFR Part 11 Tutorial: Requirements and Features Explained
Section | FDA requirement | LMS feature |
11.10 (b) | The system shall generate accurate and complete copies of records in human-readable and electronic form suitable for inspection, review, and copying | The LMS should provide you with reports detailing user progress, scores, weaknesses, and more. Those reports should be in PDF, Excel, HTML, or another accepted format, and should be ready for use within your company, or for sharing with FDA inspectors. |
11.10 (d) | The system shall limit system access to authorized individuals. | The LMS must provide authorized access only. This goes beyond simply requiring a username and password to log into the LMS. You must set user rights so that everyone (including administrators) has access only to those areas they need. Look for an LMS that also requires strong passwords. |
11.10 (e) | The system shall employ secure, computer-generated date/time-stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records without obscuring previously recorded information. | Any changes within the system, whether that’s assigning a module or deleting data, should be recorded and include a date and time stamp, user credentials, and other information important for accountability. |
11.10 (f) | The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised). | The LMS should require users to follow a specific set of steps, such as completing module A before moving on to module B. Each set of events should be logged and recorded for future review. |
11.10 (g) | The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand. | Your LMS must enforce authorized users only. Without recognized credentials, users and administrators should be prevented from accessing the system. You should also be able to set specific rights and access capabilities per user or user type. |
11.10 (h) (1) | The system shall determine, as appropriate, the validity of the source of data input or operational instruction. | Users should be free to access the LMS through a wide range of other devices, including mobile devices and personal devices. However, the system must be able to recognize authorized devices and IP addresses to prevent access from an unauthorized individual/device. |
11.50 (a) (1), (2), (3) | The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g., approval, responsibility, authorship). | Your LMS should maintain audit trails that show the username, password, date, time, and reason for all changes. That information should be maintained even in the event of future changes. |
11.50 (b) | The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human-readable form of the electronic record (e.g., electronic display or printout). | Each electronic signature should include three components: username, date and time, and the reason for or type of action or change. Those should be included in all reports to ensure traceability and accountability. |
11.70 (a) | The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | All electronic signatures should be linked to usernames and passwords, and those credentials should protect the electronic signature from any action that would allow falsification. |
11.100 (a) | The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else. | Your LMS should require unique usernames and never allow re-used names. |
11.200 (a) (1) | The system shall employ at least two distinct identification components, such as an identification code and a password. | Accessing the LMS should require at least two components – a username and password, for instance. However, biometric and two-factor authentication components can add strength and protection. |
11.200 (a) (1) (i) | The system shall require the use of all electronic signature components for the first signing during a single continuous period of controlled system access. | Each session should require the user to log into the system again. |
11.200 (a) (1) (i) | The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component. | The system should require the user to enter their password periodically during use sessions. |
11.200 (a) (1) (i) | The system shall ensure users are timed out during periods of specified inactivity. | You should be able to set time-out periods, after which a user will need to log back into the system to regain access. |
11.200 (a) (1) (ii) | The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access. | The LMS should require both username and password to log in to the system during separate sessions (the system should not “remember” the user from session to session). |
11.200 (a) (3) | The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner to require the collaboration of two or more individuals. | Your LMS should prevent any sharing of electronic signatures. Any attempt to falsify access should require at least two individuals. |
11.300 (a) | The system shall require that each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password. | All users should have a unique username and password – no one should have a duplicated component (whether username or password). |
11.300 (b) | The system shall require that passwords be periodically revised. | The LMS should require users to change their passwords periodically. |
11.300 (d) | The system shall employ transaction safeguards preventing the unauthorized use of a password and/or identification codes. | Your LMS should include good password hygiene policies, such as requiring users to change passwords on initial login. |
11.300 (d) | The system shall detect and report unauthorized use of a password and/or identification codes to specified units. | Any unauthorized access attempts should be logged, recorded, and reported. |
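
The following added example, which is not from the original article or from any LMS vendor, shows one way the audit-trail and signature rows above (11.10 (e), 11.50 (a), 11.70 (a)) can be implemented: an append-only, HMAC-chained log whose sign entries carry the signer, time and meaning and are bound to a hash of the record. The class and function names, the key and the sample training record are assumptions constructed for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

AUDIT_KEY = b"constructed-demo-key"  # assumption: real key lives in a KMS/HSM
GENESIS = "0" * 64

def digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def _mac(body: dict) -> str:
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, raw, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only trail; each entry commits to the one before it (11.10(e))."""
    def __init__(self):
        self._entries = []

    def append(self, user, action, record, meaning=None, when=None):
        entry = {
            "seq": len(self._entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,                      # identity only, never the password
            "action": action,                  # create / modify / delete / sign
            "meaning": meaning,                # 11.50(a): approval, authorship, ...
            "record_sha256": digest(record),   # 11.70(a): binds entry to content
            "prev": self._entries[-1]["mac"] if self._entries else GENESIS,
        }
        entry["mac"] = _mac(entry)
        self._entries.append(entry)
        return dict(entry)

    def entries(self):
        return [dict(e) for e in self._entries]

def first_bad_entry(entries) -> int:
    """Index of the first altered, reordered or missing entry; -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "mac"}
        ok = (e.get("seq") == i and e.get("prev") == prev
              and hmac.compare_digest(_mac(body), str(e.get("mac"))))
        if not ok:
            return i
        prev = e["mac"]
    return -1

def signature_covers(entry, record) -> bool:
    """True only if this 'sign' entry was made over exactly this record content."""
    return entry["action"] == "sign" and entry["record_sha256"] == digest(record)
```

The chain detects edits, reordering and removal from the front or middle of the trail; detecting removal of the newest entries additionally requires keeping the latest MAC somewhere LMS administrators cannot rewrite.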
Help Is at Hand
As you can see from our LMS 21 CFR Part 11 tutorial, there’s a lot to consider when choosing a new system. Thankfully, we can help. Contact eLeaP today to learn more about our groundbreaking learning management system and to schedule a consultation.