What is 21 CFR Part 11?
21 CFR Part 11 establishes FDA regulations on Electronic Records & Electronic Signature (ERES), which includes electronic submissions to the FDA. 21 CFR Part 11 defines the criteria under which ERES is considered Trustworthy, Reliable, and Equivalent to paper records. Title 21 is the portion of the Code of Federal Regulations (CFR) governing Food and Drugs in the United States.
21 CFR Part 11 is divided into 3 Subparts – A, B, and C
Subpart A – General Provisions
- Subpart A discusses the scope of regulations and when and how they should be implemented.
- It also defines some key terms used in regulations.
- Part 11 applies to all electronic records that fall under FDA Regulations. FDA will accept Electronic submissions instead of Paper submissions if those submissions adhere to Part 11 requirements and are included among the types of documents that the FDA accepts electronically.
Subpart B – Electronic Records
- Subpart B discusses the requirements for the administration of closed and open systems.
- Closed system
- System that can be built and tested, i.e., a system on the intranet that only testers and developers responsible can access.
- It would be a build-and-test system on the intranet.
- According to 21 CFR Part 11, a closed system must have a collection of procedural and technological controls to protect data within the system
- Open System
- System that transmits data via the Internet.
- Open computer systems must have controls to ensure that all records are authentic, incorruptible, and confidential where applicable.
- Subpart B discusses Signature manifestations and requirements for establishing a link between signatures and records.
- It also explains that the organizations using electronic records must establish and document procedures and controls – that include “CSV, Record Rendering, Document storage, and record retention, System access, Audit Trails, Workflows, Authority checks, Device checks, personnel qualifications, and personal accountability and document control” that ensure Authenticity, Integrity, and Confidentiality.
- Closed system
Subpart C – Electronic Signatures
- This section includes general requirements for:
- Electronic Signature component and controls
- Controls for identification codes and passwords
- A person using an electronic signature must have their identity confirmed and should use a unique signature.
- Subpart C also includes special design requirements for digital signatures that are biometric and non-biometric.`
When does CFR Part 11 apply?
- 21 CFR Part 11 is applicable when an organization,
- Maintains electronic records instead of paper records or if the record is maintained in an electronic format in addition to paper records.
- Relies on electronic records on a computerized system to perform any regulated activities required by FDA, though they still make printouts.
- Submits records to the FDA in electronic format (even though the records are not explicitly identified in FDA regulations).
- Requires Electronic Signatures to be the equivalent of handwritten signatures, initials, and other general signings required by rules.
- 21 CFR Part 11 applies to all data acquisition and evaluation steps. Primarily, you must perform a risk assessment for all processes or activities required. To manage risks, you will need to understand your business and the goals of your business so that you will be able to identify how to reduce/mitigate those risks using Part 11 controls. This can be achieved by Part 11 – Gap Analysis – “to document the system’s compliance status in relation to all the requirements of Part 11”. The gap analysis checklist included consideration for the following:
- Part 11 applicability
- Process and procedures related to the use of electronic records and electronic signatures
- Electronic Audit Trails
- Logical security, user permissions, and workflow enforcement
- Documentation procedures and training management
- Implementation of electronic/digital signatures.
The Gap Analysis provides the company with insight into identifying the gaps that might exist and remediating those gaps in the system. The Part 11 Gap Analysis also helps to create new requirements to comply with Part 11 regulations, and it can also help improve access to the existing system.
Why is Part 11 required?
The core intention of Part 11 is to help any organization planning to use electronic records to replace paper records. In other words, this is an excellent tool and method to ensure that electronic records and signatures used in your work and organization are as authentic as physical records and signatures.
Thus 21 CFR Part 11 ensures,
- Reliability of electronic records and signatures
10 Steps to achieve compliance:
1. Validated Systems with complete documentation, including change control
What is expected by FDA?
- Procedures/SOPs should be put in place to ensure that the systems used in regulated activities are validated and maintained in a validated state through effective change control. Also, the person(s) validating must have adequate training and experience.
- A risk-based approach should be taken to validate. The actions should be determined by the risk a specific system or system functionality can have on data integrity, product quality, and patient safety. The risk assessment should ensure that the system functionalities with the highest risk receive the highest extent of validation.
- Data Integrity principles ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) should be in place.
- Version control and change control procedures should be in place for system documentation.
- An extensive Validation Plan which states the scope of the validation, approach, strategy, schedule, tasks to be performed, etc., should be created along with the Validation Summary Report, which provides an overview and results for the activities mentioned in Validation Plan. Both documents should be reviewed and approved.
- Traceability Matrix should be created and maintained as part of change control (it is a living document).
- It should clearly indicate which requirements were tested with which scripts – IQ, OQ, and PQ.
- Requirements can also be traced to SOPs, i.e., few requirements can even be achieved through implementing procedures or having SOPs in place to train the employees.
- It should also reference Functional Specifications and Design Specifications for custom-built systems.
- It should be structured to enable the performance of an Impact assessment.
- The Traceability Document is very useful and significantly facilitates system management and inspection of system documentation
2. System should generate accurate and complete copies of electronic records for review/inspection
- The system should be enabled to easily search records (through Indexing) and print the records in a portable format (pdf, xml) in case of inspection along with the associated Audit Trail or E-signature information
- Document Version has to be clear and well maintained.
3. Record protection and easy retrieval throughout their retention
- A Retention policy or SOP should be in place.
- The system should be fully backed up regularly per the SOP or policy.
- Regular backup Restoration Tests have to also be performed. The records should be in a portable format (pdf, xml).
- Disaster Recovery Plan should be available for all the systems.
4. Appropriate Access Management – Security controls
- The system should have a security procedure based on user security profiles which can be applied up to the document access level.
- The system should enforce the sequencing of events based on document status.
- Each User must have a unique username and password to access the system. And the password should be changed periodically.
- The system should ensure that all approved or final records are read-only.
- Controls should be in place to detect security breaches.
5. Audit Trail – to discern changes to records throughout
- Audit Trails are very important and should be applied to all records in the system – documents, metadata, and signatures. When working with a 3rd party, all electronic records should be shared along with Audit Trail.
- The Audit Trail should be computer generated and non-modifiable and should include details of “who,” “what,” “when,” “where,” and “why” of activity on an electronic record. Audit Trail should have both old and new values.
6. Encryption for Open Systems
- According to CFR, “An Open system means an environment in which system access is not controlled by persons responsible for the content of electronic records on the system.”
- In other words, if the system is hosted or used by an individual outside of the organization, thus transmitting information over the internet, it may be considered an open system.
- Records from Open systems should ensure Authenticity, Integrity, and Confidentiality.
- Encryption such as VPN can also be used to ensure Confidentiality, and Digital Signatures can help to show integrity and authenticity.
7. Linking Electronic Signature to Records
- As per CFR, “Electronic signatures and handwritten signatures executed to electronic records should be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.”
- Proper Version control procedures should be in place to maintain system documentation and record.
8. Electronic Signature – controls and components
Electronic Signature should have the following controls or components:
- E-signature should have at least two identification elements to sign and should be unique to an individual.
- The person who performs an E-signature must be trained to E-Sign and sign a non-repudiation form that clearly identifies them.
- The E-signature should become invalid if a record updates after being signed.
- The E-signature should have the following components:
- Full Name of the Signer
- Reason for signature (Author, review, approve)
- Date and Time of signature (Unambiguous Timestamp)
9. Trained and qualified people
- There should be a clear job description and training matrix to indicate qualifications and required training for each role – to develop, install, validate, maintain and use the system.
- There should be formal training to use the system along with SOP trainings.
10. SOPs in place
There should be formal and regularly updated SOPs in place for the following:
- Software Development
- Computer System Validation (CSV)
- Physical and Logical security and data protection
- System Maintenance and Administration
- Disaster Recovery and Business Continuity
- System change control
- Record Management (Backup, Recovery, Record Retention, Archival)
- Electronic and Digital Signatures
- System Management
- Any other regulated process.
How does eLeaP help you with 21 CFR Part 11:
eLeaP is a web-based e-learning solution with a simple but sophisticated user interface, allowing technical and non-technical training managers to create, manage and track interactive training courses and learning programs for all levels of users. eLeaP’s training tracking software can also be used to register and track classroom or instructor-led training and deliver continuing education credits.
Let’s say you use a general-purpose e-learning (LMS) system to manage your training. Given that it’s a general purpose, you have to spend a considerable amount of time and effort to engineer the system you want. Also, it includes lots of risks because regulatory LMS best practices won’t be built in. Our learning management software system is flexible, validated, adaptable, and customizable – and so easy to use that it can be up and running in a matter of minutes with no special training.