Title 21 CFR Part 11

Accountability is an obligation to understand and justify results. For built environment professionals and facility executives, accountability means being answerable for the significant influence of complex mechanical and electrical systems on business and mission-oriented key performance indicators. These professionals can be accountable to organizations, tenants, patients, students, shareholders, and consumers. In the articles Accountable operational technology and RC-WebView: The accountable BUI, we considered the important role facility automation and operational technology (OT) systems play in built environment accountability. In some heavily regulated industries, built environment professionals and facility executives are also accountable to the general public through stringent legislation and regulation.

One example of regulation that has worldwide influence is the Code of Federal Regulations (CFR) Title 21, which prescribes rules for the U.S. Food and Drug Administration (FDA). Part 11 establishes the requirements for electronic records and signatures in processes and facilities regulated by Title 21. Designed to govern technology systems that manage information in GxP¹ processes, Title 21 has significant implications for pharmaceutical, medical device, biologic, biotech, contract research, and other regulated industries. Reliable Controls Authorized Dealers with RC-WebView^® 3.13 are equipped to provide simple, flexible, and sustainable built environment accountability in these environments.

Title 21 CFR Part 11

Title 21 regulates food and drugs manufactured or consumed in the United States under the jurisdiction of the FDA, the Drug Enforcement Administration, and the Office of National Drug Control Policy (Microsoft 2020). Although many countries have their own regulations and regulatory authorities for good practices in these fields, the size of the US market for food and pharmaceutical consumables makes Title 21 a common validation standard worldwide, particularly for manufacturing and logistics organizations.

Title 21 CFR Part 11 prescribes assurance that electronic records in regulated industry processes are accurate and available. This assurance is provided through the enforcement of improved cybersecurity, change control, electronic signatures, audit trails, and digital validation. IT and OT systems must have technological and procedural controls to protect data and ensure all records are authentic, incorruptible, and (where applicable) confidential (Ofni Systems n.d.). Specifically, the regulations “set forth the criteria under which the agency considers electronic records, [and] electronic signatures…to be trustworthy, [and] reliable” and state that digital records must be “readily available for, and subject to, FDA inspection” (Electronic Code of Federal Regulations [e-CFR] 2020).

Title 21 CFR Part 11 provides guidance for maintaining computer systems, including hardware and software, controls, and documentation in all regulated processes. All computer systems that store data that will be reported to the FDA or used to make quality decisions must be compliant. In laboratory situations, this includes records that prove quality, safety, strength, efficacy, or purity. In clinical environments, this includes data reported in clinical trials that determine quality, safety, or efficacy. In manufacturing environments, this includes decisions related to product quality. Critical to many of these metrics is indoor environmental control and monitoring during testing, manufacturing, and storage.

Basic regulatory requirements

Title 21 CFR Part 11 provides the following definitions of fundamental concepts in electronic record-keeping and validation (e-CFR 2020):

Closed system: An environment in which system access is controlled by persons who are responsible for the content of electronic records on the system.
Open system: An environment in which system access is not controlled by persons who are responsible for the content of electronic records on the system.
Electronic record: Any combination of text, graphics, data, audio, pictorial, or other digital information that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
Digital signature: An electronic signature based on cryptographic methods of originator authentication, computed using rules and parameters such that the identity of the signer and the integrity of the data can be verified.
Electronic signature: A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

For closed systems, where authenticated operators are accountable for the manipulation and management of data, procedures to ensure the authenticity, integrity, and confidentiality of electronic records are mandated when those records are created, modified, maintained, or transmitted. These controls apply to an automation system that monitors or controls a validated process or environment. Below are a few of the procedures designed to prevent claims by those accountable for electronic records that data is inaccurate or counterfeit (e-CFR 2020):

Limiting system access to authorized individuals.²
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.³
Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.⁴
Protection of records to enable their accurate and ready retrieval.⁵
Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.⁶

Open systems must follow the same requirements “from the point of their creation to the point of their receipt…and additional measures such as document encryption and use of appropriate digital signature standards to ensure…record authenticity, integrity, and confidentiality.”⁷

Electronic signatures are fundamental to providing accountability for electronic records. Changes to electronic records must be signed by, or digitally tied to, a specific person who is answerable for results. One of the means for providing this assurance is the use of “at least two distinct identification components such as an identification code and password.”⁸ This provision requires that a person authorized to manipulate digital records must have two distinct authenticators, perhaps one to access the system and another to change data. Although specific authentication must be provided for individual changes, the regulation allows for multiple changes during a single continuous period of controlled system access.

Finally, the regulation provides guidance for control of authenticators like passwords, including password maintenance policies, periodic testing, and collaborative user management.

Title 21 CFR Part 11 validation

The FDA does not certify IT/OT products or components as approved or compliant with Title 21 CFR Part 11; instead, the regulation provides prescriptive performance guidelines. IT/OT systems in FDA-regulated environments must be validated. Validation is a process, often performed by specialized third-party consultants, to confirm functional performance of an organization-level process or system. The validation process documents the operations the system performs, the system configuration required to perform correctly, and the testing that demonstrates system performance according to the defined specifications. Validation is performed for an entire process and typically includes the following components at a minimum:

Provisioning of IT and OT systems to ensure they manage electronic records within the parameters of the regulation.
Formal organization-level operational processes, policies, and procedures.
Formal system/process design and operational documentation.
Education and training for administrators, users, and support staff (e.g., IT teams).

RC-WebView can be a component of a Title 21 CFR Part 11−validated system for FDA-regulated processes and indoor environment monitoring or control. The intrinsic features of RC-WebView 3.13 described in RC-WebView: The accountable BUI make it appropriate for operating according to the regulation:

Access limitations, user authentication, and authority verification are provided through RC-WebView password management features that deliver user account and credential accountability.
Protection of records and management of data input and manipulation is ensured through dual-authentication change approval.
Assurance that operator actions are signed by, and thereby linked to, authorized users is reinforced by requiring dual approval for system security and user account changes.
Secure, computer-generated, time-stamped records of operator entries and actions that create, modify, or delete electronic data are presented in the RC-WebView audit trail.
Validation that electronic data is accurate and reliable is assured using digital signatures.
Validation of data transmission from creation to receipt is proved through watermarks and signed Excel exports.
Data entry and retrieval is simple to perform and manage in the RC-WebView browser user interface (BUI).
Date and time control are intrinsic to RC-WebView with simple authorization and detailed record time stamping.

Validation requires close coordination with organizations, operations, and design teams as well as the validation consultant. Prior to the validation process, Reliable Controls Authorized Dealers will likely be called on to provide design documentation that describes how the system is designed and operational documentation that describes how it should be used according to the requirements of Title 21 CFR Part 11. There will likely also be requirements for operator training. Organizations need to articulate policies and procedures that provide process-level documentation and external security as well as policies for internal security, change control, and training. Many validation service providers offer helpful checklists that simplify design process and validation preparation.⁹

Design considerations for Title 21 CFR Part 11–compliant systems

The RC-WebView Software Manual and online help provide guidance for the implementation of the intrinsic feature set expressly designed to satisfy the requirements of Title 21 CFR Part 11. There are a few simple but important additional design considerations.

The regulation is focused on accountability for electronic data. A significant portion of this answerability is provided by limiting who can make changes and keeping an accurate record of all changes, which can be done in a Reliable Controls system using RC-WebView. To ensure accountability, once deployed, only RC-WebView should be used to interact with the system. This is particularly important in validated systems. Once the validation process has begun and especially after complete, building operators should not deploy RC-Studio^® as it could be used to make unaccountable changes.

Similarly, RC-Archive^® should be provisioned using a custom installation without database utilities, as this feature set can also be used to modify electronic records without accountability.

Another consideration for validated systems is that using more smaller systems is more sustainable than using a larger validated enterprise. If any changes are made to a system, it is likely that the system would have to be revalidated. In a smaller segmented system, even simple changes that mandate revalidation have a lesser impact than if an entire enterprise encompassing several systems, users, and facilities has to be revalidated.

Lead the way

In industries regulated by the FDA, including pharmaceutical, medical device, biologic, biotech, and contract research, compliance with Title 21 CFR Part 11 is not optional or a value add; it is mandatory to daily operation. Before the COVID-19 pandemic, pharmaceutical spending in the United States was expected to grow to US$420 USD billion by 2023 (O’Brien 2019). Seventy percent of popular brand-name pharmaceuticals in the United States are imported (Gabriel Levitt 2017). This makes validation of OT systems in even this one regulated industry a global business opportunity. The next installment of Insight will discuss some ways we can bring our benefits to other FDA-regulated industries.

Built environment professionals and facility executives in regulated industries are accountable for seemingly countless key performance indicators. They have more than enough on their minds and endless demands on their time. RC-WebView 3.13 and Reliable Controls Authorized Dealers are an ideal combination to ease their burden with a simple, flexible, and accountable BUI for operational technology systems. By empowering these professionals with assurance that their electronic data is accurate and available, we can help them be better by design.

1 GxP guidelines established by the FDA regulate good practices. The “x” represents the variable disciplines in the pharmaceutical industry, including good manufacturing practice (GMP), good laboratory practice (GLP), good documentation practice (GDP), and good clinical practice (GCP).

2 21 CFR Part 11.10.d

3 21 CFR Part 11.10.g

4 21 CFR Part 11.10.e

5 21 CFR Part 11.10.c

6 21 CFR Part 11.10.a

7 21 CFR Part 11.11

8 21 CFR Part 11.200

9 An internet search for “Title 21 CFR Part 11 checklist” will return several examples of what to expect in a validation process.

Levitt, Gabriel. “How Can I Determine Where a Drug is Manufactured?” PharmacyChecker.com, October 15, 2017.

https://www.pharmacychecker.com/askpc/how-can-i-determine-where-a-drug-is-manufactured/#!.

Microsoft. Food and Drug Administration CFR Title 21 Part 11. March 23, 2020.

https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-fda-cfr-title-21-part-11?view=o365-worldwide#.

O’Brien, Jack. “Pharmaceutical Spending to Top $370B in 2019.” HealthLeaders, May 28, 2019.

https://www.healthleadersmedia.com/finance/pharmaceutical-spending-top-370b-2019.

Electronic Code of Federal Regulations (e-CFR). Title 21: Food and Drugs Part 11—Electronic Records; Electronic Signatures (2020). Code of Federal Regulations, National Archives and Records Administration (United States). Washington: Office of the Federal Register.

https://www.ecfr.gov/cgi-binretrieveECFR?gp=&SID=abccaeb2e4fdc79ac29dee6e80fe31b2&mc=true&n=pt21.1.11&r=PART&ty=HTML.

Ofni Systems. Introduction to 21 CFR Part 11 (n.d.).

http://www.ofnisystems.com/information/resources/introduction-to-21-cfr-11/.