FDA Title 21 CFR Part 11: What Is It?

Thanks to its flexibility, labs across industries have turned to QBench to help simplify and automate their operations. Some of these customers operate in FDA-regulated industries (or industries with similarly rigorous digital data rules), and find themselves needing to comply with a variety of FDA regulations, including 21 CFR Part 11. This white paper examines what compliance with 21 CFR Part 11 means, how QBench can help your lab get there, and additional steps labs should consider.

NOTE: The information in this blog post is intended for educational purposes only. Companies should refer to the full text of 21 CFR Part 11 and official government sources to ensure compliance.

What is 21 CFR Part 11?

21 CFR Part 11 is a set of regulations established by the United States Food and Drug Administration (FDA) that outlines the requirements for electronic records and electronic signatures. Labs in industries regulated by the FDA – such as pharmaceutical, medical device, and biotechnology companies – are required to follow the standards defined in 21 CFR Part 11 to demonstrate to the FDA that their electronic records and signatures are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper” (see Subpart A, §11.1(a)).

Is QBench 21 CFR Part 11 Compliant Immediately After Implementation?

In order to use electronic records or electronic signatures, labs regulated by 21 CFR Part 11 must ensure that their records are stored in stable, secure, and reliable systems – however, these systems must work as intended with each specific lab’s hardware, and must be supported by the lab’s internal security controls to meet the full scope of 21 CFR Part 11 requirements.

Therefore, while QBench is an industry-leading modern LIMS, implementing QBench – or any equivalent cloud-based LIMS on the market – won’t make a lab 21 CFR Part 11 compliant automatically.

What QBench can do is provide a reliable, easy-to-use LIMS which, when used together with complementary lab security controls, satisfies the systems requirements of 21 CFR Part 11.

How QBench Supports 21 CFR Part 11 Compliance

Digital Record Maintenance

Subpart A, §11.2

“persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part”

QBench is designed to be the source of truth for your laboratory’s operations. Log samples and subsamples into QBench, then assign them to batches (and even map these onto plates!). From there, assign either individual assays or full panels, then record your data in fields and worksheets specific to your workflow. Finally, report your results directly to your customers: authorized QBench users can generate reports, which they can sign with a personally-configured digital signature (or which they can print and sign) and then send to their customers – all without leaving QBench.

Accessible, Accurate Records

Subpart B, §11.10(b)

“Accurate and complete copies of records in both human readable and electronic form”

Subpart B, §11.10(c)

“Protection of records to enable their accurate and ready retrieval throughout the records retention period”

QBench provides an easy-to-use interface to find and retrieve records. Customers can easily review their data in QBench by going to the relevant data type list page.

Customers can also download their QBench data to Excel and CSV files from most data type list pages in QBench, and configure their downloads to include as little or as much data as they require. Many customers also connect QBench to their other systems using QBench’s API, which securely and accurately transfers your data to your other critical systems. Reports generated in QBench can also be opened or downloaded in bulk. The QBench support team can also be consulted for larger scale duplication or storage of records.

Additionally, most data cannot be fully deleted from QBench by users. Data stored in QBench is retained indefinitely over the course of customers’ use of the platform, unless a customer requests the data to be purged. For more detailed information about QBench’s data practices, see our data white paper.

Stock and Customizable Permission Options

Subpart B, §11.10(d)

“Limiting system access to authorized individuals”

All users must be added to QBench (either in the application or through an organization’s single sign-on (SAML) provider) to have access to data in QBench. Once a user is added to QBench, their access can be further limited based on preexisting or custom created roles, which can limit users’ ability to edit, view, and/or delete specific data types and relationships, putting you in full control of data access within your organization.

QBench’s default user roles have varying levels of read/write/view access – for example, while Technicians can edit only test data for their team and can’t generate reports, Managers can view and edit their full team’s data, and can view and generate reports.

If role separation looks different in your lab, QBench’s default roles can be customized using our granular permissions manager, or you can create your own unique roles.

Robust Audit Trails

Subpart B, §11.10(e)

“Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records”

QBench maintains a detailed audit trail of the creation, modification, reporting, and publication of data and records. Major data types like orders, samples, tests, sources, and batches record which Users modify data and when, which can be identified with a timestamp.

QBench also maintains similarly detailed records of Report and Document generation and modification. This history can be cross-referenced with the Login Activity list or (if enabled) the Activity Log, which capture the login activity of all QBench LIMS and Customer Portal Users (including what IP addresses they logged in from) to help identify suspicious activity.

These records of modifications are retained indefinitely over the course of the customers’ use of the platform, unless a customer requests the data to be purged (for more information, see our data white paper).
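
The cross-referencing described above, sketched as an added example (not QBench code): the CSV column names, sample rows, approved network range, and session window are all constructed assumptions, not QBench's export schema. It flags audit-trail entries that have no preceding login by that user within the window, or whose most recent login came from an IP outside the approved networks.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample exports; column names are assumptions, not QBench's schema.
AUDIT_CSV = """user_id,record,action,timestamp
u101,test-5501,modify,2024-03-04T09:15:00
u101,test-5502,modify,2024-03-04T23:40:00
u207,report-88,sign,2024-03-04T10:05:00
u207,sample-19,delete,2024-03-05T02:10:00
"""
LOGIN_CSV = """user_id,ip,timestamp
u101,10.20.1.15,2024-03-04T09:00:00
u101,203.0.113.77,2024-03-04T23:30:00
u207,10.20.1.40,2024-03-04T09:50:00
"""
APPROVED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed lab network
SESSION_WINDOW = timedelta(hours=8)  # assumed longest plausible session

def _rows(text):
    """Parse a CSV export and convert its timestamp column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows

def flag_suspicious(audit_csv, login_csv, nets=APPROVED_NETS, window=SESSION_WINDOW):
    """Return (user_id, record, reason) for audit entries lacking a trusted login."""
    logins = _rows(login_csv)
    findings = []
    for a in _rows(audit_csv):
        # Logins by the same user that precede the action within the window.
        prior = [l for l in logins
                 if l["user_id"] == a["user_id"]
                 and timedelta(0) <= a["timestamp"] - l["timestamp"] <= window]
        if not prior:
            findings.append((a["user_id"], a["record"], "no login within window"))
            continue
        latest = max(prior, key=lambda l: l["timestamp"])
        ip = ipaddress.ip_address(latest["ip"])
        if not any(ip in n for n in nets):
            findings.append((a["user_id"], a["record"], f"login from unapproved IP {ip}"))
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious(AUDIT_CSV, LOGIN_CSV):
        print(finding)
```
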

Enforce Protocol with Step Sequencing and Locks

Subpart B, §11.10(f)

“Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate”

QBench administrators can create locks for orders and tests based on filters, including when orders and tests leave specific statuses. For example, to ensure that test data is reviewed by a team lead before being marked as completed, administrators use a workflow with multiple In Progress statuses which must be cleared before data can be sent for reporting.

To do this, an administrator can create a second In Progress status (for example, “Pending Review”), then create a filter for tests in the Pending Review status on the test list page. From there, they can go to Field and Data Type Settings to create a test locking rule that locks tests when they enter the “Pending Review” status and requires them to be unlocked by either specific individuals or members of a specified team before they can be edited or released.

For a less granular approach, you can also customize permission types so that certain users can only edit orders and tests in specific steps, requiring your users to move orders and tests to different statuses for them to progress through your lab.

QBench users who use panels and batch protocols can also enforce a priority for completion of assays in a panel and steps in batch protocols, giving labs another tool to ensure that assay protocols are followed completely and in order.

Configurable Authentication Options

Subpart B, §11.10(g)

“Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand”

QBench administrators can implement a range of checks and controls to support their authentication procedures. Administrators can:

  • Change the inactivity timeout, requiring their Users to more frequently re-verify their credentials
  • Implement default or customized roles; once a User is authenticated in QBench, they will only be permitted to do actions that their role allows (e.g. view Test results instead of edit them, view Reports instead of generate them)
  • Enable IP whitelisting through QBench support or a customer’s network security provider (e.g. a VPN) to only allow access to QBench from approved networks
  • Enforce multi-factor authentication (MFA) for all Users, requiring them to successfully enter a code sent to their email or an approved MFA application before logging into QBench (see Subpart C, §11.300)
  • Require Users to enter a PIN before generating a report (see Subpart C, §11.300)

QBench also comes with the following authentication controls built-in:

  • Multiple user accounts cannot be created with the same email address, meaning no two individuals can have identical login credentials
  • Enforced password rotation every 90 days
  • Account deactivation, so administrators can deactivate accounts consistent with their procedures for terminating employees or inactive or compromised accounts
  • Attempting to access an account without the correct credentials will temporarily lock an account (however, QBench does not support notifications from account lockouts at this time)
  • Regular QA testing to verify that passwords created by users are created correctly

Any authority checks on operating systems or output devices would need to be implemented by customers.

Guides Available for You

Subpart B, §11.10(k)

“Use of appropriate controls over systems documentation”

QBench’s system documentation is maintained in our Help Center, which customers can access 24/7, and which can only be edited by authorized QBench personnel. Access and change controls for any QBench documentation maintained by customers (such as SOPs and other manuals) are the responsibility of QBench customers.

Secure, Reliable Signatures

Half of the focus of 21 CFR Part 11

21 CFR Part 11 outlines several lab internal controls (such as verifying the identity of those signing via electronic signature) – QBench helps support these internal procedures and controls.

First, while QBench does not currently support biometric user authentication (triggering the requirements of Subpart C, §11.200(a)), it does require all users to authenticate using at least an email and password when logging into QBench. Administrators can also require that Users signing a Report provide a unique PIN, adding an extra layer of security to your results reporting process. When this setting is enabled, Users with Report signing permission will be required to set and verify a PIN for their account before creating any Reports. Then, in order for a User to sign a Report, they would need to log in to QBench using their username and password (or sign in through their organization’s Single Sign-On provider, if configured) AND correctly enter their PIN.

When PINs are required to generate Reports, Users will always be prompted to enter a PIN. If a User is signing 10 distinct Reports over the course of multiple actions during one period of system access (e.g. loading 10 different Test detail pages), the User will be prompted for their PIN each time; however, if the User is signing 15 Reports through one action, they will be prompted for their PIN once (see Subpart C, §11.200(a)(1)). If a User logs out of QBench after signing a Report, they will need to log back in, then enter their PIN when generating any new Reports.

QBench supports your policies prohibiting account and credential sharing by assigning each account a unique, traceable user ID (see Subpart C, §11.100(a)), and prohibiting the creation of multiple accounts using the same email. Regardless of what signature a user applies to a report, their unique user ID is recorded as the user ID which generated (and if applicable, signed) the report, helping you easily verify that the signature you see corresponds to the assigned user of the account. Signatures users apply also cannot be shared between or lent to other accounts (see Subpart B, §11.70).

Report templates can also be configured to display this ID (as well as the user account’s email address), and can also be configured to display the printed name of the signer, the date and time when the signature was executed, and the meaning conveyed by the signature, such as whether the signer reviewed, approved, is responsible for, or is the author of the document (see Subpart B, §11.50(a)).

When configuring your report templates, you can also make the final product password protected, helping to discourage lower-effort tampering of documents that have left QBench.

When a lab uses QBench, any attempts to inappropriately use a signature would require the action of multiple actors, either via:

  • Outside malicious activity: for a malicious actor to sign a report from a user’s account, a user would have to (intentionally or unintentionally [e.g. through phishing, keylogging, etc.]) provide their password and/or PIN
  • Allowing others to sign on their behalf: a user would have to give their login credentials and PIN to another (second) person

Even administrative users cannot collaborate to sign reports on behalf of other users.

Working With You to Achieve Compliance

Compliance with 21 CFR Part 11 (and similar electronic record and signature security regulations) can seem daunting, particularly for small labs. While QBench cannot make your lab automatically compliant with 21 CFR Part 11, our focus on security and reliability and attention to the technological requirements of the regulations help you take the guesswork out of compliance, and allow you to focus on the policy and procedural elements of compliance – and hopefully with some extra time for your day-to-day operations.

We also strive to grow with our customers and their compliance needs. See functionality QBench can update to satisfy a regulatory change, or help you better meet existing ones? Customers can submit feature requests using Canny, which can be accessed by clicking your name and clicking the “Submit Feedback” option in the dropdown.

Together, we can make secure, reliable, and accurate digital records and signatures a reality.