7 Ways to Become FDA Part 11 Compliant Without Spending a Dime

Introduction

Transition to modern cloud-based technologies provides numerous benefits for biotech and pharmaceutical companies. Benefits such as lower IT cost, higher profit margins, and shorter time to market (1), have driven life sciences companies to embrace cloud-based solutions for data management. However, there are numerous challenges associated with adopting cloud-based solutions in the regulated life sciences industry. For example, ensuring robust data security and effectively responding to regulatory audit requests can be challenging when coupled with rapidly changing technologies.

The regulation most relevant to life sciences companies that keep their data and documents in the cloud is the United States Food and Drug Administration’s (FDA) Title 21 CFR Part 11 (2). This set of regulations applies to companies that manufacture chemicals, drugs, and medical devices for use in the United States. The requirements of Title 21 CFR Part 11 cover computer hardware and software systems used for digital document storage. At its core, the purpose of Part 11 is to ensure data security and trustworthiness. Therefore, academic research laboratories that do not require FDA compliance can also benefit from the guidelines outlined in Part 11.

A variety of commercial software products make it possible to migrate from a paper-based workflow to cloud-based document management. Most of these software packages, such as bear, dropbox, Evernote, offer a freemium pricing model, which allows you to manage documents online for free as long as you do not exceed their free-tier limits for storage space. Some paid apps are also commonly available for free through employers. For example, Microsoft Word is usually preinstalled on a team's computers. An alternative option is to use the free Google Docs solution, which provides both personal or business level document and spreadsheet management in the cloud.

You may be wondering if any of these software packages are CFR 21 Part 11 compliant. It is important to note that none of these solutions have built-in FDA Part 11 compliance. This is because compliance to part 11 is needed by a small section of the market while requiring substantial technical investment on part of the software vendors. It is therefore important to establish proper quality procedures that ensure compliance while using the above-mentioned free tools. See figure 1 below for an overview of how you and the vendor will have to share the burden of ensuring compliance.

The aim of this article is to provide guidance on how to achieve Part 11 compliance while using freely available online tools such as Dropbox, or Microsoft Word.

What is Title 21 CFR Part 11?

The FDA’s Title 21 Code of Federal Regulations Part 11 (3) also known as Part 11, lays out specific requirements for a digital document management workflow in laboratories that manufacture chemicals, drugs, and medical devices for use in the United States. The Part 11 criteria must be met before electronic documents and electronic signatures can be considered trustworthy and reliable by the FDA. The FDA expects that all digital documents maintained under this part will be readily available for inspection.

The Part 11 regulation applies to the entire lifecycle of a digital workflow for computerized laboratory document management. This starts with establishing the proper in-house procedures (SOPs) for digital document management. The individual organization will also be responsible for vendor validation, data storage and backups, user accountability, the validity of electronic signatures, and maintaining audit trails. As you can see, Title 21 Part 11 applies to all of the steps in a digital workflow used in a life sciences laboratory. This means that Part 11 is quite broad (Figure 2) and most companies in the biotech, pharmaceutical, and life sciences industries must comply with Part 11. In fact, since the publication of Part 11, the FDA has been enforcing this regulation rigorously and it has issued numerous warning letters for non-compliance to life sciences companies operating all around the world (selling products within the United States).

Why the FDA Part 11 Regulation is important

First published in 1997, the guidance for complying with Part 11 has been updated multiple times to take into account sponsor feedback and the changing technology. The FDA Part 11 can be considered as the data integrity and security part of an organization's Good Laboratory, Clinical, or Manufacturing Practices (GxP), which ultimately are designed for product and patient safety. Additionally, laboratories that do not require FDA compliance will benefit from adhering to Part 11 guidelines by securing their data and protecting their intellectual property. Learn more about the application of Title 21 Part 11 in the context of GxP procedures by downloading LabLog's whitepaper on this topic.

Modern cloud software tools (free and paid) cannot be automatically assumed secure and compliant to FDA regulations. A rigorous vendor validation and independent third-party audits are important to ensure compliance with internet security standards and government regulations.

Other less mature digital lab notebook vendors are often not built with compliance in mind, as they are targeted to purely academic research laboratories. LabLog™ has focused on compliance and security from the outset and is the only lab notebook app vendor that has this level of compliance.

Since Part 11 demands rigorous security and validation procedures, laboratories that do not necessarily require Part 11 compliance will tremendously benefit from a vendor that is Part 11 compliant and undergoes independent third-party verification. For example, a laboratory working in the field of cancer research or rare diseases can benefit from the security measures and streamlined workflow that is built into LabLog™.

How to achieve FDA Part 11 compliance using free cloud tools

An organization adopting a free online tool for its digital workflow must consider the seven principles described below to ensure data security, trustworthiness, and compliance to FDA Part 11 (Figure 3).

Step 1. Planning

The first step in adopting a free online tool as your organization's digital laboratory notebook is comprehensive planning. All user needs must be considered. All product feature requirements must be evaluated to ensure a good fit. It is also important to consider how the software will be distributed to your team for initial testing and final implementation. Also, consider if electronic signatures will be executed on the documents saved online. An additional factor that can affect the choice of the software tool is integration with existing hardware and software tools used in the organization. Create a flow chart of the entire system, detailing exactly how documents are created, maintained, edited, signed, and audited. Plan for bidirectional traceability where an audit report chosen by an auditor can be traced back to the original document and its author. If a document has been modified it is important to have a system in place that can show all change history. At the system level, it is important to plan for data loss recovery by implementing a robust data backup system. Finally, it is important to ensure that threat monitoring is in place to get timely alerts if there is an attempt at unauthorized access to your system. The planning phase usually requires close collaboration between the scientific and regulatory teams. At the conclusion of this step, you should have a good idea about the specific requirements for compliance to Part 11 and a shortlist of online vendors that meet those requirements. Create a spreadsheet of all your requirements and start communication with online vendors.

Step 2. Testing

After communicating your requirements with your chosen software vendors, request a product demo, on-site presentation, or trial of the software. At this stage, you can also request that the vendor provide any quality documents third-party audit reports, and compliance assessments. Use the trial period to assess the software. Ease of use, load testing, and system availability must be assessed. This step can be performed on multiple software tools in parallel using different members of a team who create a report at the end of the assessment period. It is critical to communicate your Part 11 requirement with the software vendor. If you are directly using a cloud platform provider, such as Amazon, Google or Microsoft, it is important to obtain their Part 11 compliance documentation. If using a third-party vendor, such as dropbox, then it is important to understand their cloud infrastructure and obtain a Part 11 compliance matrix from them. At LabLog (paid service), we use Microsoft Azure as our cloud platform (Part 11 compliant) and we provide all required compliance documents from Microsoft and LabLog to our clients. At the conclusion of this step, you will have one or two shortlisted vendors for further consideration.

Step 3. Vendor validation

Vendor validation is usually performed by the individual organization's quality and regulatory team. This involved assessing all vendor regulatory documents, audit reports, software development lifecycle, and test cases. Additionally, the vendor's quality management systems are examined. At LabLog we provide a client package that includes all of the requested documents. For example, we provide documentation to show that our quality management system adheres to ISO 9001 and that we have used third-party verification for Part 11 compliance of our software. At the conclusion of this step, you will have chosen your preferred software vendor.

Step 4. Written procedures

The quality or regulatory team in your organization starts drafting written standard operating procedures (SOPs) for user training and the use of the system. These documents are important to ensure that users adhere to the guidelines for use of the system. Procedures for electronic signatures, system access control, and user identity validation through the HR department will also need to be drafted. If planning to use electronic signatures, procedures must be in place that defines how signature level user authorization and the signature reason are defined. At LabLog (paid service), our team of regulatory experts helps clients streamline the creation of the required SOPs in addition to providing our own existing SOPs for system maintenance.

Step 5. User Training

It is preferred that a representative from the software vendor or an authorized expert is present on-site to ensure proper implementation of the system and for user training. LabLog™ is based in the United States and our team is able to perform on-site training if requested (paid service). A number of vendors can perform online training which can be live or recorded. In this case, it is important to schedule the training sessions and ensure attendance. A form is required to be filled out by all attendees to keep a record of the training.

Step 6. Audits and monitoring

After a couple of months of use, it is important to perform an in-house audit of the system to ensure compliance with Part 11. The audit can be performed by the individual organization's regulatory team or a third-party consulting firm. LabLog™ can recommend a number of expert consulting firms that can perform an impartial audit of your systems. This is crucial if you want to avoid receiving a warning letter or notice of violation following an audit by the FDA. 

Step 7. System improvements

Compliance to Part 11 requires a continuous assessment as the organization's needs can change and the software vendors adopt new technologies. It is important to continuously monitor the system performance and identify any bugs, performance issues, or user design improvements. Feedback must be sent to the chosen vendor for immediate remediation. In addition, refresher training must be performed for users of the system and password validity and user identity assessed on a continuous basis to ensure system integrity and trustworthiness.

Discussion

Migrating to the cloud and adhering to FDA Part 11 can bring many benefits, even for organizations that do not require compliance with FDA. With careful planning, it is possible to adopt a free online tool for a digital workflow that is compliant with FDA Part 11. As outlined here, adopting a free tool while meeting the Part 11 criteria requires a lot of effort by the individual organizations. Furthermore, 100% of the compliance responsibility will fall onto the individual organizations adopting a free online tool. If your company has dedicated teams for regulatory affairs and IT services, it may be possible to embrace the free digital workflow within a span of 3 to 4 months. Using a free online tool initially appears to have no cost burden on the adopting organization. However, the resources and the time consumed for implementation and maintenance will have a substantial cost and risk burden. Using a specialized lab notebook vendor, such as LabLog™, can substantially free up resources that can be used for more important tasks such as reducing time to market for new products.

Meet the FDA requirements and benefit from a trusted and secure digital workflow by using LabLog™. To learn more, click here to request a live 1:1 demo.

References

1. 5 Ways Cloud Services Reduce Costs for Life Sciences Organizations. https://labnotebook.app/blog/5-ways-cloud-services-reduce-costs-for-life-sciences-organizations

2. Title 21 CFR Part 11. Wikipedia. https://en.wikipedia.org/wiki/Title_21_CFR_Part_11

3. Part 11, Electronic Records; Electronic Signatures - Scope and Application Guidance for Industry. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application

All rights reserved, © 2019 Aiderbotics Corporation. LabLog™ is a registered trademark of Aiderbotics Corporation.