The FDA (Food and Drug Administration) is responsible for regulating Title 21, which involves CFR Part 11 and the laws surrounding data security for life sciences and medical device brands. The basics of these laws are pretty straightforward, but while a lot of organizations assume they’re in compliance, they could be missing the mark and not even realize it.
CFR stands for Code of Federal Regulations, which means Part 11 is a guideline, not a hard-and-fast checklist of requirements for compliance. Here’s what the regulation outlines, verbatim from the code itself:
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.
Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Limiting system access to authorized individuals.
Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
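One way a system could meet the audit-trail clause quoted above, shown as an added example that is not part of the regulation or of any vendor's product: an append-only, hash-chained log in Python. The class, field names and record IDs are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

ACTIONS = {"create", "modify", "delete"}
GENESIS = "0" * 64


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Illustrative append-only log: changes add entries, never overwrite old ones."""

    def __init__(self):
        self._entries = []

    def record(self, operator, action, record_id, value=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        body = {
            "seq": len(self._entries),
            # Timestamp comes from the system clock, not from the operator.
            "time": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "value": value,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry

    def history(self, record_id):
        """Every entry for the record, oldest first, so prior values stay visible."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def verify(self):
        """Return the seq of the first altered or re-linked entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["seq"] != i or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None
```

A hash chain makes edits detectable, not impossible: anyone who can rewrite the whole store can recompute it, so the latest hash should be anchored somewhere the application cannot write.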
Essentially, compliance with Part 11 means that all of your electronic records and signatures meet the requirements set forth and can be regarded as having the same level of validity and authenticity as a hardcopy document or signature.
There’s also a lot more to it.
#1: It’s Not Automatic
You are responsible for complying with CFR Part 11. You’re also responsible for validating that compliance in the software and hardware platforms that you use. If you are using cloud-based solutions, they will take a lot of the compliance risk off your hands and allow you to lay the responsibility mostly on the tools that you are using. You can also choose to partner with companies like ours that have validation tools to ensure that all of your software and electronic records meet FDA CFR Part 11 compliance.
#2: It’s a Software and Hardware Issue
The hardware that you are using for electronic records access and updating is just as important to check for CFR Part 11 compliance as the software tools that you use. This is often why some people elect to use cloud solutions that will provide all of the data security compliance without the heavy hardware or bulky server requirements. It’s a two-fold process and it’s one that you need to follow through with in every regard to maximize your own regulatory compliance. Essentially, companies must design and implement policies and procedures that provide full protection for electronic records as outlined in Part 11.
#3: There are Three Controls for Compliant Systems
As mentioned, no single system will guarantee compliance with this complex code. The technical aspect of things is covered by the LMS developer, so they should be capable of meeting the requirements in that regard. However, the administrative processes and procedures come from the organization. If they fail to hold individuals accountable or they have not created proper procedures and policies, the system won’t be in compliance even if the LMS creator has done their part. At eLeap, we know that in addition to our software, there are several ways we can help you move toward compliance with this system, no matter what type of organization you have.
#4: Electronically Stored Training Records
All of your training records that are stored electronically are subject to FDA CFR Part 11 compliance. They must also comply with Good Laboratory Practices, Good Manufacturing Practices, and Good Clinical Practices. Training records that need to be kept in compliance include course versions, course completion records, and exam records. This ensures version accuracy in training software and provides accurate tracking for training and knowledge retention. Although the majority of the responsibility for compliance falls on the life sciences company, the systems being used must also be deemed “fit for use”.
#5: Digital Signatures and Electronic Signatures are Different
Many people don’t realize that in terms of regulatory compliance, digital signatures are different than electronic signatures. A digital signature may include a passcode, biometrics, or an additional security key that provides that added layer of authentication. These are not the topic of discussion when it comes to Title 21 CFR Part 11—they’re already protected, validated, and properly encrypted.
Electronic signatures, on the other hand, are not. These are the very literal digital translation of a wet signature, with no other security or authentication attached to them. They need to be validated to ensure compliance with Part 11, and they should fall within the best practices that were mentioned above. Those include:
- Unique logins for electronic records access
- System lockouts after too many incorrect passwords
- Inactive account lockout
- And more
Learning is Half the Battle
Life sciences companies would do well to establish a standard operating procedure (SOP) for dealing with CFR Part 11 compliance, as the law itself is quite vague and often left open to much interpretation. Understanding this regulation and how it impacts business operations is critical for companies that want to make the most of their electronic records and documentation. When people have the right information, they can make more informed decisions about their next steps.
The team at eLeap can provide validation assistance and the tools that you need to ensure that your electronic records and signatures are in compliance with FDA CFR Part 11, including a robust LMS that can even help train your team on best practices for compliance in this area and more.