Pharmaceutical companies, medical device manufacturers, labs, and other life sciences organizations need to be 21 CFR Part 11 compliant. The right maintenance software can help.
Achieving FDA Title 21 CFR Part 11 Compliance with CMMS Software in Life Sciences Industries
Industries regulated by the U.S. Food and Drug Administration (FDA) must follow a strict set of standards intended to protect consumers’ health and safety by achieving FDA Title 21 CFR Part 11 compliance. FDA Title 21 CFR Part 11 is an important policy that outlines the requirements for electronic recordkeeping for organizations in the life science industry that do business in the United States. Because of the complexities and nuances of the policy, manufacturers may think they are achieving 21 CFR Part 11 regulatory compliance but find out during an audit that they are not.
The following guide explains the requirements life science maintenance teams must follow to obtain 21 CFR Part 11 compliance, and how they can achieve compliance by leveraging computerized maintenance management system (CMMS) software. Organizations manufacturing pharmaceuticals, medical devices, lab equipment, and more must be able to prove their compliance with 21 CFR Part 11.
What is 21 CFR Part 11 Compliance?
21 Code of Federal Regulations (CFR) is the policy governing manufacturing standards for organizations whose products are regulated by the FDA. Part 11 of the regulation, released in 1997, specifically establishes the criteria for ensuring that electronic records are as reliable and trustworthy as paper records. 21 CFR Part 11 requires regulated businesses to make sure electronic records and signatures are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper” (CFR Part 11.1 (a)).
Even research sites and sponsors must comply with 21 CFR Part 11 rules if they maintain, sign, and/or submit FDA documents digitally.
21 CFR Part 11 compliance is the state of being officially recognized as compliant by the FDA. Businesses can use their organizational systems, controls, and processes in combination with software to optimize their compliance – for example, implementing a system by which employees are required to record their maintenance work digitally and utilizing software that records actions and establishes controls in a manner that adheres to 21 CFR Part 11.
Maintenance programs like a CMMS or enterprise asset management (EAM) software can be a powerful partner in the journey to 21 CFR Part 11 compliance. A CMMS or EAM software can provide features like a detailed audit trail, data security, and password-protected or biometric electronic signatures.
Achieving compliance with Part 11 is the responsibility of businesses – but having the right maintenance software can make the difference when it comes to being ready for auditors and confident in your compliance.
What is the History of 21 CFR Part 11?
As digital recordkeeping became more commonplace in the 1980s and 1990s, recordkeeping technologies came with both benefits and risks. Electronic records enabled fast information exchange, made it possible to quickly search and retrieve data, and reduced errors through automated data collection and recording.
However, electronic records often failed to measure up to the reliability and authenticity standards of traditional paper-based records. For example, without proper controls, electronic records can be easier to falsify compared to paper records. Title 21 CFR Part 11 solves this problem by outlining clear standards for how electronic records are logged, validated, traced, and stored.
Why is 21 CFR Part 11 Compliance Important?
The consequences of not complying with Title 21 CFR Part 11 are significant for manufacturers. For one, compliance is mandatory for any company that seeks to sell their products in the United States and submits electronic records to the FDA. Failing to meet compliance standards can also lead to an operational shutdown, costing valuable production time while concerns are resolved.
Beyond the costs of non-compliance, 21 CFR Part 11 plays a key role in digital recordkeeping security. The regulation ensures data integrity, so that practices are in place to verify the authenticity and confidentiality of digital records. It also makes sure the right tools are in place to retrieve essential data and documents.
When it comes to establishing controls over key actions, 21 CFR Part 11 requires both operational and security controls. Regulated businesses are required to build automated workflows that guide processes through a safe and logical sequence and to restrict users to only appropriate actions within digital platforms.
Maintaining a detailed history of actions and changes is also essential to 21 CFR Part 11. Companies must be able to provide an audit trail that provides traceability for users’ actions so that supervisors can review what changed, when, and who performed the change.
A last vital role of 21 CFR Part 11 in electronic recordkeeping security is in validation: the documentation of how processes should work, and testing to validate functions are as expected.
Which Industries Must Comply with 21 CFR Part 11?
Title 21 CFR Part 11 applies to pharmaceutical companies, food and drink manufacturers, biotechnology institutions, medical device manufacturers, cosmetics companies, and more. It applies to all FDA-regulated industries, as well as businesses that provide raw materials for retail distribution. It also includes companies involved in the use of operating lab equipment for research and development. Other regulated businesses and organizations include research sites, clinical trial sponsors who are performing FDA-regulated research, and clinical research organizations (CROs). Clinical research personnel working on FDA-regulated studies, along with personnel involved with purchasing digital recordkeeping systems or software, should know the fundamentals of 21 CFR Part 11.
A technology platform does not necessarily require validation. Defining how you will use the platform is important to understanding whether you need to consider using software that is 21 CFR Part 11 compliant. What actions will your team perform with the platform? Will the platform handle or change electronic records, the integrity of which needs to be safeguarded? Will your team be signing electronically to approve key actions?
Do your research to ensure your digital documentation is compliant.
4 Key Areas to Ensure 21 CFR Part 11 Compliance
The FDA conducts audits on facilities using a comprehensive checklist that marks internal systems for security, traceability, valid use, and reference purposes. While not an exhaustive list, the following are four key areas to focus on when reviewing your 21 CFR Part 11 compliance and preparing for an audit:
1. Validate Controls and Procedures
Title 21 CFR Part 11 states that internal systems must be validated to ensure they are accurate, reliable, and consistent. To protect security and access controls, only authorized personnel should be allowed to operate the system to sign production records, update existing documentation, and open core files or directories. If unauthorized access to the database is detected, immediate action must be taken to report the incident to a security unit or IT manager.
2. Establish an Audit Trail
The 21 CFR Part 11 compliance checklist requires that manufacturers are able to produce accurate, complete, and time-stamped records of changes made to the system during normal operation, including creating, modifying, or deleting files. To ensure traceability, organizations must also be able to produce copies of previous audits at the FDA’s request.
3. Follow Electronic Signature Requirements
21 CFR Part 11 electronic signatures must have the signer’s name, the signed date/time, and the “reviewed” or “approved by” indicator. Real names are required and cannot be substituted with job titles. Likewise, the signature must be attached to a specific document. Companies should also avoid mixing up electronic signatures on digital documents and scanned signatures on physical copies, as scanned signatures are not considered electronic records.
Electronic signatures can also be biometric, such as a fingerprint or retinal scan, but must be designed so that they can only be used by their genuine owners.
4. Retain Complete and Accurate Copies of Inspection Results
The 21 CFR Part 11 compliance checklist explains the need for producing accurate and complete copies of files in multiple formats. These must be stored in a secure system to serve inspection and review purposes. A robust system should support multiple file types, including PDF, XML, and SGML. Records should be stored and ready for retrieval throughout the duration of a record’s retention period, defined by a “documented risk assessment and a determination of the value of the records over time” (FDA).
An Exhaustive 21 CFR Part 11 Compliance Checklist
A CMMS can help organizations comply with FDA electronic records requirements by providing a centralized location where records are logged and stored electronically. But using a CMMS doesn’t automatically guarantee compliance with these standards, as some software programs are not Title 21 Part 11 compliant. Ultimately, your organization is responsible for ensuring its own compliance, not the CMMS provider.
This comprehensive checklist can help you ensure you are using a CMMS that is compliant with FDA Title 21 Part 11 and following all legal requirements. If there are any items on this list that you can’t check off, take action on them as soon as possible in case of an audit.
1. Validation
- Over the given period, the computer system was in a validated state
- Invalid/outdated records can be distinguished from current records
- Only individuals with express permission can view, edit, or sign documents
- Privilege to access core files is delegated and restricted only to certain users
- All employees accessing the dashboard receive proper training in advance
- Instructions for system usability are available for different roles, including developers, IT, and support staff
- The system processes instructions exclusively from authorized input devices
- All data is encrypted for confidentiality
- Process controls ensure compliance with predefined sequences of steps or events
- Each user has a unique combination of ID code and password
- The system routinely verifies ID code validity
- A protocol exists for password reset requests
- Upper management is notified of unauthorized login attempts
- Devices that are lost or compromised are swiftly deactivated
- In the event of a lost device, temporary or permanent replacements must be issued with the same rigorous controls
- Former employees’ IDs and passwords are immediately revoked upon termination
2. Audit Trails
- Entries in the audit trail are clear and can be traced back to their origin
- Change records, including file creation, modification, and deletion, are precise, comprehensive, and time-stamped
- Updated electronic records retain prior versions for auditing purposes
- An audit trail can be provided to the FDA upon request
- Each user ID, sequence of events, change controls, change log, and revisions are clearly displayed in the audit trail
- The signer’s name, date, time of approval, and the purpose for signing are displayed on each document
- Signatures are secure and cannot be replicated or forged to alter records
3. Electronic Signatures
- Each user is assigned a unique signature to guarantee accuracy and authorization
- The system identifies if electronic signatures have ever been reused or reassigned
- Every signature is associated with a particular electronic document
- Signatures consist of an ID code or card paired with a password
- An individual’s identity is confirmed at the moment of signing
- Passwords are validated during signings within an uninterrupted session
- Passwords must be periodically checked or revised
4. Record Copies and Retention
- In the event of an inspection, the FDA can be granted reasonable and useful access to records
- Your software system employs standard methods to convert or export files into widely used formats like PDF, XML, or SGML
- Records are available for inspection, review, and duplication and in a human-readable format
- Printed copies are as precise as digital ones and fully reflect the original records
- Retention duration for old records is established through a risk assessment
- Records are maintained and accessible for review for the entirety of their retention periods
- Archived records maintain their original integrity and context
Complying with 21 CFR Part 11 rules means that, in the eyes of the FDA, your electronic records are just as complete, accurate, and authentic as traditional paper-based records. Life sciences companies that comply with best practices for electronic records can protect themselves in the event of an FDA audit. Plus, the additional security that comes from having accurate information and requiring authorized changes also protects clients and customers from potential harm caused by falsified or inaccurate information.
Why Should Companies Use Electronic Records Over Paper Records?
If you use a paper tracking system, you may think you don’t need to comply with 21 CFR Part 11 since it applies only to electronic record keeping. But there are several reasons you should reconsider your position.
First, it’s likely that your company has used electronic record keeping at some point. Even if most of your records are kept on paper, any records you do keep electronically must comply with these regulations. Ensuring compliance now can help you avoid audit surprises later.
Second, electronic documentation is more thorough, easier to access, and often more accurate than relying on paper trails. Paper is easier to lose, misplace, tamper with, or destroy. Using an electronic system circumvents these challenges. And once your electronic system complies with 21 CFR Part 11, your team can consistently maintain records that are safe, accurate, and always available.
Finally, submitting to reports and audits with electronic documentation is much more efficient than using paper documentation. When you’re waiting for FDA approval so you can begin or continue manufacturing processes, saving time in the approval process can be key to keeping your production line running.
How An Efficient CMMS Helps With 21 CFR Part 11 Compliance
To facilitate compliance, organizations are implementing CMMS software for core capabilities such as:
- Assigning user permissions
- Centralized document and data storage
- Tracking work orders
- Logging equipment and inventory
Just having a CMMS does not automatically guarantee compliance with 21 CFR Part 11, but an effective life sciences CMMS does provide the tools and functionality to help achieve compliance.
To meet Title 21 CFR Part 11 requirements, your CMMS should provide the following capabilities to protect the reliability, completeness, and authenticity of your digital records:
- Management of digital signatures with multiple levels of approval
- Access to records of maintenance activities, including time-stamped records of modifications and revisions
- Strict security and data privacy, including restricting user access and permissions
