What Is FDA 21 CFR Part 11 Compliance, Why Does It Matter, and Who Needs to Comply?

What is FDA 21 CFR Part 11?

Part 11 of Title 21 of the Code of Federal Regulations sets out the requirements for maintaining electronic records and submitting them electronically to the Food and Drug Administration (FDA).

Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation, for software and systems involved in processing electronic data that are either required to be maintained by FDA predicate rules or used to demonstrate compliance with a predicate rule.

What are the requirements of 21 CFR 11?

21 CFR 11 requires that closed computer systems have a combination of technological and procedural controls to protect the data within the system. Open computer systems must also include controls to ensure that all records are authentic, incorruptible, and, where applicable, confidential.

How must records be protected?

Electronic records must not be corrupted and must be readily accessible throughout the record retention period. This is usually achieved through a combination of technological and procedural controls, including limiting system access.

LuitBiz DMS can help you comply with the parts of Part 11 that pertain to document management. Let's look at the key elements of FDA 21 CFR Part 11 and how LuitBiz DMS addresses each of them:

How LuitBiz DMS helps you become FDA 21 CFR Part 11 compliant

For each clause below, the first paragraph explains what the requirement means and the second describes how LuitBiz DMS helps.

11.10(b): Preserving / Exporting Documents in Readable Format

Section 11.10(b) requires that files are preserved as is and that printable documents can be exported or printed as PDF.

LuitBiz DMS does not change the format of documents, so all your files are preserved as is and presented in human-readable form; this helps comply with section 11.10(b). Additionally, all printable documents can be downloaded from LuitBiz DMS and printed as PDF.

11.10(c): Records Retention

Protection of records to enable their accurate and ready retrieval throughout the records retention period.

LuitBiz DMS provides a feature to define document retention periods, and its robust search functionality ensures fast and easy retrieval of stored records throughout the retention period.

11.10(d): Security

Section 11.10(d) states that the system should provide a robust security administration and authorization system for access.

LuitBiz DMS provides user-based access and folder-based security, and maintains a record of users logged into the system and of changes made in the repository, which helps comply with section 11.10(e).

11.10(e): Time stamped Audit Trail

Section 11.10(e) requires the use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

LuitBiz DMS provides a full audit trail, with a complete time stamp, of all actions within the repository; the trail cannot be accessed or modified by any user. Additionally, document retention rules can be defined in LuitBiz DMS.
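To make the 11.10(e) properties concrete (time-stamped entries, changes that never overwrite earlier information, and a trail a user cannot silently alter), here is an added example of an append-only, hash-chained audit trail. It is illustrative code written for this page, not LuitBiz DMS code, and says nothing about how LuitBiz stores its trail; the actors, record ids and timestamps are constructed sample data.

```python
"""Append-only, hash-chained audit trail (added example, not LuitBiz code).

Each entry records who did what to which record and when, and carries the
hash of the previous entry. A change is always a new entry, so earlier
information is never obscured, and editing or deleting a stored entry
breaks the chain, which verify() detects.
"""
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self._entries = []  # only append() ever adds to this list

    def append(self, actor, action, record_id, detail="", when=None):
        """Record an operator action with a UTC timestamp and chain hash."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self._entries),
            "timestamp": when.isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,          # create / modify / delete / sign
            "record_id": record_id,
            "detail": detail,
            "prev_hash": self._entries[-1]["hash"] if self._entries else self.GENESIS,
        }
        entry["hash"] = self._hash(entry)
        self._entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _hash(entry):
        # Canonical JSON so the same content always hashes the same way.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self):
        """Return (ok, first_bad_seq); recomputes every hash and every link."""
        prev = self.GENESIS
        for i, entry in enumerate(self._entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or self._hash(entry) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, None

    def history(self, record_id):
        """Every retained entry for one record, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def export(self):
        """Copy of the whole trail, e.g. for agency review."""
        return [dict(e) for e in self._entries]


def demo():
    """Build a small trail (constructed data), then show tampering is caught."""
    trail = AuditTrail()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    trail.append("alice", "create", "SOP-001", "v1 uploaded", when=t0)
    trail.append("bob", "modify", "SOP-001", "v2: corrected step 3",
                 when=datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))
    trail.append("carol", "sign", "SOP-001", "meaning=approval",
                 when=datetime(2024, 1, 16, 8, 5, tzinfo=timezone.utc))
    ok, _ = trail.verify()

    # Simulate someone editing the stored copy of entry 1 behind the system's back.
    tampered = AuditTrail()
    tampered._entries = trail.export()
    tampered._entries[1]["detail"] = "v2: no changes"

    return ok, tampered.verify(), len(trail.history("SOP-001"))


if __name__ == "__main__":
    print(demo())  # (True, (False, 1), 3)
```

The chain only makes tampering detectable; retention for "at least as long as the subject records" and protection of the stored trail itself (write-once storage, separate credentials for the log store) are operational controls that sit outside this snippet.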

11.10(f): Sequential Workflow Steps

Section 11.10(f) requires the use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

LuitBiz DMS allows group leaders to define sequential steps for uploading, tagging and approving documents in accordance with the FDA requirements.

11.10(g): Authority Checks

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

LuitBiz DMS requires users to enter two passwords to approve any type of document collaboration: the first is the login password and the second is an approval password.

11.10(h): Data Source Validity Checks

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

LuitBiz DMS communicates only over HTTPS, which prevents a third party from modifying data in transit. Additionally, it can be configured to accept connections only from registered IP addresses.

11.10(k): Appropriate Controls

Section 11.10(k) of Part 11 requires document controls that provide revision control, change control and time-based system modifications.

LuitBiz DMS provides all of these document control features.

11.50 (a) (1), (2), (3): Electronic Signature

(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The meaning of the signature is the action performed and recorded in the log. LuitBiz DMS stores this information along with the full name and account username of the signatory.

11.50 (b): Electronic Signature Control

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The three signature items are included in all audit trail reports.

11.70 (a): Electronic Signature Security

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Electronic signatures are linked to their records; the link is protected by username and password, and this information is encrypted and stored in the database.

11.100 (a): Electronic Signature Uniqueness

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

Uniqueness of username and password is enforced by the system, and it survives even the expiry of an account: inactive accounts and their records are never removed from the system.

11.200 (a) (1): Username & Password

Employ at least two distinct identification components such as an identification code and password.

LuitBiz DMS employs username and password protection, and enforces that the authenticated session maintains the continuity of IP address.

11.200 (a) (1) (i): Session Time

The system shall ensure users are timed out during periods of specified inactivity. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

In a 21 CFR Part 11 environment, time out is enforced after 20 minutes of inactivity.
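The two-password approval described under 11.10(g) and the session rules of 11.200(a)(1)(i) fit together naturally in one piece of session logic, shown here as an added example written for this page (not LuitBiz DMS code, whose internals are not described): a session is tied to one source address and expires after 20 minutes without activity; the first signing in a session requires both components (login password and approval password); later signings in the same continuous session require only the approval password, which only the signer knows. Usernames, passwords and timestamps are constructed sample data.

```python
"""Signing session with inactivity timeout (added example, not LuitBiz code)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(minutes=20)   # timeout used on this page


def _hash_secret(secret, salt):
    # Salted PBKDF2 so neither password is stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class User:
    def __init__(self, username, login_password, approval_password):
        self.username = username
        self._login_salt, self._approval_salt = os.urandom(16), os.urandom(16)
        self._login_hash = _hash_secret(login_password, self._login_salt)
        self._approval_hash = _hash_secret(approval_password, self._approval_salt)

    def check_login(self, candidate):
        return hmac.compare_digest(self._login_hash, _hash_secret(candidate, self._login_salt))

    def check_approval(self, candidate):
        return hmac.compare_digest(self._approval_hash, _hash_secret(candidate, self._approval_salt))


class Session:
    def __init__(self, user, ip, now):
        self.user, self.ip, self.last_activity = user, ip, now
        self.first_signing_done = False   # first signing needs all components
        self.signatures = []

    def active(self, now, ip):
        """Same source address and no gap longer than INACTIVITY_LIMIT."""
        return ip == self.ip and now - self.last_activity <= INACTIVITY_LIMIT

    def sign(self, record_id, meaning, now, ip, approval_password, login_password=None):
        if not self.active(now, ip):
            raise PermissionError("session timed out or address changed; log in again")
        if not self.first_signing_done and (
                login_password is None or not self.user.check_login(login_password)):
            raise PermissionError("first signing in a session requires the login password too")
        if not self.user.check_approval(approval_password):
            raise PermissionError("approval password rejected")
        self.last_activity = now
        self.first_signing_done = True
        signature = {               # the three 11.50(a) items plus the signer's account
            "signer": self.user.username,
            "record_id": record_id,
            "meaning": meaning,     # review / approval / responsibility / authorship
            "timestamp": now.isoformat(timespec="seconds"),
        }
        self.signatures.append(signature)
        return signature


def demo():
    """Walk one session through the rules with constructed credentials."""
    alice = User("alice", "login-pw-example", "approve-pw-example")
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    session = Session(alice, "10.0.0.5", t0)
    results = {}

    try:    # approval password alone is not enough for the first signing
        session.sign("SOP-001", "review", t0 + timedelta(minutes=1), "10.0.0.5", "approve-pw-example")
        results["first_without_login_pw"] = "allowed"
    except PermissionError:
        results["first_without_login_pw"] = "refused"

    session.sign("SOP-001", "review", t0 + timedelta(minutes=2), "10.0.0.5",
                 "approve-pw-example", login_password="login-pw-example")
    session.sign("SOP-001", "approval", t0 + timedelta(minutes=10), "10.0.0.5",
                 "approve-pw-example")                      # one component suffices now
    results["signatures"] = len(session.signatures)

    try:    # 21 minutes after the last activity: timed out
        session.sign("SOP-002", "approval", t0 + timedelta(minutes=31), "10.0.0.5", "approve-pw-example")
        results["after_timeout"] = "allowed"
    except PermissionError:
        results["after_timeout"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

A rejected signing deliberately does not refresh last_activity, so repeated bad attempts cannot keep a session alive.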

11.200 (a) (3): Sharing Electronic Signature

Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

Sharing electronic signatures is not permitted in LuitBiz DMS.

11.300 (a): Unique Login Credentials

Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

LuitBiz DMS does not allow duplicate credentials. Hashes of both the username and the password are kept for comparison, which maintains integrity without storing the actual values unencrypted.

11.300 (b): Password Policy

Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

LuitBiz DMS allows the admin to define the password reset and composition policy for all the users.

11.300 (d): Unauthorized Login

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

LuitBiz DMS uses intrusion detection to identify fraudulent transactions, including multiple failed login attempts, logins from a large number of IP addresses, and unusual activity in an account. The system will temporarily suspend accounts showing this activity and will require administrators to log an explanation of the activity, including the actions taken. Administrators are alerted to all attempts to log in with a valid username and an invalid password, or with an invalid username and a valid password.
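The 11.300(d) detection described above is easiest to understand as logic run over authentication events. The following is an added example written for this page, not LuitBiz DMS code, and it assumes a log format and thresholds (5 failures or 3 distinct addresses per account within 10 minutes) that are invented here; the log lines are constructed sample data. Every failed attempt raises an immediate alert, while suspension is decided per account from a sliding window.

```python
"""Detect repeated failures and multi-address logins (added example, not LuitBiz code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<timestamp> ip=<addr> user=<name> result=<ok|bad_password|unknown_user>"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
FAIL_THRESHOLD = 5           # bad-password attempts per account within WINDOW
IP_THRESHOLD = 3             # distinct source addresses per account within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample events: bob is attacked, carol logs in from three addresses,
# "admin" is not a real account, and one line is deliberately malformed.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z ip=10.0.0.5 user=alice result=ok
2024-01-15T09:00:30Z ip=198.51.100.9 user=admin result=unknown_user
2024-01-15T09:01:10Z ip=203.0.113.7 user=bob result=bad_password
2024-01-15T09:01:25Z ip=203.0.113.7 user=bob result=bad_password
2024-01-15T09:01:41Z ip=203.0.113.7 user=bob result=bad_password
2024-01-15T09:02:03Z ip=203.0.113.7 user=bob result=bad_password
2024-01-15T09:02:19Z ip=203.0.113.7 user=bob result=bad_password
2024-01-15T09:05:00Z ip=10.0.0.8 user=carol result=ok
2024-01-15T09:07:12Z ip=192.0.2.44 user=carol result=ok
2024-01-15T09:09:45Z ip=198.51.100.23 user=carol result=ok
this line is not an auth event and is skipped
"""


def parse(lines):
    """Turn raw lines into (timestamp, ip, user, result) tuples; skip malformed ones."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def analyze(lines):
    """Return (alerts, suspended_accounts) for a batch of log lines."""
    events = sorted(parse(lines))
    alerts, suspended = [], set()
    failures = defaultdict(list)       # account -> timestamps of bad-password attempts
    login_points = defaultdict(list)   # account -> (timestamp, ip) of successful logins

    for ts, ip, user, result in events:
        if result in ("bad_password", "unknown_user"):
            # Immediate notification for every failed attempt, as 11.300(d) asks.
            alerts.append(f"{ts.isoformat()} {result} for '{user}' from {ip}")
        if result == "bad_password":   # only real accounts can be suspended
            failures[user] = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
            if len(failures[user]) >= FAIL_THRESHOLD and user not in suspended:
                suspended.add(user)
                alerts.append(f"SUSPEND {user}: {len(failures[user])} failed logins within {WINDOW}")
        elif result == "ok":
            login_points[user] = [(t, a) for t, a in login_points[user] if ts - t <= WINDOW] + [(ts, ip)]
            distinct = {a for _, a in login_points[user]}
            if len(distinct) >= IP_THRESHOLD and user not in suspended:
                suspended.add(user)
                alerts.append(f"SUSPEND {user}: logins from {len(distinct)} addresses within {WINDOW}")
    return alerts, suspended


def demo():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    alerts, suspended = demo()
    print("\n".join(alerts))
    print("suspended:", sorted(suspended))
```

In a real deployment the suspension would also open a record that an administrator must close with a logged explanation, as the page describes; here that step is left as the returned set.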