21 CFR Part 11 is not new, and it has always been problematic for life sciences companies. To comply with those rules and regulations, you must be able to show incontrovertible proof that you are and have been following the mandates. There’s good news – the allowance of digital signatures and electronic records makes things at least somewhat easier. Of course, as with most federal regulations, the devil is in the details. That’s why we decided to look into what belongs on your 21 CFR Part 11 compliance checklist.
The bad news is that, even with a modern learning management system and other technology in place, it can still be challenging to ensure you’re doing things the right way. Our 21 CFR Part 11 compliance checklist will help. Note that this checklist can be used with many types of systems, including when you are choosing or implementing a learning management system.
- Has the system been validated?
- Can you determine invalid records in the system?
- Can you easily retrieve records for the duration of their retention?
- Is access to the system limited to only specific individuals?
- Is there a way to ensure that only authorized users can access the system, sign records, or make other changes?
- Does the system only allow data inputs from authorized devices?
- Is there documented training for system users?
- Do you have a written policy dealing with user accountability and responsibility?
- Is there a controlled solution for accessing system resources?
- Is the system’s data fully encrypted?
- Do you enforce the use of digital signatures?
- Does the LMS automatically generate a secure, time-stamped audit trail? Does that trail include the date and time of entries, as well as actions users take, including deleting or modifying data?
- Do changed records still include previous information in a legible format?
- Is the audit trail fully available and accessible for the duration of the record’s storage time?
- Can the audit trail be reviewed easily? Can it be sent to the FDA as a copy?
- Does each audit trail include important information, such as:
  - User ID
  - Event sequence
  - Original and new values/data
  - Revision and change controls
- Does each signed electronic record include the signer’s name, date and time of the signing, and the reason for the signing?
- Is there a system in place to ensure that electronic signatures cannot be copied or otherwise falsified?
- Do you have a formal change control procedure in place?
- Does each individual have their own electronic signature?
- Do you have a policy in place regarding the re-use, re-issuance, or reassignment of electronic signatures?
- Do you require identity verification before assigning a signature to an individual?
- Do you have at least two types of ID verification components in each signature?
- Do you require the user to re-submit their password during a session?
- Do you have an automatic timeout procedure in place?
- Does your system accurately reproduce copies of electronic records?
- Can the system easily create copies of records for review or use by the FDA?
- Does the system export records in an established/widely used format, such as PDF or XML?
- Do you have specific controls set to ensure that each combined identification code and password remains unique?
- Do you have a policy that requires a periodic review of identification codes and passwords?
- What is your procedure relating to passwords/ID codes if an employee leaves the company?
- Can you disable a code/password if it is compromised?
- Do you have a procedure for reporting unauthorized use attempts?
The information above is a rough guide to ensuring compliance with 21 CFR Part 11. However, if these are uncharted waters, it’s highly recommended that you work with an experienced partner. At eLeaP, we have years of experience developing compliant LMS software, and we help ensure that your data is safe and secure in the cloud.
How Does an LMS Fit In?
The 21 CFR Part 11 compliance checklist above applies to all digital systems your organization uses where data might be compromised, or that might allow an attacker/malicious software to access other parts of the system. Your LMS contains a wide range of sensitive information about your employees, certification information, career data, and much more. It is also connected directly to your HR software and likely dovetails with other software used daily within your business, whether you’re in pharmaceutical development, medical R&D, or hospital management. Given that, it’s critical that you have the right LMS in place and that it complies with the FDA’s requirements.
How Does an LMS Help?
Now that we’ve explored the 21 CFR Part 11 compliance checklist, we need to address a few questions, particularly as they relate to your company’s LMS. At eLeaP, we take data protection and authorized access very seriously. We’ve built our LMS from the ground up to ensure that it is completely in line with the FDA’s requirements and mandates.
Our system is cloud-based and completely secured using best-of-breed encryption. We also require that electronic signatures correspond with user data, including mandating that an e-signature is provided before awarding a completion status. Our system can be configured to require password authentication at periodic points, and we’ll log accounts out after periods of inactivity to safeguard against unauthorized access. Other features and benefits of our LMS include:
- Guaranteed tracking of records and activities
- Full access to detailed audit trails
- The ability to generate custom reports as needed
- Continually updated electronic training records stored securely
- Three-step electronic signature process, including user ID, password, and reason for change/modification
All of our features have been extensively tested to ensure operability and compliance with the FDA’s rules, as well. Ready to find out just how well our LMS can support your learners? Contact us today to schedule a custom consultation.