.svg "Cognidox logo")
WTH is FDA 21 CFR Part 11? That’s a question many life science developers wanting to access the US market must have asked themselves - in one way or another.
It’s easy to be intimidated by the slew of schedules and initials you’ll be confronted with when trying to break this huge and powerful marketplace, so here’s a guide to help you understand what Part 11 really means for you.
What is FDA 21 CFR Part 11?
It’s Part 11 of Title 21 of the Code of Federal Regulations, of course.
Put simply, Part 11 sets out how a life science company operating in the US can establish an FDA-compliant, digital Quality Management System using electronic records and e-signatures in place of paper-based documentation and ‘wet signatures'.
Why does part 11 matter?
First published in 1996, Part 11 was the FDA’s (slightly belated) response to the opportunities and challenges of the information age.
As other industries were reaping the benefits of increased digitisation, pharma and medical device companies were still losing time chasing multiple real-world signatures and collating paper documents to pass FDA audits.
In Part 11, the FDA addressed the need for increased innovation in the industry’s working methods so that new products could be brought to market faster using digital tools.
However, it balanced this with the need to retain the highest level of authentication and control over approval processes for potentially lethal products.
Does 21 CFR Part 11 apply to me, then?
Almost certainly. Any developer releasing a product in the US who thinks they won’t be subject to the regulation because their ‘master copies' of documentation are all in paper form, are mistaken.
If you store or have uploaded any of your documents onto any computer system as part of your development or quality process, the regulations will almost certainly apply to you.
11 requirements for electronic record keeping in 21 CFR part 11
If you are using an electronic quality management system (eQMS) to develop your product, what controls do you need to ensure required levels of data integrity and risk management?
Sec. 11.10 outlines eleven distinct security management requirements for companies that wish to manage their electronic records using a ‘closed software system'.
|
# |
Requirement |
Actions |
| 1 |
System Validation: Validate systems to ensure that the data they handle can be trusted. |
Conduct and document system validation activities regularly, re-validate systems after significant changes, and maintain detailed validation records. |
| 2 |
Record Accessibility: Ensure that all electronic records can be provided in a format that humans, not just computers, can read. |
Implement systems that can produce accurate, human-readable copies of electronic records and maintain them for the required retention period. |
| 3 |
Document Storage & Record Retention: Safeguard documentation and keep it available for as long as needed. |
Use secure storage methods and backup systems to protect electronic records from loss, unauthorised access, or alteration. |
| 4 |
System Access: Ensure that only the right people have access to your system |
Establish robust access controls, including unique user IDs and passwords, and assign roles and permissions based on job responsibilities. |
| 5 |
Audit Trails: Automatically capture a complete history of all electronic records. |
Systems must have secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions that create, modify, or delete electronic records. |
| 6 |
Workflows: Ensure computer systems function correctly. |
Implement system checks that ensure processes follow the correct sequence and prevent unauthorised steps. |
| 7 |
Authority Checks: Limit user access (both system-level and record-level) and verify that users performing functions are authorised to do so. |
Establish and enforce robust access controls, including unique user IDs and passwords, and assign roles and permissions based on job responsibilities. |
| 8 |
Device Checks: Verify that equipment used for regulated purposes is functioning properly. |
Implement procedures to verify that input devices are functioning correctly and data sources are valid (see our blog post on equipment validation) |
| 9 |
Training Requirements: Ensure that only trained and qualified people perform functions on or within the system. |
Provide regular training for all personnel involved in the system, maintain training records, and ensure that staff are competent in using the system. |
| 10 |
Accountability: Hold individuals accountable for the integrity of their actions related to electronic records and electronic signatures. |
Implement policies and procedures to manage electronic signatures, ensuring they are linked to their respective records and cannot be excised, copied, or transferred without detection. |
| 11 |
Document Control: Maintain control over electronic records related to system operation and maintenance, preserving the complete history of changes made to these documents. |
Implement a document control system that manages the lifecycle of operational and maintenance documents, ensuring they are version-controlled and accessible only to authorised personnel. |
What are the electronic signature requirements in FDA CFR part 11?
Part 11 outlines in detail the requirements for using electronic signatures within a closed-loop quality management system.
Signature manifest requirements
Part 11 specifies that any e-signatures applied to documents must include the printed name of the signer, the date/time the signature was applied, and the ‘meaning' or intention of the electronic signature as part of an evolving and uneditable audit trail.
Control and authentication
But rules for the application, control and authentication of these signatures are extensive:
- E-signatures must be unique to individuals
- E-signatures must be password protected (with passwords changed frequently)
- Only administrators should be able to control the use of e-signatures in the system
- Signatures must be authenticated in real-time when they are used
- An approval must always be attributable to a specific individual
- The signature cannot be removed once it is applied
If you’re putting together your own DIY eQMS with tools like One Drive and PandaDoc, you may struggle to create the most frictionless process that can work in line with the regulation.
Compliance requirements are rigorous
In trying to match the level of legal confidence offered by a 'wet signature’, Part 11 has made the authentication requirements for digital approval way more stringent. The processes you’ll need to ensure identity authentication and protection from falsification require high levels of digital document control and workflow management.
Right now, it would be significantly easier to falsify a pen and ink signature on a test result than to do the same with an electronic signature under the FDA rules!
For all these reasons, Using an eQMS's native e-signature software is the most cost-effective and reliable way to meet the regulation laid out in FDA CFR 21 Part 11.
Supporting external approvals
However, there will be times when you need a supplier outside your organisation to approve a document (for example, for equipment calibration verification or contract signing). In these cases, you will need your QMS to integrate seamlessly with a tool like DocuSign. You’ll need the facility to open up limited access to your closed system - and let your partner apply an eIDAS-compliant electronic signature where required (including date and time stamp).
Your chosen eQMS supplier should make both these routes for applying e-signatures a standard part of the package, at no extra cost to you.
But compliance makes life easier (honestly)
The good news is that implementing Part 11 will make your process more efficient. It will help you develop a compliant and paperless QMS, ultimately giving you the tools to deliver safer and more effective products in a more streamlined way.
Even so, the bar for digital compliance is set extremely high. For some, the challenge often seems too daunting, with many developers choosing to maintain their paper-based systems rather than face the upheaval of a complete digital overhaul.
The tools, processes and procedures you'll need to meet the regulation are highly exacting. It will take time to set them up and validate they're working as they should be. But once you've done so, you'll be able to collaborate more efficiently and effectively across your business and more easily demonstrate to the regulator you have built your products to the required standards.
Last updated on 04/06/2024
%20(1).webp?width=133&height=76&name=ISO%20IEC%2027001%20(1)%20(1).webp)