Paper-based records have the merit of providing data security: it is difficult to falsify a physical document or a handwritten signature. It is also easy to indicate any changes and corrections that were made.
However, over the years, computerized systems have gradually replaced paper records due to better traceability, accessibility, security, and data interoperability, and of course, to reduce material costs. In response, many regulations and directives were implemented regarding the use of electronic records and signatures. One of them is FDA’s Title 21 CFR Part 11.
In this blog article, we will help you understand Title 21 CFR Part 11 and how to implement it into your software by answering the most common questions regarding this matter.
What is 21 CFR Part 11?
The Code of Federal Regulations (CFR) is a collection of general and permanent rules published by the Federal Government in the U.S. It is divided into 50 titles – Title 21 is reserved for the rules of the Food & Drug Administration (FDA).
Part 11 falls under chapter one of Title 21 (dedicated to regulated areas, such as Pharmaceuticals, Biotech, and Medical devices). It establishes regulations and guidelines for electronic records and signatures so that they are trustworthy, reliable, and equivalent to their paper counterparts. 21 CFR Part 11 allows any paper record and signature to be replaced by an electronic one, where data integrity is assured.
What about other authorities?
21 CFR Part 11 is only relevant to the U.S. FDA-regulated environment. Other authorities share the same intent to have safe, validated computerized systems and have therefore implemented equivalent regulations and guidelines regarding this matter. All the documentation mentioned below follows the same principles and vision as 21 CFR Part 11. Some other major authorities and their corresponding documents are:

European Union (EU)
EU EMA Guidelines to good manufacturing practice: Annex 11: Computerised systems

Japan
ERES Guideline: Application for Approval of Licensing of Drugs

Canada
Food & Drugs Act, Division C.02
How are 21 CFR Part 11 & data integrity connected?
The main purpose of 21 CFR Part 11 is to provide guidelines on what properties a software system must have so that electronic records and signatures may replace their paper equivalents. These properties have to assure the data integrity of the system, and data integrity consists of the following four pillars:

Data security
Ensures no data is corrupted or lost

No-falsification
Tampering of electronic records is made difficult and detectable

Traceability
All actions relevant to electronic records are traced in audit trails

Non-repudiation
Dictates that the authenticity of the user’s approval of the electronic record cannot be repudiated (rejected)
What are the main 21 CFR Part 11 software features?

Authentication
A process of verifying the user’s identity before using the software, where every action in the software can be associated with the user (traceability)

Audit trail
A record of all changes to system properties or input data with a timestamp, a reason to change, and the user responsible for the change. Additionally, some other attributes can be tracked (e.g., original and new values)

Data export
All electronic records and signatures should be exportable in a human- and machine-friendly format to be inspected by auditors. Common examples are CSV, PDF, XML, and SGML.

Electronic signatures
A piece of data logically associated with other data, used by the signatory to sign the associated data. There are many options to choose from when implementing electronic signatures (the most rigorous are digital signatures – a cryptographic scheme for verifying authenticity).
One optional feature is authorization – integrating user management into the system.
How to start when selling your software to FDA-regulated companies?
It is important first to understand how the customer envisioned the use of the software. Next, you need to define the required software features for the software to be CFR-ready. Here you need to distinguish the solutions that will be implemented directly in the system from those that can be addressed in some other way (technical or policy solutions).
Another important point is to implement a quality management system (QMS) at your site if you have not done so yet, since many companies from regulated areas usually request this from their partners.
Can software be CFR-compliant?
The software itself cannot be CFR-compliant, only CFR-ready, since the software is always a part of some larger system, like an instrument and related documentation. Validation is then performed on-site on the whole system, for which we can say it is compliant.
What if we want to add 21 CFR Part 11 features to existing software?
We advise starting with a review of your existing software. Check which requirements are already addressed in the current version and what needs to be implemented. You might also want to consider which persistence technology to use. For example, if your software is file-based, it is advised to migrate to a database for easier data integrity implementation.
If you also plan to use the software in a non-regulated environment, it is highly recommended to have a Research-use-only version of the software. This can be very useful in R&D, where CFR features are far too complex. In addition, based on how you want to distribute the software, you might want to adapt the licensing mechanism.
How important is it to have an external consultant?
The content of 21 CFR Part 11 is very general. It explains all the mandatory features but not how to implement them. Therefore, it is highly recommended to hire an expert if you don’t have in-house expertise. A consultant will help you design a system that is no more complex than it should be. This can save you a lot of money and time, especially if you start the collaboration early in the process and keep it close. When hiring, it is important to consider a consultant with hands-on experience in developing CFR-ready software.
If you want to learn more, check out the webinar we conducted on this subject.
Summary
- 21 CFR Part 11 is a collection of regulations and guidelines for electronic records and signatures so that they are trustworthy, reliable, and equivalent to their paper counterparts.
- It is published by the Federal Government in the U.S. and is only relevant to the U.S. FDA-regulated environment. Other authorities (EU, Canada, Japan, etc.) share the same intent regarding this matter and have issued their own documentation.
- Data integrity of electronic records and signatures is the main concept in 21 CFR Part 11 documentation. The four principles here are data security, non-repudiation, traceability, and no-falsification.
- The main 21 CFR Part 11 software features are authentication, audit trail, electronic signatures, and data export. Another feature is authorization, which is optional.
- Software cannot be CFR-compliant, only CFR-ready, because the software is always a part of some larger system that is later validated.
- If you don’t have in-house expertise, it is highly recommended to hire an external consultant. This will help you reduce costs and save time.