How to comply with FDA 21 CFR Part 11
An organization can meet the compliance requirements of FDA 21 CFR Part 11 in multiple ways. For example:
- Using a non-electronic paper-based approach
- Using a Quality Management System software with compliant document management features
- Using a Document Management System designed for use across industries
- Using a Document Management System designed specifically for Part 11 compliance
Using good electronic quality management software (eQMS) with robust document management capabilities is the most common way to meet the stringent 21 CFR Part 11 requirements that the FDA imposes on organizations in the pharmaceutical, biologics, and life sciences industries.
In this post, we will examine the 21 CFR Part 11 compliance requirements, and the recommended best features for compliant eQMS software.
21 CFR Part 11 Compliance and eQMS Software Best Features
Currently there are no software products on the market that are designed exclusively for 21 CFR Part 11 compliance. Compliance for signatures and records is most commonly achieved by using eQMS software.
Organizations would also need to consider management, collaboration, productivity and agility in their chosen software solution.
FDA or European Medicines Agency compliance requires organizations to validate the software solution they use for quality management or document control. The software has to be compliant with 21 CFR Part 11 and other regulations such as:
- 21 CFR 210-211
- 21 CFR 600
- 21 CFR 820
- 21 CFR 1271
The FDA doesn’t provide specific instructions on how to perform validation; beyond general guidelines, it recommends a “least burdensome approach”.
Most organizations choose to perform a series of three documented tests:
- Installation Qualification (IQ)
- Operation Qualification (OQ)
- Performance Qualification (PQ)
Organizations also often integrate validation into their change control process. This ensures that the software stays validated after an upgrade or other significant system change.
Validation can become complicated if legacy systems, existing third-party systems, or customized software are used together with the eQMS. New issues can occur during upgrades or security patches.
Software vendors often charge extra support and consulting fees for each new validation process.
Therefore, before deciding on a system, it’s recommended to review each vendor’s approach to software validation at installation, during operation, and its methods for revalidation as part of the change control process.
Cloud FDA compliance software vendors can often offer simple revalidation packages for their systems as a client service.
The software vendor also has to be prepared for any future changes and updates regarding compliance from FDA, such as the recent update to industry guidance for software validation.
Robust Document Control Features
21 CFR Part 11-compliant software needs to efficiently manage electronic records and signatures, including revision tracking and audit trails. The software should include both technical and collaboration features to meet the requirements and help the organization work together more effectively.
The eQMS should be able to completely manage the organization’s electronic records. This includes any document revisions and approvals, adding trustworthy date and time stamps to them. These records should be archived per company policy, and not automatically removed or deleted from the system.
The software needs to provide a comprehensive audit trail of all possible document actions, including how the system users or groups of users have interacted with the documents, and provide document workflows.
The FDA requirements for electronic signatures also mean that the software must ask every user to enter their credentials for each document that requires a legally binding signature, to ensure the integrity of the user’s signature.
Good, compliant document control software helps organizations work more effectively by improving team communication about documents. This should include, for example, automated notifications and reminders for document authors and contributors, and the ability to leave in-line comments during document revisions. Cloud-based software makes it possible for a team to collaborate globally and efficiently.
While meeting FDA requirements for electronic records and signatures, the document control features shouldn’t add extra complexity to the organization’s workflow. Ideally, the software should make global collaboration possible with trustworthy, compliant electronic documents in a streamlined workflow.
Authenticated Electronic Records
According to Section 11.200 in Subpart C of 21 CFR Part 11, authentication of electronic records and signatures requires that the software “must employ at least two distinct identification components such as an identification code and password”.
This means that if the trustworthiness and authenticity of stored records or signatures has to be verified, the organization needs to prove a user’s unique identity.
To be compliant, it’s not enough to just provide a form with name and date. Multi-factor authentication (MFA) is an essential software feature requirement for FDA 21 CFR Part 11 compliance, and for the security of sensitive data.
There are several possible ways to provide MFA user authentication, which are typically the following:
- Type 1 – “Something You Know” – requiring passwords, PINs, secret questions
- Type 2 – “Something You Have” – sending a code to a mobile phone (SMS)
- Type 3 – “Something You Are” – requiring biometric validation, via fingerprints or retinas
Compliant software should at least require users to enter their password and/or personal PIN before applying an electronic signature. Depending on the organization’s requirements, it might be necessary to increase security by using a multi-factor authentication (MFA) model that includes mobile phone texting, or by validating the user’s device.
The software vendor should provide information regarding how they verify a user’s identity to ensure the trustworthiness of the electronic signatures, and how this information is reflected in the full audit trail.
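The signing flow described above, as an added example that is not from the post or from any vendor it names: the signer re-enters two identification components (user ID and password) at signing time, the signature is bound to the document's hash, and every attempt, successful or not, lands in a hash-chained audit trail. The user directory is constructed for the example; the signature "meaning" field follows §11.50 of Part 11, which the post does not quote.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Optional

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user directory; passwords are stored only as salted PBKDF2 hashes.
_SALT = os.urandom(16)
USERS = {"jdoe": {"name": "Jane Doe", "salt": _SALT, "pw": _hash_pw("correct horse", _SALT)}}

AUDIT_TRAIL = []  # append-only: each entry embeds the hash of the previous entry

def _append_audit(event: dict) -> dict:
    prev = AUDIT_TRAIL[-1]["entry_hash"] if AUDIT_TRAIL else "0" * 64
    event = dict(event, prev_hash=prev, ts=datetime.now(timezone.utc).isoformat())
    event["entry_hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
    AUDIT_TRAIL.append(event)
    return event

def sign_document(user_id: str, password: str, doc_bytes: bytes, meaning: str) -> Optional[dict]:
    """Apply an electronic signature. Two identification components (user id and
    password) are re-entered at signing time, and the signature is bound to the
    document's hash so it cannot be copied onto a different record."""
    user = USERS.get(user_id)
    ok = user is not None and hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw"])
    doc_hash = hashlib.sha256(doc_bytes).hexdigest()
    if not ok:
        # Failed attempts are recorded too: they are part of the audit trail.
        _append_audit({"action": "signature_failed", "user_id": user_id, "doc_hash": doc_hash})
        return None
    # Signature manifestation: printed name, timestamp (added by _append_audit) and meaning.
    return _append_audit({"action": "signed", "user_id": user_id, "printed_name": user["name"],
                          "meaning": meaning, "doc_hash": doc_hash})

def verify_audit_trail() -> bool:
    """Recompute the hash chain; an edited or removed intermediate entry breaks it."""
    prev = "0" * 64
    for entry in AUDIT_TRAIL:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or digest != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

In a real system the trail would be written to storage the application cannot rewrite, and the chain check would run as part of periodic review.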
Strong Password Requirements
21 CFR Part 11 requires organizations to establish “access control” to the closed systems and create an audit trail, although FDA provides little guidance on the specifics.
Each user account which can access the system must be given a unique username and password combination. Per FDA guidance, organizations need to maintain proper access control by creating username/password combinations which will limit a user’s data access and capabilities based on their assigned roles.
However, as of now there are no requirements for using software which enforces strong passwords or periodic password changes.
For increased data security the organization should still use a good password policy (strong passwords and expiration, for example) since, according to the Verizon DBIR, in recent years 80 percent of information security incidents involving data loss involved the use of weak or stolen passwords.
Weak passwords also present internal security risks. Such passwords could be guessed or shared by colleagues, even without malicious intent. Coworkers might use a colleague’s account in some situations because it’s “easier” than asking the administrator to grant different permissions or change a password.
However, such practices compromise the authenticity of records and signatures and the trustworthiness of the audit trails.
Therefore, the software should include features to enforce an effective password policy, such as:
- Unique passwords
- Password encryption
- Lock out user accounts automatically, when an incorrect password is entered repeatedly
- Enforced password complexity, requiring a combination of letters, numbers, and special characters
- Password expiration, requiring a new password every 30-90 days
- Security questions
Implementations with weak security policies regarding user passwords, such as emailing lost passwords directly to the user instead of enforcing a password change, must be avoided.
It can be complicated to comply with 21 CFR Part 11 and other FDA cGMP requirements, but the software shouldn’t feel cumbersome or otherwise add weight to the company’s quality management processes and workflows.
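The password policy items listed above, as an added example that is not from the post: a complexity check that reports every rule a candidate password violates, plus a login routine that locks the account after repeated failures and flags a correct but expired password so the user is forced to change it rather than being emailed the old one. The thresholds (12 characters, 5 attempts, 90 days) are assumptions chosen for the example; passwords are stored as salted PBKDF2 hashes rather than "encrypted".

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12                         # assumed policy values for the example
MAX_FAILED_ATTEMPTS = 5                 # lock the account after repeated wrong passwords
PASSWORD_MAX_AGE = timedelta(days=90)   # upper end of the 30-90 day range in the post

def check_complexity(password: str, username: str) -> list:
    """Return the list of policy rules the candidate password violates (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^\w\s]", password):
        problems.append("needs a special character")
    if username.lower() in password.lower():
        problems.append("must not contain the username")
    return problems

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    def __init__(self, username: str, password: str, changed_at: datetime):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash_pw(password, self.salt)   # only the salted hash is kept
        self.changed_at = changed_at                    # when the password was last set
        self.failed_attempts = 0
        self.locked = False

def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Outcomes: 'locked', 'bad_password', 'expired' (correct but must be changed), 'ok'."""
    if acct.locked:
        return "locked"            # stays locked until an administrator resets it
    if not hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0       # a successful login resets the counter
    if now - acct.changed_at > PASSWORD_MAX_AGE:
        return "expired"
    return "ok"
```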
Instead, the compliance should stay in the background of an otherwise user-friendly product for collaboration and great quality management. A simple, useful product should help the organization to adapt to new cGMP rules and exceed requirements.
The “simplicity” in the used software can vary significantly depending on the given organization. For example, a product which is usefully “simple” for a startup company could be far too lightweight for an enterprise which has a vast catalog of approved products for the market.
There are some general signs that a software product is “simple” such as:
- Provides comprehensive features for total quality management and for FDA compliance
- Offers linked processes for end-to-end process visibility
- Has a simple, closed-loop reporting feature for continuous improvement
- Offers built-in validation and revalidation packages
- Provides customized workflows and features to efficiently streamline quality management processes
- Offers intuitive, user-friendly experience on desktop and mobile platforms
To comply with FDA 21 CFR Part 11, the organization should also consider the time-to-value as a component of simplicity. For example:
- How easy is the software to implement?
- How much engineering, customization and configuration is required ahead of time?
Good software should require only minimal customization, plus the configuration necessary to meet the organization’s requirements. To achieve compliance and realize the software’s benefits quickly, consider cloud software vendors that offer quick implementation and out-of-the-box value.
It is very important that the software can scale with company growth and with any new FDA requirements. This is especially true for fast-growing scale-up companies and startups in FDA-regulated industries. In such environments, the chosen system will need to scale to any new capabilities, such as CAPA and customer complaint handling.
These scalability capabilities are important for good software:
- Work sites
A software vendor should also make growth affordable for its clients by providing the capacity to scale.
One of the most important scalability components for the software is the capability to integrate easily with the existing systems, and optionally the easy transfer to a new system.
FDA 21 CFR Part 11 Compliant Software Systems
A compliant Document Management System is software that simplifies compliance with all requirements of the FDA 21 CFR Part 11 regulations for system implementation, electronic signatures and electronic record keeping.
A Document Management System (DMS) that is designed to help an organization maintain compliance with Part 11 should include all of the following features:
- Electronic Signatures
- Audit Trail
- Standard Operating Procedures (SOPs)
- Work Instructions
Below we will examine some of the compliant software systems.
MasterControl is a total quality management suite, which has broad adoption among enterprise customers, including several of the major regulatory agencies. This solution is mostly focused on helping large organizations to manage large global portfolios of their products, bring their new products to market at a greater speed, and to increase the organization’s efficiency.
User reviews show that customers are happy with the software’s linked quality processes and extensive document control capabilities. This software is better suited for larger enterprises, due to the extensive requirements for additional configuration, higher cost, and a steep learning curve that would most likely require vendor-supported training.
The TrackWise software provides an “out of the box” solution for compliance with 21 CFR Part 11, and is built on the Salesforce platform. As an extra feature, users can get access to pre-validated product releases and prebuilt workflows.
Client reviews on G2 Crowd show that customers are happy with the product’s pre-built offerings (workflows, and the software’s ability to efficiently scale existing workflows and documents to new processes). However, some users are dissatisfied with the vendor’s post-sale service and customer support.
DocStar Enterprise Content Management (ECM) is a robust solution for larger organizations, designed for complex content and document management requirements. Although DocStar offers locally installed implementations for organizations seeking a legacy solution, it mostly focuses on cloud-based deployment for organizations looking for a mobile-friendly solution with global content access from any device. DocStar’s advanced document management features include support for document versioning, multiple file types, metadata, collaboration, and form creation.
This software also requires extensive configuration and thus some user training. User reviews also show that setting up security and user management is complex and “inflexible.”
Qualio is a cloud eQMS solution designed per the latest FDA cGMP requirements. The product is compliant with FDA 21 CFR Part 11, Part 820, ISO 13485:2016 and ISO 14971 and offers compliant records and electronic signatures across automated, linked quality processes.
It is best suited for small-to-midsized life sciences organizations, where the software can help achieve total traceability, superior collaboration, and continuous improvement while exceeding compliance requirements. The product is designed with simplicity and scalability in mind, although it might still require user training. User reviews show great user support from the vendor, and a comprehensive set of features with an intuitive user experience.
eFileCabinet is a widely known and adopted solution for document management in the enterprise sector, with a global user base of more than 155,000 individuals. This vendor offers a suite of solutions for document control and collaboration: products that support the searching, sharing, and storage of “valuable and confidential” data. Built-in security features support compliance with several common regulations, including HIPAA, SEC, and FINRA.
Although eFileCabinet is not a comprehensive eQMS and not explicitly designed for FDA compliance, it includes many features which can support FDA 21 CFR Part 11 compliance. This includes audit trails, user access permissions, and “the ability to validate” the system.
The vendor provides a library of on-demand training resources and support for process automation and template creation, extensive product configuration options and easy-to-use search.
However, some user reviews report limited collaboration functionality and limited support for less common electronic document types, for example .PCB and .DXF files.
FDA 21 CFR Part 11 compliant software can simplify adoption of the requirements by providing the required documentation and validation support, and will also serve as a platform for quality-driven growth throughout the organization. In this post we have given an overview of these requirements, and examined some of the compliant software available.
By choosing a good document management software (DMS) built for FDA compliance, or a solution which integrates document control and eQMS, an organization can significantly simplify the transition to electronic document management.