21 CFR Part 11 sets the compliance requirements for electronic records and signatures for data security purposes. This includes guidelines for how organizations create, store, and access their digital records.
As the life sciences sector continues to grow through SaaS cloud application use, understanding 21 CFR Part 11 compliance is becoming increasingly important for these organizations.
What is 21 CFR Part 11?
21 CFR (Code of Federal Regulations) Part 11 outlines specific practices that companies, and the cloud SaaS applications they use, must follow regarding electronic records and signatures. This includes the validation of your systems, software tools, and operational and security controls.
Originally established in 1997, 21 CFR Part 11 is an essential part of business for any organization that uses digital records or works in the cloud.
The guidelines set by 21 CFR Part 11 are open-ended, meaning that organizations can use the compliance systems that best fit their needs, but the regulation still outlines the compliance requirements for validating your systems and software.
21 CFR Part 11 requirements for cloud applications & SaaS
Now, let’s talk about some of the key requirements for 21 CFR Part 11 compliance and what these terms actually mean.
- Validation: You must conduct regular software validation checks, ensure your system is working as intended, and record all testing results.
- Record generation: You must have records relating to both hardware and software operations and be able to provide both electronic and paper copies of those records.
- Audit trails: Every file that you create, modify, or delete must have an audit history file, and that file should not be modifiable by users.
- Operational controls: System checks must be in place regarding the sequencing of steps for your workflow to ensure that each record is created, reviewed, and approved.
- Security controls: Each authorized user of your system needs to have a unique login ID and password, ensuring that only authorized personnel can access your systems.
- Training: All of your users should be trained to perform their specific roles, and that training must be well documented for auditor review.
- Digital signatures: Each electronic signature must include the signer’s printed name, the date and time of the signing, and the context of the signature (review, approval, etc.).
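The audit-trail and signature items above can be checked in code. The sketch below is an added example, not taken from the regulation or from any LMS product: it assumes a hash-chained log as one way to make user edits to the audit history detectable, and the field names (`printed_name`, `signed_at`, `meaning`) and sample records are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry
SIG_FIELDS = ("printed_name", "signed_at", "meaning")  # name, date/time, context

def _digest(prev_hash, body):
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_entry(trail, user_id, action, record_id, signature=None, when=None):
    """Append one create/modify/delete event, chained to the previous entry."""
    if action not in ("create", "modify", "delete"):
        raise ValueError(f"unknown action: {action}")
    if signature is not None:
        missing = [f for f in SIG_FIELDS if not signature.get(f)]
        if missing:
            raise ValueError(f"signature missing: {', '.join(missing)}")
    at = (when or datetime.now(timezone.utc)).isoformat()
    body = {"user_id": user_id, "action": action, "record_id": record_id,
            "at": at, "signature": signature}
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({**body, "prev": prev, "hash": _digest(prev, body)})
    return trail[-1]

def verify_trail(trail):
    """Return the index of the first altered or out-of-place entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != _digest(prev, body):
            return i
        prev = entry["hash"]
    return None

def build_sample_trail():
    # Constructed sample data: record id, users and timestamps are invented.
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    trail = []
    append_entry(trail, "jdoe", "create", "SOP-001", when=t0)
    append_entry(trail, "jdoe", "modify", "SOP-001", when=t0.replace(hour=10))
    append_entry(trail, "asmith", "modify", "SOP-001", when=t0.replace(hour=11),
                 signature={"printed_name": "Alex Smith",
                            "signed_at": t0.replace(hour=11).isoformat(),
                            "meaning": "approval"})
    return trail
```

A chain like this only makes tampering detectable; anyone who can rewrite the whole file can rebuild the chain, so the trail still belongs in storage that application users cannot write to, with the latest hash kept somewhere separate.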
21 CFR Part 11 & Annex 11 for cloud SaaS applications
21 CFR Part 11 and Annex 11 are closely related. Both regulations provide detailed information about best practices for generating and storing electronic data in GxP lab and manufacturing applications. While 21 CFR Part 11 is primarily a list of prohibitions, Annex 11 is more of a guide for organizations to use to operate in a compliant GxP space. The most notable differences include personal liability expectations and how individuals are identified.
The inspection and validation process differs slightly for cloud-based and SaaS organizations compared to local software.
For life sciences companies, basically every computerized system you use is subject to 21 CFR Part 11 and Annex 11. Reviewing the most recent inspection trends is the best way to get insights into what your validation process should look like.
Electronic records, as defined by the FDA in 21 CFR Part 11, consist of much more than your documents. Other records that require compliance include:
- Source code
- Test records
- Sound files
- Any other file that could be considered an electronic record
21 CFR Part 11 is ultimately about data security and is based on following security best practices, using effective password and user ID protection, and setting the right roles and permissions for each user.
LMS & SaaS cloud applications: A solution for 21 CFR Part 11 compliance
Modern organizations are constantly searching for more efficient ways to handle employee education, training, and compliance. Learning management systems (LMS) allow those organizations to access all of their documents from the cloud and from any device without investing heavily in in-house software and hardware. An LMS is one of the best tools for SaaS, cloud applications, and companies in the GxP space to maintain 21 CFR Part 11 compliance.
Understanding the 21 CFR Part 11 guidelines is essential for validating your records—you’ll have to know how your software is affected and guarantee the integrity of your LMS and electronic records. All organizations in the GxP space must be compliant for data security purposes.
It’s best to leave compliance to the pros, and solutions like Dokeos LMS can deliver powerful CFR Part 11-compliant solutions to your GxP, SaaS, or cloud-based organization.
What does 21 CFR Part 11 mean for your organization?
SaaS cloud LMS applications are considered to be electronic record systems under 21 CFR Part 11—they provide access to employee and training data. For most organizations, especially those in the GxP space, using a cloud-based LMS that stands up to 21 CFR Part 11 regulations is the best way to deliver compliant resources to your team.
As SaaS solutions continue to flood the market, the responsibility for checking and maintaining 21 CFR Part 11 compliance falls on the organization using the software—choose your LMS and other SaaS cloud applications carefully.