Companies subject to 21 CFR Part 11 must adhere to strict requirements for electronic records, electronic signatures, and computer systems to comply with the FDA regulations.
To help companies stay on top of regulatory compliance, we have examined official FDA data, identified the most common 21 CFR Part 11 non-compliances, and given best practices for avoiding them.
One way to ensure compliance with 21 CFR Part 11 is to use a modern Electronic Quality Management System (eQMS) with built-in features and functionality to support FDA requirements.
SimplerQMS provides an eQMS software solution that is fully compliant with 21 CFR Part 11 and tailored to the specific needs of Life Science companies. Book a personalized demo of SimplerQMS to see how your company can benefit from it and make 21 CFR Part 11 compliance easier.
This article covers the following topics:
- Common 21 CFR Part 11 Compliance Issues
- Best Practices to Avoid 21 CFR Part 11 Noncompliances
- Consequences of 21 CFR Part 11 Noncompliances
- Achieve 21 CFR Part 11 Compliance Excellence with SimplerQMS
Common 21 CFR Part 11 Compliance Issues
To gain insight into the most common 21 CFR Part 11 compliance issues for our analysis, we used the official Food and Drug Administration (FDA) Data Dashboard from 2016 to 2020.
Based on the analysis of the data, we identified the five most common problem areas with the most citations:
- Audit trails: 14 inspection citations.
- Records retention period: 8 inspection citations.
- System access controls: 8 inspection citations.
- System validation: 7 inspection citations.
- System documentation control and Signature record linking: 4 inspections citations each.
Read our analysis below for a more detailed explanation of the FDA data.
NOTE
As noted by the FDA, not all inspections are included in the database. More specifically, inspections conducted by States, pre-approval inspections, mammography facility inspections, inspections waiting for final enforcement action, and inspections of nonclinical labs are not included.
General Analysis of Inspections
During the analyzed period, 14 inspections were conducted for domestic companies in the United States. In contrast, foreign companies underwent only eight inspections.
Upon analyzing the final classification of noncompliance identified during the inspections, it becomes apparent that 18% of the inspection results were classified as No Action Indicated (NAI). This indicates that no objectionable conditions or practices were found during the inspection.
The majority of the inspection were classified as Voluntary Action Indicated (VAI).
This indicates that conditions or practices that are not entirely following the regulation were found. Still, the FDA is not yet prepared to take or recommend any administrative or regulatory action. This classification represented 73% of the inspection results.
Only a small proportion of inspections, 9%, were classified as Official Action Indicated (OAI), indicating the need for regulatory and/or administrative actions by the FDA.
The final classification of inspections by industry type showed that the pharmaceutical drug industry had the most inspections during the analyzed period. This industry accounted for 58% of all audits.
Most of the inspections within the Drugs industry resulted in NAI or VAI classifications, indicating that only a small percentage of inspections led to regulatory or administrative actions.
The Devices and Food/Cosmetics industries also had no inspections classified as OAI during the analyzed period.
In the Veterinary industry, while most classifications were VAI, almost half of the results were OAI, indicating the need for regulatory actions by the FDA.
General 21 CFR Part 11 Noncompliances
NOTE
We analyzed inspection details of companies cited for 21 CFR Part 11 noncompliance and extracted relevant subsections of the regulation.
It is important to note that the FDA does not provide specific data regarding these subsections. Our team extracted these subsections to understand the specific compliance issues better.
From the chart above, it is clear that between 2016 and 2020, 72% of citations for 21 CFR Part 11 noncompliance were related to section 11.10. This section pertains to electronic records, specifically the controls for closed systems.
We can also highlight sections 11.70 for signature and record linking and 11.300 for controls for identification codes and passwords, each representing 6% of the noncompliance issues.
The remaining sections, which cover topics such as electronic signature components and controls, account for 3 to 5% of the total identified noncompliances.
21 CFR Part 11 Section 11.10 Noncompliances
Upon closer analysis of section 11.10, we identified the specific requirements that are most commonly associated with noncompliance.
In the analyzed period, the main compliance issue with closed system controls was related to section 11.10(e). This section refers to using secure, computer-generated, time-stamped audit trails, representing 31% of the citations.
Next, there is almost an equal percentage of citations related to compliance issues related to:
- Section 11.10(a): System validation with 15%.
- Section 11.10(d): System access control with 17%.
- Section 11.10(c): Records retention period with 17%.
Another noteworthy section is 11.10(k), which pertains to system document control and accounts for 9% of total citations.
Followed by section 11.10(f) on operational system checks, which represents 5% of citations.
Additionally, 2% of the citations were related to noncompliance issues in other sections:
- Section 11.10(g): Authority checks.
- Section 11.10(h): Device checks.
- Section 11.10(j): Written policies.
Notably, in the analyzed data, section 11.10(b) regarding the ability to produce copies of records and make them available for FDA review and inspection did not receive any citations.
Proactively addressing these common issues can help Life Science companies avoid regulatory and administrative actions and ensure compliance with 21 CFR Part 11.
One effective solution is implementing robust Document Management or QMS software solution that is fully compliant with the FDA 21 CFR Part 11, like SimplerQMS.
Best Practices to Avoid 21 CFR Part 11 Noncompliances
There are several best practices that Life Science companies can implement to avoid some of the most common compliance issues related to 21 CFR Part 11.
Listed below are some examples of best practices to improve compliance. We will also provide examples of how an eQMS solution follows these practices and help companies ensure compliance with 21 CFR Part 11.
Establish a Robust Audit Trail System
Companies should establish an audit trail system that provides accurate and complete information on all changes made to electronic records. This includes the date and time of each change, the identity of the individual who made the change, and the reason for the change.
The audit trail should be secure, computer-generated, time-stamped, and readily available for review by the FDA.
Audit trails are automatically generated in the SimplerQMS software solution, ensuring all data required as per 21 CFR Part 11 is captured and available for review at all times.
Here we provided a brief overview of best practices for the audit trail system. For more comprehensive information on this topic, please refer to our 21 CFR Part 11 audit trail requirements article.
Implement Appropriate System Access Controls
Companies should implement system access controls to ensure that only authorized individuals can access electronic records and signatures. These controls can include user authentication, password controls, and role-based access.
For example, SimplerQMS integrates with Microsoft Entra ID (previously known as Microsoft Azure Active Directory) to control user access to the system, ensuring secure authentication and authorization.
We provide unique identification codes and password combinations to establish a clear one-to-one relationship between authorized individuals and their login accounts. Additionally, we ensure that each employee has only one user account.
To ensure secure access to electronic records systems, companies must comply with identification code and password requirements. You can learn more about this topic by reading our 21 CFR Part 11 password requirements article.
Ensure Proper Record Retention
Companies should establish records for retention procedures that include the length of time electronic records must be retained and the format in which they should be stored.
Using modern QMS solutions, like SimplerQMS, allows companies to store records in a cloud-based system. This ensures that documents are always secure and readily available anywhere.
In the SimplerQMS system, document collections can be created to facilitate the organizing of relevant records for retention, audits, and regulatory submissions.
The search feature allows you to match keywords in both document titles and content, simplifying the process of retrieving records.
Additionally, if there is a need to restore prior versions of documents, a roll-back function is readily available to facilitate the process.
Establish Clear Standard Operating Procedures (SOPs)
Develop and maintain procedures and written policies for managing electronic records and signatures, as well as for the operation of the QMS system.
Ensuring that employees are familiar with and follow the policies and procedures consistently is essential.
Using a document management system, such as SimplerQMS, companies can easily create and maintain the policies and procedures documentation. It is possible to assign documents to relevant people for review and approval.
The software also facilitates employee training by easily relating SOPs to other documents and training material.
Share Copies of Records With the FDA
Companies should also ensure the creation of copies of records. These copies need to be accurate and complete, maintaining all information from the original record.
Moreover, copies of records must be accessible only to authorized individuals and available to FDA inspections as necessary.
With the SimplerQMS solution, it is easy to create copies of records. The system allows converting and exporting documents with just a few clicks. It also has a controlled print feature to keep track of all printouts.
Conduct Regular Validation Testing
Regular validation testing of electronic record systems ensures they function as intended. It should be conducted periodically and after any significant changes or upgrades to the system.
SimplerQMS software is validated according to ISPE GAMP5, a risk-based approach to computer systems.
The software is regularly revalidated by SimplerQMS every time a new version is released, or standard updates are applied, eliminating the need for customers to conduct validation activities.
Keep Electronic Signatures Accessible and Secure
Companies must ensure that electronic signatures are unique to each user and cannot be copied or reused. Electronic signatures must also be linked to records and include the signer’s identity, date, time, and meaning.
Electronic signatures in SimplerQMS are automatically linked to their respective records, preventing them from being removed, duplicated, or transferred to falsify any document.
The system also captures and displays all signature information at the bottom of all documents.
This section provided a concise overview of electronic signatures under 21 CFR part 11. For a more in-depth understanding, we recommend reading our article on 21 CFR Part 11 compliant electronic signatures.
Ensure Proper Training and Documentation
Companies should ensure that employees working with electronic records and signatures receive proper training on the relevant policies and procedures. Keeping a record of training completion for compliance purposes is also a must.
Upon becoming a customer of SimplerQMS, our implementation team provides extensive training to users and issues training certificates.
Using the SimplerQMS solution also helps streamline employee training. The software allows you to create learning rules and assign relevant procedures and documents for specific training purposes.
The system automatically sends notifications and reminders about the training assignments, tracks the training status, and creates re-training assignments when specific documents related to training are updated.
Additionally, Training Managers can create quizzes to evaluate the effectiveness of the training and do much more.
Consequences of 21 CFR Part 11 Noncompliances
Noncompliance with 21 CFR Part 11 may result in advisory actions.
But FDA enforcement actions can be more severe if there are additional violations.
The consequences become more severe and extensive as noncompliance increases in severity and frequency.
Some of the enforcement actions listed in the FDA Regulatory Procedures Manual are the following:
Advisory actions
- Untitled Letter: This letter is sent to regulated companies to address minor violations that do not meet the regulatory significance threshold for a Warning Letter.
- Warning Letters: These are notices sent to individuals or companies advising them about specific violations with regulatory significance. The letters ask for a written response on the actions that will be taken to fix the problem.
Administrative actions
- Citations: This is a notice given to a company accused of violating the regulation. The notice allows the company to share its views in writing or orally before the United States institutes any criminal proceeding.
- Administrative Detentions: The FDA can hold adulterated or misbranded products and prevent them from reaching the marketplace.
- Civil Money Penalties: The FDA may impose monetary penalties on companies for violating food, drugs, and cosmetics regulations.
Judicial actions
- Seizure: Occurs when the FDA takes action against a product that violates regulations by being a significant or serious risk to the product user. The goal is to remove these products from the market.
- Injunction: This is a legal process used to stop or prevent a violation of the regulations. It is often used to stop the sale or distribution of noncompliant products and address the issue’s reason.
- Criminal Prosecution: The FDA’s Office of Criminal Investigation investigates illegal activities involving FDA-regulated products and arrests those responsible. People who violate the regulation may have to go to court and receive punishment according to the law of the United States.
Achieve 21 CFR Part 11 Compliance Excellence with SimplerQMS
Achieving compliance excellence is made easier and more effective with the use of the 21 CFR Part 11 compliance software solution.
SimplerQMS offers a comprehensive QMS software solution that integrates all core Life Science QMS modules into a single system:
- Document Management
- Change Control Management
- Training Management
- Supplier Management
- Audit Management
- Nonconformance/Deviation Management
- CAPA Management
- And more
To gain a better understanding of the benefits that SimplerQMS can offer, download our eQMS Business Case template.
Using this template, you can identify the economic advantages of implementing an eQMS and create a compelling business case to present your findings to management or the board.
Final Thoughts
Many companies still face challenges regarding 21 CFR Part 11. However, by examining where common problems arise, companies can proactively address potential issues.
Upon closer analysis, it is evident that the most common noncompliance issues regarding 21 CFR Part 11 are related to electronic records, particularly controls for closed electronic systems.
To address these challenges, an electronic document storage system or eQMS, such as SimplerQMS, allows companies to comply with the requirements of 21 CFR Part 11 effortlessly.
At SimplerQMS, we provide a complete eQMS solution made for the needs of Life Science companies that fully complies with 21 CFR Part 11.
Request a demo of the SimplerQMS solution, talk with our experts, and learn how we can help your company get up and running with an eQMS that will help your company comply with 21 CFR Part 11.