The Food and Drug Administration (FDA) has a regulation called 21 CFR Part 11 that specifies requirements for digital records and electronic signatures. It was put in place within the pharmaceutical, medical product, and biologic industries back in 1997 to ensure the correctness, authenticity, and safety of electronic data and signatures.

All digital records that must be kept per FDA standards, including those on product development, production, distribution, and packaging, are covered by the regulation. In today’s article, we’ll be looking at certain technical controls for electronic records and signatures and seeing how they affect 21 CFR Part 11.

Technical Controls for Electronic Records and Signatures

21 CFR Part 11 Technical Controls

Organizations must put in place technical controls that safeguard the veracity, integrity, and privacy of electronic documents and electronic signatures to comply with 21 CFR Part 11. Access control, digital signing, and encryption are some of these technical controls. Let’s take a look at them in no particular order;

Encryption

The process of transforming plain language into an unintelligible format is known as encryption. It is used to safeguard the privacy of electronic documents since it makes it impossible for unauthorized people to view and access the data. Both data at rest and data in transit can be encrypted. Data in transit includes internet traffic and email attachments that are being sent from one place to another. Data that is kept on a database, HDD, or other storage media is referred to as data-at-rest.

Electronic records must be encrypted to maintain their confidentiality since it makes it more difficult for outsiders to obtain and read such data.

Encryption could also safeguard the accuracy of electronic records since it makes it harder for unauthorized parties to change or remove the data.

Digital Signing

Electronic signatures and digital records must be protected to ensure their authenticity, and online signing is essential for this. It allows users to confirm that the data has not been changed or erased.

Digital signatures furthermore offer non-repudiation, which refers to the capacity to demonstrate that a signing was produced by a specific person and can’t be changed or removed.

Access control refers to the process of limiting who has access to electronic documents and signatures as well as the actions they are permitted to do. Multi-factor authentication, passwords, or any other types of authentication can all be used to establish access control. Access control may also be used to limit what functions people have access to electronic signatures and records, including the ability to add, amend, or delete records.

Access Control

Access control, which regulates who has access to data and what measures they may take with it, is essential for maintaining the integrity and confidentiality of electronic signatures and electronic records.

Access control also gives a way to track who has viewed the material and what acts they have taken, which aids in ensuring that digital records and signatures are secured properly and controlled.

Guidelines for Adhering to 21 CFR Part 11

The next difficulty is to maintain compliance with 21 CFR Part 11 once you have finished the checklist. If you’ve already reached this point, don’t worry—we have you covered, too! All you have to do is adhere to these 5 easy steps:

1. Verification

Even though the majority of software wireless carriers supply a solution, it’s indeed your duty as a producer to adhere to 21 CFR Part 11.

Therefore, similar to the user needs to be established by your existing team, you should double-check the important user requirements listed above. Being part of the functional accreditation of the software verification process, a comprehensive examination of 21 CFR Part 11 compliance is possible. These phases make up a typical software verification process:

Installation Criteria:

Operational Qualification: 

Software Performance Qualification:

2. Authenticity and Protection for Electronic Records

Ensure that records are accurate, trustworthy, and consistent. Create and run routine processes to look for records that have been edited or are invalid.

3. Authority and Security

This involves restricting system access to those with permission. To ensure that the appropriate users can use the network, digitally sign records, connect directly to the operations or computer output or input device, access the record to be altered, or carry out the task at hand, create various sorts of authorization levels for users.

Assure that there are sufficient controls over how documentation for systems maintenance and operation is distributed, accessed, and used.

4. Audit Trails

Note the operator entries that have a time stamp.

The acts that produce, edit, or remove electronic records should be noted.

5. Digital Signatures

Ensure that electronically signed documents include details such as the signer’s name, the time and date the signature was made,

The aforementioned action items address all of the main challenges associated with compliance with 21 CFR Part 11.

So how then could you choose the most suitable eLearning software among the various options on the market that perfectly satisfies your eLearning requirements? It’s easy! Consider these 4 factors while purchasing an LMS: mobile compatibility, price, maintenance and utility.

Conclusion

Give the eLearning software you’ve picked a shot if it ticks off these 4 features. You can find all of these features and many more with the eLeap LMS! You’ll receive the most for your money in addition to a platform that is simple to use, packed with features, and compatible with a variety of devices.

21 CFR Part 11 is the legal framework that controls how businesses handle electronic documents and signatures. To comply with the FDA’s statutory inspection requirements, the regulation develops a framework for managing records and electronic signatures, making them generally similar to paper archives and handwritten signings completed on paper.

Here, we’ll be taking a deeper look at the impact of 21 CFR Part 11 on a typical organization and seeing what requirements should be met.

Understanding the Impact of 21 CFR Part 11 on Your Organization

The Need for 21 CFR Part 11

In essence, 21 CFR Part 11 was created as a regulatory solution to safety worries on how biotechnology, pharmaceutical, and medical equipment makers should handle the distribution, storage, and retrieval of records in the digitized age.

The following electronic records elements are of considerable importance to the FDA:

21 CFR Part 11 was also created to accelerate digital transformation and generate significant cost savings for businesses over paper-based record-keeping to ensure compliance with the regulations and encourage enterprises to embrace paperless systems.

Additionally, it aims to lower these businesses’ high costs while retaining paper-based filing systems to satiate regulatory bodies. A fundamental objective is enabling these organizations to eventually establish a regulated shift to digital circuits and digitized operations. If you are unsure if your organization is covered under 21 CFR Part 11, see this course.

The Importance of Complying with 21 Part 11

Typically, regulatory compliance isn’t approached with much enthusiasm. Nevertheless, 21 Part 11 is crucial in defending the sector from non-compliant operators and the accompanying quality assurance errors.

Although adhering to the regulation can appear difficult, it’s crucial to keep in mind that its goals are to free regulated industries from the restrictions of paper documentation, standardize compliance, and provide a mechanism for businesses to operate more quickly. Additionally, software programs created to simplify Part 11 compliance are now accessible.

Following are a few benefits of 21 CFR Part 11 compliance:

Regulatory Specifications

According to the “General Principles of Software Validation” guidance document, the FDA mandates validating the IT systems covered above. This raises the question of whether the entire software life cycle or the validation process is being discussed.

Closed and Open Systems

A closed system is one where the organization employing it controls system access. Only electronic signatures are necessary because the company has the ability to verify each user’s identification before granting them access to the digital record system.

An open system is one in which the organization using it does not have control over system access. Before granting access to the digital record system, the organization is unable to verify the identities of all users.

Standards for Closed Systems

For closed systems, the criteria are outlined in 21 CFR Part 11.10. The rationale behind the standards is that those using these systems must ensure that all data is authentic, intact, and, if required, confidential. Because of this, the following are important:

Standards for Open Systems

Open systems are subject to additional rules under 21 CFR Part 11.30. These include steps to guarantee the veracity, integrity, and confidentiality of records, like document encrypting and digital signature standards. Individuals who have handled this topic before will be conversant with 21 CFR Part 11 standards addressing digital signatures.

The following information must be included in a digital signature:

21 CFR Part 11 provides the following criteria for the use of identifying codes and passwords (such as user names, initials, or numbers) in 11.200 (a) as well as 11.300:

Conclusion

Your company can benefit from the organizational advantages of digital record-keeping systems thanks to 21 CFR Part 11. Additionally, it enables the FDA to ensure that document safety and integrity are properly preserved when companies employ electronic record-keeping systems. Check out eLeaP’s LMS software right away to learn how it is designed to assist you in achieving and maintaining compliance with 21 CFR Part 11.

What is 21 CFR Part 11?

21 CFR Part 11 establishes FDA regulations on Electronic Records & Electronic Signature (ERES), which includes electronic submissions to the FDA. 21 CFR Part 11 defines the criteria under which ERES is considered Trustworthy, Reliable, and Equivalent to paper records. Title 21 is the portion of the Code of Federal Regulations (CFR) governing Food and Drugs in the United States.

Decoding 21 CFR Part 11 – 10 steps to achieving compliance

21 CFR Part 11 is divided into 3 Subparts – A, B, and C

Subpart A – General Provisions

  1. Subpart A discusses the scope of regulations and when and how they should be implemented.
  2. It also defines some key terms used in regulations.
  3. Part 11 applies to all electronic records that fall under FDA Regulations. FDA will accept Electronic submissions instead of Paper submissions if those submissions adhere to Part 11 requirements and are included among the types of documents that the FDA accepts electronically.

Subpart B – Electronic Records

  1. Subpart B discusses the requirements for the administration of closed and open systems.
    1. Closed system
      • System that can be built and tested, i.e., a system on the intranet that only testers and developers responsible can access.
      • It would be a build-and-test system on the intranet.
      • According to 21 CFR Part 11, a closed system must have a collection of procedural and technological controls to protect data within the system
    2. Open System
      • System that transmits data via the Internet.
      • Open computer systems must have controls to ensure that all records are authentic, incorruptible, and confidential where applicable.
    3. Subpart B discusses Signature manifestations and requirements for establishing a link between signatures and records.
    4. It also explains that the organizations using electronic records must establish and document procedures and controls – that include “CSV, Record Rendering, Document storage, and record retention, System access, Audit Trails, Workflows, Authority checks, Device checks, personnel qualifications, and personal accountability and document control” that ensure Authenticity, Integrity, and Confidentiality.

Subpart C – Electronic Signatures

  1. This section includes general requirements for:
    • Electronic Signature component and controls
    • Controls for identification codes and passwords
  2. A person using an electronic signature must have their identity confirmed and should use a unique signature.
  3. Subpart C also includes special design requirements for digital signatures that are biometric and non-biometric.`

When does CFR Part 11 apply?

The Gap Analysis provides the company with insight into identifying the gaps that might exist and remediating those gaps in the system. The Part 11 Gap Analysis also helps to create new requirements to comply with Part 11 regulations, and it can also help improve access to the existing system.

Why is Part 11 required?

The core intention of Part 11 is to help any organization planning to use electronic records to replace paper records. In other words, this is an excellent tool and method to ensure that electronic records and signatures used in your work and organization are as authentic as physical records and signatures.

Thus 21 CFR Part 11 ensures,

10 Steps to achieve compliance:

1.    Validated Systems with complete documentation, including change control

Computer System Validation (CSV) is a formal process of testing or qualifying to ensure that systems operate consistently as intended. See how the eLeaP LMS helps you stay in compliance with Part 11.

What is expected by FDA?

  1. Procedures/SOPs should be put in place to ensure that the systems used in regulated activities are validated and maintained in a validated state through effective change control. Also, the person(s) validating must have adequate training and experience.
  2. A risk-based approach should be taken to validate. The actions should be determined by the risk a specific system or system functionality can have on data integrity, product quality, and patient safety. The risk assessment should ensure that the system functionalities with the highest risk receive the highest extent of validation.
  3. Data Integrity principles ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) should be in place.
  4. Version control and change control procedures should be in place for system documentation.
  5. An extensive Validation Plan which states the scope of the validation, approach, strategy, schedule, tasks to be performed, etc., should be created along with the Validation Summary Report, which provides an overview and results for the activities mentioned in Validation Plan. Both documents should be reviewed and approved.
  6. Traceability Matrix should be created and maintained as part of change control (it is a living document).
    • It should clearly indicate which requirements were tested with which scripts – IQ, OQ, and PQ.
    • Requirements can also be traced to SOPs, i.e., few requirements can even be achieved through implementing procedures or having SOPs in place to train the employees.
    • It should also reference Functional Specifications and Design Specifications for custom-built systems.
    • It should be structured to enable the performance of an Impact assessment.
    • The Traceability Document is very useful and significantly facilitates system management and inspection of system documentation

2.    System should generate accurate and complete copies of electronic records for review/inspection

3.    Record protection and easy retrieval throughout their retention

4.    Appropriate Access Management – Security controls

5.    Audit Trail – to discern changes to records throughout

6.    Encryption for Open Systems

7.    Linking Electronic Signature to Records

8.    Electronic Signature – controls and components

Electronic Signature should have the following controls or components:

  1. E-signature should have at least two identification elements to sign and should be unique to an individual.
  2. The person who performs an E-signature must be trained to E-Sign and sign a non-repudiation form that clearly identifies them.
  3. The E-signature should become invalid if a record updates after being signed.
  4. The E-signature should have the following components:
    • Full Name of the Signer
    • Reason for signature (Author, review, approve)
    • Date and Time of signature (Unambiguous Timestamp)

9.    Trained and qualified people

10.    SOPs in place

There should be formal and regularly updated SOPs in place for the following:

  1. Software Development
  2. Computer System Validation (CSV)
  3. Physical and Logical security and data protection
  4. System Maintenance and Administration
  5. Disaster Recovery and Business Continuity
  6. System change control
  7. Record Management (Backup, Recovery, Record Retention, Archival)
  8. Electronic and Digital Signatures
  9. System Management
  10. Any other regulated process.

How does eLeaP help you with 21 CFR Part 11:

eLeaP is a web-based e-learning solution with a simple but sophisticated user interface, allowing technical and non-technical training managers to create, manage and track interactive training courses and learning programs for all levels of users. eLeaP’s training tracking software can also be used to register and track classroom or instructor-led training and deliver continuing education credits.

Let’s say you use a general-purpose e-learning (LMS) system to manage your training. Given that it’s a general purpose, you have to spend a considerable amount of time and effort to engineer the system you want. Also, it includes lots of risks because regulatory LMS best practices won’t be built in. Our learning management software system is flexible, validated, adaptable, and customizable – and so easy to use that it can be up and running in a matter of minutes with no special training.

For highly regulated medical device organizations and life science industries, it has become a challenge to achieve 21 CFR Part 11 compliance and a matter of concern for companies subject to FDA inspections. Organizations must follow best practices in maintaining compliance and the quality process by following the 21 CFR Part 11 regulation. However, as more medical device manufacturers have moved from paper-based to electronic quality systems, they have become subject to a new set of regulations: 21 CFR Part 11. When the regulation is viewed as a whole, the goal is quite simple, to legitimize digital records by giving credibility to electronic signatures, audit trails, and digital authority checks. Organizations that are required to comply with 21 CFR Part 11 understand the stakes that exist. We’ll try to give you helpful tips to get your organization aligned with the FDA’s requirements.

Tips To Comply with 21 CFR Part 11

Here are some significant points and tips to be aware of to ensure you and your organization achieve compliance with 21 CFR Part 11:

  1. Determine whether 21 CFR Part 11 applies to your system or organization
  2. Assess your data integrity compliance status in terms of how your data is currently stored and protected
  3. Follow accepted processes to implement time-stamped audit trails
  4. Ensure that access management is strictly controlled
  5. Ensure that your current digital signature process is as per the regulations
  6. Implement change control procedures for compliance
  7. Ensure the applicable predicate rules are implemented
  8. Validate electronic records and electronic signatures, i.e., IQ, OQ, PQ
  9. Provide training to the staff

The brief overview of 21 CFR Part 11

The FDA’s Code of Federal Regulations Title 21 Part 11 defines basic criteria for which electronic records and electronic signatures are considered reliable, trustworthy, and equivalent to paper documents with handwritten signatures.

Furthermore, it establishes requirements related to electronic signatures, electronic records, and controls on electronic record systems.

As we move more towards digitalization, it has become difficult for companies to handle paper documentation. In Part 11, the FDA addressed the need for increased innovation in the industry’s working methods so that new products could be brought to market faster with the help of digital tools.

While it may seem like 21 CFR Part 11 was created to make your life more complex, the intent is actually the opposite. The goal is to ensure that your electronic records and signatures can be trusted. Yes, you have additional steps to take to ensure you can comply with 21 CFR Part 11; however, they are manageable, and the right partner makes all the difference.

As digital recordkeeping becomes more and more commonplace and eliminates the use of paper copies for data, it is essential to protect the integrity and accuracy of the information. This regulation will help with accountability and traceability of information throughout the documentation processes. It helps to protect against falsified records and unauthorized access to information and ensures that everything is stored safely.

Having a SaaS-validated learning management platform that is compliant with 21 CFR Part 11 can help you not only understand the FDA regulatory requirements but, more importantly, comply with those rules.

Let’s take a deep dive into understanding the tips that can help medical device companies improve CFR Part 11 compliance.

#01- Determine whether 21 CFR Part 11 applies to your system or organization

The first consideration is identifying if 21 CFR Part 11 applies to your system or organization. Any medical device company releasing a product in the market who thinks they won’t be subject to the regulation because their ‘master copies’ of documentation are all in paper form is probably mistaken. If you store or have uploaded any of your documents onto any computer system as part of your development process, you are certainly subjected to the regulatory requirements.

In section 11.3, the FDA defines “electronic record” as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” As the definition describes, the FDA statute covers a broad swath of electronic records. Whether you are a heavy user of electronic or computerized systems or an infrequent user, you and your organization are most likely covered under Part 11.

Moreover, the FDA has broadened its perspective on electronic records and specifically defines which records are applicable for Part 11.

#02- Assess your data integrity compliance status in terms of how your data is currently stored and protected

There must be procedures to ensure that the data is stored and protected from modification or loss of data. The companies must assess if their systems are closed or open and implement procedures accordingly. Companies that use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, confidentiality of electronic records. The procedures and control are defined in the 21 CFR Part 11 statute under section 11.10(c) as the Protection of records to enable accurate and ready retrieval throughout the records retention period.

Also, Part 11 requires that electronic systems be able “to generate accurate and complete copies of records in both human-readable and electronic form for inspection, review, and copying by the agency.” The FDA guidance specifies that a company should provide the FDA investigator with reasonable access to records during an inspection.

#03- Follow accepted processes to implement time-stamped audit trails

Electronic records have grown exponentially since Part 11 was issued, making the audit trail more crucial today. Clear audit trails are required to show the date, time, or sequence of events in a particular instance to ensure the trustworthiness and reliability of the records. The audit trail can help reveal data tampering or fabrication of results. The audit trail provides the information of the users who create, modify, or delete regulated records.

Recording the details of every change and sign-off event by author, date, and time will provide complete traceability and accountability over all the decision-making that happens in a development process, and easy availability of an audit trail can ease the process of inspection as well.

#04- Ensure that access management is strictly controlled

Part 11 specifies the controls you need to have over access and editing rights within your system. The regulation includes many exacting requirements to prevent the accidental loss and deletion of data and security breaches that can result as a consequence. The system should restrict access in accordance with preconfigured rules that can be maintained.

#05- Ensure the current digital signature process is as per the regulations

The requirements regarding the use of electronic signatures are clearly defined in Part 11. It says, “A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”

The FDA allows and recommends electronic signatures to be used on electronic documents in place of ‘wet signatures’ on paper documents to streamline and standardize business activities. To be compliant, the electronic records must include the printed name of the signer, the date/time it was signed, and the electronic signature’s intention.

#06- Implement change control procedures for compliance

After the system has been released for operation, system maintenance activities take over. The importance of such activities is characterized by recent FDA remarks related to the lack of change control management by regulated organizations. The companies must implement procedural control to implement the changes.  Change control must be rigorously applied. The impact (criticality) of new versions on the standard product must be reviewed, and appropriate action must be taken. Adherence to change management practices for computer technologies provides a process by which a change to a computer system must be proposed, evaluated, approved, or rejected, scheduled, tracked, and audited.

#07- Ensure the applicable predicate rules are implemented

Predicate rules are FDA regulations that require companies to maintain certain records and submit information (both paper and electronic sources) as part of compliance. For FDA-regulated companies where electronic systems and records are used, companies must know the predicate rules that apply to their industry in order to use Part 11. Any predicate rule that calls for a record or signature must be satisfied with an electronic record and electronic signature, respectively.

The predicate rule details the kind of records required and the signatures needed to validate/certify. Therefore, it is crucial for companies to improve their awareness of the predicate rules that lay the groundwork for Part 11 compliance.

The Predicate Rule requirements must be the basis of the decisions to maintain the electronic records, and the associated risk must be documented. The record retention period is also defined on the basis of the applicable predicate rule. It determines the value of the records over time.

#08- Validate electronic records and electronic signature, i.e., IQ, OQ, PQ

Validation of the quality systems is critical to ensure consistency, accuracy, and reliability. In simple words, you need proper documentation to define the elements and their intended functions to validate their functionality at regular intervals of time.

The validation is performed through IQ, OQ, and PQ.

FDA recommends that the validation approach must be justified and document a risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.

#09- Provide training to the staff

Part 11 clearly defines that all the system users should undergo the necessary training required to perform their assigned tasks and projects. Companies must establish and deploy proper training and SOPs so that their trained staff is well-versed in their processes and procedures. The establishment of, and adherence to written policies that hold individuals accountable and responsible for actions is a core piece for making sure your organization can comply with 21 CFR Part 11.

Outcome of compliance with Part 11

21 CFR Part 11 provides an opportunity for Life Science companies to gain the organizational benefits of paperless record-keeping systems. It also helps the FDA ensure that when companies use electronic record-keeping systems, that they document security procedures and that authenticity is adequately maintained.

The goal is quite simple, which is to achieve a system where electronic records and signatures can be trusted. Companies in FDA-regulated industries must view investing in 21 CFR Part 11 compliance as an investment in their long-term success. We invite you to contact eLeaP to see how we have helped others in the life sciences space comply with 21 CFR Part 11.

21 CFR Part 11 applies to all digital records within your life science organization. That includes your learning and development initiatives. It is important to understand how the FDA’s rules affect training records, including their storage, access, and more. Of course, navigating this area can be confusing, so we created a guide to help ensure you can comply with legal requirements and avoid an FDA audit. You can download the whitepaper “How to Prepare for a 21 CFR Part 11 FDA Inspection“.

What Training Records Are Affected?

Technically, all electronically stored training records fall under the purview of 21 CFR Part 11. In most cases, they must also comply with Good Manufacturing Practices, Good Clinical Practices, and Good Laboratory Practices. However, the most important training records include the following:

Why Are Training Records Kept?

Training records serve several important purposes within life science organizations. Some of the most common reasons for storing and maintaining training records include the following:

The Onus of CFR Part 11 Compliance with Training Records

While 21 CFR Part 11 is complex and can be confusing, its application when it comes to training records can be broken down and made more understandable.

The Purpose

The entire purpose of 21 CFR Part 11 is to protect training records (and the information they contain) from theft, loss, or damage. All industries have seen a dramatic rise in data breaches, data theft, and cyberattacks, which can compromise any form of electronically-stored data, including training records.

The Method

Given the purpose, how are training records supposed to be secured? The FDA leaves a lot up to the organization, simply mandating that all records be secured and protected, including when they are created, modified, or archived. Life science organizations must:

The System

Electronic documents (including training records) must be stored in some sort of electronic system. For instance, employee workstations include Excel sheets, Word docs, and other electronic files. The organization’s training records must be stored within a compliant learning management system (LMS). However, that LMS must meet FDA requirements, as well. While most of the onus falls on the life science company to design and then implement policies and procedures that safeguard electronic records, the systems the organization uses must also be “fit for use.”

Training Records and 21 CFR Part 11 Compliance: What Organizations Should Know

When it comes to learning management systems, there are several technical aspects of the rule that must be met. These include:

How Does an LMS Meet These Requirements for 21 CFR Part 11 Training Records?

While the life science organization is ultimately responsible for actual 21 CFR Part 11 compliance, learning management systems must be up to the task. For instance, with an LMS like eLeaP, it becomes a simple matter to ensure that all training records are always up to date and ready for auditing or sharing with the FDA.

With robust reporting capabilities, in-depth tracking and learner management tools, and powerful e-signature and digital security steps, eLeaP delivers not only peace of mind, but a defined road to 21 CFR Part 11 compliance.

Will the Right LMS Guarantee 21 CFR Part 11 Compliance?

In a nutshell, no. No system can guarantee compliance with 21 CFR Part 11. The reason for this is that there are three controls needed for a compliant system. One of those controls, the technical aspect of everything, is provided by the LMS developer.

The other two, procedures and administrative processes, come from the organization. So, if the organization has not created robust policies and procedures or fails to hold individuals accountable for actions taken with their electronic signatures, it will not be compliant.

Ready to experience the difference that a compliance-ready LMS can make? At eLeaP, we understand how critical it is to have a robust learning management system that delivers an ideal user and administrative experience while simultaneously helping you move toward 21 CFR Part 11 compliance. Contact us today to learn more.