FDA Title 21 CFR Part 11: What Is It?

Digitizing your lab’s operations has numerous benefits over traditional manual methods, but it also introduces compliance risks.

Modern labs are switching from paper and spreadsheets to LIMS platforms – but this convenience can come with a cost. Labs in FDA-regulated industries must ensure they comply with a variety of regulations, including 21 CFR Part 11.

In this guide, we’ll help you understand 21 CFR Part 11, what it requires of your lab, and how to choose a compliant LIMS. 

NOTE: The information in this blog post is intended for educational purposes only. Companies should ensure compliance by referring to the full text of 21 CFR Part 11 and official government sources.

What is 21 CFR Part 11?

21 CFR Part 11 is a set of regulations established by the United States Food and Drug Administration (FDA) that outlines the requirements for electronic records and electronic signatures. 

Labs in industries regulated by the FDA – such as pharmaceutical, medical device, and biotechnology companies – are required to follow the standards defined in 21 CFR Part 11 to demonstrate to the FDA that their electronic records and signatures are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper” (see Subpart A, §11.1(a)).

Which Labs Are Required to be 21 CFR Part 11 Compliant?

If your lab is regulated by the FDA or engages in activities related to FDA-regulated products, you will be subject to 21 CFR Part 11.

It’s worth noting that you do not need to be part of a drug or device company to be subject to 21 CFR Part 11. Even independent labs that do contract work for drug or medical device companies need to worry about being compliant.

If your lab works in one of these industries or contracts for a company in them, you need to be 21 CFR Part 11 compliant:

  • Pharmaceutical
  • Medical device
  • Clinical
  • Biotech
  • Food and beverage

What Does 21 CFR Part 11 Require for Labs?

For complete guidance, we recommend reading the full text of 21 CFR Part 11 and official government sources to ensure compliance. 

At a high level, though, if your lab is subject to 21 CFR Part 11, then you will need to meet the following requirements:

  • System validation: Laboratories must validate computer systems handling electronic records to ensure accuracy, reliability, and consistent intended performance. Documentation of this validation process is required.
  • Data integrity: Implement measures to generate accurate, reliable, and time-stamped records, ensuring data integrity and confidentiality. Prevent unauthorized access or alteration of data.
  • Electronic signatures: Electronic signatures must be as legally binding as traditional handwritten signatures. Implement secure systems for unique identification and authentication of individuals providing signatures.
  • Audit trails: Secure, computer-generated, time-stamped audit trails are required to record the creation, modification, or deletion of electronic records, ensuring traceability and accountability.
  • Operational system checks: Employ operational system checks to enforce permitted sequencing of steps and events, ensuring procedural compliance and data integrity.
  • Record retention: Maintain electronic records in a retrievable format for the required retention period, ensuring they are readily available for review or inspection.

As you can see, many of the requirements of 21 CFR Part 11 relate to the systems and software that your lab has in place. You must keep track of your data, validate your systems, and have audit trails in the software you use. 

Are LIMS Automatically 21 CFR Part 11 Compliant?

If your lab uses a LIMS, you might ask if it’s compliant. 

Not every LIMS will be automatically compliant. That’s because compliance depends on how the LIMS is implemented and validated for the intended use within your lab. There are six key areas you need to consider when evaluating the compliance support of a LIMS vendor:

  1. Security & User Access Controls
  2. Configuration and customization
  3. Validation
  4. Vendor support
  5. Ongoing compliance
  6. Custom-dev solutions

Security & User Access Controls

To be 21 CFR Part 11 compliant, a LIMS must provide security measures to prevent any kind of breach of data as well as have internal locking rules to prevent unauthorized workflow access and editing. The LIMS must give you the tools to ensure a secure workflow to protect sensitive information and verify that authorized personnel are the ones releasing information. For example, some lab staff may not be trained to handle patient information or the release of reports.

Configuration and Customization

A LIMS can be designed to support 21 CFR Part 11 compliance through features that control access, ensure data integrity, provide audit trails, and manage electronic signatures. However, it's the laboratory's responsibility to configure and customize the system to meet the specific regulatory requirements applicable to its operations. Later, we’ll show you how QBench LIMS is designed with compliance support in mind.

Validation 

A LIMS must be properly validated for its intended use to be compliant. This involves documenting that the system performs correctly and consistently as expected, ensuring that electronic records are reliable, accurate, and tamper-evident.

Vendor Support

Some LIMS vendors claim their systems are "21 CFR Part 11 ready" or "compliant," meaning the system has built-in features that support compliance. However, the actual compliance depends on how the system is implemented, including user access controls, audit trail functionalities, electronic signatures, and data backup and recovery procedures. Make sure that the vendor has the expertise to help you configure those 21 CFR Part 11 compliance features within your workflow.

Ongoing Compliance

Compliance with 21 CFR Part 11 is not a one-time event but an ongoing process. Laboratories must ensure that their LIMS continues to comply with the regulation as the system is updated or as laboratory processes change. This includes regular reviews, re-validation as necessary, and updates to procedures and training.

Custom-Dev Solutions

Some laboratories might use custom-developed LIMS or adapt other software solutions to manage their laboratory data. Even in these cases, the systems must be evaluated and configured to ensure they meet the requirements of 21 CFR Part 11, including security, auditability, and data integrity controls. For any custom-developed features, the LIMS needs to provide you with validation scripts for you to ensure the features are working as intended.

Is QBench 21 CFR Part 11 Compliant Immediately After Implementation?

To use electronic records or electronic signatures, labs regulated by 21 CFR Part 11 must ensure that their records are stored in stable, secure, and reliable systems – however, these systems must work as intended with each specific lab’s hardware and must be supported by the lab’s internal security controls to meet the full scope of 21 CFR Part 11 requirements.

Therefore, while QBench is an industry-leading modern LIMS, implementing QBench – or any equivalent cloud-based LIMS on the market – won’t automatically make a lab 21 CFR Part 11 compliant. QBench has the vendor support to ensure you go live with a compliant LIMS. We also approach implementations slightly differently than many vendors: we equip you to stay compliant, making sure that as you add and change workflows, you know how to keep them compliant. Maintaining your records and your workflows is one of the hardest parts of staying compliant. QBench makes that easy.

QBench can provide a reliable, easy-to-use LIMS that, when used together with complementary lab security controls, satisfies the systems requirements of 21 CFR Part 11. Read on to see how QBench can support your compliance efforts. 

How QBench Supports 21 CFR Part 11 Compliance

QBench LIMS can help your lab be 21 CFR Part 11 compliant through the following:

  • Digital record maintenance
  • Accessible and accurate records
  • Stock and customizable permissions
  • Robust audit trails
  • Enforce protocols with step sequencing and locks
  • Configurable authentication options
  • Secure, Reliable Signatures

Digital Record Maintenance

Subpart A, §11.2: “persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part”

QBench is designed to be the source of truth for your laboratory’s operations. Log samples and subsamples into QBench and assign them to batches (and even map these onto plates!). From there, assign either individual assays or full panels, then record your data in fields and worksheets specific to your workflow. Finally, report your results directly to your customers: authorized QBench users can generate reports, which they can sign with a personally configured digital signature (or which they can print and sign) and then send reports to their customers – all without leaving QBench.

Subpart B, §11.10(k): “Use of appropriate controls over systems documentation”

Customers are responsible for access and change controls for any QBench documentation they maintain (such as SOPs and other manuals). QBench’s QMS module gives you the tools to enforce document access and change controls, such as document versioning, who made a document change, when a document was changed, who signed off on document changes, and who was trained on any document updates.

Accessible, Accurate Records

Subpart B, §11.10(b): “Accurate and complete copies of records in both human-readable and electronic form”

Subpart B, §11.10(c): “Protection of records to enable their accurate and ready retrieval throughout the records retention period”

QBench provides an easy-to-use interface to find and retrieve records. Customers can easily review their data in QBench by going to the relevant data type list page.

Customers can also download their QBench data to Excel and CSV files from most data type list pages in QBench, and configure their downloads to include as little or as much data as they require. Many customers also connect QBench to their other systems using QBench’s API, which securely and accurately transfers your data to your other critical systems. Reports generated in QBench can also be opened or downloaded in bulk. The QBench support team can also be consulted for larger-scale duplication or storage of records.

Additionally, users cannot fully delete data from QBench. Data stored in QBench is retained indefinitely throughout the platform's use. For more detailed information about QBench’s data practices, request access to our data white paper.

Stock and Customizable Permission Options

Subpart B, §11.10(d): “Limiting system access to authorized individuals”

All users must be added to QBench (either in the application or through an organization’s single sign-on (SAML) provider) to have access to data in QBench. Once a user is added to QBench, their access can be further limited based on preexisting or custom-created roles. These roles can limit users’ ability to edit, view, and/or delete specific data types and relationships, putting you in full control of data access within your organization.

QBench’s default user roles have varying levels of read/write/view access. For example, while Technicians can edit only test data for their team and can’t generate reports, Managers can view and edit their full team’s data and can view and generate reports.

If role separation looks different in your lab, QBench’s default roles can be customized using our granular permissions manager, or you can create your own unique roles.

Robust Audit Trails

Subpart B, §11.10(e): “Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records”

QBench maintains a detailed audit trail of the creation, modification, reporting, and publication of data and records. Major data types like orders, samples, tests, sources, and batches record which Users modify data and when, with each change identified by a timestamp.

QBench also maintains similarly detailed records of Report and Document generation and modification. This history can be cross-referenced with the Login Activity list or (if enabled) the Activity Log, which captures the login activity of all QBench LIMS and Customer Portal Users (including what IP addresses they logged in from) to help identify suspicious activity.

These records of modifications are retained indefinitely throughout your use of the platform unless you request the data to be purged (for more information, request our data white paper).

Enforce Protocol with Step Sequencing and Locks

Subpart B, §11.10(f): “Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate”

QBench administrators can create locks for orders and tests based on filters, including when orders and tests enter and leave specific statuses. For example, to ensure that test data is reviewed by a team lead before being marked as completed, administrators use a workflow with multiple In-Progress statuses, which must be cleared before data can be sent for reporting.

To do this, an administrator can create a second In Progress status (for example, “Pending Review”) and then create a filter for tests in the Pending Review status on the test list page. From there, they can go to Field and Data Type Settings to create a test locking rule that locks tests when they enter the “Pending Review” status and must be unlocked by either specific individuals or members of a specified team to be edited or released.

For a less granular approach, you can also customize permission types so that certain users can only edit orders and tests at certain specific steps, requiring your users to move orders and tests to different statuses for them to progress through your lab.

QBench users who use panels and batch protocols can also enforce a priority for the completion of assays in a panel and steps in batch protocols, giving labs another tool to ensure that assay protocols are followed completely and in order.
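The Pending Review flow described above, as an added Python example written for this guide (illustrative code, not QBench’s own): a set of statuses with permitted transitions, a locking rule that locks a test when it enters Pending Review, an unlock that only members of a reviewer team may perform, and a time-stamped audit entry for every action. The status names, team names, field names and users are constructed for the example.

```python
"""Added example: status sequencing with locking rules and an audit trail.
Illustrative code for this guide; not QBench's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permitted status transitions (constructed for this example).
TRANSITIONS = {
    "Not Started": {"In Progress"},
    "In Progress": {"Pending Review"},
    "Pending Review": {"Completed", "In Progress"},  # reviewer may send it back
    "Completed": set(),
}

# Locking rule: a test entering this status is locked until a member of the
# named team unlocks it (team name constructed for the example).
LOCK_RULES = {"Pending Review": "QA Reviewers"}


class WorkflowError(Exception):
    pass


@dataclass
class User:
    user_id: str
    teams: set


@dataclass
class Test:
    test_id: str
    status: str = "Not Started"
    locked: bool = False
    results: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)

    def log(self, user, action, detail):
        # Append-only, time-stamped record of who did what (nothing is ever removed).
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "action": action,
            "detail": detail,
        })


def set_status(test, user, new_status):
    """Move a test to a new status only along a permitted transition."""
    if new_status not in TRANSITIONS[test.status]:
        raise WorkflowError(f"{test.status} -> {new_status} is not permitted")
    if test.locked:
        raise WorkflowError("test is locked; unlock it before changing status")
    old = test.status
    test.status = new_status
    test.log(user, "status_change", f"{old} -> {new_status}")
    if new_status in LOCK_RULES:
        test.locked = True
        test.log(user, "auto_lock", f"locked on entering {new_status}")


def unlock(test, user):
    """Only members of the team named in the lock rule may unlock."""
    team = LOCK_RULES.get(test.status)
    if team is None:
        raise WorkflowError("no lock rule applies to the current status")
    if team not in user.teams:
        raise WorkflowError(f"only members of {team} may unlock this test")
    test.locked = False
    test.log(user, "unlock", f"unlocked by {team} member")


def record_result(test, user, fieldname, value):
    """Data entry is allowed only while In Progress and not locked."""
    if test.locked:
        raise WorkflowError("test is locked")
    if test.status != "In Progress":
        raise WorkflowError("results can only be recorded while In Progress")
    prev = test.results.get(fieldname)
    test.results[fieldname] = value
    test.log(user, "edit", f"{fieldname}: {prev!r} -> {value!r}")


def run_demo():
    """Technician enters data, test locks on review, lead unlocks and completes."""
    tech = User("tech01", {"Bench Team"})
    lead = User("lead01", {"Bench Team", "QA Reviewers"})
    t = Test("T-1001")
    set_status(t, tech, "In Progress")
    record_result(t, tech, "potency_pct", 98.7)
    set_status(t, tech, "Pending Review")
    blocked = []  # actions the technician is prevented from taking on a locked test
    for attempt in (lambda: record_result(t, tech, "potency_pct", 99.9),
                    lambda: set_status(t, tech, "Completed"),
                    lambda: unlock(t, tech)):
        try:
            attempt()
        except WorkflowError as err:
            blocked.append(str(err))
    unlock(t, lead)
    set_status(t, lead, "Completed")
    return t, blocked


if __name__ == "__main__":
    test, blocked = run_demo()
    print(test.status, blocked)
    for entry in test.audit_trail:
        print(entry)
```

The point of the example is that the lock is applied by the system on a status transition, not by the user, and that the audit trail records both the automatic lock and the identity of whoever released it, which is what an inspector reviewing a Pending Review step would want to see.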

Configurable Authentication Options

Subpart B, §11.10(g): “Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand”

QBench administrators can implement a range of checks and controls to support their authentication procedures. Administrators can:

  • Change the inactivity timeout, requiring their Users to frequently re-verify their credentials
  • Implement default or customized roles; once a User is authenticated in QBench, they will only be permitted to do actions that their role allows (e.g. view Test results instead of edit them, view Reports instead of generate them)
  • Enable IP whitelisting through QBench support or a customer’s network security provider (e.g. a VPN) to only allow access to QBench from approved networks
  • Enforce multi-factor authentication (MFA) for all Users, requiring them to successfully enter a code sent to their email or an approved MFA application before logging into QBench (see Subpart C, §11.300)
  • Require Users to enter a PIN before generating a report (see Subpart C, §11.300)

QBench also comes with the following authentication controls built-in:

  • Multiple user accounts cannot be created with the same email address, meaning no two individuals can have identical login credentials
  • Enforced password rotation every 90 days
  • Account deactivation, so administrators can deactivate accounts consistent with their procedures for terminating employees or inactive or compromised accounts
  • Attempting to access an account without the correct credentials will temporarily lock an account (however, QBench does not support notifications from account lockouts at this time)

Any authority checks on operating systems or output devices would need to be implemented by customers.

Secure, Reliable Signatures

21 CFR Part 11 outlines several lab internal controls (such as verifying the identity of those signing via electronic signature) – QBench helps support these internal procedures and controls.

Administrators can also require that Users signing a Report provide a unique PIN, adding an extra layer of security to your results reporting process. When this setting is enabled, Users with Report signing permission will be required to set and verify a PIN for their account before creating any Reports. Then, for a User to sign a Report, they would need to log in to QBench using their username and password (or signing in through their organization’s Single Sign-On provider, if configured) AND correctly enter their PIN.

When PINs are required to generate Reports, Users will always be prompted to enter a PIN. If a User is signing 10 distinct Reports for multiple actions during one period of system access (e.g. loading 10 different Test detail pages), the User will be prompted for their PIN each time; however, if the User is signing 15 Reports through one action, they will be prompted for their PIN once (see Subpart C, §11.200(a)(1)). If a User logs out of QBench after signing a Report, they will need to log back in and then enter their PIN when generating any new Reports.

QBench supports your policies prohibiting account and credential sharing by assigning each account a unique, traceable user ID (see Subpart C, §11.100(a)) and prohibiting the creation of multiple accounts using the same email. Regardless of what signature a user applies to a report, their unique user ID is recorded as the user ID that generated (and if applicable, signed) the report, helping you easily verify that the signature you see corresponds to the assigned user of the account. Signatures users apply also cannot be shared between or lent to other accounts (see Subpart B, §11.70).

Report templates can also be configured to display this ID (as well as the user account’s email address) and can also be configured to display the printed name of the signer, the date and time when the signature was executed, and the meaning conveyed by the signature (such as whether the signer reviewed, approved, is responsible for, or authored the document; see Subpart B, §11.50(a)).

When configuring your report templates, you can also make the final product password-protected, helping to discourage lower-effort tampering with documents that have left QBench.

When a lab uses QBench, any attempts to inappropriately use a signature would require the action of multiple actors, either via:

  • Outside malicious activity: for a malicious actor to sign a report from a user’s account, a user would have to (intentionally or unintentionally, e.g. through phishing, keylogging, etc.) provide their password and/or PIN
  • Allowing others to sign on their behalf: a user would have to give their login credentials and PIN to another (second) person

Even administrative users cannot collaborate to sign reports on behalf of other users.
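The signature behaviour described in this section, as an added Python example written for this guide (illustrative code, not QBench’s own): a signing session that requires password login plus a PIN, one PIN prompt per signing action whether that action covers one Report or many, a signature manifestation carrying the signer’s unique user ID, printed name, email, timestamp and meaning (§11.50), and a keyed link that ties the manifestation to the exact record content so it cannot be moved to another record or survive a later edit (§11.70). The HMAC link, the key-derivation parameters, the accounts and the report contents are assumptions constructed for the example; the page does not describe how QBench binds signatures internally.

```python
"""Added example: electronic signature manifestation and record linking.
Illustrative code for this guide; not QBench's implementation."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed secrets for the example; a real deployment keeps the signing key in a KMS/HSM
# and uses a per-account random salt.
SERVER_KEY = b"constructed-example-key-do-not-use"
SALT = b"constructed-salt"


def _kdf(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)


class SignatureError(Exception):
    pass


class Account:
    """One person, one account, one unique user ID (§11.100(a))."""

    def __init__(self, user_id, printed_name, email, password, pin=None):
        self.user_id = user_id
        self.printed_name = printed_name
        self.email = email
        self._pw = _kdf(password)
        self._pin = _kdf(pin) if pin else None

    def has_pin(self):
        return self._pin is not None

    def check_password(self, password):
        return hmac.compare_digest(self._pw, _kdf(password))

    def check_pin(self, pin):
        return self.has_pin() and hmac.compare_digest(self._pin, _kdf(pin))


class Session:
    """One continuous period of controlled system access (§11.200(a)(1))."""

    def __init__(self, account):
        self.account = account
        self.pin_prompts = 0  # how many times this session asked for the PIN


def login(account, password):
    if not account.check_password(password):
        raise SignatureError("bad password")
    return Session(account)


def _record_digest(report):
    body = json.dumps(report["content"], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def sign_reports(session, pin, reports, meaning):
    """Sign one or more Reports in a single action; the PIN is prompted once per action."""
    acct = session.account
    if not acct.has_pin():
        raise SignatureError("user must set and verify a PIN before creating Reports")
    session.pin_prompts += 1
    if not acct.check_pin(pin):
        raise SignatureError("bad PIN")
    signed_at = datetime.now(timezone.utc).isoformat()
    for report in reports:
        manifest = {                      # §11.50 signature manifestation
            "user_id": acct.user_id,
            "printed_name": acct.printed_name,
            "email": acct.email,
            "signed_at": signed_at,
            "meaning": meaning,
        }
        # §11.70 linking: bind the manifestation to this record's exact content.
        msg = (_record_digest(report) + json.dumps(manifest, sort_keys=True)).encode()
        manifest["link"] = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
        report["signature"] = manifest
    return reports


def verify_signature(report):
    """True only if the signature belongs to this record and the content is unchanged."""
    sig = report.get("signature")
    if not sig:
        return False
    manifest = {k: v for k, v in sig.items() if k != "link"}
    msg = (_record_digest(report) + json.dumps(manifest, sort_keys=True)).encode()
    expected = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, sig["link"])


def run_demo():
    mgr = Account("u-042", "Dana Lee", "dana@example.invalid", "correct horse", pin="4821")
    session = login(mgr, "correct horse")
    # Three Reports signed through one action: one PIN prompt.
    batch = [{"id": f"R-{i}", "content": {"sample": f"S-{i}", "result": "pass"}} for i in range(3)]
    sign_reports(session, "4821", batch, "approved")
    prompts_batch = session.pin_prompts
    # Three Reports signed as three separate actions: one prompt each.
    for i in range(3, 6):
        sign_reports(session, "4821", [{"id": f"R-{i}", "content": {"sample": f"S-{i}"}}], "reviewed")
    prompts_total = session.pin_prompts
    intact = all(verify_signature(r) for r in batch)
    batch[0]["content"]["result"] = "fail"            # edit after signing
    tampered = verify_signature(batch[0])
    other = {"id": "R-99", "content": {"sample": "S-99", "result": "pass"},
             "signature": dict(batch[1]["signature"])}  # signature copied to another record
    transplanted = verify_signature(other)
    return {"prompts_batch": prompts_batch, "prompts_total": prompts_total,
            "intact": intact, "tampered": tampered, "transplanted": transplanted}


if __name__ == "__main__":
    print(run_demo())
```

Verification fails both when a signed Report is edited and when a valid manifestation is copied onto a different Report, which is the property §11.70 asks for; and because the link is computed server-side from the account’s own user ID, a second person who borrows credentials still produces a signature attributed to the account holder, which is why the page stresses that credential sharing must be prohibited by policy.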

QBench Works With You to Achieve Compliance

Compliance with 21 CFR Part 11 (and similar electronic record and signature security regulations) can seem daunting, particularly for small labs. 

While QBench cannot make your lab automatically compliant with 21 CFR Part 11, our focus on security and reliability and attention to the technological requirements of the regulations help you take the guesswork out of compliance and allow you to focus on the policy and procedural elements of compliance – and hopefully with some extra time for your day-to-day operations.