These days, information security is paramount. Life sciences companies, especially, face challenges in complying with the CFR Part 11 rule of Title 21. This rule is what sets forth the compliance guidelines for information security and electronic systems, and it is one that everyone needs to be familiar with in order to take their business to the next level.
Understanding this code and what it means to your organization is perhaps the biggest part of the compliance puzzle. Below, you’ll find all the details about the goals, methods, systems, and other factors.
With the software market for life sciences expected to see growth to as much as $22.5 billion through 2024, now is the time to get started. Get started on the right foot with the eLeaP validated platform.
The Goals of CFR Part 11
Although this guideline was created back in 1997, it still applies in the modern digital age. It was designed to cater to the ever-changing needs of this industry, with goals such as:
- Training companies and individuals on how to use computer systems and software, as well as how to troubleshoot them when they are not working effectively.
- Maintaining secure, safe data that is protected from all threats and ensuring that data does not get lost or corrupted.
- Ensuring that signatures for review and approval are valid, legitimate, and cannot be the subject of dispute.
- Tracing changes to data during its lifecycle to monitor security and potential risks along the way.
- Detecting and/or preventing falsified records or records breaches.
It’s also necessary for organizations to be more practical about how they manage paperwork across multiple offices or other multi-access needs. With today’s companies spread more globally and connected more remotely than ever before, paper-based systems just aren’t practical. Electronic records make far more sense and are far more efficient, but the challenge comes in proving to the regulating authorities that your system can handle the standards set forth by 21 CFR Part 11.
In doing that, and in learning more about this statute and how it may impact your organization, read on for five things you need to know about Part 11 and what it means to you.
Digital Signatures and Electronic Signatures are Different
Title 21 CFR Part 11 is a very specific set of guidelines, and it explains carefully the difference between digital signatures, which aren’t monitored, and electronic signatures, which do fall under Part 11. Electronic signatures are those that are simply used to replace wet ink and are not validated with any kind of key or passcode or other digital authentication.
Digital signatures refer to those that are authenticated with another layer of security, such as a PIN or password. These do not fall under Part 11 because of the two-factor authentication, but the electronic signature needs to meet all of the regulations of this compliance guideline.
Ask for Proof of Compliance Before Using Systems
In a perfect world, you would be able to take someone at their word when they tell you that they have the compliance tools that you need. When you’re looking at software that you can use for electronic signatures or records, you need to ask to see their proof of certification. Validating these systems is part of your due diligence in choosing the right solutions for managing and securing your data to meet Part 11 guidelines.
If you’re using SaaS (Software-as-a-Service) platforms, the vendor host and manager is going to hold more responsibility.
CFR Part 11 Compliance and FDA Compliance are the Same
If you’ve looked at software already, you may have noticed that some products are sold specifically as CFR Part 11-compliant, while others are marked as “FDA compliant” or otherwise validated. This is the same thing—whether it says “FDA” or “CFR”, the compliance is there. Of course, just because a provider claims that their software fits the bill doesn’t mean you should take their word for it. Ask to see their proof of validation so that you can guarantee their compliance before you choose their platforms.
It’s up to you to make sure that companies are compliant, as discussed above, before you start working with them. By understanding the different terms and the way things are labeled, it will be easier for you to get what you need.
Not All Companies Have to Comply
While the majority of life sciences companies, including medical device and biotech brands, need to comply with Title 21 and the CFR Part 11 statute, not all companies will be subject to this regulatory compliance. In order to check to see whether you have to follow Title 21 CFR Part 11, you should consider whether you have any electronic records and take electronic signatures. If the answer is yes, the compliance is mandatory. Plus, you have to make sure that your hardware and software measure up, including if you’re using cloud-based or SaaS tools.
Electronic Signature Rules
In order to comply with 21 CFR Part 11, electronic signatures need to be captured in such a way that they are secure, and password protected whenever possible. Passwords need to be reviewed and approved regularly and the guidelines of this statute even allow for a variety of electronic signature options:
- Handwriting capture
- Digital signatures (with PIN codes or keys)
- Biometrics, such as fingerprints or facial recognition
Any and all of these secure methods can be used to allow both employees and clients alike to trust that they are being given a compliant process to deliver secure electronic records, no matter what area of life sciences they work in. The entire premise of this guideline is in establishing security for electronic signatures, after all, so having the right tools is critical to your success.
It’s about regulatory compliance, but it’s also about protecting your organization. With CFR Part 11, the knowledge is half the battle and once you know what’s expected, you can deliver the best electronic security compliance every single time. eLeaP is a validated software platform to meet CFR Part 11 compliance.
Life sciences organizations using electronic systems must check all of their software for CFR Part 11 compliance. Although many think otherwise, if the FDA requests an audit, it will not be of the software provider—it will be an audit of the life sciences organization using the software.
When setting up electronic systems like an LMS, employee records database, or another laboratory platform or software solution, it is crucial for companies to work with solutions that are openly and obviously meeting the guidelines of CFR Part 11 software compliance, including as it relates to:
- Electronic record storage and security
- Electronic signature validation and authentication
Software compliance is a topic that is on the rise, as it is expected that the life sciences software market will grow by as much as $2.55 billion through 2024. Software vendors are using SaaS-based models to enter new markets and expand their services, with cloud deployment that offers efficient, affordable, scalable solutions for all sizes and types of life sciences organizations.
Compliance is Not Inherent
CFR Part 11 software compliance is not guaranteed. Unlike some regulatory guidelines or standards, there is nothing preventing companies from launching SaaS products or other software solutions that are out of compliance with what the Part 11 mandate sets forth for electronic records and electronic signatures.
This is a standard that must be modified or added with intention. In some cases, users or developers can modify existing programs (such as Excel) to fit the guidelines of CFR Part 11 and other compliance codes. As of the time of this writing, however, most solutions do not automatically comply with CFR Part 11, nor do they guarantee it or even announce it very well.
What does that mean? Put simply, it means that it is up to your life sciences organization to choose compliant tools and ensure that you are capable of providing an audit trail and following the guidelines for electronic records and signatures.
So, What Do You Ask For?
When inquiring with software companies about their compliance and regulatory standards, you need to ask for proof of compliance with Title 21 CFR Part 11, as well as any other compliance standards that must be met. Companies should be able to produce this information to give you the peace of mind that you need. If they cannot, you should assume that the software isn’t compliant.
Ask companies if their tools meet the criteria for Title 21 CFR Part 11. These include guidelines like a need for clear audit trails, password protection and data security, and even electronic signatures and guidelines as to what does and doesn’t qualify as a legally binding signature. If a company doesn’t advise you as to whether their software meets compliance guidelines, you should always ask.
What Should You Get?
If you’re trying to make sure that you are protected under Title 21 and that your business is compliant, you are on the right track. This is your responsibility and even the software providers cannot be held responsible for your failures to confirm that all of your tools and resources are compliant.
When you are working with a company that will provide testing, validation, or supporting documentation, you will benefit in several ways. They should provide:
- A compliance checklist
- A certificate of compliance
- Documentation of inspections and audits (passed)
This should be done for all of the electronic software systems that are used, as well as for your network as a whole. Life sciences organizations need to ensure that every aspect of their software is in compliance with the CFR Part 11 software guidelines in order to operate legally and properly under the FDA’s regulatory guidelines.
A Note on Qualification
When you are qualifying or validating software and tools for their compliance, there are several different aspects that you need to consider. This statute was released in 1997, but it still delivers the basic language needed, so not much has been changed. The terms are transferable because even though they once referred to equipment, they can now be used interchangeably for software.
You’ll want to check three areas of qualification on all software when it comes to CFR Part 11 policy compliance:
- Performance Qualification: Is the software performing as it should? Is it processing and storing records correctly and ensuring security compliance across the board?
- Installation Qualification: Has the software been correctly and securely installed, following all necessary protocols and security procedures?
- Operational Qualification: Is the software capable of meeting all of the regulatory requirements of CFR Part 11 and other necessary compliance requirements?
The Rising Need for Operational Efficiency Improvements
In an industry that is expected to see so much growth, there is also a growing need for improvements in operational efficiency from an end-user standpoint. Through 2024, as life sciences software continues to enhance the performance of organizations, many companies depend entirely on this software to obtain information and create reports from it.
Another area where life sciences organizations can stand to make improvements is in the use of learning management systems (LMS). This software carries out the centralized training and management of employee data to aid in increasing compliance and operational efficiency. In turn, that will enable these organizations to remain competitive in their market.
The Software Market for Life Sciences: The Highlights
Through 2024, the life sciences industry will continue to see extensive growth in several areas, including with electronic records systems and software tools used to perform everyday tasks. Upcoming trends and changes in consumer behavior will affect the changes taking place, while the growth of the competitive market landscape will provide a more secure set of solutions for the future of this industry.
As the industry continues to evolve and grow, the factors that challenge the market for software will also evolve. It will be up to the organization, not the vendors, to prove compliance in the event of an FDA audit. Nonetheless, it can benefit everyone if vendors start embracing compliance and delivering it as standard operating procedure like we do here at eLeaP. Contact us now to learn more about a custom, compliant LMS for your organization.
CFR Part 11 compliance is a huge issue for life science companies and it’s important for everyone to be on the same page. How, though, can you make sure that your team truly understands the value of security in the digital age enough to follow the rules of CFR part 11 to the letter?
It’s a tall order, even for those who are familiar with the guidelines. However, it’s an essential part of your business and one that your team will need to comprehend and utilize in their day-to-day operations. That’s why it’s better to train everyone on data security and various tools used to provide the company with the protection that it needs.
What is CFR Part 11?
For those who aren’t familiar, CFR Part 11 is a section of Title 21 that pertains to the securing and regulation of electronic records, including signatures, documents, data, and more. It’s a lot more complex than that, however, which is why you really have to figure out how to help your team understand it.
That starts by getting a firm grasp on the concepts yourself and fully understanding this statute and what is required by it. For example, if you have products on your own hardware, it’s your own responsibility to manage that software and to ensure that the proper procedures are in place in that regard.
CFR is the acronym for “Code of Federal Regulations”. The guidance in this code ensures the confidentiality, integrity, and authenticity of electronic data and signatures captured, and it’s important for all researchers to demonstrate that they have software and tools that are in compliance with the code.
Now, let’s talk a little more about what makes a tool or software platform compliant, as well as which features should be on the top of your list to discuss with your team.
Features to Consider for Part 11 Compliance
Although there are several different tools and software solutions on the market today, they are not all created equally. Many of them are compliant with Title 21 CFR Part 11 in every way possible, while others might lack the required compliance features for one reason or another. If you are going to invest in this kind of technology, you’ll want to consider things like:
- A detailed audit trail. Regulators that are performing inspections are going to need a chronological record of the goings-on within the company. It will be important to use a software tool that keeps records of how, when, and how often it is used. That way, when the auditors show up, you’ve got all the records creating themselves automatically.
- Security controls for user access. You aren’t going to want every employee in every part of your software platforms. Therefore, you’ll want to choose a platform that includes security features like unauthorized access detection and more. These controls make it easier for you to manage remote accounts, including data and signature integrity.
- Electronic signatures. Electronic signatures are unique to each user, just like ink signatures. They are legally binding and with a system that is Part 11 compliant, users will be able to sign things electronically and have them considered to be legally binding, when done according to the letter of the code.
Being able to validate the software and security that is being incorporated as part of electronic records is a big part of the process. It is going to be up to you to figure out what type of validation is required and how it can affect the overall success of your data security, including electronic signatures and more.
While performing research and learning about compliance, brands are going to be able to check out the software solutions available and how they are hosted. It also helps people understand data and gives everyone the secure, compliant access that they deserve.
Evaluating Your Tools
With the guidelines set forth by the CFR Part 11 rule, there are several exceptions and things to consider when setting up the proper procedures and ensuring that all software is validated and documented as being the most efficient, straightforward tool for managing products and procedures in a digital environment. You should be looking for vendors and products that have procedures and solutions in place for things like:
- Logical and physical security
- Disaster recovery
- Installation qualification
- Validation testing
- Vendor auditing
When you use these criteria to explore the validation and compliance of Part 11 with the software solutions that you have in mind, it will be much easier for you to put these methods into practice and use your software and tech tools to provide data security solutions that fit the needs of your organization at this point in time.
Getting the Team on Board
Once you have taken the time to put yourself in a position to better understand Title 21 and CFR Part 11 compliance, you will be able to share the procedure and guidelines with your team. You should incorporate data security and digital or electronic signature integrity into all of your efforts and with the right tools, it will be easy to get everyone on the same page. Remember to talk to your team about the products and procedures that you have in place and help them better understand the value of integrity that comes with proper data security and compliance.
You’ll have different rules to follow and things to consider depending on whether you are using software on your servers, hosted cloud solutions, or any other kind of software tools. You will also need to let your team know that each of these elements is going to impact how you comply with CFR Part 11 and your organization’s overall procedures for managing that data.
It’s not a challenging effort, really. It’s more about being informed and understanding what this compliance means for your business and your digital efforts. When you take the time to engage everyone and share the responsibility of compliance with your team, you’ll have less trouble keeping everyone on the same page when you’re building your digital existence.
The basic premise of the CFR Part 11 summary is simple: the data and electronic signatures used in any business efforts need to be secure and need to follow all of the guidelines of this compliance code. The manifestation is more than a digital signature or key—it is an actual physical representation of a wet signature and it has to meet all of the criteria in order to be proven compliant and legally binding.
In addition, all electronic records must be stored according to the regulation in a validated, secure system that has met all of the compliance markers set forth by the FDA in the code that was established in 1997. Life sciences organizations utilizing electronic systems for learning and training, data storage and record keeping, and other operations and functions will need to familiarize themselves with CFR Part 11 and how it impacts their business.
Does 21 CFR Part 11 Apply to You?
The first step in the process for any company is to determine whether this statute even applies to them and their digital efforts. Some companies will attempt to keep their “master records” on paper and then assume that means that they don’t have to worry about Part 11 compliance. In fact, that actually makes things much more difficult.
The FDA defines electronic records as:
“Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”
Thus, according to the technical definition set forth, this offers a broad coverage that means that most companies will be affected today because they are doing business online and attempting to do so with digital signatures and other electronic information keeping.
The bottom line? Even if you have “paper” records, once they’re uploaded to a server, an email, or any computer system, you immediately enter the realm of Part 11 compliance.
Best Practices of Title 21 CFR Part 11
You can use these best practices to help check permissions, compare compliance solutions, and double-check all passwords and system security to provide the right access for the organization as a whole. Here are a few best practices that you will want to keep in mind:
- Use a unique login, including a username and password that will not be easy for people to guess or share. You should also make sure that your system is set up to log users out after 10-20 minutes when they’re not active for extra safety.
- Choose a system that will allow you to set up a lockout protocol. Then, you will be able to lock out users after 3-5 failed attempts at coming up with the right password.
- Any accounts that have been inactive for an extended time need to be locked out for at least 30 days, allowing you to check and see if users even need the compliance or are still involved in the digital security in question.
- Make sure that you have clear audit trails that can allow you to trace your efforts and record events with a username and date or time so that you always know what’s going on in your day-to-day operations.
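The practices listed above, shown as an added Python example that is not part of the original article or of any vendor's product: unique usernames, idle logout, lockout after failed logins, and an audit trail stamped with username and time. The class names, the 15-minute and 3-attempt values (picked from the ranges above), and the hash chaining that makes edits to the trail detectable are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

IDLE_TIMEOUT_S = 15 * 60   # assumed value inside the 10-20 minute range
MAX_FAILED_LOGINS = 3      # assumed value inside the 3-5 attempt range
GENESIS = "0" * 64         # "previous hash" of the first audit entry


class AuditTrail:
    """Append-only event log; each entry stores the hash of the one before."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        blob = json.dumps(fields, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def record(self, username, event, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"user": username, "event": event, "time": when, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self):
        """Return the index of the first altered entry, or -1 if intact."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return index
            prev = entry["hash"]
        return -1


class Accounts:
    """Password logins with lockout and idle timeout, all audited."""

    def __init__(self, audit):
        self.audit = audit
        self.users = {}      # username -> salt, password hash, counters
        self.sessions = {}   # username -> time of last activity (seconds)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, username, password):
        if username in self.users:
            raise ValueError("each username must belong to one person")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw": self._hash(password, salt),
                                "failed": 0, "locked": False}

    def login(self, username, password, now):
        user = self.users.get(username)
        if user is None or user["locked"]:
            self.audit.record(username, "login_refused", now)
            return False
        if hmac.compare_digest(self._hash(password, user["salt"]), user["pw"]):
            user["failed"] = 0
            self.sessions[username] = now
            self.audit.record(username, "login_ok", now)
            return True
        user["failed"] += 1
        self.audit.record(username, "login_failed", now)
        if user["failed"] >= MAX_FAILED_LOGINS:
            user["locked"] = True   # no automatic unlock in this example
            self.audit.record(username, "account_locked", now)
        return False

    def session_active(self, username, now):
        """True if logged in and not idle too long; refreshes the idle timer."""
        last = self.sessions.get(username)
        if last is None:
            return False
        if now - last > IDLE_TIMEOUT_S:
            del self.sessions[username]
            self.audit.record(username, "idle_logout", now)
            return False
        self.sessions[username] = now
        return True


if __name__ == "__main__":
    trail = AuditTrail()
    accounts = Accounts(trail)
    accounts.add_user("jdoe", "constructed-passphrase")  # constructed sample user
    start = 1_700_000_000                                 # constructed timestamp
    accounts.login("jdoe", "constructed-passphrase", start)
    accounts.session_active("jdoe", start + IDLE_TIMEOUT_S + 1)  # idle logout
    for attempt in range(MAX_FAILED_LOGINS):
        accounts.login("jdoe", "wrong-guess", start + 2000 + attempt)
    for entry in trail.entries:
        print(entry["time"], entry["user"], entry["event"])
    trail.entries[0]["user"] = "someone_else"              # simulate an edit
    print("first altered entry:", trail.verify())
```

The chain only exposes edits that leave later hashes untouched; against someone able to rewrite the whole trail, the latest hash also has to be kept somewhere they cannot reach.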
Complying with Part 11 guidelines allows you to review and improve information for various processes and practices in your daily business. You may comply by providing solutions like:
- Digital signatures
- Software with handwriting capture
- Biometrics (fingerprints)
- Electronic signatures
Here again, digital signatures and electronic signatures are two different items entirely. Usernames should be individual and not associated with the team as a whole. You will also find the tools and software that you need to create your own process for checking compliance with 21 CFR Part 11.
You also can’t edit anything, or you’re going to have to go back to the formal approval rules that are in place. You also need to notify the FDA in writing that you’re going to be using electronic signatures so that they can properly monitor and audit your organization if necessary.
Validation and Qualification
Checking the infrastructure of the system will allow organizations to document qualifications and ensure that their electronic systems measure up to the requirements of CFR Part 11. Validation applies to software that comes from third-party vendors (SaaS, for one example), computer systems, templates, and change controls. The hosting requirements and responsibilities are also different for SaaS/cloud solutions than for standard software or electronic databases.
Part of the qualification process will include coming up with a set of Standard Operating Procedures (SOPs) that can allow the organization to comply with all FDA regulations and other guidelines from an internal standpoint.
The Responsibility Falls to the Organization
Part of the guidelines of the Title 21 CFR Part 11 summary includes outlining the responsibility for compliance. This lies with the organization that is using the electronic systems or records, not the software provider or vendor. Vendors are held accountable to an extent, but when an FDA audit comes up, the organization will be the focus of the scrutiny. Since compliance with this guideline is limited to certain industries, the FDA leaves it as the responsibility of the life sciences organizations in question.
When you take advantage of the resources out there, you will be able to find assistance in compliance, including someone who can go through the checklist of compliance with Part 11 and then ensure that you are using an LMS, QMS, and other solutions that have passed compliance inspections and audits. That way, you are confirming that your tools are validated for installation, operations, and performance in terms of correct operation and regulatory compliance.
Partner with a team that understands the intricacies of Title 21 CFR Part 11 so that you can guarantee organizational compliance with all the tools and software that you use. When you choose eLeaP, you can start with your Learning Management System (LMS) and go from there to create the perfect custom solution for electronic record and signature compliance.
Title 21 CFR Part 11 is an important topic in the life sciences industry. As people are looking to build compliant solutions and keep their companies on track, understanding how to achieve those goals includes learning about the regulations and guidelines in place that are being held as the industry standard. In order to help more people better understand Title 21 CFR Part 11 and how it works, we’ve compiled a simple question-and-answer article that will allow you to learn more about all of the most important aspects, one thing at a time. You can download the whitepaper, “How to Prepare for a 21 CFR Part 11 FDA Inspection”.
What is Title 21 CFR Part 11?
Title 21 CFR Part 11 is the regulatory guideline that outlines provisions for electronic records and electronic signatures, including the management, creation, and regulation of them as well as what qualifies.
This outlines how electronic records can be created, stored, and shared, as well as what requirements exist for electronic signatures and which elements qualify as validating factors, including things like two-factor authentication and requiring a reason for any change that is made in the system according to CFR Part 11. Adhering to this statute can be confusing so pay attention to the 21 CFR Part 11 questions and answers we raise here.
Who does CFR Part 11 apply to?
This statute applies to several different industries, including life sciences and pharmaceuticals, as well as biotech companies and others. This regulatory statute applies to any organization within these industries that is looking to create secure digital or electronic records and use electronic signatures to do business online or in a digital environment rather than using hard copies.
How does Title 21 CFR Part 11 relate to GxP?
GxP, or the Good Practice guidelines for multiple disciplines, define the ways that life sciences companies and other regulated organizations must control procedures, processes, people, and their premises to ensure quality and consistency in products and services.
The FDA’s Title 21 CFR Part 11 is just one facet of GxP compliance in the life sciences industry. Along with the FDA, the European Medicines Agency (EMA), International Organization for Standardization (ISO), and the Medicines and Healthcare Products Regulatory Agency in the UK (MHRA) all refer to and define GxP in various publications.
What does GxP say about electronic records?
Under GxP, Part 11 is considered a Good Documentation Process, among other things. Data integrity is a critical component of GxP, including the guideline that if it hasn’t been documented, it didn’t actually happen. That is, organizations must specify, document, and accurately record every single critical action taken by an employee while involved in the creation, manufacturing, or delivery of a project or product. This is generally done with a Quality Management System.
What is considered an “electronic signature”?
An electronic signature is a digital version of someone signing their name in a legally binding way. Of course, this wasn’t always a perfect solution. There were several platforms and documents in the past that simply allowed people to type in their name or initials in place of an actual signature, attesting to the validity of whatever they were signing. This is not a secure method of doing things, though, so the FDA has stepped in and created a demand for a better solution.
Today’s electronic signature requires a username and password, along with a reason for the action taken on electronic records while logged in. For example, if someone logs into the LMS and re-takes an exam they failed last time, the reason would be to re-take the exam. Even if you just add an employee’s updated training status, a change must be noted as part of your electronic signature.
The idea is that not only will this keep data secure, but it will allow everyone within the organization to trace who made changes and when, as well as to keep tabs on the various actions and activities of others.
How do I know if software is compliant?
The biggest struggle for many organizations is determining which tools are compliant and which ones are yet to be assessed. Software does not have to list that it meets compliance standards for CFR Part 11, so you might often find yourself having to ask. Some software does have compliant and non-compliant versions, but if you’re in the life sciences community it’s best to default to buying compliant tools as much as possible so that you can stay ahead of the data security game. Check to make sure the software you are purchasing has undergone computer system validation. We know you might have more questions and need more answers regarding 21 CFR Part 11, so be sure to check out our quick definitions page.
If software is reputable, it will generally do its part to ensure that you know that it is compliant with this standard, and also that it is a transparent solution that will provide you with the resources that you need. If software balks at giving information about certification or if they seem to avoid the topic entirely, that is probably something that you should consider suspect.
Who is responsible for CFR Part 11 compliance?
Although software brands are responsible for creating products that fall within compliance guidelines if they wish to be used by life sciences companies, it is ultimately up to you to make sure that you are being compliant with CFR Part 11 and holding your team to a higher standard when it comes to data security and protecting your electronic records.
You should do your part to learn about this regulatory standard and what it entails, as well as what elements are going to be most important to your organization specifically. That way, you can focus your efforts and then focus on training people on the specific areas they need to know so you aren’t wasting time or resources.
What should I be training my employees on with CFR Part 11?
You’ll want to focus on proper training for username and password creation, ensuring that your company policies are in line with CFR Part 11 and that your SOPs are included in your LMS as part of onboarding and ongoing training.
You will also want to train people on:
- Password hygiene
- Phishing avoidance
- Two-factor authentication
- Data integrity and security
With a proper LMS, it will be easy for you to implement training modules that cover all of these topics and more. Contact eLeaP to discuss your needs and see how a validated software solution can help.
Title 21 CFR Part 11 covers several different topics related to data security and the requirements for software used by life sciences companies, pharmaceutical brands, and biotech companies. One of the very first things that CFR Part 11 points out is that nothing is automatic or guaranteed—that is, just because software exists doesn’t promise that it passes all compliance guidelines. After all, while your industry might require it, the general public doesn’t need a special data security compliance in place for their Microsoft Office products like PowerPoint for presentations, Excel, and others. 21 CFR Part 11 for your PowerPoint presentation files and training courses means you are deploying content on a validated system.
With that said, note that Microsoft Office is not automatically compliant with Title 21 CFR Part 11. You can make it compliant in various ways, including using it on a system that is compliant and that features all of the necessary security protocols. However, you cannot display secure electronic records or share them in Office, including PowerPoint, without changing the format, adding additional security protections or encryptions, or otherwise making sure that no one has access to the slideshow unless they have been given explicit permission.
Usually, this involves some other kind of tool that will help you authenticate and secure the software, or even using your own VPN (virtual private network) to allow for secure access to the software, no matter what kind of business you’re in.
What is CFR Part 11 and Why Does it Matter?
The FDA created Title 21 CFR Part 11 all the way back in 1997 when digital records first became a subject of concern. This regulatory standard was put into place to monitor and manage several aspects of data security and authentication for life sciences and other companies that handle sensitive and private electronic data. The FDA provisions set forth were designed to focus on:
- Use of authority and device checks
- Use of operational system checks
- Limiting system access to authorized parties
- Determining whether those who are maintaining, using, and developing electronic systems have the right training and experience
- Establishing policies that hold people accountable for actions taken under their electronic signature
- Appropriate systems documentation controls
- Open and closed system requirements
- Electronic signature guidelines and requirements
The entire premise is about creating a secure, authenticated way to monitor and regulate electronic records and signatures. It is a guideline for setting rules and requirements as much as it is a hard-and-fast guideline for software, hardware, and other tools used by any organization in the life sciences, medical device, or biotech industries.
How to Make Office Compliant
Like all software, PowerPoint is one of the tools that you will find yourself using on a regular basis, and it might not be explicitly compliant under this statute. However, if you are aware of what you are doing, it will be easy to make the tool compliant—you can find other ways to authenticate it or add it to the list of approved digital records solutions. Some people will just create presentations without a second thought, unknowingly sharing sensitive data in a format that is not properly secured. That can spell disaster fast.
If you need to make Office, PowerPoint, or any other tool compliant with CFR Part 11, or at least make sure that it meets the basic criteria, you will have a few different options. You can upgrade to a version of Office that is specifically for these types of organizations and that includes the electronic records and signature tools and provisions that are set forth by the law.
You could also opt to use the software on a secure system that has already been validated as a tool for electronic records and electronic signatures. Then, it doesn’t matter whether the app itself has compliance because the entire server that it’s being used on will be complying with all of the guidelines and mandates set forth regarding these two issues.
Can You Use PowerPoint Presentations without Compliance?
If you opt not to explore how to make your PowerPoint presentations compliant with this statute, you will probably be wondering whether you can even still use the tool. Technically, you could use it as a viable business tool, but you wouldn’t be able to share sensitive information or individual user details because the tool has not been vetted properly. Another concern is that if you are sharing information in these slides that is sensitive, it could end up in the wrong hands.
It’s rare that things like this happen, but it’s still something that needs to be on your radar. You never know when you’ll find yourself trying to work on a project only to realize that you’ve got to pause for compliance before you can move forward. There are several tools that you can use and several ways they can be used without falling outside of CFR Part 11, so long as you are following all safety and effective use protocols.
Setting Goals for Your Organization
Is CFR Part 11 compliance the goal? It should be, if it isn’t already, and these considerations should be on your mind. Tools like PowerPoint, Excel, and other Microsoft programs allow users to create robust documents, reports, and presentations and know that the information is protected and secure, no matter what.
Take the time to include compliance in your goals and check out whether your entire software stack is compliant with CFR Part 11, or whether it needs to be. This can help you figure out where to take the guidelines set forth by the FDA and how to use those guidelines to ensure compliance for your organization. It can also allow you to take a proactive approach so that you will never have to worry about the compliance of specific software tools because you’ll know which ones you want to use and where they stand.
Beyond the technical lingo and rules, CFR Part 11 isn’t nearly as scary as some people make it out to be. When you are investigating the regulation of your software tools used for creating and managing electronic records, these are the things that you need to keep in mind.
Compliance training is the Achilles heel for several organizations. Regulatory compliance topics like the FDA Title 21 CFR Part 11 policy are complex and provide more of a generalized guideline than a list of hard-and-fast rules, which can make training somewhat difficult in this particular arena. Every company is required to develop their own SOPs (Standard Operating Procedures) as a part of business development. Some companies may have multiple SOPs, and life sciences organizations will need to ensure that they have a dedicated SOP for CFR Part 11 compliance.
What SOPs Should Include
In order to keep life sciences organizations compliant, it will be important for companies to develop SOPs that include the necessary requirements and guidelines for electronic records and electronic signature compliance.
SOPs should include guidelines for things like:
- System features
- Infrastructure qualification and validation
- Security standards
- Data transfer standards
- Audit trails
- Electronic approval standards
- SaaS/cloud hosting guidelines
- Software development
In the security standards, usernames, passwords, and user access should be covered in detail, including login credentials that would require at least two or more people to falsify. This is not a full list of compliance regulations or guidelines, but will provide a good start for fleshing out an SOP for any life sciences organization.
What Electronic Systems are Included in Compliance?
According to the provisions of Part 11, any organization in the life sciences, biotech, or related industries that is using electronic (computerized) systems will be required to ensure that all of the systems that they use for storing and sharing information are compliant with this code. These systems include:
- Clinical research software
- QMS software
- Learning management systems (LMS)
- Drug discovery software
- Pharmaceutical and biotech software
- Administrative software and databases
- Any other electronic system with restricted access, secure data, or other details required to be compliant under CFR Part 11.
Organizations within the regulated industries of life sciences and biotech essentially need to guarantee that any and all software or electronic systems they use are compliant with CFR Part 11 and all of its policies.
It’s Not Automatic
CFR Part 11 compliance is not automatic or guaranteed. You can’t guarantee that software is compliant just because it is published—there is plenty of software that life sciences companies use every single day that doesn’t necessarily list this compliance outright, and unless you’ve seen proof that they have it, you shouldn’t trust that it exists.
So, what can you do?
Teach your team (and yourself) how to ask. When engaging with software brands, hardware companies, or anyone else that may be involved in your electronic records systems, ask them what is compliant and what isn’t. Ask if programs like Excel and PowerPoint have been modified to be made compliant or if they are simply standard applications, for example. Find out what tools your team needs and make sure that you can offer compliant solutions by working with providers that offer compliant solutions.
The Value of Your LMS in CFR Compliance
The Learning Management System used by these organizations was listed among the applicable systems that must comply with Title 21 CFR Part 11 policy guidelines. However, more than just being a compliant system because it stores employee records, it can be a training tool that can help teams learn about proper compliance standards and policies.
Having a compliant LMS allows you to teach while also teaching by example. You can implement training presentations, tests, and other educational resources to help teach employees about CFR Part 11 policy compliance. When that is combined with a compliant LMS, organizations will be able to show as much as they tell about compliance in attempting to get their own teams on board.
A compliant LMS is one that has secure records with limited user access, proper signatures that include date and timestamps, as well as reasons for access and other details. It will offer ease of use and help organizations create a robust training strategy that covers everything related to CFR compliance, electronic records, and more, with real-time examples incorporated into the LMS that is being used to train the team.
Security Upgrades and Authorized Access
While teaching about Title 21 is effective enough on its own, showing people the difference between compliance and noncompliance with real world examples will always make the biggest difference.
Teach your team about things like two-factor authentication, biometrics, and other security measures that are used for sensitive information and medical sciences industries today. Help them understand the value of password security and keeping systems secure so that they can help you keep your business safe.
Consider any security upgrades and authorization restrictions that you can put into place to add further security and compliance for your electronic records and signatures. Upgrade from basic passwords to biometrics, or even just to two-factor authentication. Set up user access based on the level of clearance or position within the company, and ensure tracking is in place so that a record of who is in which system, and what they have done there, is available at all times.
Training Can Make the Difference
Often, compliance violations are met with responses of “I didn’t know” or “I thought it was automatic”, and so forth. If people aren’t familiar with the best practices and how to follow Title 21 CFR Part 11 policy guidelines, how are they supposed to do so in their own work?
You should have a robust training plan in place that addresses every aspect of your business operations, of course, and that comes with having a solid Learning Management System that is CFR Part 11-compliant and that is designed with safety and security in mind. Plus, the system should make it easy to customize your training modules and update things as necessary over time and may even suggest training topics like Title 21 and other compliance training that your employees need based on their line of work.
To learn more about eLeaP, a modern LMS that is fully compliant with Title 21 CFR Part 11 policy, contact us today. We can help you set up the training that your team needs for everything from compliance to job training, and more.
Password security is one of the most essential parts of data encryption in the online world. When you’re dealing with life sciences, biotech, and electronic records, it’s even more critical to get it right—not just for the protection of your files and company information, but for compliance with federal regulations. The 21 CFR Part 11 password policy is a core part of how life sciences organizations can stay in compliance. Download the whitepaper, “How to Prepare for a 21 CFR Part 11 FDA Inspection”.
The FDA released Title 21 CFR Part 11 in 1997 as the Internet became a place where more and more electronic business was taking place. Despite the evolution of digital technology since that time, the rule has remained largely unchanged. That’s due, in part, to the fact that the regulation was generalized and nonspecific to begin with, simply outlining that electronic records and signatures required as much scrutiny and protection, if not more than, paper records and signatures.
Part of that comes in password compliance. Keeping your team on board with secure passwords can feel like an insurmountable task—people already have dozens of passwords to remember, and they don’t want them to be any more difficult than necessary. For you, though, difficult means safe, and that’s what you need to impress upon your team when coaching password security as part of your onboarding or ongoing training. Get the validated eLeaP platform to stay in compliance.
What Does Title 21 CFR Part 11 Cover?
In addition to passwords, Part 11 covers all kinds of topics related to electronic records, electronic signatures, and data security. This includes:
- Standard Operating Procedures (SOPs)
- System Features
- Infrastructure Qualification
- System Validation
- Security Standards for Roles, Usernames/Passwords, Restrictions, and Logs
- Data Transfer Standards
- Audit Trail Standards
- Electronic Approval Standards
- SaaS/Cloud Hosting Requirements and Responsibilities
Who can benefit from understanding this regulation? All life sciences organizations using electronic records and systems will need to understand and follow CFR Part 11 in order to remain compliant in their operations. This information is also helpful to regulatory professionals, as well as those in IT, quality assurance, auditing, and positions of management. Software vendors and hosting providers should also be well-versed in this policy and what it entails.
What can you do for your team? This guide is a good start to improving password security and compliance. You can also:
- Address the latest industry standards and provide updated LMS training
- Help employees understand the importance and requirements of working with SaaS/cloud-hosted solutions
- Implement a risk-based approach to validation to decrease implementation times and lower costs
- Review recent trends and FDA news to understand how improvements can be made to document authoring, review and revision, and final approval
- Take the course, “The GAMP Approach to 21 CFR Part 11 Compliance” to stay up to date and relevant.
What are the Password Guidelines?
CFR Part 11 password guidelines require that passwords are clean, not reused, and contain multiple combinations of numbers, letters, and special characters. In keeping compliance with Part 11 and protecting your life sciences organization when it comes to electronic systems, the following concerns need to be addressed in policy.
The first concern is password strength. People need to understand that while they might not want to go the extra mile on their personal accounts, there is no option at work. The first choice you have is to assign passwords that are strong enough to meet the demands of today’s systems. You could also allow people to choose their passwords but require certain guidelines to be followed, such as using a certain number of special characters or not repeating passwords previously used.
Password Hygiene and Housekeeping
Passwords need to be dusted off and changed periodically, just like your favorite jeans or the sheets on the bed. Regularly changing passwords (most security companies, and the 21 CFR Part 11 password policy, recommend every 60-90 days) ensures that there is less risk of a data breach because there is less opportunity for the password to be exposed to hackers or other threats.
Consider including a password policy in your employee handbook that covers things like:
- Credential safety
- Password strength
- Password hygiene/housekeeping
- Violations and consequences
Of course, you can’t punish your employees for a data breach—the “violations and consequences” section is just where you will outline what constitutes an outright violation of password safety and security, as well as what happens if someone compromises passwords or the related security of them by sharing information or otherwise not following the password policy.
Go the Extra Mile Regardless of Policy
When it comes to setting up your company for success, security is a primary concern. You should take the initiative to come up with a premium data security protocol for your life sciences company that includes password protection policies for all employees. Cover things like administrative permissions, levels of access, and other important topics so that everyone is on the same page. Provide your users with the chance to get as much information as they can about why password protection matters and how they can be a part of your company’s first line of defense by being smart.
The FDA requires that all electronic systems are adequately secured and that they have the necessary audit trails to prove that all changes and access points are carefully monitored and tracked. It also requires that all of the information that is protected by and specified in CFR Part 11 is shareable and accessible to all, including being able to be printed.
The idea is to ensure that everyone is informed and making the best decisions about things like data security for their company. When you engage the employees and make them an active part of the process, they will better understand the policies and feel more empowered to help keep the company safe. That’s an employee that any company would be lucky to have.
Take the time to sit down and come up with a Title 21 CFR Part 11 password policy that delivers the protection that your company needs, but that also meets all necessary guidelines for regulatory compliance. Get your employees on board and instead of just telling them how to set passwords, teach them why it matters. Your security will start improving in no time and you’ll ensure that your electronic records are safe from as many threats as possible.
Data security compliance and other FDA guidelines can be difficult to understand, even for the most seasoned of life sciences professionals. Title 21 CFR Part 11 is a regulation that was developed to outline the requirements for electronic records and signatures, including the use and management of them in the modern digital software ecosystem. For organizations that use Good Manufacturing Practice (GMP), adhering to the 21 CFR Part 11 statute is even more crucial.
CFR Part 11 is based on the prerequisite that all systems must be validated according to GMP, or Good Manufacturing Practice. This ensures that everything is up to par and that best practices are used in creating the databases and electronic records systems that are in place. As more brands strive to meet the guidelines to provide Part 11 compliant solutions and tools, it is important to understand how your organization, as a responsible party, should be able to validate and authenticate all of the resources that are being used. Get a free sandbox account to see how eLeaP’s CFR Part 11 compliant system works.
What are Good Practices?
Good Manufacturing Practice is one of the Good Practices guidelines that is relevant to life sciences and other related industries. Other GxP examples include:
- Good Laboratory Practice
- Good Clinical Practice
- Good Distribution Practice
- Good Documentation Practice
GMP ensures that all medical devices, pharmaceutical products, and other regulated products are manufactured and properly controlled according to high quality standards as a way to reduce the risk of harm to the consumer. Guidelines and rules vary from one country to the next, but every GMP has similar guidelines:
- All items must be consistently produced of high quality
- All products must be appropriate for their intended use
- Products must meet requirements for marketing or clinical trial authorization
The FDA regularly inspects various manufacturing facilities that produce medical devices, drugs, and other regulated products to ensure that all compliance guidelines are in place. The inspections all follow a singular approach that has been standardized, and each is conducted by a highly trained member of the FDA staff.
What is GMP?
Good Manufacturing Practice refers to the regulations set in place by the U.S. FDA that outline the requirements for those who make drugs, medical devices, and some food products to ensure those products are safe, effective, and pure. These regulations have quality controls in place and specific guidelines to protect consumers from contamination, medical device errors, dangerous items or medications, and more. Failure of an organization to comply with GMP can result in jail time, fines, and even recall or seizure of product.
GMP is a very specific set of regulations that your life sciences company needs to be familiar with if you are working in the manufacture, processing, or packing of drugs, medical devices, and relevant food or blood products. It addresses things like:
- Record keeping
- Personnel qualification
- Cleanliness and sanitation
- Equipment verification
- Complaint handling
- Process validation
This is also sometimes known as the cGMP, or “current” GMP, which reminds companies that they must be using the most up-to-date systems and information in order to be in compliance. For example, if someone is still using a 20-year-old system and trying to bring it into compliance, it may never be able to measure up and may require replacement instead.
The biggest hurdle that people have with figuring out Title 21 CFR Part 11 is realizing that it’s such a generalized standard that there really is no “strict” set of rules about how to manage compliance and maintain proper electronic records. There are guidelines, of course, but in realizing that so many different organizations would be adhering, the FDA left them quite vague so that they were all-encompassing and didn’t require a separate set of rules for each industry.
Thus, many people aren’t even sure if this compliance topic is relevant to them or if they have to comply. If you are dealing with electronic records and signatures in the life sciences industry, you must be compliant with CFR Part 11 in order to avoid serious repercussions.
Another part of this regulatory guideline, and one that often points out those who aren’t in compliance, is that audit trails must exist. Part of the electronic records process must include digital (electronic) signatures that advise who accessed the system, when the access occurred, and what the reason was for doing so.
Although the exact parameters of an electronic signature can vary from one organization to the next, these three elements must be in place in order for the signature to be considered valid and legally binding. The idea is that if you know who has been in the system and why, it will be easier to track records and paper trails when something goes wrong or comes up missing.
Of course, in an ideal world you would only need audit trails to help you show the FDA or other regulatory authorities that you do have the proper procedures in place for electronic records and keeping secure information in the digital space.
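The who, when, and why audit-trail elements described above can be made tamper-evident. The following is an added example, not eLeaP's code or anything Part 11 prescribes: it uses hash chaining (a technique chosen here) so that an edited or deleted entry is detectable. All names and the sample entries are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first entry in a trail


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    """Append-only trail; each entry commits to the one before it."""

    def __init__(self):
        self._entries = []

    def append(self, user_id, action, reason, when=None):
        # Who, what, and why are mandatory; the timestamp is set by the system.
        if not (user_id and action and reason):
            raise ValueError("user_id, action and reason are all required")
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self._entries) + 1,
            "user_id": user_id,
            "at": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry = {**body, "hash": _entry_hash(body)}
        self._entries.append(entry)
        return entry

    def head(self):
        """Hash of the newest entry; store a copy outside the system."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export(self):
        return [dict(e) for e in self._entries]


def verify_trail(entries, expected_head=None):
    """Return (ok, position of the first bad entry or None)."""
    prev = GENESIS
    for position, entry in enumerate(entries, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (
            body.get("seq") != position
            or body.get("prev_hash") != prev
            or _entry_hash(body) != entry.get("hash")
        ):
            return False, position
        prev = entry["hash"]
    # Removing the newest entries leaves a valid shorter chain, so compare
    # against a head hash that was recorded independently.
    if expected_head is not None and prev != expected_head:
        return False, len(entries) + 1
    return True, None


if __name__ == "__main__":
    trail = AuditTrail()
    trail.append("jdoe", "open record BATCH-0001", "scheduled review")
    trail.append("asmith", "edit record BATCH-0001", "correct typo in lot number")
    print(verify_trail(trail.export(), trail.head()))
```

A chain like this detects changes but does not prevent them, and it only detects removal of the newest entries when the head hash is kept somewhere the trail's administrators cannot rewrite.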
Take Advantage of the Tools
You always want to take advantage of the latest resources and tools that are available to help you with things like compliance. This includes when it comes to training your employees and helping them understand regulatory issues and their role in them. Having a compliant Learning Management System, or LMS, will be a good start.
Your LMS is a great training tool and for people just coming into the company or just getting their feet wet with compliance, the hands-on experience is often a great way to learn. Here, you can incorporate all of the elements of GMP and Title 21 CFR Part 11 that your employees need to know in order to help keep your organization safe.
When you work with eLeaP, you’ll get the dedicated assistance of a team that is committed to providing people with the tools and resources that they need for compliance with CFR Part 11, GMP, and other Good Practices guidelines. Plus, you’ll have the support to build a custom solution for your LMS needs, no matter what your life sciences organization requires.
The biggest thing that people get wrong about the 21 CFR Part 11 compliance rule in regard to electronic records and signatures is assuming that software is just compliant because it exists. It’s easy to think, “Well surely a company like Microsoft would do its part to make sure that their Excel software is fully compliant for all of its intended uses,” but it’s really not that simple.
For life sciences organizations, ensuring that all software and systems are compliant with Title 21 CFR Part 11 is crucial not only to regulatory standards but to day-to-day business operations. See the course on The GAMP Approach to 21 CFR Part 11 Compliance for additional insights on how to ensure that the systems you use are Part 11 compliant.
How do Microsoft and its suite of tools fit in? Here’s what your organization needs to keep in mind. In the meantime, see how the FDA-compliant eLeaP platform can ensure you stay in compliance with CFR Part 11.
Is Microsoft Compliant?
According to Title 21 CFR Part 11, systems must adhere to certain security standards and protocols in order to be compliant. This is not something that is inherent, nor is it a standard checklist that can be crossed off by all developers as they create new platforms. The guidelines are generalized, on purpose, both so that the law requires less updating and so that companies have more leeway to decide how to secure the tools they use and find the resources that they need to comply with these guidelines.
Microsoft is not inherently going to be compliant with Part 11, but there are versions that can be. Some also choose to have their systems or versions modified to meet these requirements. It’s all about the electronic records and signatures.
Electronic records and signatures must be kept within certain compliance standards, including meeting security requirements, following password guidelines, and more. You can make Excel spreadsheets and other files compliant, but it will take some work.
How to Make Excel CSV Compliant with the Code
Excel spreadsheets are capable of becoming compliant with 21 CFR Part 11, but the right software will have to be used. There is a process of validating spreadsheets to meet regulatory compliance, and it can be done by your organization or you can hire someone to perform the service for you. Either way, it’s important to make sure that spreadsheets get properly validated. In most cases, you will be better off hiring someone to do the work for you. Choose organizations and software that are designed to provide compliant solutions that are dedicated to the life sciences industry.
There are white papers and detailed reports on how to ensure that CSV files and other forms of communication are compliant with these codes and other federal regulations. It’s important to leave this to the professionals, though, because risking the compliance and integrity of your organization isn’t worth it for any cost.
Can I Use Non-Compliant Tools?
While you could store information in standard CSV files on a secure VPN or server that is secured according to the guidelines of CFR Part 11, you really shouldn’t. Technically, if you could produce an audit trail that ensures that the records are all electronically compliant and that all signatures have met appropriate validation requirements, this would be agreeable enough.
However, there’s a reason that compliant solutions for life sciences organizations and the like exist: because you’re supposed to use them. Think about all of the information that you are storing, the personal details that you may have on hand, and the sensitive health information and medical records that could become exposed. Not only that, but your entire company could be put at risk of a serious data breach from the smallest lack of consideration on your part.
The best solution is to always ask for compliance assistance or proof of compliance, and to request help from organizations that specialize in these services when you need it.
What Solutions are Available?
There are several services and tools available to help turn all MS Excel spreadsheets into compliant tools as part of the FDA Title 21 Part 11 code that has been put into place. Some companies offer integrated software solutions that create compliant spreadsheets and other Office documents and files. Others offer the software and actually perform the services for you, saving you the trouble of converting everything to a compliant solution on your end.
You should take the time to explore all of your options for compliance solutions, including the people and resources that are available to assist you along the way. Just because standard versions of software aren’t compliant doesn’t mean that you can’t use them. It just means that you have to go through the additional step of putting compliance measures into place before you do.
According to Microsoft, the FDA has regarded Microsoft Teams as a fully compliant CFR Part 11 communication tool that meets all standards. Third-party compliance testing has been done to prove the effectiveness and accuracy of the Microsoft controls that are used in Teams to help remote teams collaborate. For life sciences organizations looking for a way to keep in touch, this is great news. Although there are several tools out there, so many people are already familiar with the Microsoft family of products that it’s often easier to stick with what you know.
Protect Your Entire Organization
The reason that Title 21 CFR Part 11 is so generic in many ways is because there is so much variation between one organization and the next, both in terms of the hardware and software used, and in terms of the overall vulnerability of the records and information that are stored within the business. By taking the time to perform an applicability assessment, it will be easier to determine the best steps to take in order to fall into compliance with Part 11 or ensure continued compliance for your organization.
That includes validating and using tools like Microsoft Excel only when they are offered in compliant forms. Even if your system is set up to be the failsafe, there are no guarantees that your information will always be protected. Having tools that are all compliant will ensure that nothing slips through the cracks. From your Learning Management System to your everyday office tools, it’s about securing data and providing proper electronic records controls.
Today, companies are attempting to stay relevant and keep their systems secure and compliant in as many ways as possible. As more people experience the world remotely and handle things via digital document transmission, it becomes so much easier for people to transact business around the world. However, that also puts a lot more risk on companies in the life sciences and biotech industries that are dealing with all of these new electronic protocols and signature requirements if these companies want their electronic records and electronic signatures to be considered for validation in compliance with 21 CFR Part 11.
Under Title 21 CFR Part 11, electronic records and electronic signature validation both have specific guidelines that must be followed in order for them to be considered as real and authentic as a wet, or handwritten, signature or record. Below, we’ll look at the requirements in depth. In the meantime, get a free sandbox account to see how eLeaP’s CFR Part 11 compliant system works.
Digital Signature Requirements
Digital signature requirements under 21 CFR Part 11 state that there are several different elements that must be contained within the digital or electronic signature for it to be compliant. Under this statute, electronic signatures must contain:
- The legal name of the signer
- The time and date the document was signed
- Why the signature was required (training, review, approval, etc.)
Other requirements include:
- That the signature must be linked to a single, specific document in such a way that it can’t be tied to any other documents or be falsified in any way. That often includes the requirement of a password or unique identifier that allows the document and signature to be more secure.
- All signatures must be assigned only once and be unique to each individual. That way, there is no confusion about who is altering the records or why they are doing so.
- The use of biometrics is allowed in place of two-factor authentication or alongside it to provide an additional layer of security, within specific protocols so that the validity of the signature or document access cannot be challenged.
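The manifest fields and the record-linking requirement listed above can be checked mechanically. The following is an added example, not eLeaP's code or text from Part 11: it assumes a per-signer secret key held by the system and uses an HMAC as a stand-in for whatever signing mechanism a real platform uses; all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Fields every signature manifest must carry (name, time, meaning, record link, MAC).
REQUIRED = ("signer", "signed_at", "meaning", "record_sha256", "mac")

def _mac(body, signer_key):
    """HMAC over the canonical JSON form of the manifest body (assumed scheme)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(signer_key, payload, hashlib.sha256).hexdigest()

def sign_record(record_bytes, signer_name, meaning, signer_key):
    """Build a manifest bound to exactly one record through its SHA-256 digest."""
    manifest = {
        "signer": signer_name,                                # legal name of the signer
        "signed_at": datetime.now(timezone.utc).isoformat(),  # time and date of signing
        "meaning": meaning,                                   # review, approval, training...
        "record_sha256": hashlib.sha256(record_bytes).hexdigest(),
    }
    manifest["mac"] = _mac(manifest, signer_key)
    return manifest

def verify_signature(record_bytes, manifest, signer_key):
    """Return (ok, reason); rejects incomplete, altered, or transplanted signatures."""
    missing = [f for f in REQUIRED if not manifest.get(f)]
    if missing:
        return False, "missing field: " + ", ".join(missing)
    body = {k: manifest[k] for k in REQUIRED if k != "mac"}
    if not hmac.compare_digest(_mac(body, signer_key), manifest["mac"]):
        return False, "manifest altered or wrong signer key"
    digest = hashlib.sha256(record_bytes).hexdigest()
    if not hmac.compare_digest(digest, manifest["record_sha256"]):
        return False, "signature belongs to a different record"
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample secret
    sop = b"SOP-001 rev 3: cleaning validation"  # constructed sample record
    sig = sign_record(sop, "Jane Q. Example", "approval", key)
    print(verify_signature(sop, sig, key))
    # The same manifest attached to another record is rejected.
    print(verify_signature(b"SOP-002 rev 1", sig, key))
```

Because the signer, timestamp and meaning are covered by the same MAC as the record digest, changing any one of them invalidates the signature, not just changing the record.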
If you go on to read the further text of Part 11, you will see that there are requirements regarding the use of electronic signatures, as well as how they are set up and regulated:
- The signature must be so secure that any misuse attempted will require at least two individuals within the organization in a collaborative effort.
- Signatures must be unique combinations of usernames and passwords and duplicates must be prevented by the system and the administrators.
- Passwords and usernames should be updated and checked regularly to ensure they are providing maximum security and still delivering the protection that is required.
- There must be loss management procedures in place for situations where passwords, codes, or key cards are lost or misplaced. This will ensure there is a way to deauthorize electronic access and signatures.
- There must be suitable measures in place to protect your system against unauthorized attempts at access.
- All input and output devices, as well as the software operating on them, should be tested regularly to ensure proper operation and that they are providing the best level of security possible.
How This Applies to Life Sciences
In the life sciences industry, there are a lot of regulatory compliance issues to cover. They all have the same purpose, however: providing a regulated, standardized system for ensuring that electronic records and signatures hold up and deliver the same caliber of reputability as paper records and wet ink signatures.
All systems that manage electronic records are required to have certain features when used by a life sciences organization. That includes your Learning Management System (LMS), as well as other electronic systems and records used. Features required for life sciences industries:
One of the biggest caveats of Title 21 CFR Part 11 is that every electronic record and signature needs to follow a clear trail that can easily be audited. This is required for any and all systems that are used in life sciences to store or capture electronic data and signatures.
A proper system to ensure record retention is another important element of any system that is compliant with CFR Part 11. Being able to ensure the integrity of data, proper file formats, and procedures on handling data security is critical.
Standard Operating Procedures
Every organization will need standard operating procedures that dictate how the organization handles their IT infrastructure, including physical and logical security, system maintenance, system change controls, electronic signature policies, disaster recovery and backup/restoration policies, and incident and problem management procedures.
Electronic Record and Signature Policies
As mentioned in the SOP, organizations will have a specific policy that mandates using and handling electronic signatures and records. This will include all guidelines set forth by Title 21 CFR Part 11 and will apply to all electronic systems on the network. These procedures must include all of the elements covered above as outlined in Part 11.
All electronic systems must also have validation that they are “fit for use”. This essentially means that the system is designed to provide the use required by the life sciences industry and that it meets all regulatory compliance guidelines. Fit for use is a different designation than compliance with Title 21 and is actually part of the latter.
Protecting Your Software and Your Team
Protect your learning management system, your customer database, your digital records, and anything else that’s located in the cloud or on a hard drive somewhere and do it by enlisting the compliance guidelines of Title 21 CFR Part 11. When you choose software tools that have compliance in mind, you’ll trust that your information is safe and secure. You can even enlist the help of biometrics, further deterring hackers and others from taking negative action against your organization or its electronic data.
If your LMS leaves something to be desired, contact the team at eLeaP to see how our platform can deliver the custom solutions that you need with usability and compliance in mind. To ensure your network is up to par and your LMS can deliver, reach out now.
Title 21 is the code that sets forth the guidelines for data security and privacy. Part 11 compliance is the part that covers electronic records and signatures compliance for organizations within the life sciences community, among others.
The Title 21 CFR Part 11 applicability assessment can be used to help you determine whether this guideline holds relevance to your business. There are exceptions to every rule, and this case is no different. Understanding that is the first step. You cannot properly employ the practices of CFR Part 11 or even know if they’re applicable to your business without doing a little research.
By 2024, it’s expected that the SaaS industry for life sciences will see growth of $2.55 billion. Applicability is becoming more relevant than ever before. Nonetheless, organizations and vendors alike will still want to use the applicability assessment to determine whether this compliance should be on their agenda.
Title 21 CFR Applicability Assessment
This assessment is simply the process of ensuring that all software tools and hardware solutions are compliant with CFR Part 11 in regard to electronic signatures and electronic record storage. People often struggle to figure out whether the rules and provisions of Title 21 CFR Part 11 even apply to their business. This statute sets the regulatory compliance guidelines for several different electronic records and document keeping processes.
Applicability simply means: “does this rule pertain to my company/my records?”
There are some industries where Title 21 CFR Part 11 applicability comes standard. Life sciences, biotech, and medical device companies are at the top of the list, and in the UK, even pharmaceutical companies are held to a standard similar to the US’s Title 21 guideline that is known as Annex 11.
Below, you will see some factors in the applicability assessment as it applies to all life sciences organizations and others subject to compliance with CFR Part 11.
Is it a true digital record?
CFR Part 11 applies only to digital records. That means that a digital copy of a hard document (such as an email attachment of a PDF that was scanned in from a physical document) is not subject to the compliance guidelines of this statute. One of the biggest elements of applicability for compliance is the validation of the electronic nature of the record or information.
There are several regulations in place that govern determining the applicability of this rule, including the definition of an electronic record: any combination of digital media that is stored, maintained, modified, or created within a computer system.
Who decides what qualifies?
The FDA is responsible for regulating and determining what qualifications are set forth in regard to electronic record storage and electronic signatures. According to CFR Part 11, if electronic records meet all outlined requirements, they are deemed to be acceptable alternatives to a paper or hard copy record.
The “outlined requirements” include:
- Infrastructure and system validation
- Data security standards for roles and access
- Audit trails with record of who accessed the record, when it was accessed, and the purpose for access
- Single sign-on standards
- Two-factor authentication and/or the use of biometrics
- Hosting validation
There are several different hard copy records that do not qualify or that aren’t applicable under this law, and the regulations set forth will determine everything that you need to know.
What about the gray area?
The problem is that the 21 CFR Part 11 Applicability Assessment isn’t necessarily a cut-and-dried approach. There is a lot of gray area for the definitions and guidelines within this regulation. For example, some companies automatically generate paper reports and have them printed and signed regularly, which many assume negates the need for compliance with this statute.
However, regardless of a paper trail, if there is any storage of electronic records or use of electronic signatures, the applicability assessment will generally determine that Title 21 CFR Part 11 does apply to your life sciences organization. The exceptions here are rare, and generally related to age.
Some systems, such as ones that were in place before the original law in 1997 (rare) and those that generate paper printouts, do not have to meet compliance guidelines at the time of this writing. As the market for life sciences software and electronic access continues to grow, however, it’s likely that the compliance guidelines may also be modified to encompass more organizations and the record keeping systems that they use.
Closed systems are the ones that will be regulated by this guideline, for the most part. Open systems will have additional encryption methods in place to ensure that the system is protected from any potential threat that could come into play. Closed systems are required to provide:
- System validation
- Generation of readable records
- Ensuring record protection
- Limited system access
- Audit trails and operational system checks
- Authority checks
- Peripherals checks
- Training on the compliance necessary
- Prevention of falsification of records
- System documentation, including who has access and for what purpose at all times
This is a guideline that outlines protocols and operational measures that are required of organizations dealing with any kind of electronic records. Therefore, it’s a matter of investigating to determine whether your records qualify for compliance under this rule.
Typically, any organization within the industries of life sciences, biotech, and pharmaceuticals will be required to comply with CFR Part 11 when they use electronic systems to store information or communicate with employees and/or vendors. This ensures that electronic records and signatures can be validated and authenticated, and that they are given the same credibility as a handwritten signature or hard copy record.
When you work with eLeaP, the Title 21 CFR Part 11 Applicability Assessment is not something that you’ll have to worry about. Our LMS is designed to provide a compliant solution to assist your organization in streamlining your training and employee records and ensure that everything is up to code for organizations working within the life sciences industry.