Title 21 CFR Part 11 Compliance with EAM: Guide & Checklist

For organizations in the life science sector, adhering to FDA (U.S. Food and Drug Administration) Title 21 CFR Part 11 is a complex but essential task. The policy, designed to protect consumer health and safety, defines the requirements for electronic recordkeeping by life science companies operating in the United States. Given the many nuances of 21 CFR Part 11, organizations must have a comprehensive internal recordkeeping system with numerous controls in place.

In this article, we’ll review what exactly Title 21 CFR Part 11 entails, provide a full 21 CFR Part 11 compliance checklist, and discuss how enterprise asset management (EAM) software can help life science organizations achieve compliance.

What is Title 21 CFR Part 11?

Title 21 CFR Part 11 is a series of FDA regulations that set the criteria for electronic recordkeeping and e-signatures so that they are reliable, trustworthy, and equivalent to paper records and handwritten signatures. The policy was founded in March 1997 to standardize electronic recordkeeping in organizations that handle FDA-regulated products and services as digital technology advanced. Industries that are required to be compliant with Part 11 include:

Pharmaceutical companies
Food and beverage manufacturers
Medical device companies
Clinical laboratories
Shipping and logistics companies

Title 21 CFR Part 11 Compliance Requirements

For life science organizations aiming to achieve or maintain compliance, the FDA conducts extensive audits to determine Title 21 CFR Part 11 compliance. Here are 4 key requirements of 21 CFR Part 11 to consider when conducting an internal system audit or preparing for an FDA audit.

1. Validation

Firstly, internal systems must be validated to ensure the accuracy, integrity, and availability of electronic records and signatures. Processes must be standardized and enforced through a fixed sequence of events. The appropriate access to perform these processes, sign electronic records, and alter records should be assigned to authorized users only. Documentation of internal systems and processes should be readily available to authorized users to further enforce workflows. Data should also be encrypted to ensure further security of internal systems.

2. Audit Trails

Organizations should maintain computer-generated, time-stamped audit trails that include details of any records that were created, modified, or deleted. Previous versions of altered records should remain available in the system for review. Organizations must also be able to provide copies of previous audits if the FDA requests them for increased traceability.

Electronic signatures are also a key part of audit trails and should include the printed name of the signer, the date and time of the signature, and the purpose of the signature. An employee’s real name must be used in their e-signature and cannot be substituted with a job title. Electronic signatures must be unique to individual employees and attached to the correct record.

3. Copies of Records

For the FDA to effectively audit an organization’s 21 CFR Part 11 compliance, their internal system must be able to generate accurate and complete copies of their records, both in electronic form and on paper. The system should be able to export these copies in multiple formats, including PDF, XML, and SGML.

4. Record Retention

Records and signatures should be securely retained and available for retrieval or copying based on "a justified and documented risk assessment and a determination of the value of the records over time,” according to the FDA. To ensure the security of these stored records, organizations should have procedures in place to periodically reset system passwords, disable lost or stolen devices, and check for any unauthorized record alterations.

21 CFR Part 11 Compliance Checklist

While the above requirements summarize the 4 main areas of Part 11, there are many nuances to these regulations. Life science organizations can use this complete 21 CFR Part 11 compliance checklist to conduct internal audits or prepare for an FDA audit.

1. Validation

Has the internal system been validated?
Can altered or invalid records be discerned?
Are records readily accessible throughout their retention period?
Is the ability to access the system and view, alter, or sign records limited to authorized individuals?
If a sequence of events is important, is this enforced in the system processes?
Does the system only accept data input or instructions from valid devices?
Is system documentation and training available for all system users, developers, and IT support?
Is there a documented policy that makes users fully responsible for the processes completed or altered under their e-signatures?
Is access to and distribution of systems and maintenance documentation controlled?
Is data encrypted for enhanced security?
Are electronic signatures used?

2. Audit Trails

Is there a secure and automated audit trail that captures the time and date an electronic record is created, modified, or deleted?
Is previously recorded information still available in the system when records are altered?
Is an audit trail retrievable throughout the record’s retention period?
Is the audit trail available to be copied and reviewed by the FDA?
Does the audit trail include the User ID, sequence of events (if applicable), current and previous values, the change history, and change controls?
Do signed electronic records include...
- The signer’s printed name?
- The date and time of the signature?
- The purpose of the signature?
- Signatures that are linked to their respective electronic record?
- Electronic signatures unique to an individual?
- Electronic signatures that are not reused or reassigned to anyone else?
- Verification of the user’s identity before the e-signature was allocated?
- E-signature that is made up of at least two components, such as an ID code and password?

3. Copies of Records

Can the system produce complete copies of electronic records on paper?
Can the system produce complete copies of records in electronic form for review and copying by the FDA?
Can the system export copies of records in established formats (PDF, XML, or SGML)?

4. Record Retention

Does each user have a unique identification code and password?
Is the validity of identification codes periodically reviewed?
Do passwords periodically expire?
Is there a procedure to recall ID codes and passwords when a person leaves the organization?
Is there a procedure to disable an ID code or password if it is potentially compromised?
Is there a procedure to remotely disable a device if it is lost, stolen, or otherwise compromised?
Are there controls over issuing both temporary and permanent device replacements?
Does the system detect unauthorized login attempts and is there a process in place to inform security or management?
Are tokens and cards initially and periodically tested to confirm that there have been no unauthorized changes?

The Benefits of Using Enterprise Asset Management Software for Compliance

Title 21 CFR Part 11 compliance is an ongoing process, which means a long-term electronic record management plan is imperative. Enterprise asset management (EAM) software is one tool that can help life science organizations maintain secure and traceable records and ultimately achieve compliance. Here are several ways that EAM software can help organizations comply with 21 CFR Part 11.

Standardized Processes and Electronic Signatures

With enterprise asset management software, organizations can create custom, standardized workflows to ensure their records meet 21 CFR Part 11 requirements. Beyond ensuring that processes follow a certain sequence of events, organizations can also add required fields like date and time stamps, signatures, and more. Further, EAM software ensures that all e-signatures are compliant with Part 11 standards (e.g., include a printed name, are unique to the specific user) and are linked to a specific record.

Full Record History

EAM software allows organizations to securely maintain the full history of their asset records and archive older records so they’re still accessible if needed for auditing purposes. With the ability to retain all relevant records and produce physical copies of them when requested, companies can confidently meet the Record Retention and Copies of Records requirements.

Effective User Management

Enterprise asset management software not only protects companies’ asset records but also ensures secure user access. With robust roles and permissions, organizations can assign the right access to the right users for enhanced accountability and data integrity. Plus, EAM software allows companies to maintain an up-to-date employee directory right in their platform, so they can easily assign user permissions and track employees’ training progress.

Data Security

While standardized workflows and robust user permissions help enforce procedures, EAM software often boasts other security measures to further protect organizations’ data. When considering enterprise asset management software, organizations should look for high data encryption levels and certifications like SOC 2 or ISO 27001.

Attain FDA Title 21 CFR Part 11 Compliance with Asset Panda

Achieving and maintaining FDA Title 21 CFR Part 11 compliance is no small feat. But with a comprehensive internal system to effectively manage and secure your electronic records, compliance is within reach.

Whether you’re newly working towards 21 CFR Part 11 compliance or are seeking to maintain it, Asset Panda’s EAM software can help. Our enterprise asset management software stores full record histories for all your assets and workflows, all of which can easily be exported for audits. Configure your workflows to capture the correct sequence of events and the necessary e-signature validation fields. Add unlimited users to your EAM platform and fully customize their permissions to ensure only authorized users can open or alter records.

With Asset Panda’s SOC 2-certified EAM software, you can trust that your data is secure and accessible to the right people. To see our enterprise asset management software in action, request your demo today.