21 CFR Part 11 stands for Part 11 of Title 21 of the Code of Federal Regulations. The US FDA issued this final Part 11 regulation in March 1997, which became effective in August 1997. It governs the FDA regulations for electronic signatures and electronic documents. Ever since, the regulation has been revised from time to time to encourage the electronic submission of records and minimize the cost of compliance.
Who Should Care About the 21 CFR Part 11 Regulation?
The 21 CFR Part 11 applies to all records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements outlined in US FDA regulations. Part 11 also applies to electronic records submitted to the FDA under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations (§ 11.1). The term “electronic record” also applies to the records that were not originally created electronically but were stored for future reference or were sent to the agency in electronic format by scanning. Therefore, all Life Sciences industries need to comply with the US FDA’s regulations to maintain electronic records or submit designated information electronically for product approval in the US market.
What Are the Objectives of 21 CFR Part 11?
The primary reason for the existence of the 21 CFR Part 11 compliance requirement is the security and protection of digitally managed Quality records in the Life Sciences industry and their distribution, storage, and retrieval. The FDA is particularly concerned about the following aspects related to electronic records:
- Malfunctioning in the computer systems and software
- Practices followed by the manufacturer to maintain data safety and security
- Prevent data corruption or loss
- Undisputed approval and review signatures
- Traceability of changes to data
- Prevention and/ or detection of falsified records
Additionally, 21 CFR Part 11 was intended to boost digital transformation, creating major savings for companies over paper-based filing systems to satisfy the regulator, with the goal of making them adopt paperless systems.
Why Do You Need a 21 CFR Part 11 Compliant eQMS?
One of the primary objectives of an electronic Quality management system (eQMS) is to electronically create, store, retrieve, and archive Quality records. Additionally, the process of electronically signing these Quality documents is also performed within the eQMS. Therefore, it goes without saying that your eQMS needs to be 21 CFR Part 11 compliant to sell Life Sciences products in the USA. If you are currently searching for a 21 CFR Part 11 compliant eQMS or if you are uncertain about the compliance of your current eQMS, let’s review the most important features of an ideal eQMS that is compliant with the 21 CFR Part 11 regulation.
Prominent Requirements Under 21 CFR Part 11
Now that you know why 21 CFR Part 11 is important for choosing the right eQMS solution for your organization, let's try to understand the prominent requirements under 21 CFR Part 11. Below is a quick checklist that will help you to speed up your process to find 21 CFR Part 11 compliant equal:
- Does the eQMS solution allow you to define user permissions based on their roles?
- Can you assign specific file access to a specific user role?
(For example, can you limit access to the audit trail only to the QA personnel?) - Can you assign specific folder access to a specific user role or function within your organization?
(For example, can you limit access to the QC results folder only to QC personnel?) - Can you assign permission to delete files/ folders to specific users/ functions?
(For example, can you limit delete access of files/ folders only to IT personnel?) - Can you assign permission to create files/ folders to specific users/ functions?
(For example, can you limit the access to create files/ folders only to the production supervisor?) - Can you assign permission to edit files/ folders to specific users/ functions?
(For example, can you limit edit access of files/ folders only to the production supervisor?) - Can you assign permission to review files to specific users/ functions?
(For example, can you limit access to review files/ folders only to the production head?) - Can you assign permission to approve files to specific users/ functions?
(For example, can you limit access to approve files/ folders only to the QA head?) - Does the eQMS solution allow you to create separate usernames and passwords for all employees?
- Does the eQMS solution require you to have a unique username for every user for better traceability?
- Does the eQMS solution prompt you to follow best practices for password management?
- Does the eQMS solution notify the user to maintain the confidentiality of their username and password as their username and password will be used to authorize their electronic signature?
- Does the eQMS solution capture every action a logged-in user performs in the form of an audit trail?
- Does the audit trail track user action against username, time, and date? Additionally, does the audit trail contain information on when the records were created, modified, deleted, or made obsolete?
While the above checklist comprises some of the most prominent requirements of 21 CFR Part 11 compliance, we would like to caution you that it should not be treated as the replacement of the legislation itself. Hence, we would like to strongly recommend you read the federal legislation and make your independent interpretations as well.
Tips to Comply With 21 CFR Part 11
After you are done with the checklist and have chosen a 21 CFR Part 11 compliant eQMS solution, the next challenge is to stay in compliance with 21 CFR Part 11. If you have already made it to this stage, then we got you covered too! All you need to do is follow these five simple steps:
1. Validation
Although most software service providers offer a pre-validated solution, it is your responsibility as a manufacturer to comply with 21 CFR Part 11. Hence, you should crosscheck the prominent user requirements stated above in addition to the user requirements defined by your internal team. You can do a thorough check of 21 CFR Part 11 compliance as part of the operational qualification of the software validation process. A typical software validation process contains the following steps:
-
- Installation Qualification:
Is the software installed correctly? - Operational Qualification:
Does the software comply with regulatory and user requirements? - Performance Qualification:
Does the software perform consistently and reliably?
- Installation Qualification:
2. Protection and Authenticity of Electronic Records
-
- Ensure accuracy, reliability, and consistency of records.
- Define and periodically execute processes to detect invalid or altered records.
- Ensure the accurate and complete generation of records that are suitable for inspection, review, and copying by agency.
- Enable accurate and ready retrieval of the records throughout the retention period.
- Determine and ensure that persons who develop, maintain, or use electronic record and signature systems have the education, training, and experience to perform their assigned tasks.
- Employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, confidentiality of electronic records from the point of their creation to the point of their receipt.
3. Security and Authority
-
- Limiting system access to authorized individuals.
- Enable password protection.
- Create different types of authority levels for users to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
- Ensure adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
4. Audit Trails
-
- Record the time-stamped operator entries.
- Record the actions that create, modify, or delete electronic records.
- Ensure that the record changes shall not obscure previously recorded information.
- Retain the audit trail document for a period at least as long as legally required for the subject electronic records and make them retrievable for agency review and copying.
- Create revision and change control procedures to maintain an audit trail that documents chronological development and history of modification of systems documentation.
5. Electronic Signatures
-
- Ensure that signed electronic records contain information related to the signer's printed name, the date and time when the signature was executed, and the role (such as review, approval, responsibility, or authorship) associated with the signature.
- Link the electronic signatures and handwritten signatures executed to electronic records to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
- Create and ensure adherence to written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures to deter record and signature falsification.
The above-mentioned action points cover all major pain points for complying with 21 CFR Part 11. For a more detailed analysis, we recommend you read through the actual FDA guideline. However, if you are a Scilife user, you would easily recognize that all this is already taken care of by us to make your work even easier.
Does 21 CFR Part 11 Apply to Manufacturers in the European Market?
Well, yes and no! Even though 21 CFR Part 11 does not apply to products that are meant to be sold in Europe, EU Annex 11 is applicable in such cases. And the EU Annex 11 covers all the requirements for a computerized system covered in 21 CFR Part 11. Therefore, if you are already complying with the EU Annex 11, you will easily be able to comply with 21 CFR Part 11 too, and hence you can explore the opportunity to enter the US market without much effort.
How Scilife Helps You Comply with 21 CFR Part 11
Scilife uses a system validation approach according to GAMP5 and 21 CFR Part 11, assuring full integration of software life cycle management and risk management activities to help you save a lot of hassle. The 21 CFR Part 11 guidance is the FDA’s way of formalizing and promoting paperless submissions in the form of electronic records. The paperless systems not only reduce storage space and maintenance costs but also reduce the time spent on the physical movement of documents from desk to desk to complete the approval cycle. This is especially more time-consuming in big organizations with a global presence.
Discover how Scilife Smart QMS for Pharma can help you become fully compliant with 21 CFR Part 11 in no time!