The Food and Drug Administration (FDA) has a regulation called 21 CFR Part 11 that specifies requirements for digital records and electronic signatures. It was put in place within the pharmaceutical, medical product, and biologic industries back in 1997 to ensure the correctness, authenticity, and safety of electronic data and signatures.
All digital records that must be kept per FDA standards, including those on product development, production, distribution, and packaging, are covered by the regulation. In today’s article, we’ll be looking at certain technical controls for electronic records and signatures and seeing how they affect 21 CFR Part 11.
21 CFR Part 11 Technical Controls
Organizations must put in place technical controls that safeguard the veracity, integrity, and privacy of electronic documents and electronic signatures to comply with 21 CFR Part 11. Access control, digital signing, and encryption are some of these technical controls. Let’s take a look at them in no particular order:
Encryption is the process of transforming plaintext into an unintelligible format. It is used to safeguard the privacy of electronic documents since it makes it impossible for unauthorized people to view and access the data. Both data at rest and data in transit can be encrypted. Data in transit includes internet traffic and email attachments that are being sent from one place to another. Data that is kept in a database, on an HDD, or on other storage media is referred to as data at rest.
Electronic records must be encrypted to maintain their confidentiality since it makes it more difficult for outsiders to obtain and read such data.
Encryption could also safeguard the accuracy of electronic records since it makes it harder for unauthorized parties to change or remove the data.
Electronic signatures and digital records must be protected to ensure their authenticity, and digital signing is essential for this. It allows users to confirm that the data has not been changed or erased.
Digital signatures furthermore offer non-repudiation, which refers to the capacity to demonstrate that a signature was produced by a specific person and can’t be changed or removed.
Access control refers to the process of limiting who has access to electronic documents and signatures as well as the actions they are permitted to perform. Multi-factor authentication, passwords, or any other type of authentication can be used to establish access control. Access control may also be used to limit which functions people can perform on electronic signatures and records, including the ability to add, amend, or delete records.
Access control, which regulates who has access to data and what measures they may take with it, is essential for maintaining the integrity and confidentiality of electronic signatures and electronic records.
Access control also provides a way to track who has viewed the material and what actions they have taken, which helps ensure that digital records and signatures are properly secured and controlled.
Guidelines for Adhering to 21 CFR Part 11
The next difficulty is to maintain compliance with 21 CFR Part 11 once you have finished the checklist. If you’ve already reached this point, don’t worry—we have you covered, too! All you have to do is adhere to these 5 easy steps:
Even though the majority of software providers supply a solution, it is your duty as a producer to adhere to 21 CFR Part 11.
Therefore, just as with the user needs established by your existing team, you should double-check the important user requirements listed above. A comprehensive examination of 21 CFR Part 11 compliance is possible as part of the functional accreditation step of the software verification process. These phases make up a typical software verification process:
- Is the software set up properly?
- Would the software abide by all applicable rules and user specifications?
Software Performance Qualification:
- Does it operate consistently and dependably?
2. Authenticity and Protection for Electronic Records
Ensure that records are accurate, trustworthy, and consistent. Create and run routine processes to look for records that have been edited or are invalid.
- Ascertain the correct and thorough creation of data that are appropriate for agency examination, evaluation, and replication.
- Throughout the retention period, make record retrieval accurate and quick.
- Determine and confirm that individuals who create, utilize, or maintain electronic records and signing systems have the knowledge, skills, and experience necessary to carry out their assigned duties.
- Utilize policies and measures to guarantee the veracity, accuracy, and, when necessary, privacy of digital records from the time of creation to the time of receipt.
3. Authority and Security
This involves restricting system access to those with permission. Create various authorization levels for users so that only the appropriate users can use the system, digitally sign records, access the operation or the computer system’s input or output device, alter a record, or carry out the task at hand.
Assure that there are sufficient controls over how documentation for systems maintenance and operation is distributed, accessed, and used.
4. Audit Trails
Record operator entries with a time stamp.
Record the actions that create, edit, or remove electronic records.
- Make sure that record updates don’t obscure previously recorded data.
- Keep the audit trail for the relevant electronic records for at least as long as the law requires, and make it accessible for agency examination and copying.
- Establish revision and change control procedures to keep track of the history and chronological evolution of system documentation modifications.
5. Digital Signatures
Ensure that electronically signed documents include details such as the signer’s name, the time and date the signature was made, and the function (such as review, approval, accountability, or authorship) connected to the signature.
- To guarantee that the signatures cannot be removed, copied, or otherwise transferred to falsify an electronic record, link the handwritten signatures and electronic signatures executed to electronic records to their corresponding electronic records.
- To prevent record and signature falsification, establish written policies and make sure they are followed. These policies should hold people accountable for actions taken with their electronic signatures.
The aforementioned action items address all of the main challenges associated with compliance with 21 CFR Part 11.
So how then could you choose the most suitable eLearning software among the various options on the market that perfectly satisfies your eLearning requirements? It’s easy! Consider these 4 factors while purchasing an LMS: mobile compatibility, price, maintenance and utility.
Give the eLearning software you’ve picked a shot if it ticks off these 4 features. You can find all of these features and many more with the eLeap LMS! You’ll receive the most for your money in addition to a platform that is simple to use, packed with features, and compatible with a variety of devices.
21 CFR Part 11 is the legal framework that controls how businesses handle electronic documents and signatures. To comply with the FDA’s statutory inspection requirements, the regulation develops a framework for managing records and electronic signatures, making them generally similar to paper archives and handwritten signatures executed on paper.
Here, we’ll be taking a deeper look at the impact of 21 CFR Part 11 on a typical organization and seeing what requirements should be met.
The Need for 21 CFR Part 11
In essence, 21 CFR Part 11 was created as a regulatory response to safety concerns about how biotechnology, pharmaceutical, and medical equipment makers should handle the distribution, storage, and retrieval of records in the digital age.
The following electronic records elements are of considerable importance to the FDA:
- Software and computer system malfunctions
- The manufacturer’s procedures for maintaining data confidentiality and safety
- Avert data loss or corruption
- Uncontested review and approval signatures
- Traceability of data change
- Detecting and/or preventing fake records
21 CFR Part 11 was also created to accelerate digital transformation and generate significant cost savings for businesses compared with paper-based record-keeping, ensuring compliance with the regulations while encouraging enterprises to embrace paperless systems.
Additionally, it aims to lower the high costs these businesses incur by retaining paper-based filing systems to satisfy regulatory bodies. A fundamental objective is enabling these organizations to eventually make a regulated shift to digital systems and digitized operations. If you are unsure if your organization is covered under 21 CFR Part 11, see this course.
The Importance of Complying with 21 CFR Part 11
Typically, regulatory compliance isn’t approached with much enthusiasm. Nevertheless, 21 CFR Part 11 is crucial in defending the sector from non-compliant operators and the accompanying quality assurance errors.
Although adhering to the regulation can appear difficult, it’s crucial to keep in mind that its goals are to free regulated industries from the restrictions of paper documentation, standardize compliance, and provide a mechanism for businesses to operate more quickly. Additionally, software programs created to simplify Part 11 compliance are now accessible.
Following are a few benefits of 21 CFR Part 11 compliance:
- Improved operational effectiveness
- Cost-cutting: Huge space reductions in the warehouse
- Heightened system security
According to the “General Principles of Software Validation” guidance document, the FDA mandates validating the IT systems covered above. This raises the question of whether the entire software life cycle or the validation process is being discussed.
Closed and Open Systems
A closed system is one where the organization employing it controls system access. Only electronic signatures are necessary because the company has the ability to verify each user’s identification before granting them access to the digital record system.
An open system is one in which the organization using it does not have control over system access. Before granting access to the digital record system, the organization is unable to verify the identities of all users.
Standards for Closed Systems
For closed systems, the criteria are outlined in 21 CFR Part 11.10. The rationale behind the standards is that those using these systems must ensure that all data is authentic, intact, and, if required, confidential. Because of this, the following are important:
- Device verification
- Creation of records that are readable by humans.
- Making sure that records are protected (must be available).
- Restricting system access to those with permission.
- Use time-stamped, computer-generated audit trails that identify who made what changes and when.
- Operational system checks to make sure that, when necessary, just the authorized order of actions and events is implemented.
- Checks for authority to guarantee that only authorized individuals have access to the OS, computer, or peripherals, as well as use the system (for example, digitally generate and sign a document).
- Peripherals verify that outputs and inputs are accurate.
- Training for anyone involved in creating or using the system.
- Falsification is prevented so that signers are accountable for the documents they sign.
- System documentation includes information on who has access to it, how that access is allowed, whether it is for using or maintaining the system, and information on who modified what and when.
Standards for Open Systems
Open systems are subject to additional rules under 21 CFR Part 11.30. These include steps to guarantee the veracity, integrity, and confidentiality of records, such as document encryption and digital signature standards. Individuals who have handled this topic before will be conversant with the 21 CFR Part 11 standards addressing digital signatures.
The following information must be included in a digital signature:
- The signature’s time and date.
- The signature’s significance (e.g., author, approval, review).
- Protection from falsification: The digital signature can’t be changed in any way.
- Link to record: The signature needs to be linked to the record to prevent it from being used on any other records.
- Uniqueness: It must be feasible to link a particular person’s signature to that person.
- Methods that are both biometric and non-biometric: The authentication should be founded on biometric techniques or two separate identifying elements, like a password and identification code.
21 CFR Part 11 provides the following criteria for the use of identifying codes and passwords (such as user names, initials, or numbers) in 11.200 (a) as well as 11.300:
- The four-eyes rule states that electronic signatures must be controlled so that it takes the cooperation of two or more people to attempt to use another person’s electronic signature fraudulently.
- Unique combinations: It should not be possible to assign passwords and codes twice.
- Update: To ensure they are still secure, passwords and codes must be reviewed frequently.
- Loss management: There needs to be a process that allows “deauthorization” if passwords, codes, credentials, etc. are misplaced.
- Security precautions: Appropriate safeguards must be implemented to deter and identify illegal access attempts.
- Testing: To ensure input/output devices are functioning properly, particularly cards containing or reading permission information, they must be examined routinely.
Your company can benefit from the organizational advantages of digital record-keeping systems thanks to 21 CFR Part 11. Additionally, it enables the FDA to ensure that document safety and integrity are properly preserved when companies employ electronic record-keeping systems. Check out eLeaP’s LMS software right away to learn how it is designed to assist you in achieving and maintaining compliance with 21 CFR Part 11.
What is 21 CFR Part 11?
21 CFR Part 11 establishes FDA regulations on Electronic Records & Electronic Signature (ERES), which includes electronic submissions to the FDA. 21 CFR Part 11 defines the criteria under which ERES is considered Trustworthy, Reliable, and Equivalent to paper records. Title 21 is the portion of the Code of Federal Regulations (CFR) governing Food and Drugs in the United States.
21 CFR Part 11 is divided into 3 Subparts – A, B, and C
Subpart A – General Provisions
- Subpart A discusses the scope of regulations and when and how they should be implemented.
- It also defines some key terms used in regulations.
- Part 11 applies to all electronic records that fall under FDA Regulations. FDA will accept Electronic submissions instead of Paper submissions if those submissions adhere to Part 11 requirements and are included among the types of documents that the FDA accepts electronically.
Subpart B – Electronic Records
- Subpart B discusses the requirements for the administration of closed and open systems.
  - Closed system
    - System that can be built and tested, i.e., a system on the intranet that only testers and developers responsible can access.
    - It would be a build-and-test system on the intranet.
    - According to 21 CFR Part 11, a closed system must have a collection of procedural and technological controls to protect data within the system.
  - Open System
    - System that transmits data via the Internet.
    - Open computer systems must have controls to ensure that all records are authentic, incorruptible, and confidential where applicable.
- Subpart B discusses Signature manifestations and requirements for establishing a link between signatures and records.
- It also explains that the organizations using electronic records must establish and document procedures and controls – that include “CSV, Record Rendering, Document storage, and record retention, System access, Audit Trails, Workflows, Authority checks, Device checks, personnel qualifications, and personal accountability and document control” that ensure Authenticity, Integrity, and Confidentiality.
Subpart C – Electronic Signatures
- This section includes general requirements for:
  - Electronic Signature component and controls
  - Controls for identification codes and passwords
- A person using an electronic signature must have their identity confirmed and should use a unique signature.
- Subpart C also includes special design requirements for digital signatures that are biometric and non-biometric.
When does CFR Part 11 apply?
- 21 CFR Part 11 is applicable when an organization:
  - Maintains electronic records instead of paper records or if the record is maintained in an electronic format in addition to paper records.
  - Relies on electronic records on a computerized system to perform any regulated activities required by FDA, though they still make printouts.
  - Submits records to the FDA in electronic format (even though the records are not explicitly identified in FDA regulations).
  - Requires Electronic Signatures to be the equivalent of handwritten signatures, initials, and other general signings required by rules.
- 21 CFR Part 11 applies to all data acquisition and evaluation steps. Primarily, you must perform a risk assessment for all processes or activities required. To manage risks, you will need to understand your business and the goals of your business so that you will be able to identify how to reduce/mitigate those risks using Part 11 controls. This can be achieved by Part 11 – Gap Analysis – “to document the system’s compliance status in relation to all the requirements of Part 11”. The gap analysis checklist included consideration for the following:
  - Part 11 applicability
  - Process and procedures related to the use of electronic records and electronic signatures
  - Electronic Audit Trails
  - Logical security, user permissions, and workflow enforcement
  - Documentation procedures and training management
  - Implementation of electronic/digital signatures.
The Gap Analysis provides the company with insight into identifying the gaps that might exist and remediating those gaps in the system. The Part 11 Gap Analysis also helps to create new requirements to comply with Part 11 regulations, and it can also help improve access to the existing system.
Why is Part 11 required?
The core intention of Part 11 is to help any organization planning to use electronic records to replace paper records. In other words, this is an excellent tool and method to ensure that electronic records and signatures used in your work and organization are as authentic as physical records and signatures.
Thus 21 CFR Part 11 ensures,
- Reliability of electronic records and signatures
10 Steps to achieve compliance:
1. Validated Systems with complete documentation, including change control
Computer System Validation (CSV) is a formal process of testing or qualifying to ensure that systems operate consistently as intended. See how the eLeaP LMS helps you stay in compliance with Part 11.
What is expected by FDA?
- Procedures/SOPs should be put in place to ensure that the systems used in regulated activities are validated and maintained in a validated state through effective change control. Also, the person(s) validating must have adequate training and experience.
- A risk-based approach should be taken to validate. The actions should be determined by the risk a specific system or system functionality can have on data integrity, product quality, and patient safety. The risk assessment should ensure that the system functionalities with the highest risk receive the highest extent of validation.
- Data Integrity principles ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) should be in place.
- Version control and change control procedures should be in place for system documentation.
- An extensive Validation Plan which states the scope of the validation, approach, strategy, schedule, tasks to be performed, etc., should be created along with the Validation Summary Report, which provides an overview and results for the activities mentioned in Validation Plan. Both documents should be reviewed and approved.
- Traceability Matrix should be created and maintained as part of change control (it is a living document).
  - It should clearly indicate which requirements were tested with which scripts – IQ, OQ, and PQ.
  - Requirements can also be traced to SOPs, i.e., a few requirements can even be achieved through implementing procedures or having SOPs in place to train the employees.
  - It should also reference Functional Specifications and Design Specifications for custom-built systems.
  - It should be structured to enable the performance of an Impact assessment.
  - The Traceability Document is very useful and significantly facilitates system management and inspection of system documentation.
2. System should generate accurate and complete copies of electronic records for review/inspection
- The system should be enabled to easily search records (through Indexing) and print the records in a portable format (pdf, xml) in case of inspection along with the associated Audit Trail or E-signature information
- Document Version has to be clear and well maintained.
3. Record protection and easy retrieval throughout their retention
- A Retention policy or SOP should be in place.
- The system should be fully backed up regularly per the SOP or policy.
- Regular backup Restoration Tests have to also be performed. The records should be in a portable format (pdf, xml).
- Disaster Recovery Plan should be available for all the systems.
4. Appropriate Access Management – Security controls
- The system should have a security procedure based on user security profiles which can be applied up to the document access level.
- The system should enforce the sequencing of events based on document status.
- Each User must have a unique username and password to access the system. And the password should be changed periodically.
- The system should ensure that all approved or final records are read-only.
- Controls should be in place to detect security breaches.
5. Audit Trail – to discern changes to records throughout
- Audit Trails are very important and should be applied to all records in the system – documents, metadata, and signatures. When working with a 3rd party, all electronic records should be shared along with Audit Trail.
- The Audit Trail should be computer generated and non-modifiable and should include details of “who,” “what,” “when,” “where,” and “why” of activity on an electronic record. Audit Trail should have both old and new values.
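A tamper-evident trail of the kind described above, as an added example that is not eLeaP's code or part of the original article: each computer-generated entry carries who, what, when, where, why and the old and new values, and commits to the hash of the previous entry so that edits, deletions and reordering are detectable. The class and function names, the sample users and the `BATCH-0001` record are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value that the first entry chains to


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of an entry (without its hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail; the timestamp and sequence number are set by the
    system, never by the caller."""

    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def append(self, who, what, where, why, record_id, old, new):
        body = {
            "seq": len(self._entries),
            "when": self._clock(),
            "who": who, "what": what, "where": where, "why": why,
            "record_id": record_id,
            "old": old, "new": new,  # both values kept, nothing is overwritten
            "prev": self.head(),
        }
        entry = dict(body, hash=entry_digest(body))
        self._entries.append(entry)
        return entry

    def head(self):
        """Hash of the latest entry; store it outside the application."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export(self):
        """Copy of the trail, e.g. to hand over with the records."""
        return [dict(e) for e in self._entries]


def verify(entries, expected_head=None):
    """Return the index of the first inconsistent entry, len(entries) if the
    chain is intact but does not end at expected_head, or None if all is well."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or entry_digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def build_sample_trail():
    """Constructed sample data: three actions on one batch record."""
    ticks = iter(["2024-01-05T09:00:00+00:00",
                  "2024-01-05T09:12:00+00:00",
                  "2024-01-05T10:30:00+00:00"])
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.append("jdoe", "create", "qc-ws-01", "initial entry",
                 "BATCH-0001", None, {"assay_mg": "4.8"})
    trail.append("jdoe", "modify", "qc-ws-01", "transcription error",
                 "BATCH-0001", {"assay_mg": "4.8"}, {"assay_mg": "4.9"})
    trail.append("asmith", "approve", "qa-ws-02", "QA review",
                 "BATCH-0001", {"status": "draft"}, {"status": "approved"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    entries = trail.export()
    print("intact:", verify(entries, trail.head()))
    entries[1]["old"] = {"assay_mg": "5.0"}  # simulated after-the-fact edit
    print("first bad entry after edit:", verify(entries))
```

The chain on its own cannot reveal that the newest entries were cut off or that the whole trail was regenerated; that check depends on comparing against a head hash kept where the application cannot overwrite it.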
6. Encryption for Open Systems
- According to CFR, “An Open system means an environment in which system access is not controlled by persons responsible for the content of electronic records on the system.”
- In other words, if the system is hosted or used by an individual outside of the organization, thus transmitting information over the internet, it may be considered an open system.
- Records from Open systems should ensure Authenticity, Integrity, and Confidentiality.
- Encryption such as VPN can also be used to ensure Confidentiality, and Digital Signatures can help to show integrity and authenticity.
7. Linking Electronic Signature to Records
- As per CFR, “Electronic signatures and handwritten signatures executed to electronic records should be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.”
- Proper Version control procedures should be in place to maintain system documentation and record.
8. Electronic Signature – controls and components
Electronic Signature should have the following controls or components:
- E-signature should have at least two identification elements to sign and should be unique to an individual.
- The person who performs an E-signature must be trained to E-Sign and sign a non-repudiation form that clearly identifies them.
- The E-signature should become invalid if a record updates after being signed.
- The E-signature should have the following components:
- Full Name of the Signer
- Reason for signature (Author, review, approve)
- Date and Time of signature (Unambiguous Timestamp)
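One way to link a signature to its record so that it cannot be copied to another record and becomes invalid when the record changes, as an added example (not eLeaP's implementation or code from the original article). It assumes a closed system in which the server seals the signature manifest with an HMAC key, which stands in here for an asymmetric digital signature; all names, users, passwords and keys are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo values. In a real deployment the sealing key would sit in
# an HSM or key management service and credentials in the identity store.
SEAL_KEY = b"constructed-demo-key-not-for-production"
PBKDF2_ROUNDS = 100_000
USERS = {
    "asmith": {
        "full_name": "Alice Smith",
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                       b"constructed-salt", PBKDF2_ROUNDS),
    }
}
MEANINGS = {"author", "review", "approve"}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record):
    return hashlib.sha256(canonical(record)).hexdigest()


def authenticate(user_id, password):
    """Two identification elements: the user ID and the password."""
    user = USERS.get(user_id)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    user["salt"], PBKDF2_ROUNDS)
    return user if hmac.compare_digest(candidate, user["pw_hash"]) else None


def seal(manifest):
    return hmac.new(SEAL_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def sign_record(record_id, record, user_id, password, meaning, signed_at=None):
    """Build a signature manifest bound to this exact record content."""
    user = authenticate(user_id, password)
    if user is None:
        raise PermissionError("identification code / password check failed")
    if meaning not in MEANINGS:
        raise ValueError("unknown signature meaning: %r" % meaning)
    manifest = {
        "record_id": record_id,
        "record_sha256": record_digest(record),  # the link to the record
        "signer_id": user_id,
        "signer_name": user["full_name"],         # full name of the signer
        "meaning": meaning,                       # author, review or approve
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(),
    }
    return dict(manifest, seal=seal(manifest))


def check_signature(record_id, record, signature):
    """Return 'valid' or the reason the signature no longer applies."""
    manifest = {k: v for k, v in signature.items() if k != "seal"}
    if not hmac.compare_digest(seal(manifest), str(signature.get("seal", ""))):
        return "manifest altered"
    if manifest.get("record_id") != record_id:
        return "signature belongs to another record"
    if manifest.get("record_sha256") != record_digest(record):
        return "record changed after signing"
    return "valid"


if __name__ == "__main__":
    record = {"batch": "BATCH-0001", "assay_mg": "4.9", "version": 3}
    sig = sign_record("BATCH-0001", record, "asmith", "correct horse", "approve")
    print(check_signature("BATCH-0001", record, sig))
    print(check_signature("BATCH-0001", dict(record, assay_mg="5.1"), sig))
```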
9. Trained and qualified people
- There should be a clear job description and training matrix to indicate qualifications and required training for each role – to develop, install, validate, maintain and use the system.
- There should be formal training to use the system along with SOP trainings.
10. SOPs in place
There should be formal and regularly updated SOPs in place for the following:
- Software Development
- Computer System Validation (CSV)
- Physical and Logical security and data protection
- System Maintenance and Administration
- Disaster Recovery and Business Continuity
- System change control
- Record Management (Backup, Recovery, Record Retention, Archival)
- Electronic and Digital Signatures
- System Management
- Any other regulated process.
How does eLeaP help you with 21 CFR Part 11:
eLeaP is a web-based e-learning solution with a simple but sophisticated user interface, allowing technical and non-technical training managers to create, manage and track interactive training courses and learning programs for all levels of users. eLeaP’s training tracking software can also be used to register and track classroom or instructor-led training and deliver continuing education credits.
Let’s say you use a general-purpose e-learning (LMS) system to manage your training. Given that it is general-purpose, you have to spend a considerable amount of time and effort to engineer the system you want. It also carries a lot of risk because regulatory LMS best practices won’t be built in. Our learning management software system is flexible, validated, adaptable, and customizable – and so easy to use that it can be up and running in a matter of minutes with no special training.
For highly regulated medical device organizations and life science industries, it has become a challenge to achieve 21 CFR Part 11 compliance and a matter of concern for companies subject to FDA inspections. Organizations must follow best practices in maintaining compliance and the quality process by following the 21 CFR Part 11 regulation. However, as more medical device manufacturers have moved from paper-based to electronic quality systems, they have become subject to a new set of regulations: 21 CFR Part 11. When the regulation is viewed as a whole, the goal is quite simple, to legitimize digital records by giving credibility to electronic signatures, audit trails, and digital authority checks. Organizations that are required to comply with 21 CFR Part 11 understand the stakes that exist. We’ll try to give you helpful tips to get your organization aligned with the FDA’s requirements.
Here are some significant points and tips to be aware of to ensure you and your organization achieve compliance with 21 CFR Part 11:
- Determine whether 21 CFR Part 11 applies to your system or organization
- Assess your data integrity compliance status in terms of how your data is currently stored and protected
- Follow accepted processes to implement time-stamped audit trails
- Ensure that access management is strictly controlled
- Ensure that your current digital signature process is as per the regulations
- Implement change control procedures for compliance
- Ensure the applicable predicate rules are implemented
- Validate electronic records and electronic signatures, i.e., IQ, OQ, PQ
- Provide training to the staff
A brief overview of 21 CFR Part 11
The FDA’s Code of Federal Regulations Title 21 Part 11 defines basic criteria for which electronic records and electronic signatures are considered reliable, trustworthy, and equivalent to paper documents with handwritten signatures.
Furthermore, it establishes requirements related to electronic signatures, electronic records, and controls on electronic record systems.
As we move more towards digitalization, it has become difficult for companies to handle paper documentation. In Part 11, the FDA addressed the need for increased innovation in the industry’s working methods so that new products could be brought to market faster with the help of digital tools.
While it may seem like 21 CFR Part 11 was created to make your life more complex, the intent is actually the opposite. The goal is to ensure that your electronic records and signatures can be trusted. Yes, you have additional steps to take to ensure you can comply with 21 CFR Part 11; however, they are manageable, and the right partner makes all the difference.
As digital recordkeeping becomes more and more commonplace and eliminates the use of paper copies for data, it is essential to protect the integrity and accuracy of the information. This regulation will help with accountability and traceability of information throughout the documentation processes. It helps to protect against falsified records and unauthorized access to information and ensures that everything is stored safely.
Having a SaaS-validated learning management platform that is compliant with 21 CFR Part 11 can help you not only understand the FDA regulatory requirements but, more importantly, comply with those rules.
Let’s take a deep dive into understanding the tips that can help medical device companies improve CFR Part 11 compliance.
#01- Determine whether 21 CFR Part 11 applies to your system or organization
The first consideration is identifying whether 21 CFR Part 11 applies to your system or organization. Any medical device company releasing a product to the market that thinks it won’t be subject to the regulation because its ‘master copies’ of documentation are all in paper form is probably mistaken. If you store or have uploaded any of your documents onto any computer system as part of your development process, you are certainly subject to the regulatory requirements.
In section 11.3, the FDA defines “electronic record” as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” As the definition describes, the FDA statute covers a broad swath of electronic records. Whether you are a heavy user of electronic or computerized systems or an infrequent user, you and your organization are most likely covered under Part 11.
Moreover, the FDA has broadened its perspective on electronic records and specifically defines which records are applicable for Part 11.
#02- Assess your data integrity compliance status in terms of how your data is currently stored and protected
There must be procedures to ensure that the data is stored and protected from modification or loss of data. The companies must assess if their systems are closed or open and implement procedures accordingly. Companies that use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, confidentiality of electronic records. The procedures and control are defined in the 21 CFR Part 11 statute under section 11.10(c) as the Protection of records to enable accurate and ready retrieval throughout the records retention period.
Also, Part 11 requires that electronic systems be able “to generate accurate and complete copies of records in both human-readable and electronic form for inspection, review, and copying by the agency.” The FDA guidance specifies that a company should provide the FDA investigator with reasonable access to records during an inspection.
#03- Follow accepted processes to implement time-stamped audit trails
Electronic records have grown exponentially since Part 11 was issued, making the audit trail more crucial today. Clear audit trails are required to show the date, time, or sequence of events in a particular instance to ensure the trustworthiness and reliability of the records. The audit trail can help reveal data tampering or fabrication of results. It also identifies the users who create, modify, or delete regulated records.
Recording the details of every change and sign-off event by author, date, and time will provide complete traceability and accountability over all the decision-making that happens in a development process, and easy availability of an audit trail can ease the process of inspection as well.
#04- Ensure that access management is strictly controlled
Part 11 specifies the controls you need to have over access and editing rights within your system. The regulation includes many exacting requirements to prevent the accidental loss and deletion of data and security breaches that can result as a consequence. The system should restrict access in accordance with preconfigured rules that can be maintained.
#05- Ensure the current digital signature process is as per the regulations
The requirements regarding the use of electronic signatures are clearly defined in Part 11. It says, “A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”
The FDA allows and recommends electronic signatures to be used on electronic documents in place of ‘wet signatures’ on paper documents to streamline and standardize business activities. To be compliant, the electronic records must include the printed name of the signer, the date/time it was signed, and the intention of the electronic signature.
#06- Implement change control procedures for compliance
After the system has been released for operation, system maintenance activities take over. The importance of such activities is underlined by recent FDA remarks about the lack of change control management by regulated organizations. Companies must implement procedural controls for making changes. Change control must be rigorously applied. The impact (criticality) of new versions on the standard product must be reviewed, and appropriate action must be taken. Adherence to change management practices for computer technologies provides a process by which a change to a computer system must be proposed, evaluated, approved or rejected, scheduled, tracked, and audited.
#07- Ensure the applicable predicate rules are implemented
Predicate rules are FDA regulations that require companies to maintain certain records and submit information (both paper and electronic sources) as part of compliance. For FDA-regulated companies where electronic systems and records are used, companies must know the predicate rules that apply to their industry in order to use Part 11. Any predicate rule that calls for a record or signature must be satisfied with an electronic record and electronic signature, respectively.
The predicate rule details the kind of records required and the signatures needed to validate/certify. Therefore, it is crucial for companies to improve their awareness of the predicate rules that lay the groundwork for Part 11 compliance.
The Predicate Rule requirements must be the basis of the decisions to maintain the electronic records, and the associated risk must be documented. The record retention period is also defined on the basis of the applicable predicate rule. It determines the value of the records over time.
#08- Validate electronic records and electronic signatures, i.e., IQ, OQ, PQ
Validation of the quality systems is critical to ensure consistency, accuracy, and reliability. In simple words, you need proper documentation to define the elements and their intended functions to validate their functionality at regular intervals of time.
The validation is performed through IQ, OQ, and PQ.
- Installation Qualification (IQ) is performed to confirm that the software is configured and installed correctly.
- Operational Qualification (OQ) is performed to ensure that the functionality is working correctly and there are no bugs.
- Performance Qualification (PQ) confirms that the software is fit for its intended use.
The FDA recommends that the validation approach be justified and that it document a risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.
#09- Provide training to the staff
Part 11 clearly defines that all system users should undergo the training required to perform their assigned tasks and projects. Companies must establish and deploy proper training and SOPs so that their trained staff is well-versed in their processes and procedures. The establishment of, and adherence to, written policies that hold individuals accountable and responsible for their actions is a core piece of making sure your organization can comply with 21 CFR Part 11.
Outcome of compliance with Part 11
21 CFR Part 11 provides an opportunity for Life Science companies to gain the organizational benefits of paperless record-keeping systems. It also helps the FDA ensure that when companies use electronic record-keeping systems, they document security procedures and authenticity is adequately maintained.
The goal is quite simple, which is to achieve a system where electronic records and signatures can be trusted. Companies in FDA-regulated industries must view investing in 21 CFR Part 11 compliance as an investment in their long-term success.
21 CFR Part 11 applies to all digital records within your life science organization. That includes your learning and development initiatives. It is important to understand how the FDA’s rules affect training records, including their storage, access, and more. Of course, navigating this area can be confusing, so we created a guide to help ensure you can comply with legal requirements and avoid an FDA audit. You can download the whitepaper “How to Prepare for a 21 CFR Part 11 FDA Inspection”.
What Training Records Are Affected?
Technically, all electronically stored training records fall under the purview of 21 CFR Part 11. In most cases, they must also comply with Good Manufacturing Practices, Good Clinical Practices, and Good Laboratory Practices. However, the most important training records include the following:
- Course versions (to ensure versioning accuracy)
- Course completions (to ensure accurate tracking)
- Exam completions (to track knowledge retention)
Why Are Training Records Kept?
Training records serve several important purposes within life science organizations. Some of the most common reasons for storing and maintaining training records include the following:
- Verify compliance with training requirements
- Verify compliance with certification/recertification requirements
- Develop in-house talent by training employees and closing skill gaps
- Track employee learning and development over time
- Make central decisions concerning promotions and informing hiring strategy
The Onus of CFR Part 11 Compliance with Training Records
While 21 CFR Part 11 is complex and can be confusing, its application when it comes to training records can be broken down and made more understandable.
The entire purpose of 21 CFR Part 11 is to protect training records (and the information they contain) from theft, loss, or damage. All industries have seen a dramatic rise in data breaches, data theft, and cyberattacks, which can compromise any form of electronically-stored data, including training records.
Given the purpose, how are training records supposed to be secured? The FDA leaves a lot up to the organization, simply mandating that all records be secured and protected, including when they are created, modified, or archived. Life science organizations must:
- Ensure that the person making the changes is identified (with each change)
- Ensure that the reason for the change is noted in the log
- Ensure that all training records are “trustworthy and reliable” enough to be interchangeable with paper records
- Ensure that all e-signatures are secure enough that they can replace physical signatures
Electronic documents (including training records) must be stored in some sort of electronic system. For instance, employee workstations include Excel sheets, Word docs, and other electronic files. The organization’s training records must be stored within a compliant learning management system (LMS). However, that LMS must meet FDA requirements, as well. While most of the onus falls on the life science company to design and then implement policies and procedures that safeguard electronic records, the systems the organization uses must also be “fit for use.”
When it comes to learning management systems, there are several technical aspects of the rule that must be met. These include:
- The LMS must be secure. This generally means secure usernames and passwords, which form part of an e-signature but also include additional security tools, such as the ability to restrict access to specific information to only those with a need, the ability to remove usernames and passwords from the system, and much more.
- The LMS must support audit trails. As discussed above, any change made (including training record creation in the first place) must be attributed to the person who made it, authenticated by their username and password, and must record the reason for the change itself. All changes must be logged and accessible for auditing purposes, providing a clear trail showing who did what, when, and why.
- The LMS must rely on robust e-signatures. Electronic signatures must be the equivalent of physical signatures in terms of trust and validity, but for that to happen, there must be trust that those signatures have not been falsified or obscured in any way.
- The LMS must provide reporting capabilities. This ensures that those who need access to information have it, but also provides the ability to home in on specific data quickly and the ability to share information (including with the FDA) when necessary.
- Training the trainer matters, too. The FDA requires that “persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.” This means that administrators, and even employees who will complete training in the LMS, must be trained on how to use the system effectively and to ensure continued compliance with FDA rules and regulations, as well as the organization’s own practices and policies.
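The audit-trail requirements described above (who did what, when, and why, with tampering made visible) can be sketched as a hash-chained log. This is an added example, not code from any LMS or from the FDA; the field names, the `TRN-0001` record ID and the user names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                      # prev_hash used by the first entry
ACTIONS = ("create", "modify", "delete")

def entry_digest(entry):
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail, *, user, action, record_id, reason):
    """Append a who/what/when/why entry chained to the previous entry's hash.
    Only the authenticated user ID is stored, never the password."""
    fields = {"user": user, "action": action, "record_id": record_id, "reason": reason}
    missing = [k for k, v in fields.items() if not str(v or "").strip()]
    if missing or action not in ACTIONS:
        raise ValueError(f"audit entry rejected: missing={missing} action={action!r}")
    entry = dict(fields, seq=len(trail),
                 timestamp=datetime.now(timezone.utc).isoformat(),
                 prev_hash=trail[-1]["hash"] if trail else GENESIS)
    entry["hash"] = entry_digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail, expected_head=None):
    """Return the index of the first bad entry, len(trail) if the trail does not
    end at expected_head (truncation), or None if everything checks out."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if (e.get("seq") != i or e.get("prev_hash") != prev
                or e.get("hash") != entry_digest(e)):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(trail)
    return None

def build_sample_trail():
    """Constructed sample data: three changes to one training record."""
    trail = []
    append_entry(trail, user="asmith", action="create", record_id="TRN-0001",
                 reason="Course completion recorded")
    append_entry(trail, user="bjones", action="modify", record_id="TRN-0001",
                 reason="Corrected completion date per supervisor review")
    append_entry(trail, user="asmith", action="modify", record_id="TRN-0001",
                 reason="Linked to revised course version")
    return trail
```

The chain only exposes edits made by someone who cannot recompute it, so the latest hash (`expected_head`) has to be kept somewhere the record editors cannot write to. Without that stored value, removing entries from the end of the trail goes unnoticed.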
How Does an LMS Meet These Requirements for 21 CFR Part 11 Training Records?
While the life science organization is ultimately responsible for actual 21 CFR Part 11 compliance, learning management systems must be up to the task. For instance, with an LMS like eLeaP, it becomes a simple matter to ensure that all training records are always up to date and ready for auditing or sharing with the FDA.
With robust reporting capabilities, in-depth tracking and learner management tools, and powerful e-signature and digital security steps, eLeaP delivers not only peace of mind, but a defined road to 21 CFR Part 11 compliance.
Will the Right LMS Guarantee 21 CFR Part 11 Compliance?
In a nutshell, no. No system can guarantee compliance with 21 CFR Part 11. The reason for this is that there are three controls needed for a compliant system. One of those controls, the technical aspect of everything, is provided by the LMS developer.
The other two, procedures and administrative processes, come from the organization. So, if the organization has not created robust policies and procedures or fails to hold individuals accountable for actions taken with their electronic signatures, it will not be compliant.