Resources Related to Compliance and 21CFR11

Background

Title 21 CFR Part 11 (often shortened to “21CFR11”) is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). Part 11 defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.
Any scientist who goes into commercial research will probably need to know about these regulations. Additionally, because Universities are becoming more focussed on licensing research discoveries as a source of revenue, academic labs will certainly need to become more familiar with these regulations in the coming years.


21CFR11 was developed in the US during the 1990s to ensure that records in a digital system can be reasonably assumed to be a true and accurate representation of the work performed. 21CFR11 helps to ensure that the records were created by the author(s) who claim they did the work, and that they performed the work at the date and time that they say they did it. The 21CFR11 rule set also helps reviewers to understand who has had access to, or has contributed to, the work. Digital records should be collected and stored in a 21CFR11 compliant system if you want to eventually use your records as supporting evidence in any type of formal, legal or regulatory proceeding, or if you want the records to be used in patent hearings, or other “due diligence” / intellectual property verification events. Ownership and accuracy disputes related to scientific research are surprisingly common and expensive in both industry and academia, and many of these disputes can be avoided if records are kept in a 21CFR11 compliant system.

Requirements


Initially, 21CFR11 was only considered an absolute requirement for US-based, FDA-regulated organizations. However (in part because nobody else ever came up with anything better), 21CFR11 has gradually become the international “gold standard” for scientific digital data management and is becoming common in other sectors where accurate, reliable, legally defensible or patent-related record keeping is required. In our opinion, 21CFR11 record keeping should be considered mandatory for any modern, efficient, paperless lab. Additionally, 21CFR11 compliance is probably the main reason why your organization should use a dedicated ELN system vs. a home-grown system; ad-hoc, non-compliant data management tools like Dropbox, MS OneNote, Evernote; shared file servers; or keeping files on personal computers.

Compliance and ELN products

The key elements of 21CFR11 that are supported by our ELN products are as follows:

  • Data is a true and accurate record of your work.
  • Ability to create accurate copies and human readable exports for inspection.
  • Limited, secure, role-based access by authorized individuals only.
  • Users only see what they have specific access to, even in search results.
  • The system should encourage individuals to make good decisions about what records they disclose to others.
  • The system must include a secure audit trail that records all user actions with computer-generated timestamps.
  • All changes are visible; older versions and deleted data remain available for inspection.
  • Records remain available for the period of the study (i.e. permanently for most research organizations).
  • Training in proper use of the system is available and completed by all users.
  • Digital signatures can be used to lock and witness documents.
  • Digital signatures cannot be separated from the data they safeguard.
  • Digital signatures are unique to each user, are not transferable and cannot be repudiated.
  • Proper password management procedures, security and access / activity logging must be part of the system.

Other Considerations

Best Practices

There are a range of other additional best practices, rule sets, compliance guidelines and related laws that you may encounter as a scientist.

Examples include FAIR data management practices, ALCOA-PLUS, “Good Lab Practice” (GLP), HIPAA, GDPR and many others. Which regulations apply to you depends on your location, the type of research you do, whether or not you use human or animal subjects in your research, whether or not you or your organization plan(s) to patent any of your discoveries, as well as whether or not there are safety or privacy concerns related to the type of research you do. At minimum, we would recommend that all research scientists be familiar with at least 21CFR11 and ALCOA-PLUS. Note that some compliance rule sets have requirements that directly CONFLICT with each other, so in some cases it’s important to determine which ones are most important to your organization and legal jurisdiction. In some cases it may be necessary to segregate different types of data into different systems, or different instances of the same system that have been configured to follow different types of rules. 

Hosting

Additionally, depending on your overseeing organization and whether or not you work with things like personal medical records, your host environment may also need to meet certain sorts of requirements that are not related to the software you select. If you choose an on-site deployment of RSpace then the security, compliance, configuration and maintenance of the server host is your responsibility. If you choose to have us host the system for you in an Amazon data center then you should consult the latest version of Amazon’s documentation to see what security precautions they use and if AWS hosting will meet your compliance needs, but in our opinion Amazon security is extremely solid.

IQ / OQ

In stringent environments, a validation of some kind may be necessary to ensure that the deployed system has been set up properly (called “Installation Qualification” or IQ) and that it operates as designed (“Operation Qualification” – OQ), and also that it follows the desired rules properly. Technically, a computer system can only really be fully validated in situ at a customer site, so although a system can be designed to be compatible with 21CFR11 (or some other rule set), the system can only be “validated” as such once it has been deployed for a specific customer. Beware systems that claim to be 21CFR11 “validated” before you have even deployed them – that’s not possible.

Note that Lab-Ally and our partners can assist with the IQ – OQ process. Contact us for details.

Further Reading

Please find below some resources where you can learn more.

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11

https://en.wikipedia.org/wiki/Title_21_CFR_Part_11

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3121265/

https://www.fda.gov/downloads/drugs/guidances/ucm495891.pdf

https://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/default.htm

https://www.who.int/medicines/publications/pharmprep/WHO_TRS_996_annex05.pdf

https://cerf-notebook.com/articles/eln-glossary/

https://cerf-notebook.com/solutions/iq-oq-validation/