Guide to 21 CFR Part 11 compliance [free checklist]
For life science companies, FDA 21 CFR Part 11 compliance has always been a challenge.
It requires documented, defensible evidence that your organization meets FDA requirements for managing electronic records and electronic signatures. When these records lived on paper, producing that evidence was a tedious process. Thankfully, the FDA accepts electronic records and signatures, which streamlines the compliance process.
However, even with an electronic quality management system (eQMS), meeting 21 CFR Part 11 for electronic signatures and records can still be complicated. You need to get every detail right while keeping your records secure, and your entire team needs to understand how records and signatures must be handled.
That’s why we recommend using a 21 CFR Part 11 compliance checklist to improve your record and signature processes.
Use our checklist to ensure that you’ve got the right systems and steps in place to maintain compliance.
What is 21 CFR Part 11 compliance?
FDA 21 CFR Part 11 compliance is the state of organizational adherence with a key regulation issued by the FDA to map out requirements for electronic records and signatures.
The full title of the 21 CFR Part 11 regulation is 'Electronic Records; Electronic Signatures'. The rule took effect in 1997, and the FDA's August 2003 guidance on its scope and application describes how it is enforced today.
FDA 21 CFR Part 11 was established to ensure the reliability, authenticity and integrity of e-records and e-signatures, and was introduced to address the rising use of electronic systems (in place of traditional paper-based systems) for documenting and maintaining records related to Good Manufacturing Practice (GMP) and other regulated quality management activity.
Basics of 21 CFR Part 11
21 CFR Part 11 compliance hinges on some fundamental basics.
Compliance is crucial for companies in regulated GxP industries to maintain data integrity, and therefore to ensure the safety, efficacy and quality of their manufactured products.
21 CFR Part 11 has a big role to play, for instance, in clinical trials, in supply chain integrity, and in medical device manufacture.
21 CFR Part 11 compliance basics include:
- Secure, well-managed streams of information with access control and retrieval
- Properly controlled documents with a high level of integrity and protection
- Traceability of record histories and iterations
- Legally binding e-signatures for significant activity, such as completing training or approving a quality management action
- Validation of electronic systems that your business uses
Importance of 21 CFR Part 11
21 CFR Part 11 is a critical regulation to comply with if your business:
- Operates in, or markets regulated products into, the United States
- Provides a regulated product or service, such as in life science
- Uses electronic and digital systems as part of your operation
Because regulated products are manufactured as part of a quality management system underpinned by records and data, the integrity of those records and the processes and decisions dependent upon them needs to be airtight.
And because more and more regulated companies are turning to digital tools to accelerate and strengthen their work, the electronic records and signatures flowing through these new systems need to be similarly managed and controlled.
It's for this reason that 21 CFR Part 11 compliance is mandatory for FDA-regulated companies that keep required records electronically.
Unsurprisingly, Part 11 has a number of counterpart regulations worldwide with similar electronic record control objectives, such as the EU's Annex 11.
21 CFR Part 11 noncompliance
Like any mandatory FDA regulation, failure to comply with the requirements of 21 CFR Part 11 can have negative consequences for your business.
If an FDA investigator finds a Part 11 infraction during an inspection, you'll receive a Form 483 inspectional observation outlining the problem.
Failure to correct the observation can bring a warning letter, and persistent non-compliance can escalate to product recalls, consent decrees, or the shutdown of your operation.
21 CFR Part 11 compliance checklist
With our printable 21 CFR Part 11 compliance checklist, you can identify current areas of risk and adhere to key components of electronic record and signature compliance.
Part 1: Validation
Any electronic system that affects product quality or record integrity must be validated, and that validation must be documented to show the system does what it is intended to do.
For any electronic compliance technology you’re using, you want to check off the following steps:
- Is the system validated?
- Is it possible to discern invalid or altered records?
- Are the records readily retrievable throughout their retention period?
- Is system access limited to authorized individuals?
- If the sequence of system steps or events is important, is this enforced by the system (process control system)?
- Does the system ensure that only authorized individuals can use it, electronically sign records, alter a record, or perform other operations?
- If the system requires that input data or instructions come only from certain input devices (e.g. terminals), does the system check the validity of the source of any data or instructions received? (Note: This applies where data or instructions can come from more than one device, such as a network of weigh scales or remote radio-controlled terminals, so the system must verify the integrity of the source.)
- Is there documented training, including on the job training for system users, developers, IT support staff?
- Is there a written policy that makes individuals fully accountable and responsible for actions initiated under their electronic signatures?
- Is the distribution of, access to, and use of systems operation and maintenance documentation controlled?
- For open systems (21 CFR 11.30), is data encrypted in transit and at rest?
- For open systems, are digital signatures used to protect the authenticity and integrity of records?
Technology that passes all of these criteria will be the foundation of your 21 CFR Part 11 Compliance and will ensure that documents are secure and authentic.
Part 2: Audit trails
Using electronic compliance technology, however, does not by itself keep you out of trouble during an inspection. You need to establish clear audit trails within these systems: a secure, time-stamped series of records that demonstrates you are following FDA regulations and guidelines.
Under the regulation, these trails document who did what to a record and when, so that your quality management and product development processes can withstand inspection.
We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. - FDA.gov
To ensure that you’re creating an acceptable audit trail entry, check off:
- Is there a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records?
- Upon making a change to an electronic record, is previously recorded information still available (i.e. not obscured by the change)?
- Is an electronic records audit trail retrievable throughout the record’s retention period?
- Is the audit trail available for review and copying by the FDA?
- Does the audit trail include the user ID, the sequence of events, the original and new values (with modified or deleted records retained rather than overwritten), a change log, and revision and change controls?
- Do signed electronic records contain:
  - The printed name of the signer
  - The date and time of signing
  - The meaning of the signing (such as approval, review, etc.)
- Is the above information shown on displayed and printed copies of the electronic record?
- Are signatures linked to their respective electronic records to ensure that they cannot be cut, copied, or otherwise transferred by ordinary means for the purpose of falsification?
- Is there a formal change control procedure for system documentation that maintains a time-sequenced audit trail of the changes made by your organization?
- Are electronic signatures unique to an individual?
- Are electronic signatures ever reused by or reassigned to anyone else?
- Is the identity of an individual verified before an electronic signature is allocated?
- Is each non-biometric signature made up of at least two distinct components, such as an identification code and password, or an ID card and password?
- Has it been shown that biometric electronic signatures can be used only by their genuine owner?
- When several signings are made during a continuous session, is the password executed at each signing? (Note: Both components must be executed at the first signing of a session.)
- If signings are not done in a continuous session, are both components of the electronic signature executed with each signing?
- Are non-biometric signatures only used by their genuine owners?
- Would an attempt to falsify an electronic signature require the collaboration of at least two individuals?
A complete, compliant audit trail entry is critical and will protect you from potential penalties.
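The audit trail and signature questions above describe two properties a system has to deliver: old entries cannot be altered or removed without that being detectable, and a signature manifestation (name, time, meaning) is bound to one specific record so it cannot be cut and pasted onto another. The following is an added example, written for this guide and not taken from any eQMS product, of how both are typically implemented: a hash-chained append-only trail, and an HMAC that covers the record content together with the manifestation. The key handling, record layout and field names are assumptions for illustration only.

```python
"""Added example: tamper-evident audit trail and record-bound e-signatures.

Not from the original article or any vendor product. The HMAC key, the record
model and the field names are assumptions chosen for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: one system-held secret. In production this lives in an HSM or
# secrets manager, never in the same database as the records it protects.
SYSTEM_KEY = b"example-only-system-key"


def canonical(obj) -> bytes:
    """Deterministic JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class AuditTrail:
    """Append-only, hash-chained log. Every entry commits to the hash of the
    previous one, so editing or deleting any earlier entry breaks verification
    of everything that follows it."""

    def __init__(self, clock=now_utc):
        self.entries = []
        self._clock = clock  # injectable for deterministic tests

    def log(self, user_id, action, record_id, old_value, new_value):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": self._clock(),      # computer-generated, not user-supplied
            "user_id": user_id,
            "action": action,                # create / modify / delete / sign
            "record_id": record_id,
            "old_value": old_value,          # previous value is kept, not obscured
            "new_value": new_value,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False means some entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def sign_record(record, signer_name, meaning, key=SYSTEM_KEY, clock=now_utc):
    """Build the signature manifestation (printed name, date/time, meaning) and
    bind it to the exact record content. The tag covers record and manifestation
    together, so moving the signature to another record, or changing the record
    after signing, invalidates it."""
    manifestation = {"signer": signer_name, "signed_at": clock(), "meaning": meaning}
    msg = canonical({"record": record, "manifestation": manifestation})
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {**manifestation, "tag": tag}


def verify_signature(record, signature, key=SYSTEM_KEY) -> bool:
    manifestation = {k: signature[k] for k in ("signer", "signed_at", "meaning")}
    msg = canonical({"record": record, "manifestation": manifestation})
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["tag"])


if __name__ == "__main__":
    trail = AuditTrail()
    trail.log("jsmith", "create", "SOP-001", None, {"title": "Cleaning", "rev": 1})
    trail.log("jsmith", "modify", "SOP-001", {"rev": 1}, {"rev": 2})
    print("trail intact:", trail.verify())
    trail.entries[0]["user_id"] = "someone-else"   # simulated tampering
    print("trail intact after edit:", trail.verify())
```

The signature is a keyed MAC rather than a public-key signature, which is enough for a closed system where the application itself is the trusted party; for an open system (11.30) the same binding would be done with a digital signature whose verification key the recipient can check independently.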
Part 3: Copies of records
In addition to creating an audit trail, you must also ensure that your electronic compliance technology can produce copies of your records. The FDA requires that these copies be readily available to an FDA investigator.
You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules. - FDA.gov
To ensure that your system can provide the copies of records necessary to remain compliant, you want to check off the following boxes:
- Is the system capable of producing accurate and complete copies of electronic records on paper?
- Is the system capable of producing accurate and complete copies of records in electronic form for inspection, review, and copying by the FDA?
- Is the system using established automated conversion or export methods (PDF, XML, or SGML)?
Your technology should automate and archive these records, making them traceable and accessible to regulators.
Part 4: Record retention
Another critical aspect of achieving 21 CFR Part 11 compliance is securely retaining original records and their signatures for as long as required. According to the FDA, how you retain them should be based on the applicable predicate rule requirements.
“We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time.” - FDA.gov
While the FDA does not require that these records be kept electronically, it does require that the "records should preserve their content and meaning" for the full retention period. For electronic records, that means file formats, audit trails and signature manifestations must stay readable even as systems are upgraded or replaced.
You also want to protect access to your retained records, with procedures and controls such as the following:
- Are controls in place to maintain the uniqueness of each combined identification code and password, such that no two individuals can have the same combination?
- Are procedures in place to ensure that the validity of identification codes is periodically checked?
- Do passwords periodically expire and need to be revised?
- Is there a procedure for recalling identification codes and passwords if a person leaves or is transferred?
- Is there a procedure for electronically disabling an identification code or password if it is potentially compromised or lost?
- Is there a procedure for detecting attempts at unauthorized use and for informing security?
- Is there a procedure for reporting repeated or serious attempts at unauthorized use to management?
- Is there a loss management procedure to be followed if a device is lost or stolen?
- Is there a procedure for electronically disabling a device if it is lost, stolen, or potentially compromised?
- Are there controls over the issuance of temporary and permanent replacements?
- Is there initial and periodic testing of tokens and cards?
- Does this testing check that there have been no unauthorized alterations?
Another component to securely saving and storing documents is limiting system access, which shows the FDA you know which users are accessing your database.
Maintaining 21 CFR Part 11 compliance
Of course, it's not enough to just work to your 21 CFR Part 11 compliance requirements then forget about them.
21 CFR Part 11 compliance demands constant, robust control of electronic records and signatures, and that means a long-term management strategy.
Role of audits
Internal audits are the best way to keep on top of your 21 CFR Part 11 compliance and pinpoint gaps and weaknesses in your digital data flows.
Use our Part 11 checklist to structure and standardize your audit focus, and ensure you dedicate specifically allotted time to checking up on your document management system.
21 CFR Part 11 compliance software
Generic collaboration tools like SharePoint and Dropbox folders are a common port of call for regulated companies just starting to digitize their records and data.
But they lack the built-in 21 CFR Part 11 controls of dedicated quality management tools. Core requirements like version control, audit trails and change histories are often conspicuously absent, placing a major blocker in the way of effective compliance.
Vendors of generic document tools also don't supply the validation documentation a Part 11 system needs, which leaves the full validation effort in your lap.
And other key 21 CFR Part 11 elements like compliant e-signatures are often missing, forcing investment in supplementary add-on tools and, as a result, extra validation work for each one.
Dedicated 21 CFR Part 11 compliance software solves this problem.
Purpose-built quality management software systems usually include document management functionality by default, with configurable libraries underpinned by 21 CFR Part 11 compliance guardrails like version control, e-signatures, password protection, and so on.
Updating procedures and policies as regulations evolve
Part 11 took effect in 1997, and the FDA's guidance on its scope and application dates from August 2003.
As the digitization of regulated industries deepens and widens, we can expect 21 CFR Part 11 compliance expectations to shift and evolve in the future. It's imperative that your electronic document management system has sufficient flexibility to tweak your policies and procedures.
On top of that, keep a close eye on other adjacent computer system regulatory publications like:
- GAMP 5 (2nd Edition)
- Enabling Innovation Good Practice Guide
- FDA Computer Software Assurance for Production and Quality System Software guidelines
These guidelines are valuable indicators of the most efficient and modern ways to get a Part 11-compliant operation in place, then supplement it with the latest best practice.
Our complete guide to computer system compliance is a great place to start your research.
Keeping abreast of best practice and making incremental adjustments is the best way to make long-term 21 CFR Part 11 compliance a natural and automatic part of how your business works.