Transitioning to modern cloud-based technologies provides numerous benefits for biotech and pharmaceutical companies. Benefits such as lower IT cost, higher profit margins, and shorter time to market (1) have driven life sciences companies to embrace cloud-based solutions for data management. However, there are numerous challenges associated with adopting cloud-based solutions in the regulated life sciences industry. For example, ensuring robust data security and effectively responding to regulatory audit requests can be challenging when coupled with rapidly changing technologies.
In terms of electronic document management, the regulation most relevant to life sciences companies is the United States Food and Drug Administration’s (FDA) Title 21 CFR Part 11 (2). This set of regulations applies to companies that manufacture chemicals, drugs, and medical devices for use in the United States. The requirements of Title 21 CFR Part 11 cover computer hardware and software systems used for digital document storage. At its core, the purpose of Part 11 is to ensure data security and trustworthiness. Therefore, academic research laboratories that do not require FDA compliance can also benefit from the guidelines outlined in Part 11.
A variety of commercial software products make it possible to migrate from a paper-based workflow to cloud-based document management. Most of these software packages, such as Bear, Dropbox, and Evernote, offer a freemium pricing model, which allows you to manage documents online for free as long as you do not exceed their free-tier limits for storage space. Some paid apps are also commonly available for free through employers. For example, Microsoft Word is usually preinstalled on a team's computers. An alternative option is to use the free Google Docs solution, which provides both personal and business-level document and spreadsheet management in the cloud. It is important to note that none of these solutions have built-in FDA Part 11 compliance. It is therefore important to establish proper quality procedures that ensure compliance while using the above-mentioned free tools (Figure 1). The aim of this article is to provide guidance on how to achieve Part 11 compliance while using freely available online tools.
The FDA’s Title 21 Code of Federal Regulations Part 11 (3), also known as Part 11, lays out specific requirements for a digital document management workflow in laboratories that manufacture chemicals, drugs, and medical devices for use in the United States. The Part 11 criteria must be met before electronic documents and electronic signatures can be considered trustworthy and reliable by the FDA. The FDA expects that all digital documents maintained under this part will be readily available for inspection.
The Part 11 regulation applies to the entire lifecycle of a digital workflow for computerized laboratory document management. This starts with establishing the proper in-house procedures (SOPs) for digital document management. The individual organization will also be responsible for vendor validation, data storage and backups, user accountability, validity of electronic signatures, and maintaining audit trails. As you can see, Title 21 Part 11 applies to all of the steps in a digital workflow used in a life sciences laboratory. This means that Part 11 is quite broad (Figure 2) and most companies in the biotech, pharmaceutical, and life sciences industries must comply with Part 11. In fact, since the publication of Part 11, the FDA has been enforcing this regulation rigorously and it has issued numerous warning letters for non-compliance to life sciences companies operating all around the world (selling products within the United States).
First published in 1997, the guidance for complying with Part 11 has been updated multiple times to take into account sponsor feedback and changing technology. The FDA Part 11 can be considered the data integrity and security part of an organization's Good Laboratory, Clinical, or Manufacturing Practices (GxP), which ultimately are designed for product and patient safety. Additionally, laboratories that do not require FDA compliance will benefit from adhering to Part 11 guidelines by securing their data and protecting their intellectual property. Learn more about application of Title 21 Part 11 in the context of GxP procedures by downloading LabLog's whitepaper on this topic.
Modern cloud software tools (free and paid) cannot be automatically assumed to be secure and compliant with the FDA regulations. Rigorous vendor validation and independent third-party audits are important to ensure compliance with internet security standards and government regulations.
Other less mature digital lab notebook vendors are often not built with compliance in mind, as they are targeted to purely academic research laboratories. LabLog™ has focused on compliance and security from the outset and is the only lab notebook app vendor that has this level of compliance.
Since Part 11 demands rigorous security and validation procedures, laboratories that do not necessarily require Part 11 compliance will tremendously benefit from a vendor that is Part 11 compliant and undergoes independent third-party verification. For example, a laboratory working in the field of cancer research or rare diseases can benefit from the security measures and streamlined workflow that are built into LabLog™.
An organization adopting a free online tool for its digital workflow must consider the seven principles described below to ensure data security, trustworthiness and compliance to FDA Part 11 (Figure 3).
The first step in adopting a free online tool as your organization's digital laboratory notebook is comprehensive planning. All user needs must be considered. All product feature requirements must be evaluated to ensure a good fit. It is also important to consider how the software will be distributed to your team for initial testing and final implementation. Also consider whether electronic signatures will be executed on the documents saved online. An additional factor that can affect the choice of the software tool is integration with existing hardware and software tools used in the organization. Create a flow chart of the entire system, detailing exactly how documents are created, maintained, edited, signed, and audited. Plan for bidirectional traceability, where an audit report chosen by an auditor can be traced back to the original document and its author. If a document has been modified, it is important to have a system in place that can show all change history. At the system level, it is important to plan for data loss recovery by implementing a robust data backup system. Finally, it is important to ensure that threat monitoring is in place to get timely alerts if there is an attempt at unauthorized access to your system. The planning phase usually requires close collaboration between the scientific and regulatory teams. At the conclusion of this step, you should have a good idea about the specific requirements for compliance with Part 11 and a shortlist of online vendors that meet those requirements. Create a spreadsheet of all your requirements and start communication with online vendors.
After communicating your requirements to your chosen software vendors, request a product demo, on-site presentation, or trial of the software. At this stage you can also request that the vendor provide any quality documents, third-party audit reports, and compliance assessments. Use the trial period to assess the software. Ease of use, load testing, and system availability must be assessed. This step can be performed on multiple software tools in parallel using different members of a team, who create a report at the end of the assessment period. It is critical to communicate your Part 11 requirements to the software vendor. If you are directly using a cloud platform provider, such as Amazon, Google, or Microsoft, it is important to obtain their Part 11 compliance documentation. If using a third-party vendor, such as Dropbox, then it is important to understand their cloud infrastructure and obtain a Part 11 compliance matrix from them. At LabLog (paid service), we use Microsoft Azure as our cloud platform (Part 11 compliant) and we provide all required compliance documents from Microsoft and LabLog to our clients. At the conclusion of this step, you will have one or two shortlisted vendors for further consideration.
Vendor validation is usually performed by the individual organization's quality and regulatory team. This involves assessing all vendor regulatory documents, audit reports, software development lifecycle, and test cases. Additionally, the vendor's quality management systems are examined. At LabLog we provide a client package that includes all of the requested documents. For example, we provide documentation to show that our quality management system adheres to ISO 9001 and that we have used third-party verification for Part 11 compliance of our software. At the conclusion of this step, you will have chosen your preferred software vendor.
The quality or regulatory team in your organization starts drafting written standard operating procedures (SOPs) for user training and the use of the system. These documents are important to ensure that users adhere to the guidelines for use of the system. Procedures for electronic signatures, system access control, and user identity validation through the HR department will also need to be drafted. If planning to use electronic signatures, procedures must be in place that define how signature-level user authorization and signature reason are defined. At LabLog (paid service), our team of regulatory experts helps clients streamline the creation of the required SOPs in addition to providing our own existing SOPs for system maintenance.
It is preferred that a representative from the software vendor or an authorized expert is present on-site to ensure proper implementation of the system and for user training. LabLog™ is based in the United States and our team is able to perform on-site training if requested (paid service). A number of vendors can perform online training which can be live or recorded. In this case, it is important to schedule the training sessions and ensure attendance. A form is required to be filled out by all attendees to keep a record of the training.
After a couple of months of use, it is important to perform an in-house audit of the system to ensure compliance with Part 11. The audit can be performed by the individual organization's regulatory team or a third-party consulting firm. LabLog™ can recommend a number of expert consulting firms that can perform an impartial audit of your systems. This is crucial if you want to avoid receiving a warning letter or notice of violation following an audit by the FDA.
Compliance with Part 11 requires continuous assessment, as the organization's needs can change and software vendors adopt new technologies. It is important to continuously monitor the system performance and identify any bugs, performance issues, or user design improvements. Feedback must be sent to the chosen vendor for immediate remediation. In addition, refresher training must be performed for users of the system, and password validity and user identity must be assessed on a continuous basis to ensure system integrity and trustworthiness.
Migrating to the cloud and adhering to FDA Part 11 can bring many benefits, even for organizations that do not require compliance with FDA regulations. With careful planning it is possible to adopt a free online tool for a digital workflow that is compliant with FDA Part 11. As outlined here, adopting a free tool while meeting the Part 11 criteria requires a lot of effort by the individual organization. Furthermore, 100% of the compliance responsibility will fall on the individual organization adopting a free online tool. If your company has dedicated teams for regulatory affairs and IT services, it may be possible to embrace the free digital workflow within a span of 3 to 4 months. Using a free online tool initially appears to have no cost burden on the adopting organization. However, the resources and the time consumed for implementation and maintenance will have a substantial cost and risk burden. Using a specialized lab notebook vendor, such as LabLog™, can substantially free up resources that can be used for more important tasks such as reducing time to market for new products.
1. 5 Ways Cloud Services Reduce Costs for Life Sciences Organizations. https://labnotebook.app/blog/5-ways-cloud-services-reduce-costs-for-life-sciences-organizations
2. Title 21 CFR Part 11. Wikipedia. https://en.wikipedia.org/wiki/Title_21_CFR_Part_11
3. Part 11, Electronic Records; Electronic Signatures - Scope and Application Guidance for Industry. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
All rights reserved, © 2019 Aiderbotics Corporation. LabLog™ is a registered trademark of Aiderbotics Corporation.