21 CFR Part 11: 7 Ways to Avoid Noncompliance

A simple approach to ensure quality and manufacturing software meets all guidelines.

The United States Food and Drug Administration’s (FDA) main guidance on electronic signatures and records, 21 CFR Part 11, has been around since the ’90s. In the last 30-odd years, electronic record keeping has come a long way, from obscurity to the ordinary in many industries.

Although technology is advancing rapidly, FDA regulations remain the same. Regulated industries still need to demonstrate compliance with predicate rules. They must continue to be vigilant in fulfilling Part 11 obligations and in producing safe and high-quality products.

Though 21 CFR Part 11 stipulates that enforcement only applies when electronic records are chosen to be used and kept as official documentation, it’s in a company’s best interest to find an integrated quality management system (QMS) and manufacturing execution system (MES) that keep them competitive, help them avoid and mitigate risk, and bring simplicity to the complicated processes involved in production, quality management, approvals, and record keeping. MasterControl Quality Excellence and MasterControl Manufacturing Excellence are purpose-built, fully integrated software solutions that do just that.

Who’s affected by 21 CFR Part 11 compliance?

Electronic records are all around in the lab and on the shop floor, though we may not think of them as such. If you use a computer workstation or other electronic device to record official test results, verify test batches, or even just sign off on procedural documents, you’re beholden to 21 CFR Part 11. It is the only way life sciences manufacturers are allowed to officially keep electronic records and use electronic signatures to certify their work. If they’re out of step with the regulation’s requirements, they’re out of luck.

So, what can you do to ensure you’re compliant right now and remain compliant in the future? This industry brief outlines the 7 major elements critical to 21 CFR Part 11 compliance, how they relate to risks that pop up as noncompliance, and how MasterControl Quality Excellence, the #1 QMS software solution for life sciences, and MasterControl Manufacturing Excellence simplify the compliance process to help you avoid slowdowns and undue scrutiny while doing the work to bring quality, lifesaving products to market.

#1 Keep electronic signatures accessible and secure.

The simplest risk of noncompliance stems from how a company manages its electronic signatures and protects access to the QMS where electronic records are housed.

21 CFR Part 11 allows for an electronic signature to be used in place of a handwritten one only if it complies with predicate rules. Though it’s not required that companies use electronic signatures and a digital platform for official documentation, having a digitized QMS makes so many things that much easier.

Instead of searching through physical filing cabinets or remote, on-screen document folders when asked for approved documentation, MasterControl offers a completely compliant, purpose-built solution that is highly searchable and tracks all documentation and approval activity, giving companies the opportunity to create a unified digital database for official documentation while staying compliant with FDA current good manufacturing practices (cGMP). It also means approval processes can be sped up and simplified. Instead of signing off and passing a physical document to the next party in line, MasterControl Quality Excellence lets you easily make an approval with the next designee already lined up in the system.

MasterControl Quality Excellence Benefits

  • Cloud-based QMS.
  • Highly searchable platform.
  • Automated document tracking.
  • Faster approval processes.

#2 Stay in control of your QMS.

Part 11 states that, “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”

Being compliant with 21 CFR Part 11 also means making sure the system you choose to house your electronic records can’t be easily breached by unauthorized users.

An effective document control system should track active accounts of every user in the system. With MasterControl, system administrators can monitor user licenses and connections through the system and track usage rights and access to documents. This information is accessible only to the system administrator and can be exported into a report format.

MasterControl software solutions have numerous levels of security to ensure the authenticity of each user, document, and electronic signature in the system. Each user has a unique user ID and login password to gain access to the system and can apply it, or a separate unique ID and password, for approvals. All user IDs and passwords are encrypted for security. Also, duplication of user IDs and passwords is prohibited, suspicious attempts to gain access to the system are recorded, lockouts are enabled, and system administrators can be notified.

#3 Empower your system administrator(s).

With MasterControl, the system administrator can configure the passwords for both login and signature to expire after a certain number of days. Furthermore, MasterControl limits access to virtual vaults and documents through its permission system. It provides an administration feature that defines permissions for each vault in the system. There are more than 90 permissions available in MasterControl that are assigned at the administrator level. System administrators have all permissions and are able to restrict access to document vaults.

MasterControl also provides system administration features that define permissions for each user as well as for each distinct electronic record housed in the system. There are more than 100 permissions available, assigned at the administrator level. System administrators have all permissions and can restrict user access to records as is necessary and appropriate. Actions taken against any record in the MasterControl system are also captured electronically in the audit trail.

All of these efforts are designed to give you ultimate control over the security of your system, making it easier to meet business needs and maintain compliance with regulatory agencies.

#4 Gather comprehensive audit trails.

Another major risk of 21 CFR Part 11 noncompliance is an accumulation of incomplete audit trails, or lack thereof, for official electronic documents and signatures. The FDA wants to see the steps leading up to an approval and any subsequent changes made to an electronic record.

21 CFR Part 11 requires an audit trail as a key control in making electronic records reliable and authentic.

  • Time stamps on all records in system.
  • Automatic tracking of document modifications.
  • Exportable audit trails in multiple formats.

MasterControl maintains a secure, time-stamped audit trail that documents the identity of anyone who creates, modifies, or deletes an electronic record, when the action occurred, and the changes made to the record. The same holds true for all documentation in the system. Any modification to a document is recorded along with the information of the user making the change. Original versions of documents are also kept in the system.

#5 Be prepared to share audit trails with the FDA.

Records, along with associated metadata, can be copied electronically, viewed electronically, or printed to paper. Reports can also be printed from the system or exported to other tools such as spreadsheets. The audit trail for each record is available in human-readable form.

Audit trail data can be exported in human-readable format when the FDA requests evidence of a thorough audit trail for electronic records. Instead of diving into a mountain of paper or trying to piece together disparate versions once an audit is initiated, MasterControl offers a solution that gives you control over all auditable data in one place, allowing for faster data retrieval and providing the assurance that you’re giving auditors the most accurate and up-to-date data possible.

Having been through countless audits during our paper days, you could feel the anxiety build in the room as a request for a document came from an inspector and we would have two or three people scurry away to the Iron Mountain boxes to begin the digging process to find what we needed, sometimes taking 15 to 20 minutes to get the exact piece of paper we needed. Now with MasterControl, it’s a matter of a few clicks and keystrokes and we have everything on our computer screen in seconds.

- Matt Farley, Director of Product Development, Quality and Regulatory, Northeast Scientific

#6 Perform risk-based software validation, consistently.

One of the biggest hurdles, and therefore risks, to 21 CFR Part 11 compliance, and in turn cGMP, is software validation. Essentially, the FDA needs to know that the software chosen to house electronic records and signatures works the way it’s supposed to and will continue to do so in the future.

Part 11 states, “computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.”

Basic FDA requirements for computer systems validation include Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).

In 2017, the MasterControl Validation Excellence (Vx) methodology and a patented tool (VxT) were developed in response to the validation challenges we’ve seen customers experience over the years. It quantifies and streamlines the risk-based validation approach to document the configuration variations from our best practices, the regulatory sensitivity of customer usage, and how well customer configurations are covered by our internal testing. Our Vx approach follows the risk-based principle advocated by the FDA.

We also provide fully executed functional testing and recommended usage testing for every release of our software. We include a full validation package for each release, so customers can trace the requirements to the executed testing and review a final summary report of any deviations we found internally. Using our new automated testing tools, MasterControl performs full regression testing throughout the life cycle of our software to ensure we release the cleanest code possible.

MasterControl offers an exhaustive set of IQ, OQ, and PQ test protocols to assist customers with software validation. Updated protocols are provided with every system build and revision. The MasterControl audit trail goes through revalidation with each system release at the OQ and PQ level.

The Validation Excellence Tool is incredible. I’d never validated anything before myself and so I was a little nervous trying to validate the system. MasterControl hooked me up with a validation expert to walk me through the tool the first time and in a matter of hours we completed our validation.

- Quality Specialist, Pharmaceutical Compounding Company

#7 Digitize your QMS to simplify compliance.

The FDA expects a lot — and for good reason. It’s in a company’s best interest to remain compliant with 21 CFR Part 11 to be audit ready and maintain consumer trust and safety. Risks of noncompliance can equate to lost or altered data leading to anomalies in production, unauthorized persons accessing important and proprietary data, or data breaches that result in stolen data. All of this can slow production way down and decrease consumer trust and investment. Fortunately, MasterControl software solutions simplify the process of compliance by providing process integration and purpose-driven functionalities like:

  • Encrypted, unique electronic signatures for all users.
  • Tailored system access and administrator-assigned document-specific control.
  • Comprehensive and transmissible audit trails.
  • Out-of-the-box validated software that remains compliant with each release.

It’s compliance ... simplified!

MasterControl Quality Excellence Benefits

  • Multiple levels of security.
  • Unique login for all active users and signatures.
  • Highly configurable system tracking.
  • Customizable permissions at the sysadmin level.
  • Risk-based validation.
  • Extensive test IQ, OQ, and PQ protocols.
  • Tailor-made tools and methodology.
  • Revalidation with each release.