21 CFR Part 11 Checklist
Among companies in the Life Sciences, such as pharmaceutical firms, hospitals, biotech innovators, physical therapists, rehabilitation centers and others, industry standards are strict. Because this industry is so heavily regulated, systems, including learning management systems, have to be validated. Below is a 21 CFR Part 11 checklist to help ensure that your organization stays compliant with the requirements of the 21 CFR Part 11 standard.
21 CFR Part 11 Checklist
Validation
- Have you validated the system?
- Can you determine which records are altered or invalid?
- Can records be easily retrieved during their retention period?
- Is access to the system limited to individuals with appropriate authorization?
- Does the system enforce step or event sequence (process control system)?
- Are authorized individuals the only ones with the ability to use the system, alter records, electronically sign documents, and take other steps?
- If data can only be supplied by specific input devices, does the system validate data sources? (This implies a network of authorized input devices where the system must verify source identity/integrity/authorization).
- Do you provide documented training for system users, developers, and support team members, including training on the job?
- Do you have a written accountability and responsibility policy concerning actions taken under a user’s login/electronic signature?
- Do you have a way to control access to, use of, and distribution of the system’s operation and maintenance documentation?
- Are the system and its data fully protected with state-of-the-art encryption?
- Do you require digital signatures?
Create an Audit Trail for All Documents
- Do you have an audit trail for all documents? Note that the audit trail should be secure, computer-generated, and time-stamped, and it should record the date and time of entries and actions that affect documents/records in any way.
- Do changes to documents/records leave previously recorded information intact? Note that all previous information should still be accessible and not erased or obscured by changes.
- Is the audit trail for each document/record accessible for the duration of its retention period?
- Can the FDA review and copy each document/record’s audit trail?
- Does the audit trail include all necessary/relevant elements, including user ID, event sequence, original and changed values, changelog, revisions, and change controls?
- Do all signed documents/records include the signer’s printed name, the date/time of signing, and the reason/meaning for the signing? Is this information visible when the document/record is displayed and/or printed?
- Do all signatures link to their corresponding records/documents to prevent cutting, copying, or other modifications that might allow misrepresentation?
- Have you implemented a formal change procedure for documentation within the system? Does that procedure maintain a time-stamped audit trail for all changes made by a pharmaceutical firm?
- Does each individual have his or her own unique electronic signature?
- Do you have a means of preventing signatures from being reassigned or reused?
- Do you validate identities before assigning a signature?
- Do all signatures include at least two components? Examples include ID cards and passwords or ID codes and passwords.
- Have you guaranteed that only the genuine owner can use a biometric e-signature?
- Does the system require a password at each step in a multi-step/continuous session?
- If you do not use continuous sessions, does each signing require the execution of both signature components?
- Can you verify that only owners use non-biometric signatures?
- Would it require at least two individuals to forge an electronic signature?
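As an added example, not code from eLeaP or from the regulation, the following Python model shows how the audit-trail and signature items above fit together: entries are append-only and chained with a keyed hash (the key is a constructed placeholder), a change keeps the prior value alongside the new one, and each signature records the signer's printed name, the meaning of the signing and the time, and is bound to the exact content it signed.

```python
import hashlib, hmac, json

# Constructed demo key; a real deployment keeps this in an HSM/KMS, never in source.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _mac(entry):
    # Keyed hash over every field except the stored hash itself.
    body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()

class Part11Record:
    """One electronic record with an append-only, hash-chained audit trail."""
    def __init__(self, record_id, user_id, content, ts):
        self.record_id = record_id
        self.trail = []
        self._append("create", user_id, ts, old=None, new=content)

    @property
    def content(self):
        # The newest create/change entry is the current value; older values stay in the trail.
        return next(e["new"] for e in reversed(self.trail) if e["action"] != "sign")

    def _append(self, action, user_id, ts, old, new, meaning=None):
        entry = {"seq": len(self.trail) + 1, "record": self.record_id, "time": ts,
                 "user": user_id, "action": action, "old": old, "new": new, "meaning": meaning,
                 "prev": self.trail[-1]["hash"] if self.trail else GENESIS}
        entry["hash"] = _mac(entry)
        self.trail.append(entry)

    def change(self, user_id, new_content, ts):
        self._append("change", user_id, ts, old=self.content, new=new_content)

    def sign(self, user_id, printed_name, meaning, ts):
        # The signature entry stores the content hash, binding it to exactly this version.
        digest = hashlib.sha256(self.content.encode()).hexdigest()
        self._append("sign", user_id, ts, old=None, new=digest, meaning=f"{printed_name} ({meaning})")

    def verify(self):
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for e in self.trail:
            if e["prev"] != prev or not hmac.compare_digest(_mac(e), e["hash"]):
                return False
            prev = e["hash"]
        return True

    def signatures(self):
        """Manifestation: signer and meaning, time, and whether the signed content is still current."""
        current = hashlib.sha256(self.content.encode()).hexdigest()
        return [(e["meaning"], e["time"], e["new"] == current) for e in self.trail if e["action"] == "sign"]
```

A signature whose third field turns False after a later change is the "signature no longer matches the record" condition an inspector would look for.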
Record Copies
- Can the system create accurate, complete paper copies of digital records/documents?
- Can the system create accurate, complete copies of records/documents in digital form for the FDA’s inspection, review, and use?
- Does the system use an established automated conversion or export process, such as PDF or XML?
Retaining Records
- Have you implemented controls to help enforce the uniqueness of all identification code and password combinations? Note that this is required to help prevent code/password duplication.
- Have you implemented a procedure to periodically check the validity of all password/code combinations recorded in the system?
- Do all passwords expire periodically, requiring the creation of a new, non-duplicated password?
- Have you implemented a procedure to recall ID codes and passwords if an employee leaves or is terminated?
- Have you implemented a means to disable/invalidate ID codes and passwords if they are lost or stolen?
- Have you implemented a procedure to detect unauthorized access attempts? Does that include alerting IT/security?
- Have you created a procedure for reporting multiple unauthorized access attempts, such as those that might be seen in a hacking attempt?
- Have you created a procedure to follow in the case of a lost or stolen device?
- Is there a way to disable lost or stolen electronic devices to protect access and sensitive data?
- Have you implemented controls over issuing temporary and permanent replacements?
- Do you test tokens and cards initially and then periodically?
- Does your token/card testing process verify that no unauthorized alterations have occurred?
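As an added example, not from the page or from eLeaP, this Python sketch models two of the controls in this list: detecting repeated unauthorized access attempts over constructed authentication log lines so they can be reported to IT/security, and refusing expired or revoked ID/password combinations. The 3-attempt, 5-minute and 90-day values are assumed policy parameters, not figures from the standard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data).
AUTH_LOG = [
    "2024-03-01T08:00:01Z user=u.alice result=success",
    "2024-03-01T08:05:10Z user=u.mallory result=failure",
    "2024-03-01T08:05:40Z user=u.mallory result=failure",
    "2024-03-01T08:06:05Z user=u.mallory result=failure",
    "2024-03-01T08:10:00Z user=u.alice result=failure",
    "2024-03-01T08:12:00Z user=u.bob result=failure",
    "2024-03-01T08:12:30Z user=u.bob result=success",
    "2024-03-01T08:20:00Z user=u.alice result=failure",
]

def parse(line):
    ts, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], result.split("=", 1)[1])

def detect_repeated_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (user, time) alerts when one ID accrues `threshold` failures inside `window`."""
    recent = defaultdict(list)
    alerts = []
    for ts, user, result in map(parse, lines):
        if result == "success":
            recent[user].clear()          # a successful login closes the failure streak
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            alerts.append((user, ts))     # hand off to IT/security and the reporting procedure
            recent[user].clear()
    return alerts

def credential_status(cred, now, max_age=timedelta(days=90)):
    """Revoked (left, terminated, lost token) and aged-out passwords must not authenticate."""
    if cred.get("revoked"):
        return "revoked"
    if now - cred["password_set"] > max_age:
        return "expired"
    return "valid"
```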
Get the LMS platform to ensure you pass Part 11 inspection: https://www.eleapsoftware.com/21cfrpart11/
Note: You can download a printable version of this 21 CFR Part 11 checklist here.
Learning management systems (LMS) can apply similar technologies to various learning and development requirements. We know, however, that client needs vary widely based on their industry. Learn how eLeaP’s CFR Part 11 compliant system helps clients meet strict regulatory requirements. Industry standards are pretty strict among the companies in the Life Sciences, such as pharmaceutical firms, hospitals, biotech innovators, medical devices, CMO, CRO, SaMD, and others. The industry requirement to adhere to the US Federal Standard 21 CFR Part 11 requires rigorous, validated software platforms like eLeaP.
Here’s a quick overview of how eLeaP helps you stay compliant with 21 CFR Part 11. You can also download the “How to Prepare for a 21 CFR Part 11 FDA Inspection” whitepaper.
Here’s what the FDA says about 21 CFR Part 11
PART 11 — ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
Subpart A – General Provisions
Sec. 11.3 Definitions.
(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.
(b) The following definitions of terms also apply to this part:
(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).
(2) Agency means the Food and Drug Administration.
(3) Biometrics means a method of verifying an individual’s identity based on the measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.
(4) Closed system means an environment in which system access is controlled by persons responsible for the content of electronic records on the system.
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.
(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. While conventionally applied to paper, the scripted name or legal mark may also be applied to other devices that capture the name or mark.
(9) Open system means an environment in which system access is not controlled by persons responsible for the content of electronic records on the system.
A considerable emphasis is placed on security. Any LMS must be able to verify with 100% certainty that a given employee or learner has acquired the skills imparted by the learning modules and that they can be trusted to use them on the job in a potentially high-risk scenario. In addition to a secure password system, eLeaP also utilizes Multi-Factor Authentication (MFA) to ensure that access to the system is secured and verified.
Life Sciences companies also tend to attract cybercriminals. Among large firms, a systems breach could compromise hundreds, if not thousands, of users’ personal information. This increased exposure prompted the FDA to adopt the 21 CFR Part 11 standard.
To go above and beyond the industry expectations for LMSs, eLeaP has conformed to the U.S. Food and Drug Administration’s “Industry Guidance.” While these documents are not legally binding, they provide an inside look at how the eLeaP Learning Management platform helps our clients comply with the 21 CFR Part 11. Suppose your organization maintains or compiles data on individuals (private or otherwise). In that case, it might be helpful to see how eLeaP could help you keep that data safe and meet this stringent federal standard.
10 Ways eLeaP LMS meets 21 CFR Part 11
The following are the top 10 industry standards to which eLeaP conforms:
- Protect user data at all cost
For any user to access the eLeaP LMS, they must provide their unique User ID and password. System administrators can control who can and cannot access certain content, and they can block suspicious users altogether. The eLeaP LMS is a cloud-based learning and training management platform and secure service. The platform employs advanced algorithms to detect and disrupt duplicate or deceptive log-in sessions, ensuring that medical device manufacturers, biotechnology, and pharmaceuticals are all adhering to 21 CFR Part 11.
- Ensure that all user log-in info is unique
Related to the previous mandate, some systems must accommodate many learners. In these situations, the possibility arises that certain individuals will create the same or similar user data in order to access the LMS. In the worst-case scenario, this can allow some people to sign on as a different user unwittingly. eLeaP protects against this danger.
- Ensure that non-biometric signatures relate to a given user
In the best-case scenario, from a security standpoint, each user on any system would log in with some form of identification that no one else would be able to copy. One might use, for example, a fingerprint. At the moment, this is, unfortunately, not realistic.
For this reason, we require each user to log in with two separate items that prove his or her identity, such as a User ID and a password. eLeaP passwords must conform to certain additional standards. Administrators can require users to change their password periodically.
- The system must detect and report suspicious or unauthorized activity
eLeaP automatically challenges repeated incorrect or suspicious login attempts. This prevents nefarious actors from gaining access to the system. While in infosec there is no such thing as 100%, eLeaP comes close. In addition to this, we can provide a custom report of strange or suspicious activity.
- Provide real-time progress reports confirmed by electronic signatures in a legible form
When it comes to Pharma and Biotech, things move quickly. When an employee earns a new qualification or proves themselves able in certain situations, management needs to know immediately. Even weekly reports aren’t going to cut it. eLeaP audits all user progress in real time, and whenever an administrator wishes, they can access a given learner’s progress in a legible, easy-to-read, date-stamped report. An instructor can also enable the E-Signature required setting to enforce course signing by end users before completion status can be awarded.
- The system must ensure that all learning modules progress in a given sequence and that users cannot access future modules before completing one that comes before.
The software engineers at eLeaP understand that, in the context of Pharma and Biotech training, learning new info is contingent on knowledge and skills previously acquired. Administrators using the system will be able to mandate that learners progress through learning modules one at a time. Clients can even set progressive access rules to ensure that users cannot access future modules unless they have completed the prerequisites.
- System must have version control for learning modules to ensure course updates can be performed and communicated to users.
eLeaP comes with a powerful version control system. Not only can you create minor or major changes, but you can even restore previous versions in case of mistakes. eLeaP also provides an easy and convenient way to notify users of course changes when major changes are made. Rely on a validated system like eLeaP to ensure full compliance with CFR Part 11.
- All uses of a separate user’s electronic signature must be confirmed by two other individuals
In general, we do not recommend sharing user data at all. If you must, however, and someone wishes to use another user’s electronic signature, we have put in place measures that require extra security clearance from two other authorized users.
- If long periods of inactivity occur, users must be timed out
We’ve all been in a situation where we left a password-secured account open on our computer in a social setting. The eLeaP LMS cannot risk allowing sensitive information to be made available to strangers or even friends. After a given period of inactivity, users will be automatically logged out. Clients can set their own timeout threshold.
- The system can be configured to require password authentication at periodic points of progress
While many systems will require password authentication only when initially logging on, eLeaP can be configured to require a user’s electronic signature or password at specific points throughout a given learning module.
- Electronic signatures must correspond to user data
Among Pharma and Biotech LMSs, one’s electronic signature is the first point of authorization. It cannot be used to falsify progress in any way. Our LMS automatically pairs user progress with their User ID and a date stamp as they move through learning modules. At the end of the course, the system can ensure that an E-Signature is provided before a completion status can be awarded.
These are just ten of the measures that eLeaP takes to ensure that the LMS conforms to industry standards and protects user data. All measures have been tested extensively. We can guarantee that they will meet and exceed industry expectations.
If you are in the Life Sciences industry, especially Pharma, Biotech, and Medical Device manufacturing, contact eLeaP today to schedule your free consult.
Resources:
- Why is CFR Part 11 so complicated?