What are the Key Factors (Essentials) for 21 CFR Part 11 Compliance?

1.  Apply Predicate Rules For Complete Compliance

Predicate rules are FDA regulations that require companies to maintain certain records and submit information (both paper and electronic sources) as part of compliance. Predicate rules are regulations such as Good Laboratory Practices (GLP), Good Clinical Practices (GCP) and Current Good Manufacturing Practices (cGMP).

FDA regulated companies and personnel working with electronic systems and records must know the predicate rules that apply to their industry in order to use Part 11.

On issues pertaining to signatures and records, 21 CFR Part 11 allows:

•       Any predicate rule that calls for a record to be satisfied with an electronic record

•       Any predicate rule that calls for a signature to be satisfied with an electronic signature

It should also be noted that predicate rules do not directly address computer or software validation.

While 21 CFR Part 11 addresses the issues of electronic signatures, records and systems validation, it is the predicate rule that details the kind of records required and the signatures needed to validate/certify them. Therefore, it is crucial for companies to improve their awareness of the predicate rules that lay the groundwork for Part 11 compliance.

2.  Enforce Strict Security Measures

Authentication, the process of verifying the identity of users, is important for controlling access to critical data assets, performing electronic transactions and preventing manipulation of electronic records.

According to the regulations, “records are less trustworthy and reliable if it is relatively easy for someone to deduce or execute by chance a person’s electronic signature where the ID is not confidential and the password is easily guessed.”

Firms should ensure that they use software with enhanced security features, such as a user ID with a strong password (preferably with two-factor authentication). This provides a high level of assurance that records are trustworthy.

Computer systems should carry features like:

•       Auto-lockout of inactive accounts

•       Automatic logouts

•       No multiple logons from dissimilar locations

•       Usernames that identify a person and are not generic

•       Unique passwords

•       Controlled and limited delete capabilities in the data transfer process

•       Operational system checks to enforce the correct sequencing of events in the software

•       A validity check for every input field

•       Logging of all user access activity

Companies should understand the need for robust security in the form of electronic signatures so as to comply with Part 11 as well as improve business processes, protect intellectual property, mitigate the risk of litigation and protect an organization from liability.

3.  Ensure Data Transfer Is Secure

The secure transfer of data is a cornerstone of Part 11 compliance. In order to ensure this, FDA regulated firms must implement the following measures in electronic systems:

•       Control and limit delete capabilities – data can be inactivated but should not be deleted. The archiving process can be deleted once the audit trails have been generated and saved elsewhere.

•       Encrypt all data transferred outside of the intranet firewall

•       Encrypt all data that is taken offsite through laptops or removable media

•       Checks in the operational systems to enforce correct sequencing of events (a three-step event should not miss out the second step, and so on) and validity of input data (dates have to be dates, numbers have to be numbers, and so on).

•       Date formats that are unambiguous – months should always be written as their first three letters, such as JAN or FEB, as this is universally understood. So the format should be DD-MMM-YYYY (e.g. 31-DEC-2012)

4.  Generate Audit Trails For All Electronic Records

Audit trails can be generated to authenticate and confirm the integrity of regulated records and signatures, which often remains the greatest challenge for FDA regulated companies. An audit trail is a series of documents or a documentation archive that allows reconstruction of the course of events and should contain:

•       Details regarding the reason for the change,

•       Name and user ID of the person making the change,

•       Date and time,

•       The original and final entry in the database.

Firms should ensure that all changes made to the electronic data (any modification, updates or deletion) and every transaction made in the system database is recorded through an audit trail.

Firms should re-establish the requirement for audit trail functionality in internal system software. Risk assessment procedures should involve reviewing the potential risks associated with traceability and data integrity of the records.
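A minimal sketch of the audit trail contents listed above, combined with the "inactivate, do not delete" and DD-MMM-YYYY points from section 3. This is an added example, not code from any regulation or vendor; `RecordStore`, `AuditEntry` and the field names are hypothetical, and timestamps are assumed to be supplied in UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")

def stamp(ts):
    """Unambiguous DD-MMM-YYYY date plus 24-hour time (ts assumed UTC)."""
    return f"{ts.day:02d}-{MONTHS[ts.month - 1]}-{ts.year} {ts:%H:%M:%S} UTC"

@dataclass(frozen=True)          # entries cannot be altered once written
class AuditEntry:
    when: str
    user_id: str
    user_name: str
    reason: str
    field_name: str
    original: object
    final: object

class RecordStore:               # hypothetical in-memory store
    def __init__(self):
        self._rows = {}          # record id -> field values
        self._trail = []         # append-only: no method edits or removes entries

    def change(self, rec_id, field_name, value, *, user_id, user_name,
               reason, now=None):
        if not reason.strip():
            raise ValueError("a reason for the change is required")
        row = self._rows.setdefault(rec_id, {"active": True})
        if not row["active"]:
            raise PermissionError("inactivated records cannot be edited")
        ts = now or datetime.now(timezone.utc)
        # Capture the original value before overwriting it with the final one.
        self._trail.append(AuditEntry(stamp(ts), user_id, user_name, reason,
                                      field_name, row.get(field_name), value))
        row[field_name] = value

    def inactivate(self, rec_id, **who):
        # "Delete" is a flag change: the data and its history both remain.
        if rec_id not in self._rows:
            raise KeyError(rec_id)
        self.change(rec_id, "active", False, **who)

    def trail(self):
        return tuple(self._trail)
```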

5.  Comply With Electronic Signature Requirements

Firms are increasingly using electronic information systems to improve efficiency of operation and for developing enhanced security policies so as to transform to a paperless environment and thereby significantly reduce costs.

Electronic signatures should uniquely identify an individual. Part 11 stipulates that controls for electronic signatures should be based on identification codes and passwords.

The regulations state that:

•       Electronic signatures cannot be modified or copied by anyone

•       Standard Operating Procedures must be implemented and followed for the issue, expiry and loss management of electronic signatures

•       Written policies must be implemented to hold users accountable for actions undertaken with their electronic signatures

•       Electronic signatures are not digital signatures

A compliant electronic signature must have the following components:

•       A public user name that uniquely identifies the user

•       A private password known only to the user

•       The meaning of the electronic signature (stating the reason for it)

•       Date and time on which the signature was executed

•       The object that is signed should display the printed name, date, time and meaning of the signature

•       The signed object should be permanently locked to prevent future editing or modification

•       The electronic signature must be permanently linked to the signed object
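The components listed above can be sketched as a data structure, shown here as an added example that is not taken from the regulation or any product. `SigningSystem` and its method names are hypothetical, and linking the signature to the object through a SHA-256 digest of the content is an assumption about one way to make the link checkable (it is a hash link, not a digital signature).

```python
import hashlib, hmac, os
from datetime import datetime, timezone

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _digest(content):
    return hashlib.sha256(content.encode()).hexdigest()

class SigningSystem:                      # hypothetical in-memory model
    def __init__(self):
        self._users = {}   # user name -> (printed name, salt, password hash)
        self._docs = {}    # doc id -> {"content", "locked", "signatures"}

    def enroll(self, username, printed_name, password):
        if username in self._users:
            raise ValueError("user names must be unique")
        salt = os.urandom(16)
        self._users[username] = (printed_name, salt, _pw_hash(password, salt))

    def put(self, doc_id, content):
        doc = self._docs.setdefault(doc_id, {"locked": False, "signatures": []})
        if doc["locked"]:
            raise PermissionError("signed objects are locked against editing")
        doc["content"] = content

    def sign(self, doc_id, username, password, meaning, now=None):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(
                user[2], _pw_hash(password, user[1])):
            raise PermissionError("authentication failed")
        if not meaning.strip():
            raise ValueError("the meaning of the signature is required")
        doc = self._docs[doc_id]
        ts = now or datetime.now(timezone.utc)   # assumed UTC
        sig = {"user": username, "printed_name": user[0], "meaning": meaning,
               "signed_at": ts.strftime("%d-%b-%Y %H:%M:%S UTC").upper(),
               "content_sha256": _digest(doc["content"])}  # link to the object
        doc["signatures"].append(sig)
        doc["locked"] = True                     # no edits after signing
        return sig

    def verify_link(self, doc_id):
        # False if the content no longer matches what was signed.
        doc = self._docs[doc_id]
        return all(s["content_sha256"] == _digest(doc["content"])
                   for s in doc["signatures"])
```

Because the digest covers the content, a signature entry copied onto a different object fails `verify_link`.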

6.  Validate Electronic Systems

Computer systems are subject to validation requirements and all software used for storing clinical data must be validated in order to stay in compliance with 21 CFR Part 11. Firms must demonstrate that software used in systems meets company requirements for each purpose served by the software.

Firms should ensure that:

•       There is continuous maintenance and scheduled internal reviews of computer systems as a part of the ongoing quality management system

•       Required documentation should be maintained for all validation that is carried out for electronic systems

•       Validation of individual utilities, equipment and instruments should also be completed

•       Validation of software is a regular part of the maintenance of electronic systems, especially in the case of version updates and re-installation and so on.

The electronic system must be validated from the perspective of the developer. When validated from the user perspective, it should be done so as to ensure accuracy, reliability and performance.
