Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines on electronic records and electronic signatures in the United States. 21 CFR Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records (Title 21 CFR Part 11 Section 11.1 (a)).
These guidelines are therefore also applicable to any learning delivery platform (e.g: LMS, CMS, etc) that is used by any organization governed by 21 CFR Part 11. The following table shows the details of 21 CFR requirements, and the relevant functionalities required on an LMS to be compliant.
21 CFR Part 11 Requirement and required LMS Features:
|Sub-section||21 CFR PART 11 Requirements||Compliant functionality expected in LMS|
|11.10b||The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying.||The LMS offers extensive reports in printable and electronic format. Each report can be customized based on the search parameters selected.|
|11.10d||The system shall limit system access to authorized individuals.||LMS is strictly accessed by user id and password. Based on access levels (user, admin, instructor, developer, etc), different user functions are available. Global and regional access controls can easily be modified by global Admins at HQ.|
|11.10e||The system shall employ secure, computer-generated date/time stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information.||The LMS utilizes advanced audit trail tables (and Insert, Update, and Delete triggers) to monitor User passwords, active status data, learning transcript records, access levels, training and learning records.|
|11.10f||The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised).||The LMS offers features like:
1. Mandatory fields ensure that all required information is entered and cannot be bypassed when creating user or master data on the LMS.
2. Assignment rules set for e-modules ensure that a user cannot bypass mandatory training.
|11.10g||The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand.||The LMS is strictly accessed by user id and password. Based on access levels, different authorized user functions are available. User access controls can easily be modified by global Admins.|
|11.10h||The system shall determine, as appropriate, the validity of the source of data input or operational instruction.||The LMS must provide time-stamps and geo location of all data- whether entered by validated master users or data that is automatically generated. Data that is periodically deleted must be recorded in retrievable logs.|
|The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship).|| All course content like curriculum, e-course, e-test, classroom session, documents, podcasts, and videos should be identifiable with a single owner. Date and time of ownership should be recorded as well.
All certificates provided at the end of training should include one or more signatures from the organizational matrix.
|11.50 (b)||The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human readable form of the electronic record (e.g. electronic display or printout).|| All data validation points must be qualified by at least 3 parameters, for e.g:
|11.70 (a)||The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.||The addition of and updates to user ids and date stamps to various records is automatically completed by the LMS, rather than through any user interface.
Signatures are input as JPGs, so no one can edit them.
Certificates are generated automatically as pdfs, with the signature images hard coded into them- again no scope of editing.
|11.100 (a)||The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else.||User accounts cannot be shared, i.e, user IDs in the system should apply to one and only one person. Employee ID and e-mail ID are the unique keys. User ids can be updated or modified due to errors or life changes. Any changes are automatically updated across the entire system.|
|11.200 (a) 1||The system shall employee at least two distinct identification components such as an identification code and a password.||LMS uses a user id and a password for access.|
|11.200 (a) (1) (i) a||The system requires the use of all electronic signature components for the first signing during a single continuous period of controlled system access.||Once the user has logged off, the LMS requires the user to enter both their User ID and Password to log back in again.|
|11.200 (a) (1)
| The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least
one electronic signature component
|If the session times out after logging in, only the password may require to be entered.|
|11.200 (a) (1)
|The system shall ensure users are timed out during periods of specified inactivity.||The LMS has an automatic log out feature to timeout users during periods of inactivity.|
|11.200 (a) (1)
|The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access.||In the LMS, a “single continuous period” is defined as the time between login and logout. The logout would either be explicit or based on a timeout as described above.|
|11.200 (a) (2)||The system shall ensure non-biometric electronic signatures can only be used by their genuine owner.||The LMS requires the use of user id and password for identification. The implementation of this requirement is more procedural, in that user ids and passwords should be protected and not shared. The password may be configured using the LMS API, is to be of a certain length and format, and is to be changed every XX days.|
|11.200 (a) (3)||The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner require collaboration of two or more individuals.||User IDs and passwords should not be shared. Usually, this cannot be ensured by the LMS as it is a human behavior.|
|11.300 (a)||The system shall require each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password.||The LMS utilizes a unique user id as a primary key (employee ID) in the database which makes it impossible to apply the same user id to different users.|
|11.300 (b)||The system shall require that passwords be periodically revised.||The LMS API system can be set to require that passwords be changed every XX days. In addition, organizations can use single- sign-on option to ensure that password revision meets their internal policies and procedures.|
|11.300 (d)||The system shall employ transaction safeguards preventing the unauthorized use of password and/or identification codes.||An archived user can no longer access the system. The archived user id and password will not work to access or log into the LMS.|
|11.300 (d)||The system shall detect and report unauthorized use of password and/or identification codes to specified units.||The system will throw an error if someone tries to log-in with incorrect user ID or password. Also, if user wants to reset password, they have to produce their correct user id. And for forgotten user ID, user has to produce correct e-mail ID.|