9 Practical Tips to Help You Comply with 21 CFR Part 11

by Innovit Corporate Affairs | August 22, 2018 | Blog

Businesses and organizations that keep records electronically may find those records take up less space than paper files, but they bring difficulties of their own.

Because the FDA regulates how electronic data is managed, staying compliant can seem like a lot of hassle.

But having a system that meets the FDA’s main regulation on electronic records – Title 21 CFR Part 11 – doesn’t have to be difficult.

To help you, here are 9 practical policies for your company to implement to ensure Part 11 compliance.


Any Regulated Record Kept on a Computer Requires Compliance

If you’re wondering when 21 CFR Part 11 compliance begins, it’s pretty simple. Any record that FDA regulations (the so-called predicate rules) require you to keep, and that you create, modify, maintain, archive, retrieve or transmit in electronic form, must comply with this regulation.

The format doesn’t matter: text, audio files, images, or any other kind of information you can store and access on a computer all count. If a required record is saved electronically, Part 11 applies to it.


Adequate Security Access Is Needed

If you were building a 21 CFR Part 11 compliance checklist, you’d probably have data security at the top. For businesses and organizations working with sensitive records, it’s important that access to those records is secure.

That means giving each person only the level of access their role needs, using access controls that prevent anyone from reading or editing records without the proper authority.


Password Management Is Essential

You can’t have proper access controls without ensuring that your staff follows good practice for password management. No ‘password123’ passwords, please.

Part 11 itself (§11.300) requires that each combination of identification code and password be unique to one person, that issued passwords be periodically checked and revised (for example, through password aging), and that lost, stolen or compromised credentials be deauthorized promptly. Beyond that, favour long passwords or passphrases over short ones stuffed with capital letters, numbers and percentage signs: length is what makes a password hard to guess or, in the worst-case scenario, crack by brute force. Current US government guidance (NIST SP 800-63B) also recommends screening new passwords against lists of known-breached passwords and locking accounts after repeated failed attempts, rather than relying on composition rules alone.

Here are some tips for proper password management from the US government.


Access Logs for Auditing

Build your system with the assumption that every record you have is sensitive. With that in mind, it’s important to be able to audit the access to those records. This confirms that only legitimate access to records occurs, and it also demonstrates your Part 11 compliance.

Part 11 (§11.10(e)) is specific here: the system must keep a secure, computer-generated, time-stamped audit trail that records who created, modified or deleted each record and when, changes must not obscure the previously recorded information, and the audit trail must be retained at least as long as the record itself and be available for FDA review. It doesn’t stop at record changes, either. Log all user logins with timestamps, as well as any failed login attempts.


No Group Controls or Usernames

Access to records is an individual process. No one department or section of your company is accessing a record as a group, or at least they shouldn’t. If someone made a malicious change using a group account, who would be blamed?

Always ensure that the logins to your data are restricted to individual usernames and passwords. It’s fine to define group or role-based access rights and apply them to a set of users, but each login, and each action it performs, must be traceable to one identifiable person. Part 11 (§11.300(a)) requires exactly this: no two individuals may share the same combination of identification code and password.

Otherwise, anyone could make a change without worrying about the consequences.
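The audit trail and individual-accountability points above are easier to see in code. The following Python module is an added illustration, not Innovit’s product code and not anything the FDA prescribes: it keeps an append-only, hash-chained audit trail in which every entry carries a system-generated UTC timestamp, the individual user who acted, and both the old and the new value of a changed record, so a later change never obscures the earlier one. It refuses to attribute actions to shared accounts, and a verify step detects any entry that is edited, deleted or reordered after the fact. The account names, record IDs, action vocabulary and the list of shared accounts are all made up for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Callable, List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str            # system-generated ISO-8601 UTC time, never user-supplied
    user_id: str              # an individual's account; shared logins are refused
    action: str               # hypothetical vocabulary: LOGIN, LOGIN_FAILED, CREATE, MODIFY, DELETE
    record_id: Optional[str]
    old_value: Optional[str]  # the previous value stays on file, so a change never obscures it
    new_value: Optional[str]
    prev_hash: str            # hash of the preceding entry, chaining the trail together
    entry_hash: str           # SHA-256 over all the fields above


def _digest(fields: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry's fields (minus entry_hash)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    # Hypothetical shared accounts that this system refuses to attribute actions to.
    GROUP_ACCOUNTS = {"admin", "qa_team", "lab"}

    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._entries: List[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def append(self, user_id: str, action: str, record_id: Optional[str] = None,
               old_value: Optional[str] = None, new_value: Optional[str] = None) -> AuditEntry:
        """Record one action; the caller cannot choose the timestamp, sequence number or hash."""
        if not user_id or user_id in self.GROUP_ACCOUNTS:
            raise ValueError(f"audit entries must name an individual user, got {user_id!r}")
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        fields = {
            "seq": len(self._entries) + 1,
            "timestamp": self._clock().isoformat(timespec="seconds"),
            "user_id": user_id,
            "action": action,
            "record_id": record_id,
            "old_value": old_value,
            "new_value": new_value,
            "prev_hash": prev_hash,
        }
        entry = AuditEntry(**fields, entry_hash=_digest(fields))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)

    def history(self, record_id: str) -> List[AuditEntry]:
        """Every change to one record, oldest first, with old values intact."""
        return [e for e in self._entries if e.record_id == record_id]

    def failed_logins(self, user_id: str) -> int:
        return sum(1 for e in self._entries if e.user_id == user_id and e.action == "LOGIN_FAILED")

    @staticmethod
    def verify(entries: List[AuditEntry]) -> bool:
        """Recompute the chain; an edited, deleted or reordered entry breaks it."""
        prev = GENESIS_HASH
        for expected_seq, e in enumerate(entries, start=1):
            fields = asdict(e)
            stored = fields.pop("entry_hash")
            if e.seq != expected_seq or e.prev_hash != prev or _digest(fields) != stored:
                return False
            prev = stored
        return True


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity (not real data): a login, one record change, two failed logins."""
    fixed_time = datetime(2018, 8, 22, 9, 0, tzinfo=timezone.utc)  # fixed clock keeps the demo reproducible
    trail = AuditTrail(clock=lambda: fixed_time)
    trail.append("jsmith", "LOGIN")
    trail.append("jsmith", "MODIFY", record_id="BATCH-0042", old_value="pH 7.1", new_value="pH 7.4")
    trail.append("mjones", "LOGIN_FAILED")
    trail.append("mjones", "LOGIN_FAILED")
    return trail


def tampered_copy(trail: AuditTrail) -> List[AuditEntry]:
    """Simulate someone quietly rewriting the old value in entry 2 after the fact."""
    entries = trail.entries()
    entries[1] = replace(entries[1], old_value="pH 7.4")  # stored hash no longer matches
    return entries


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", AuditTrail.verify(t.entries()))
    print("chain after tampering:", AuditTrail.verify(tampered_copy(t)))
    print("chain with entry 1 deleted:", AuditTrail.verify(t.entries()[1:]))
    for e in t.history("BATCH-0042"):
        print(e.timestamp, e.user_id, e.action, e.old_value, "->", e.new_value)
    print("failed logins for mjones:", t.failed_logins("mjones"))
```

The hash chain only makes tampering detectable, not impossible: an attacker with write access to the store could rebuild the whole chain. In practice the trail is written to storage that application users cannot modify (a separate database role, or write-once media), and the latest hash is periodically copied somewhere the application cannot reach, so a rebuilt chain can be spotted against that anchor.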


Electronic Signatures Require FDA Certification

If you’re implementing an approval system of some kind into your record keeping, you might require electronic signatures to play a part. Doing so requires you, under 21 CFR 11.100(c), to certify to the FDA in writing, before or at the time you first use them, that your electronic signatures are intended to be the legally binding equivalent of traditional handwritten signatures. The certification is a paper letter bearing a traditional handwritten signature.

Before you implement a system like this, you should be sure of what the FDA considers an electronic signature.

E-pen signatures will count, but so will biometric signatures (such as using your fingerprints), as well as generated signatures like those created by DocuSign. Bear in mind that a non-biometric electronic signature must use at least two distinct components, such as an identification code and a password, and that every signed record must display the signer’s printed name, the date and time of signing, and the meaning of the signature (review, approval, authorship and so on).

Find out more about the FDA’s policy on electronic signatures here.


You Can’t Outsource Your Liability

It’s easy to fall into a false sense of security if you’re dealing with data management providers. You might assume that your compliance needs are taken care of if an IT company is in charge of your data solutions.

That mindset is lax from a compliance point of view, simply because you can’t outsource your liability to an outside firm.

If your compliance attempts are found lacking by the FDA, it won’t be an IT company that will pay the price, it will be your organization. That doesn’t mean an IT company can’t help you with your compliance requirements, but your liabilities will have to be shouldered by your organization.


IQ, OQ and PQ Validation on Your MDM System

IQ, OQ and PQ stand for Installation, Operational and Performance Qualification. Together they are the conventional way of demonstrating the system validation that 21 CFR Part 11 (§11.10(a)) requires: evidence that the system does what it is meant to do, reliably, and can detect invalid or altered records.

You have three questions you need to be able to answer, with documented evidence, before you use a Master Data Management system for your record keeping.

Is the system installed and configured as specified (IQ)? Does every function operate as intended across its specified range (OQ)? And does it perform acceptably under your real workload, at both minimal and maximum levels (PQ)?

If you can answer these questions satisfactorily and keep the records that prove it, you have your IQ, OQ and PQ.

Using a Master Data Management system can help you protect your data and ensure a standardized process for record keeping across your company. Learn more about Master Data Management systems from this beginner’s guide.


Regularly Check Your Processes

Compliance isn’t something that you can think about once when a new system is set up or installed. Compliance is an ongoing process, and that’s why it’s important to regularly check your processes.

Building a compliance checklist that includes many of the points we’ve listed is a good place to start. Work with your staff to identify weak areas for improvement, or staff that require additional training.

Regular compliance checks can also build up a record of evidence should the FDA audit your organization. They can also help you spot any malicious or fraudulent activities that may have gone unnoticed.


Achieve 21 CFR Part 11 Compliance Easily

If you’re not compliant with FDA regulations, your organization is going to find itself under serious scrutiny.

As we’ve shown you, compliance with 21 CFR Part 11 isn’t difficult to achieve. Make sure you send the FDA your certification letter before you start using electronic signatures, and use sensible IT security practices in your company.

Make sure you keep suitable access logs and audit trails, too. If you can’t prove who accessed or changed your data, and when, you could be in trouble.

Need help with your own part 11 compliance? Why not schedule a free demonstration to see how we could help your business or organization.