29 Jan The 21 CFR Part 11 Compliance Checklist for Digital Applications
Are digital applications better than paper-based systems? Without a doubt, yes. Applications replace large cabinets of paper storage with a small computer. They not only save space and paper but also offer quick data or document search with easy updates. But there is one component where paper-based systems are better than applications and that is maintaining signatures. Physical signatures cannot be easily replicated. As a software developer, I have successfully developed complex dynamic forms with nested search queries, but it makes me ponder how can I validate a digital record or a signature that would make my developed system as reliable as a paper-based document management system?
The FDA’s regulation 21 CFR Part 11 outlines the requirements for electronic signatures and records. Through this regulation, the FDA provides a detailed list of rules or factors that can be utilized to prove a digital application is equivalent to a paper-based system, in terms of record security. This regulation is especially important to an enterprise Quality Management System, or an eQMS, which is a planned and structured repository of quality documents.
One of the most significant technologies is the Digital signature, which is an electronic signature, that may be composed of a unique username and password. This signature might also be encrypted using additional parameters, but the system should not allow copying, transferring, reusing, or re-assigning the same signature to others, indicating the electronic signature is always unique and validated.1
Considering electronic records, the regulation requires document access to only authorized users. Additionally, the recommendations from FDA include encryption for critical data, validity checks for external data sources, documentation of employee training over electronic records, workflow-based enforcement of sequential processing steps, and most importantly, the overall system validation from a design and functionality perspective.2
In software development, logging is generally encouraged, as it promotes code maintenance and readability which brings us to the next point of discussion, Audit Trail. “Audit Trail” is defined as the digital logging of every activity a user performs. Ideally, it should contain user ID or employee name, timestamp, and the activity performed by the user which may be record creation, modification, approval, or deletion. Additionally, the system should feature exporting data to distinct formats such as PDF or Excel and support data searching, copying, plus file printing activities.3
One of the concluding discussion points of 21 CFR part 11 is password-based security. It is recommended that the system should not only trigger notifications but also enforce password changing activity periodically (every 3-6 months) on all users. Also, every user should have the ability to easily retrieve lost passwords using the reset password functionality. Moreover, the application should continuously monitor the number of times a user logs in. If it is detected that users have accessed their account multiple times with invalid credentials, the application should invoke a temporary account lock and later allow unlocking only through an authorized system admin. Indeed, Audit Trails should also record every login and password reset activity as it helps provide admins security-related data such as which employee credentials have been stolen or compromised. 2
To wrap up, make sure you follow the 21 CFR Part 11 regulation while developing or hosting an eQMS or utilizing any digital records in your QMS. Validation is a significant part of compliance which includes documenting the software design, architecture, unit code testing, and code inspections. Indeed, system validation also helps manufacturers identify risks and mitigate them before hosting the app in the market. If you need help ensuring your QMS is compliant with 21 CFR Part 11, EMMA International is here to help. Our quality, regulatory, and software experts can guide you not only through the 21 CFR Part 11 compliance process but also ensure your application is compliant with all other applicable FDA regulations. Contact us at 248-987-4497 or firstname.lastname@example.org for additional information.
1FDA (April 2020). CFR – Code of Federal Regulations Title 21. Retrieved on January 27th, 2021 from https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1.
2FDA (August 2018). Part 11, Electronic Records; Electronic Signatures – Scope and Application. Retrieved on January 27th, 2021 from https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application.
3Legal Information Institute. 21 CFR § 11.3 – Definitions. Retrieved on January 27th, 2021 from https://www.law.cornell.edu/cfr/text/21/11.3.