Life Sciences Companies and 21 CFR Part 11 Compliance
In the digital age of the twenty-first century, it’s only natural for all kinds of companies to handle more and more of their business operations digitally. While this process of digitization marches forward, it comes with risks concerning the security of electronic records. For life sciences companies, the United States Food and Drug Administration (FDA) is the regulatory agency keeping an eye on their operations, including how the business maintains the trustworthiness and reliability of all electronic records and the use of electronic signatures. The FDA’s requirements around electronic records and signatures are described in this article, as well as how the right learning management system (LMS) can help a biopharmaceutical company comply with FDA regulations.
What Kinds of Companies Qualify as Life Sciences?
Any business or company that is subject to FDA regulation because it deals in biologics, medical devices, drugs, or any combination thereof, is a life sciences company that must comply with 21 CFR Part 11. These can include companies in the following categories:
- Medical Devices
- Research, Testing, and Medical Laboratories
- Digital Health and Informatics
- Bioscience Distribution
- Agricultural Feedstock and Industrial Biosciences
When looking at the regulatory requirements below for electronic records, keep in mind it’s not just a matter of complying—a company has to be able to prove its compliance through established documentation procedures that can be provided to the FDA during an inspection or audit.
21 CFR Part 11: Guidelines for Electronic Records of Biopharmaceutical Companies
The FDA describes what life sciences companies need to do in its guidelines called Title 21 CFR Part 11, first created in 1997 with updated guidance in 2003. For electronic records and signatures to be considered as equivalent to signed paper documents, those electronic records must be handled according to the FDA standards in 21 CFR Part 11. There are a lot of exceptions to Part 11, but the kinds of records that must meet the standards here are two-fold: 1) Any records a company is required to submit to the FDA, and 2) Any records a company is required to maintain but not submit to the FDA. In both cases, these records can be electronic as long as they meet the requirements of Part 11.
The Requirements of 21 CFR Part 11 for Compliant Electronic Records
The FDA distinguishes between two types of computerized systems a life sciences company may use at its business: a closed system or an open system. The basic requirements are the same for both types of systems, except that an open system has a couple extra requirements to meet. Here are the basics:
- Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
- The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
- Protection of records to enable their accurate and ready retrieval throughout the records retention period.
- Limiting system access to authorized individuals.
- Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
- Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
- Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
- Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
- Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
- The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
- Use of appropriate controls over systems documentation including:
- Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
- Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
For companies using an open system for records, all the above must be met, along with “additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.”
Then there’s the section that deals with electronic signatures, which is significantly more complicated, so it’s important to study it carefully in the Code of Federal Regulations website. Also take advantage of pages available from eLeaP that explain the requirements around electronic signatures in plain language, including 21 CFR Part 11 Electronic Signature and 21 CFR Part 11 Electronic Records Electronic Signatures Validation.
Must a Company’s LMS Comply with 21 CFR Part 11? YES!
While the above regulations for electronic records seems like a fairly manageable set of requirements, closer examination reveals they are far-reaching and complex, especially when consideration must include all the different software applications a life sciences company might use that falls under the scope of 21 CFR Part 11. Be sure all such software indicates it is “FDA-compliant” or “CFR Part 11-compliant” (either one is fine as they are used interchangeably to mean the same thing). This includes cloud-based SaaS (software-as-a-service) apps a company may use.
Many life sciences companies don’t realize that the learning management system (LMS) they use for training and education does in fact fall under the scope of 21 CFR Part 11. The good news is that eLeaP is a cloud-based SaaS LMS that is fully compliant with these FDA requirements and has the kinds of features and built-in security measures that facilitate any life science company’s compliance with 21 CFR Part 11. Give the eLeaP LMS a try now or use the Contact Us page to get in touch and learn more.