What are the FDA 21 CFR 11 Compliant Electronic Records?
08 May 2024
Title 21 of the Code of Federal Regulations, Part 11, also known as 21 CFR 11, deals with the requirements for Electronic Records and Electronic Signatures to be considered “trustworthy” by the FDA.
If you work in the MedTech or Pharma sector, you probably have heard about this regulation plenty of times. And if you are an Atlassian user, you have probably seen it mentioned in several Apps, claiming to be compliant to it.
It is worth now to make some clarity around what this regulation exactly requires and what “compliant” apps means.
We have split this discussion in 2 posts, one for Electronic Records and one for Electronic Signatures.
Like any piece of regulation, it can be accessed for free, in this case here: Federal Register :: Request Access.
For the discussion on Electronic Signatures, please see the previous post.
Electronic Records
From 21 CFR 11.3:
Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
Almost every piece of electronic information can be considered Electronic Record: Confluence pages, attachments, Jira issues, test results, CSV files, audit logs, Office files, and more.
Technical requirements for Electronic Records
Many aspects of this regulation for Electronic Records cannot be enforced by software and must be “proceduralized”, i.e. contained in a procedure that employees have to adhere to.
| Requirement | which means… | Common misconceptions | Are Atlassian tools compliant? | What to look for in an App? |
|---|---|---|---|---|
| Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. | A Company needs some sort of “Document Control” procedure that explains how these records are managed, including any security aspect and electronic signatures. | Yes, the procedure must be in written format. | N/A, proceduralized.* * This requirement is not applicable to the tools and is usually met by users covering it in internal procedures. | N/A, proceduralized. |
| Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | The tools you are using to manage these objects must be validated. | Validation must be completed, at least in part, by the user. Validation performed by the developer is not sufficient. | Atlassian does not provide any validation documentation, it is up to the user to validate tools and apps. | If the developer of the App provides a validation package it is a big plus. |
| The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. | These records must be “displayable”, i.e. they can be visualized and read by a human on a screen. It should also be possible to export the content to a shareable file (PDF or similar). | It is not sufficient to have information “somewhere in the system” and accessible only “from the IT computers”. | Most items can be exported to PDF, CSV or other common formats. | Any data (e.g. electronic signatures on the record) managed by the App must be “exportable” too, ideally together with the record itself. |
| Protection of records to enable their accurate and ready retrieval throughout the records retention period. | Records can’t be lost, corrupted or deleted. | It is not sufficient to have old records available “somewhere”, it must be easy to retrieve them. | Atlassian does not delete any of your data. Archiving options are also available. The only data that are periodically deleted are the Audit log. | There should be no data retention limit set by the App, after which something is deleted. |
| Limiting system access to authorized individuals. | Self explanatory. | None | Yes. Admins can invite and remove users from an instance. | If necessary, the App should have its own permission management system. |
| Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. | There should be a log of who-did-what-when for every record. The change history of a record must be preserved. | Previous versions of a record must be maintained, they cannot be just arbitrarily deleted. | Yes, but… 1. It is still possible to delete previous versions of a document in Confluence. 2. The history of changes in Jira is not user friendly. 3. It is possible to delete issues in Jira. 4. Audit logs are periodically deleted. These issues must be proceduralized as they are prone to use error. | The App should have its own audit log and change log for any item it manages. |
| Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. | Need to establish specific workflows. | None | Not all Atlassian tools have built in workflows (e.g. Confluence). Additional apps may be required. | The App must be able to gate events, i.e. permit an action only after previous one is completed. |
| Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | Permission management. | Not everyone can be an Admin. | Yes, but plans where permission management is not available (e.g. Confluence Free plan) are NOT compliant. | If necessary, the App should have its own permission management system. |
| Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Not applicable to our case. | |||
| Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. | Users must be trained. | Even external users must be trained. | N/A, proceduralized. | The App should have manuals, guides, instructions to ensure users can be independent. |
| The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | There must be procedure to explain users that electronic signatures are equivalent to handwritten signatures. | Electronic signatures are not less binding than wet signatures. | N/A, proceduralized. | N/A, proceduralized. |
| Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. | Manuals and procedures to use the Document Management system must be controlled. | A local copy would be beneficial. | Yes, but plans where permission management is not available (e.g. Confluence Free plan) are NOT compliant. | The App should have manuals, guides, instructions to ensure users can be independent. |
| Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. | Manuals and procedures to use the Document Management system must be controlled. | A local copy would be beneficial. | Yes, but plans where permission management is not available (e.g. Confluence Free plan) are NOT compliant. | The App should have manuals, guides, instructions to ensure users can be independent. |
| Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. | Data security | The user always bears some level of responsibility for the secure use of the system. | Ref. Security Practices | Atlassian Atlassian Cloud is considered a very secure platform, but there are practices and aspects of security that rely on configuration and cyber hygiene. | Any specific aspect related to data security, including information reported in the “Privacy and Security” tab of the App in the Atlassian Marketplace, and if the App is Cloud Fortified or participates the Cloud security program. |
| The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | This refers to “(1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. They must be integral part of any record and you must be able to visualize and export them. | This is the part that is often misinterpreted as the need to Digital Signatures. The requirement is that they must be readable. | Yes, although it depends on how signatures are displayed on the record. | The App should allow the user to insert the signature on a page and the signatures have to be present and readable also when a page is exported. |
Conclusion
If you are looking for an App with 21 CFR 11 compliant electronic signatures, make sure you understand what part of 21 CFR 11 it complies to. As compliance to this regulation is not certifiable, use a checklist like the one above to ensure you are picking the right tool.
The SoftComply Document Manager on Confluence Cloud meets the requirements of 21 CFR 11 for electronic signature and electronic records. You can try it out for free for 30 days.
Recommended articles
Supporting Regulated Industries on Atlassian
On May 2, 2024 SoftComply hosted the 2nd edition of Regulated Industries workshop during Atlassian Team…
What is an FDA 21 CFR 11 Compliant Electronic Signature?
Title 21 of the Code of Federal Regulations, Part 11, also known as 21 CFR 11,…
Software Risk Analysis in Medical Devices
In the Medical Device industry software components, whether standalone or as part of a physical device,…