For life sciences companies, 21 CFR Part 11 compliance has always been a challenge. It requires irrefutable evidence that your organization is following FDA regulations. When these records were on paper, this was often a tedious process for companies. Thankfully, the FDA allows digital signatures and documentation that streamlines the compliance process.
However, even with the use of a Quality Management System (QMS) software, compliance for digital signatures and documentation for FDA 21 CFR Part 11 can still be complicated. You need to dot your i's and cross your t's while keeping your documents safe and secure. Your entire team needs to understand how to treat documents and signatures.
That’s why we recommend using a 21 CFR Part 11 compliance checklist to improve your processes. With our checklist, you can ensure that you’ve got the right systems and steps in place to maintain compliance.
Our Printable 21 CFR Part 11 Compliance Checklist
With our printable 21 CFR Part 11 Compliance Checklist, you can identify current areas of risk and adhere to key components of compliance.
Part 1: Validation
Validation systems will all have an impact on the quality of a product, so they need to follow specific regulations.
For any electronic compliance technology you’re using, you want to check off the following steps:
- Is the system validated?
- Is it possible to discern invalid or altered records?
- Are the records readily retrievable throughout their retention period?
- Is system access limited to authorized individuals?
- If the sequence of system steps or events is important, is this enforced by the system (process control system)?
- Does the system ensure that only authorized individuals can use it, electronically sign records, alter a record, or perform other operations?
- If it is a requirement of the system that input data or instructions can only come from certain input devices (e.g. terminals) does the system check the validity of the source of any data instructions received? (Note: This applies where data or instructions can come from more than one device, and therefore the system must verify the integrity of its source, such as a network of weight scales, or remote, radio controlled terminals).
- Is there documented training, including on the job training for system users, developers, IT support staff?
- Is there a written policy that makes individuals fully accountable and responsible for actions initiated under their electronic signatures?
- Is the distribution of, access to, and use of systems operation and maintenance documentation controlled?
- Is data encrypted?
- Are digital signatures used?
Technology that passes all of these criteria will be the foundation of your 21 CFR Part 11 Compliance and will ensure that documents are secure and authentic.
Part 2. An Audit Trail For Every Document
Using electronic compliance technology, however, does not ensure that you’re safe from audits and potential compliance issues. You need to establish clear audit trails within these systems or a series of records that demonstrate you are following FDA regulations and guidelines.
According to FDA regulations, these trails will provide specifics to document your quality management and product development processes to protect from potential audits.
We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. - FDA.gov
To ensure that you’re creating an acceptable audit trail entry, check off:
- Is there a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records?
- Upon making a change to an electronic record, is previously recorded information still available (i.e. not obscured by the change)?
- Is an electronic records audit trail retrievable throughout the record’s retention period?
- Is the audit trail available for review and copying by the FDA?
- Does the audit trail include the User ID, sequence of events (in particular scenarios or instances), original and new values (Backups of any modified or deleted records), a change log, and revision and change controls?
- Do signed electronic records contain:
- The printed name of the signer
- The date and time of signing
- The meaning of the signing (such as approval, review, etc.)
- Is the above information shown on displayed and printed copies of the electronic record?
- Are signatures linked to their respective electronic records to ensure that they cannot be cut, copied, or otherwise transferred by ordinary means for the purpose of falsification?
- Is there a formal change control procedure for system documentation that maintains a time-sequenced audit trail for those changes made by the pharmaceutical organization?
- Are electronic signatures unique to an individual?
- Are electronic signatures ever reused by or reassigned to anyone else?
- Is the identity of an individual verified before an electronic signature is allocated?
- Is the signature made up of at least two components, such as an identification code and password, or an id card and password?
- Has it been shown that biometric electronic signatures can be used only by their genuine owner?
- When several signings are made during a continuous session, is the password executed at each signing? (Note: Both components must be executed at the first signing of a session.)
- If signings are not done in a continuous session, are both components of the electronic signature executed with each signing?
- Are non-biometric signatures only used by their genuine owners?
- Would an attempt to falsify an electronic signature require the collaboration of at least two individuals?
A complete, compliant audit trail entry is critical and will protect you from potential penalties.
Part 3. Copies of Records
In addition to creating an audit trail, you also must ensure that your electronic compliance technology will provide copies of your records. The FDA requires that these copies are easily accessible to one of their representatives.
You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules. - FDA.gov
To ensure that your system can provide the copies of records necessary to remain compliant, you want to check off the following boxes:
- Is the system capable of producing accurate and complete copies of electronic records on paper?
- Is the system capable of producing accurate and complete copies of records in electronic form for inspection, review, and copying by the FDA?
- Is the system using established automated conversion or export methods (PDF, XML, or SGML)?
Your technology should automate and archive these records, making them traceable and accessible to regulators.
Part 4. Record Retention
Another critical aspect of achieving 21 CFR Part 11 compliance is securely storing old and original records and signatures. According to the FDA, you should base these records on predicate rule requirements.
“We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time.” - FDA.gov
While the FDA does not require these records to be electronic, they require that the “records should preserve their content and meaning,” which is difficult to do with paper records.
You also want to ensure the security of your records, with procedures and systems such as:
- Are controls in place to maintain the uniqueness of each combined identification code and password, such that no individual can have the same combination of identification code and password?
- Are procedures in place to ensure that the validity of identification codes is periodically checked?
- Do passwords periodically expire and need to be revised?
- Is there a procedure for recalling identification codes and passwords if a person leaves or is transferred?
- Is there a procedure for electronically disabling an identification code or password if it is potentially compromised or lost?
- Is there a procedure for detecting attempts at unauthorized use and for informing security?
- Is there a procedure for reporting repeated or serious attempts at unauthorized use to management?
- Is there a loss management procedure to be followed if a device is lost or stolen?
- Is there a procedure for electronically disabling a device if it is lost, stolen, or potentially compromised?
- Are there controls over the issuance of temporary and permanent replacements?
- Is there initial and periodic testing of tokens and cards?
- Does this testing check that there have been no unauthorized alterations?
Another component to securely saving and storing documents is limiting system access, which shows the FDA you know which users are accessing your database.
Going Beyond 21 CFR Part 11 Compliance
To comply with FDA standards, it’s critical for life science companies to go beyond 21 CFR Part 11 compliance. However, compliance is only the minimum threshold you should cross. If you want to move to the top of your market, you need to have the right technology and systems. It’s a team effort and all about having a quality-driven culture.
You can move toward a quality-driven culture at your organization using our quality score, which will let you know how you’re currently performing. The quality score will help you identify gaps and provide a summary of steps to increase compliance and improve the lives of your end user.