FDA CFR21 part 11 product checklist
Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11) sets out the rules that a company using an electronic system for document and signature control must abide by. It puts forth the U.S. Food and Drug Administration’s (FDA) guidelines on electronic records and electronic signatures to ensure that these documents are authentic and that their security, integrity, and confidentiality are maintained. Companies involved in making drugs, biologics, and medical devices, CROs (Contract Research Organizations), and any establishment that comes under FDA regulation must follow the stringent controls, audits, validations and other rules laid down by the FDA.
FDA 21 CFR Part 11 compliance is provided with LabCollector and major add-ons such as ELN, LSM, WorkFlow, and equipment integration with I-Collector.
Full compliance can be achieved with the compliancy pack, which offers various options to follow regulations more stringently. However, final validation must always be performed on the end-user side.
The following checklist is provided as a guide, but AgileBio also provides prechecked certificates and tests to facilitate lab auditing.
For additional information about how LabCollector helps to meet additional GxP and regulatory compliance, read this or contact us.
The guidelines by the FDA for electronic data compliance can be found by clicking the link.
The 21 CFR Part 11 Compliance Checklist is described below:
Name and version of the software
The software version should indicate major and minor changes
Access should be limited to authorized users, with privileges assigned to roles, not individuals.
The password should be at least 8 characters long, with alphanumeric characters
Passwords must be changed frequently, at a predetermined time period (90 days)
The system must prevent the reuse of a specified number of previous passwords (6 password changes in 1 year)
Password characters must not be visible while being entered
Passwords should not be remembered by application or the browser
Passwords must be encrypted by the system upon entry and storage.
Passwords should not be able to be copied from password field to paste elsewhere.
Temporary passwords cannot be emailed without two-factor authentication.
Temporary passwords should be unique
Temporary passwords must be changed during the next login.
Temporary passwords should expire after a short time period (for example 24 hours)
User name should identify the person and should not be generic
User name should appear on the screen and should be unique
It should be possible to disable/inactivate a user name/ID so that it is not reused
After a period of inactivity in the application, the system should log the user out automatically and require re-entry of the password
The system should lock out the user after too many failed attempts and send a warning email to the administrator/security staff.
All user activity should be controlled by log in, log out and lock out.
Last log in should be displayed when the user logs in.
Data transfer should be limited and deletion capabilities should be controlled
Data transfer outside of the intranet firewall should be encrypted using the secure HTTPS protocol
Input data should have a validity check for type and size
The date format should not be ambiguous, and the month should be clearly stated
Audit trail records should contain information about record creation, modification, inactivation, or deletion of electronic records for data & configuration data
The audit trail should record user name, date, time, previous data, new data, and reason for change if required by predicate
Users who can change data can access the audit trail to see the changes made.
For high-risk data, the indication that data has changed should be shown on screen and not just in the audit trail
For high-risk applications the audit trail is written by the database
Server to be on a centralized time source: server time
Should contain a unique user ID & password
During signing password should be only known by the user
Meaning of signature (author & reviewer/approver) should be displayed during signature
Electronic signature should show the signer’s full printed name and the time and date of execution
The signed record should be locked from editing and deletion.
Electronic records must be maintained and linked to signatures for the life of the electronic record
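The audit trail and signature items above can be exercised with a small in-memory model. This is an added example, not code from LabCollector or AgileBio: the names RecordStore and RecordLocked and the entry field names are hypothetical, and it assumes the caller has already authenticated the user and re-authenticated the signer with user ID and password.

```python
from datetime import datetime, timezone

class RecordLocked(Exception):
    """Raised when a signed record is edited or deleted."""

def _now():
    # ISO 8601 in UTC (YYYY-MM-DDThh:mm:ss+00:00): the month is unambiguous
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

class RecordStore:
    """Hypothetical store; every change appends one audit trail entry."""
    def __init__(self):
        self.records = {}       # record_id -> {"data": ..., "signatures": [...]}
        self.audit_trail = []   # append-only; entries are never rewritten

    def _audit(self, user, action, record_id, previous, new, reason=None):
        self.audit_trail.append({
            "user": user, "action": action, "record_id": record_id,
            "timestamp": _now(), "previous": previous, "new": new,
            "reason": reason})

    def _unlocked(self, record_id):
        rec = self.records[record_id]
        if rec["signatures"]:   # a signed record is locked
            raise RecordLocked(record_id)
        return rec

    def create(self, user, record_id, data):
        if record_id in self.records:
            raise ValueError("record id already exists")
        self.records[record_id] = {"data": dict(data), "signatures": []}
        self._audit(user, "create", record_id, None, dict(data))

    def modify(self, user, record_id, changes, reason):
        rec = self._unlocked(record_id)
        previous = {k: rec["data"].get(k) for k in changes}
        rec["data"].update(changes)
        self._audit(user, "modify", record_id, previous, dict(changes), reason)

    def delete(self, user, record_id, reason):
        rec = self._unlocked(record_id)
        del self.records[record_id]
        self._audit(user, "delete", record_id, dict(rec["data"]), None, reason)

    def sign(self, user, full_name, record_id, meaning):
        # The signature stays attached to the record it signs
        sig = {"user": user, "full_name": full_name,
               "meaning": meaning, "signed_at": _now()}
        self.records[record_id]["signatures"].append(sig)
        self._audit(user, "sign", record_id, None, sig)
        return sig
```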