Breathe easy knowing your site is compliant! In part 1, we provided an overview of Rule 21 CFR Part 11 which covered the rise of electronic records and signatures, what is 21 CFR Part 11, why does it exist, and the risk of non-compliance. In this post, we’ll dig into how you can stay compliant.
How to Meet 21 CFR Part 11 Compliance
There’s a lot to 21 CFR Part 11, but we broke it out into seven key sections following the FDA’s approach to specific critical requirements:
- System Validation. Part 11 requires validation for systems that create, modify, maintain, archive, retrieve or transmit electronic records. The systems must demonstrate fitness of use, consistency and reliability. The FDA says, “We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.”
- Audit Trails. Audit trails are required are required to authenticate and confirm the integrity of records and signatures in the system. As the FDA put it: “The Agency intends to exercise enforcement discretion regarding specific Part 11 requirements related to computer-generated, time-stamped audit trails. Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date, time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.”
- Copies of Records. All electronic records are subject to inspection. So, your electronic system should be capable of producing accurate, complete copies of records for FDA inspectors. Copies of records should be easily accessible, sortable and searchable in electronic form as well as on paper.
- Record Retention. In addition to having copies of records for inspection, Part 11 mandates the secure storage of old and original records and signatures. These records do not have to electronic, but they do have to “preserve their content and meaning” — which is often difficult to maintain on paper.
- Security Controls. Part 11 establishes a standard for security measures. Every user should have a unique login and password. Passwords should periodically expire and require revision. Controls should be in place for different access levels for personnel. Each file should have version tracking, and final records should be unalterable, read-only files.
- Digital Signatures. FDA allows digital signatures to be used in place of “wet signatures.” To meet compliance, these signatures must include the printed name of the signer, the date and time, and the intention of the signature.
- Training. And finally, you won’t have a truly compliant system in place if the people using it every day aren’t properly trained to use it. Individuals with access to the electronic system must be trained and certified.
Conclusion: The Easy Way to Stay Compliant
These are the basics of 21 CFR Part 11 compliance — and a good start. But there are also many predicate regulations we didn’t touch on that you will need to consider.
Formally, Part 11 compliance is the responsibility of the company using the digital system — that’s you. If you have questions about compliance or want to know more about what you should be doing, Complion can help.
We work closely with clinical research sites, from set-up and go-live through ongoing maintenance, to ensure all standards are being met.
How we help research sites meet 21 CFR Part 11 requirements:
- Our software is designed specifically for clinical trial site files and provides the required audit trails, eSignatures and access controls.
- For every site and with every software update, we walk you through software validation in a single meeting. Alternatively, we support your own validation process, and always provide education and document templates.
- We support you every step of the way in developing the required policies and SOPs for research sites and training staff.
- We maintain vendor SOPs that are regularly audited by third parties for software development and validation, as well as HIPAA security and privacy.
- Our data center is highly secure with processes in place to manage new software installation/validation, backups and disaster recovery.