How to Implement 21 CFR Part 11 In Your Lab

Paper-based records have the merit of providing data security, where it is difficult to falsify a physical document and handwritten signatures. It is also easy to indicate any changes and corrections that were made.

However, over the years, computerized systems have gradually replaced paper records due to their enhanced traceability, accessibility, security, and data interoperability, and of course, to reduce material costs. As a response, many regulations and directives were implemented regarding the use of electronic records and signatures in place of paper records. One of them is the FDA’s Title 21 CFR Part 11.

In this article, we will help you understand Title 21 CFR Part 11 and how to implement it into your lab workflow by answering users’ most common questions.

What is 21 CFR Part 11?

The Code of Federal Regulations (CFR) is a collection of general and permanent rules published by the Federal Government in the U.S. It is divided into 50 titles – Title 21 is reserved for the rules of the Food & Drug Administration (FDA).

Part 11 falls under chapter one of Title 21 (dedicated to regulated areas, such as Pharmaceuticals, Biotechnology, and Medical devices), which establishes regulations and guidelines on the electronic records and signatures to be trustworthy, reliable, and equivalent to their paper counterparts. 21 CFR Part 11 allows any paper record and signature to be replaced by an electronic one, where data integrity is assured.

What about other authorities?

21 CFR Part 11 is technically only relevant to the U.S. FDA-regulated environment although the U.S.’s dominance in medicines manufacturing has led to the legislation being used as the “gold standard” worldwide in some cases. Other authorities across the world also share the same goal of regulating the usage of safe, validated computerized systems and have implemented equivalent regulations and guidelines regarding this matter. All the documentation linked below is guided by the same principles and vision as 21 CFR Part 11 in different regions:

European Union (EU)

How are 21 CFR Part 11 & data integrity connected?

The main purpose of 21 CFR Part 11 is to provide guidelines on what properties a software system has to have in order to produce electronic records and signatures that are equivalent to the paper ones they’re designed to replace. These properties have to assure data integrity within the systems, data integrity consists of the following four pillars:

Data security
Ensures data is unable to be lost, corrupted or overwritten.

Anti-tamper
Ensures that any time data is altered within the system, electronic records are tracking those changes which cannot be falsified or edited.

Traceability

All actions performed within the system are electronically recorded and can be traced back to specific users who performed those actions through audit trails

Non-repudiation

Dictates that the authenticity of the user’s approval of the electronic record cannot be renounced (rejected)

What are the main 21 CFR 21 features available within Software?

Authentication
The process of verifying a user’s identity before allowing access to the software, so that every action in the software can be reliably linked to a user (traceability)

Audit trail
A record that contains all of the changes to system properties or input data with a timestamp, description of the change, and the user responsible for the change. Additionally, some other attributes can also be tracked (e.g., original and new values, revision number etc.)

Data export
All electronic records and signatures should be exportable in a human- and machine-friendly format to be inspected by auditors. Common examples are CSV, PDF, XML, and SGML.

Electronic signatures
A piece of data logically associated with another data, used by the signatory to sign the associated data. There are many options to choose from when implementing electronic signatures (the most rigorous are digital signatures – a cryptographic scheme for verifying the authenticity)

One optional feature is user authorization – which integrates user management and permissions into the system – which our AuditSafe software contains.

Can software be 21 CFR-compliant?

The software itself cannot be 21 CFR-compliant, only 21 CFR-ready, since the software is always a part of some larger system, like an instrument and related documentation. Validation is then performed on-site on the whole system, for which we can say it is compliant. TotalLab offers IQOQ validation services alongside its AuditSafe software purchases to help our users reach compliance.

Summary

  • 21 CFR Part 11 is a collection of regulations and guidelines on electronic records and signatures to be trustworthy, reliable, and equivalent to paper counterparts.
  • The Federal Government publishes it in the U.S. and is only technically relevant to the U.S. FDA-regulated environment. Other authorities (EU, Canada, Japan, etc.) share mutual intent regarding this matter however issue their own documentation.
  • Data integrity of electronic records and signatures is the main concept in 21 CFR Part 11 documentation. The four principles here are data security, anti-tampering, traceability, and non-repudiation.
  • TotalLab’s AuditSafe 21 CFR Part 11 software features user authentication, audit trails, electronic signatures, human-readable data export and user authorization.
  • Software can not be CFR-compliant, only CFR-ready, because the software is always a part of some larger system that is later validated for use.