
What are FDA 21 CFR 11 Compliant Electronic Records?

Title 21 of the Code of Federal Regulations, Part 11, also known as 21 CFR 11, deals with the requirements for Electronic Records and Electronic Signatures to be considered “trustworthy” by the FDA.

If you work in the MedTech or Pharma sector, you have probably heard about this regulation plenty of times. And if you are an Atlassian user, you have probably seen it mentioned in several Apps claiming to be compliant with it.

It is worth clarifying now what this regulation actually requires and what a “compliant” App means.

We have split this discussion into two posts, one for Electronic Records and one for Electronic Signatures.

Like any piece of regulation, it can be accessed for free, in this case here: Federal Register FDA 21 CFR 11: Electronic Records.

For the discussion on Electronic Signatures, please see the previous post.

Electronic Records

From 21 CFR 11.3:

Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

Almost every piece of electronic information can be considered Electronic Record: Confluence pages, attachments, Jira issues, test results, CSV files, audit logs, Office files, and more.

Technical requirements for Electronic Records

Many aspects of this regulation for Electronic Records cannot be enforced by software and must be “proceduralized”, i.e. contained in a procedure that employees have to adhere to. For a more readable table of technical requirements for the electronic records, please check it out here.

Each item below gives the requirement text, followed by: which means…, Common misconceptions, Are Atlassian tools compliant?, and What to look for in an App.

1. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.

Which means: A company needs some sort of “Document Control” procedure that explains how these records are managed, including any security aspect and electronic signatures.
Common misconceptions: Yes, it must be in writing.
Are Atlassian tools compliant? N/A, proceduralized.
What to look for in an App: N/A, proceduralized.

2. Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Which means: The tools you are using to manage these objects must be validated.
Common misconceptions: Validation must be completed, at least in part, by the user. Validation performed by the developer is not sufficient.
Are Atlassian tools compliant? Atlassian does not provide any validation documentation; it is up to the user to validate tools and apps.
What to look for in an App: If the developer of the App provides a validation package, it is a big plus.

3. The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.

Which means: These records must be “displayable”, i.e. they can be visualized and read by a human on a screen. It should also be possible to export the content to a shareable file (PDF or similar).
Common misconceptions: It is not sufficient to have information “somewhere in the system” and accessible only “from the IT computers”.
Are Atlassian tools compliant? Most items can be exported to PDF, CSV or other common formats.
What to look for in an App: Any data managed by the App must be “exportable” too, ideally together with the record itself.

4. Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Which means: Records can’t be lost, corrupted or deleted.
Common misconceptions: It is not sufficient to have old records available “somewhere”; it must be easy to retrieve them too.
Are Atlassian tools compliant? Atlassian does not delete any of your data, and archiving options are also available. The only data that are periodically deleted are the audit logs.
What to look for in an App: There should be no data retention limit after which something is deleted.

5. Limiting system access to authorized individuals.

Which means: Self-explanatory.
Common misconceptions: None.
Are Atlassian tools compliant? Yes. Admins can invite and remove users from an instance.
What to look for in an App: If necessary, the App should have its own permission management system.

6. Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Which means: There should be a log of who-did-what-when for every record. The change history of a record must be preserved.
Common misconceptions: Previous versions of a record must be maintained; they cannot just be arbitrarily deleted.
Are Atlassian tools compliant? Yes, but…
  1. It is still possible to delete previous versions of a document in Confluence.
  2. The history of changes in Jira is not user friendly.
  3. It is possible to delete issues in Jira.
  4. Audit logs are periodically pruned.
These issues must be proceduralized as they are prone to user error.
What to look for in an App: The App should have its own audit log and change log for any item it manages.

7. Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Which means: Some sort of workflow.
Common misconceptions: None.
Are Atlassian tools compliant? Not all Atlassian tools have built-in workflows (e.g. Confluence). Additional apps may be required.
What to look for in an App: The App must be able to gate events, i.e. permit an action only after another one is completed.

8. Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Which means: Permission management.
Common misconceptions: Not everyone can be an Admin.
Are Atlassian tools compliant? Yes, but plans where permission management is not available (e.g. Confluence Free plan) are NOT compliant.
What to look for in an App: If necessary, the App should have its own permission management system.

9. Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Not applicable to our case.

10. Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

Which means: Users must be trained.
Common misconceptions: Even external users must be trained.
Are Atlassian tools compliant? N/A, proceduralized.
What to look for in an App: The App should have manuals, guides and instructions to ensure users can be independent.

11. The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Which means: There must be a procedure explaining to users that electronic signatures are equivalent to handwritten signatures.
Common misconceptions: Electronic signatures are not in any way less binding than wet signatures.
Are Atlassian tools compliant? N/A, proceduralized.
What to look for in an App: N/A, proceduralized.

12. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

Which means: Manuals and procedures for using the Document Management system must be controlled.
Common misconceptions: A local copy would be beneficial.
Are Atlassian tools compliant? Yes, but plans where permission management is not available (e.g. Confluence Free plan) are NOT compliant.
What to look for in an App: The App should have manuals, guides and instructions to ensure users can be independent.

13. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Which means: Manuals and procedures for using the Document Management system must be controlled.
Common misconceptions: A local copy would be beneficial.
Are Atlassian tools compliant? Yes, but plans where permission management is not available (e.g. Confluence Free plan) are NOT compliant.
What to look for in an App: The App should have manuals, guides and instructions to ensure users can be independent.

14. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Which means: Data security.
Common misconceptions: The user always bears some level of responsibility for the secure use of the system.
Are Atlassian tools compliant? Ref. https://www.atlassian.com/trust/security/security-practices#security-philosophy. Atlassian Cloud is considered a very secure platform, but there are practices and aspects of security that rely on configuration and cyber hygiene.
What to look for in an App: Any specific aspect related to data security, including the information reported in the “Privacy and Security” tab of the App in the Marketplace, and whether the App is Fortified or participates in the Cloud Security program.

15. The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

Which means: This refers to “(1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.” They must be an integral part of any record, and you must be able to visualize and export them.
Common misconceptions: This is the part that is often misinterpreted as a need for digital signatures. The requirement is that they must be readable.
Are Atlassian tools compliant? Yes, although it depends on how signatures are displayed in the record.
What to look for in an App: Can signatures be inserted in the page? Do they export correctly?
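To make items 3, 6 and 15 of the checklist concrete, here is an added Python sketch (not code from this article, from Atlassian or from any Marketplace App) of a record store in which every change is a new version, the audit trail is computer-time-stamped and hash-chained so that an edited or removed entry is detectable, and the human-readable export carries the signer's printed name, date/time and meaning. Class and method names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

class ElectronicRecordStore:
    def __init__(self):
        self.versions = {}    # record_id -> list of contents, oldest first
        self.signatures = {}  # record_id -> list of (printed name, when, meaning)
        self.audit = []       # append-only; every entry chains to the previous one

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, user, action, record_id):
        # Computer-generated timestamp; the caller cannot supply its own.
        entry = {"when": datetime.now(timezone.utc).isoformat(), "user": user,
                 "action": action, "record": record_id,
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)

    def save(self, user, record_id, content):
        # A change appends a version; earlier versions are never overwritten.
        history = self.versions.setdefault(record_id, [])
        history.append(content)
        self._log(user, "create" if len(history) == 1 else "modify", record_id)

    def sign(self, name, record_id, meaning):
        # Printed name, date/time and meaning are stored as part of the record.
        when = datetime.now(timezone.utc).isoformat()
        self.signatures.setdefault(record_id, []).append((name, when, meaning))
        self._log(name, "sign:" + meaning, record_id)

    def verify_audit_trail(self):
        # Recompute the chain; an edited or removed entry breaks it.
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def export(self, record_id):
        # Human-readable copy: latest content, signature manifestations, history.
        history = self.versions[record_id]
        lines = [f"Record {record_id}, version {len(history)}: {history[-1]}", "Signatures:"]
        lines += [f"  {n} on {w}: {m}" for n, w, m in self.signatures.get(record_id, [])]
        return "\n".join(lines + ["History:"] + [f"  v{i}: {c}" for i, c in enumerate(history, 1)])
```

A real system would additionally anchor the chain head somewhere the operator cannot rewrite and persist the store outside the application, which is exactly the part that must be validated rather than assumed.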

Conclusion

If you are looking for an App with 21 CFR 11 compliant electronic signatures, make sure you understand which part of 21 CFR 11 it complies with. Since compliance with this regulation is not certifiable, use a checklist like the one above to ensure you are picking the right tool.

The SoftComply Document Manager on Confluence Cloud meets the requirements of 21 CFR 11 for electronic signature and electronic records. You can try it out for free for 30 days. 

2 comments

Darin - Opus Guard
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 16, 2024

@Marion Lepmets _SoftComply_ incredibly insightful! I particularly am interested in helping out on the section around retention requirements.

Chris Cairns - Digital Rose
Marketplace Partner
May 16, 2024

Thank you for sharing this article on FDA CFR 21 Part 11 compliance requirements.

eSign Document Management & Training for Confluence is also designed to meet these same requirements. If you are exploring solutions in this area, consider evaluating eSign. It is free to trial and permanently free for teams of 10 or less.


Chris C.
Digital Rose
