Note: This document outlines Alchemy and Alchemy Customer roles and responsibilities related to the assessment and compliance of 21 CFR 11 as delineated by Food and Drug Administration (FDA) requirements.
Part 1 – FDA requirements
21 CFR 11 was published in March of 1997 with an effective date of August 20, 1997. The regulation requires organizations to have in place three levels of control for electronic records and electronic signatures:
- Technical controls in the form of functions built into software that ensure the reliability and integrity of electronic records and signatures
- Administrative controls or Standard Operating Procedures (SOPs) for the use of electronic records and electronic signatures
- Procedural controls or Standard Operating Procedures (SOPs) for using the system
Alchemy software is designed to be compliant with 21 CFR 11 technical controls, with the end user or Alchemy customer implementing policies and procedures to ensure the systems are fully compliant with the regulations.
General Requirements for Electronic Records and Electronic Signatures
This regulation contains the Food and Drug Administration requirements for electronic records and electronic signatures to be considered trustworthy, reliable and equivalent to paper records and handwritten signatures executed on paper. It applies to electronic records that are created, modified, maintained, archived, retrieved or transmitted under any record requirements relevant to FDA regulations. Electronic records meeting this criteria are considered equivalent to full handwritten signatures, initials or other signings and can be used in lieu of paper records. Computer systems including hardware, software, controls and documentation maintained under 21CFR11 may be requested for review during an FDA inspection.
21 CFR 11 Section | Brief Description of Requirement | Intertek Alchemy Platform Compliant? |
11.10 Controls for Closed Systems | ||
11.10 (a) | Systems Validation | Yes |
11.10 (b) | Copies of records are complete and accurate | Yes |
11.10 (c) | Records are protected | Yes |
11.10 (d) | Access is limited to authorized individuals | User's SOP |
11.10 (e) | There are secure computer-generated, time stamped audit trails | Yes |
11.10 (f) | Operational system checks are used for sequencing | N/A |
11.10 (g) | Authority checks are in place | Yes |
11.10 (h) | Device checks are used | N/A |
11.10 (i) | Education, training and experience suitable for use of the system | User’s SOP |
11.10 (j) | Accountability and responsibility for electronic signatures is determined | User’s SOP |
11.10 (k) (1) | Distribution, use of, and access to documentation are controlled | User’s SOP |
11.10 (k) (2) | Modifications to documentation has clear audit trail | Yes |
11.50 Signature Manifestations | ||
11.50 (a) (1) | Signed electronic records include printed name of signer | Yes |
11.50 (a) (2) | Signed electronic records include time & date of execution | Yes |
11.50 (a) (3) | Signed electronic records include meaning of signature | Yes |
11.50 (b) | Signatures have same controls as electronic records | Yes |
11.70 Signature / Record Linking | ||
11.70 | Electronic signatures are linked to their records | Yes |
11.100 General Requirements | ||
11.100 (a) | Signatures are unique to one individual | Yes |
11.100 (b) | Procedure in place to verify individual’s identity | User’s SOP |
11.100 (c) | Declaration of equivalence to handwritten signature on file | User’s SOP |
11.200 Electronic Signature Components and Controls | ||
11.200 (a) (1) | Two distinct identification components are used | Yes |
11.200 (a) (1) (i) | All components on first signing, at least one component on subsequent signings within same session are used | Yes |
11.200 (a) (1) (ii) | All components on signings in separate sessions are used | Yes |
11.200 (a) (2) | Used only by their genuine owner | User’s SOP |
11.200 (a) (3) | Misuse requires collaboration of two (2) or more individuals | Yes |
11.300 Controls for Identification Codes / Passwords | ||
11.300 (a) | Identification code/password combination are unique | Yes |
11.300 (b) | Checked, recalled or revised on a periodic basis | Yes |
11.300 (c) | Loss management procedures for Identification cards or other devices | User’s SOP |
11.300 (d) | Transaction safeguards in place to detect, prevent, and report misuse | Yes |
The regulation references two types of systems. A closed system defined as an environment in which system access is controlled by the person who is responsible for the content of the electronic records that are on the system. An open system defined as an environment in which system access is not controlled by persons responsible for the content of electronic records that are on the system. Although Alchemy customers complete the training, Alchemy manages, stores and reports on the records therefore the Alchemy platform is a closed system.
The Chart below outlines the nine (9) sections of 21 CFR 11 and where compliance accountability rests with the end user or Alchemy customer.
21 CFR 11 Section | Brief Description of Requirement | User SOP |
11.10 Controls for Closed Systems | ||
11.10 (d) | Access is limited to authorized individuals | Alchemy requires that credentials be entered when accessing records in Manager, and when facilitating training in Playbook and Coach. The Alchemy customer must ensure windows credentials are in place and SOPs are followed when accessing Alchemy Player |
11.10 (i) | Education, training and experience suitable for use of the system | Describe how facilitators and administrators are trained to use the Alchemy platform |
11.10 (j) | Accountability and responsibility for electronic signatures is determined | Describe how the employee database is set up and maintained |
11.10 (k) (1) | Distribution, use of and access to documentation are controlled | Describe the access levels set up within the facility or organization for use of the Alchemy platform |
11.100 General Requirements | ||
11.100 (b) | Procedure in place to verify individual’s identity | Describe the enrollment process used within the facility and any tie in to the plant employee roster |
11.100 (c) | Declaration of equivalence to handwritten signature on file | Describe how the Alchemy enrollment process ties into the employees training record |
11.200 Electronic Signature Components and Controls | ||
11.200 (a) (2) | Used only by their genuine owner | Describe how the facility ensures employees do not take training under another employees name |
11.300 Controls for Identification Codes / Passwords | ||
11.300 (c) | Loss management procedures for Identification cards or other devices | If using badge readers describe the process with in the facility to manage badges that are lost |
11.300 (e) | Periodic testing of identification cards or other devices | Describe the process for testing that badge readers are working correctly on a periodic basis. |
**Please Note: Compliance with 21 CFR 11 can only be achieved when using the Intertek Alchemy Platform as recommended.