The U.S. Food and Drug Administration (FDA) is a federal agency that’s responsible forprotecting public health, and for regulating and supervising, among other things - food,drugs, medical devices, pharmaceuticals and vaccines.
Amid a plethora of its rules andregulations, there’s one that’s particularly important for organisations in the medical, lifesciences and other FDA-regulated industries operating in - or trying to operate in - the largeand powerful market that is the USA. This rule concerns the use of electronic quality recordsand digital signatures and is known as FDA 21 CFR Part 11.
So, what is 21 CFR Part 11?
Why should FDA-regulated industries pay more attention it?
Why should developerspay attention to it, and get training on it?
FDA 21 CFR Part 11 Explained
According to the FDA’s website:
“Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations.”
21 CFR Part 11 establishes the FDA’s requirements for how medical device manufacturers, pharmaceutical companies, biologics developers, and other life science organisations should handle their electronic records and electronic signatures. It also outlines how electronic records should be handled if they are a part of Electronic Quality Management Systems (eQMS) and other quality-critical applications.
21 CFR Part 11 consists of three sections:
- General Provisions: discusses the scope and key terms of the regulations
- Electronic Records: discusses the administration requirements for closed and open electronic record-keeping systems, signature manifestations, and links between signatures and records
- Electronic Signatures: discusses components and controls for electronic signatures, and controls for identification codes/passwords
It is applicable if electronic records are replacing paper records (in full or in part). It also applies to electronic records submitted to the FDA, say, under the Federal Food, Drug, and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act), or to electronic records subject to FDA inspection. If a company maintains all its master records in paper format and nowhere else, 21 CFR Part 11 does not apply to them. It also does not apply to systems older than 20th August 1997, or to systems that generate paper printouts.
The 21 CFR Part 11 was published in 1996 to address concerns about how biotechnology and pharma firms would manage the distribution, storage and retrieval of digital records. It was also intended to help these firms shift to virtualised and compliant eQMS (electronic quality management system), and thus lower their costs of maintaining legacy, paper-based filing systems to satisfy the regulator. Nonetheless, the regulation is widely misunderstood. This is why many firms resist moving to electronic systems, and continue to rely on paper documents and manual signatures, even though they know that digitisation could be beneficial for them.
Why Should Developers Care about 21 CFR Part 11?
If 21 CFR Part 11 applies to FDA-related regulated industries like pharma and biotech, should developers care about it? Yes, they should!
This is because the regulation applies to different types of electronic information, whenever it is generated, amended, stored, transferred or accessed. This list of “electronic records” includes:
- Audio files
- Text files
- Test records
- Source Code!
Developers who are releasing a product in the U.S., but have stored their documentation master copies in paper form should not assume that this rule will not apply to them. As long as any of their documents are stored in or uploaded to any computer system, these regulations will almost certainly apply to them.
In the next section, we outline the key requirements that must be considered to ensure an FDA-compliant eQMS system, while implementing a document management solution.
7 Critical Requirements of FDA 21 CFR Part 11
Developers should work with an eQMS that can effectively deal with the below regulatory requirements.
Developers must develop scripts and test routines to validate that the system is functioning as it should, conduct regular validation checks, and record validation testing results. Validating the eQMS is a good way to ensure the security of data and audit logs, and improve record-keeping integrity.
2. Audit trails
Secure, time-stamped audit trails must be automatically generated to record the date and time of operator entries and actions that create, modify, or delete electronic records. The QA function ensures that every process is traceable and has an audit history that cannot be modified or tampered with.
3. Record generation
The eQMS must be able to generate and export accurate and complete copies of records stored in the system. Records must be protected to enable ready retrieval by authorized individuals.
4. Operational Controls
Operational system checks must be in place to ensure that the eQMS can monitor and control quality procedures. This will ensure that documents meet certain requirements before they are signed off by specified/authorized personnel.
5. Security Controls
These checks ensure that only authorized personnel can e-sign records, that too by accessing a system that’s controlled by a unique login and password. Final records should be read only.
6. Digital Signatures
Part 11 maps out the requirements for compliant digital signatures. It must include the printed name of the signer, the date/time the signature was applied, and the meaning or intention of the e-signature. It must also be possible to assign the signature to a specific individual, must not be possible to falsify, and must be linked to a document in a way that it cannot be used in other documents.
Training is another important requirement that’s clearly mapped out in Part 11. In general, all system users must be trained on how to perform their assigned tasks and roles to help ensure compliance. An eQMS can help with this requirement by documenting it, and making it easier for auditors to review the operational audit trail.
Open and Closed Systems
21 CFR Part 11 specifically mentions open and closed systems, and clarifies the control requirements for each.
A closed system is controlled by the people who are responsible for the electronic records managed by this system, e.g., a build and test system that only developers can access. Otherwise it is an open system.
The requirements for open systems focus more on maintaining the authenticity, integrity, and, confidentiality of electronic records through the use of encryption and digital signature standards. For closed electronic records/electronic signature systems, the regulation specifies that the persons who develop, maintain, or use such systems must be trained to perform their assigned tasks.
Clearly, training is a critical requirement for compliance with the regulations laid out under 21 CFR Part 11.
CFR Part 11 Compliance for Developers Starts with Secure Coding Training
21 CFR Part 11 is an important regulation; non-compliance to the framework’s requirements will prove costly if a breach does occur. Therefore, any organization that falls within the scope of this regulation and produces electronic records must adhere to it without fail. A lack of adherence mainly comes down to a lack of proper knowledge. And this comes down to a lack of proper training.
Before developers comply with the many rules specified in 21 CFR Part 11, they first need to be trained on them. However, boring classroom training with an instructor droning on about digital signatures, electronic records, audit trails and system validation is not the most effective training technique. In fact, the chances of achieving compliance with such a teaching strategy are next to nil!
To ensure full and ongoing compliance, developers need hands-on training in a real-world simulated environment. When they have access to practical exercises and can see the progress of their learning in tangible form, they are better able to identify and remediate prevalent security issues that can adversely affect the firm’s compliance posture. They learn useful security skills even faster and better if they can use the same tools and technologies they use in the workplace. Finally, to cement their learning, they need individualised training that shows them how to implement essential controls, such as secure log events, authority checks, authentication, secure validation of records, and other important aspects of 21 CFR Part 11.
SecureFlag’s 100% hands-on secure coding training provides all these advantages, and much more. An on-demand learning environment, individual “learning paths”, hands-on practice and refresher exercises - SecureFlag provides everything developers need to get up-to-speed with 21 CFR Part 11. For supervisors, the training platform maintains records that can be pulled out as reports to provide evidence to auditors of compliance with 21 CFR Part 11.
For more information about SecureFlag’s industry-leading 21 CFR Part 11, contact us today.