Title 21 CFR Part 11

Thinking Cap goes above and beyond to deliver the LMS software and on-site support you need to craft your Title 21 CFR Part 11 strategy.

What is Title 21 CFR Part 11?

Title 21 CFR Part 11 is the section of the Code of Federal Regulations (CFR) that deals with Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. It defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

What does it mean?

Organizations like pharmaceutical, medical supply and healthcare providers that fall under the 21 CFR Part 11 guidelines need to take extra precautions when using an LMS to disseminate information. Part 11 requires that both procedural controls (e.g. notification, training, SOPs, administration), and administrative controls are put in place by the user, in addition to the technical controls that a vendor can offer.

What does Thinking Cap do to support Title 21 CFR Part 11?

The Thinking Cap team has the technology, software, and expertise to ensure you remain in compliance with Title 21 CFR Part 11. While no vendor can offer a system that is compliant out-of-the-box with this regulation, Thinking Cap can help you stay within the guidelines with no disruption to your regular functionality.

Section Requirement Thinking Cap LMS Feature
11.10 (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Many standards provide Certifications of Validation, but this is not something the FDA offers. This means the responsibility to make sure your LMS is validated and requires you to look closely at the QA practice and release and patch methodology. Thinking Cap maintains a growing set of Automated Validation tests. We have coverage of 1300 scenarios with multiple test methods per scenario. Before each patch or release we provide full notes including the status of all tests.
11.10 (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. Thinking Cap LMS presents standard and custom reports in both screen and downloadable form. Downloaded reports are available as PDF or in CSV.
11.10 (d) Limiting system access to authorized individuals. Access to all parts of the application is controlled by username and password. Each account has roles and permissions that limit the functions and data the account can access. Thinking Cap allows for additional security tailored for the Title 21 CFR Part 11 environment, including: unique passwords; encrypted passwords; enforced strong password selection, and; automated password expiry. Under these hardened parameters, users cannot request a lost password but can regenerate a password after either correctly answering personal questions or through offline authentication. This enhanced security also allows for: automatic account locking for multiple failed attempts, and; recording of IP addresses for all accesses.
11.10 (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Thinking Cap records everything to the log, including: a record of each action; when each action occurred, and; who the user who committed the action was. In the case of clients using PKI signatures for users, the log contains the personal signature of the user. You can export this log to CSV.
11.10 (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Thinking Cap controls each procedure, including: adding a user; enrollments; and; creating a new course. Between course and competency map, access is controlled via domains enrollment and prerequisites. Within the course and competency map themselves, sequencing rules enforced by the LMS govern each step. A second layer of administrative log in can control access to sensitive course and learning paths to provide onsite verification of a user’s identity and increase the security of the user’s log in point.
11.10 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Every function of the LMS is defined as a permission. Roles are created as groupings of permissions and each user is given some combination of roles and individual permissions. Layered onto this is the segmenting of domains and sub domains that further limit a user’s access based on their domain membership and role in that domain.
11.10 (h) (1) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. Thinking Cap will not accept connections, and therefore will not accept commands or data, from unauthenticated sources, or from authenticated sources where the IP address of a command does not match the originally authenticated access for a given session. In a hardened environment, the LMS will only communicate over HTPPS, which prevents a third party from modifying data being transmitted.
11.50 (a) (1), (2), (3)

 Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

(1) The printed name of the signer;

(2) The date and time when the signature was executed; and

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The meaning of the signature is the action performed and recorded in the log. Thinking Cap stores this information along with the full name and account username of the signatory.
11.50 (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). The three signature items are included in all audit trail reports.
11.70 (a) Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Electronic signatures are linked and this link is protected by username and password protection of the data store. A hash of the audit trail made at each point provides a detection system of tampering, even by an authenticated user.
11.100 (a)  Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. Uniqueness of username and password is enforced by the system. This uniqueness survives even the expiry of an account. Inactive accounts and their records are never removed from the system.
11.200 (a) (1) Employ at least two distinct identification components such as an identification code and password. Thinking Cap employs username and password protection, and enforces that the authenticated session maintains the continuity of IP address. Personal PKI-based digital signatures are also an optional addition.
11.200 (a) (1) (i) The system requires the use of all electronic signature components for the first signing during a single continuous period of controlled system access. All sessions begin with a digital signing. Additional signing may be required by more privileged / trusted users for access to defined materials where the in-person authentication of an individual is mandated as necessary i.e. tests and compliance learning.
11.200 (a) (1) (i) The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component. The system will continue to use the originating IP of each request after the first to maintain security of the session.
11.200 (a) (1) (i) The system shall ensure users are timed out during periods of specified inactivity.When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. Time out in a 21 CFR Part 11 environment is enforced after 20 minutes of inactivity.
11.200 (a) (1) (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components All signing must be executed during a continuous period of controlled system access.
11.200 (a) (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Sharing electronic signatures is not permitted.
11.300 (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. The system will not allow duplication. Two hashes of both the username and password are kept for comparison purposes to maintain integrity without storing actual information unencrypted.
11.300 (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). In hardened mode for use in a Title 21 CFR Part 11 environment,the system requires password changes every 30 days. This duration can only be reduced when operating in this mode.
11.300 (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Thinking Cap uses intrusion detection to identify fraudulent transactions, including: multiple failed attempts at log in; log in from a large number of IP addresses, and; unusual activity in an account. The system will temporarily suspend accounts showing this activity and will required logged explanations of the activity by administrators, including actions taken.
11.300 (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Administrators are alerted to all attempts to log in with: a valid username and invalid password, or; an invalid username and valid password.