SyberWorks Learning Management System Supports 21 CFR Part 11 FDA Compliance
Sign up for a demonstration today!
The SyberWorks Training Center Learning Management System provides a web-based tracking and management solution which supports 21 CFR Part 11 FDA compliance requirements for organizations in health-care, pharmaceutical, life-science, biotechnology, medical- manufacturing, medical-device, and other FDA-regulated industries. Title 21 CFR Part 11 requires companies to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems that are involved in processing many forms of data, as part of their business practices and product development.
Title 21 CFR Part 11 enacted the FDA's requirement that they be able to recognize electronic records and electronic signatures as trustworthy, reliable, and legal equivalents to paper records and handwritten signatures. This also allows companies to go to a “paperless” system of record keeping.
Under the FDA's 21 CFR Part 11 regulation, participating corporations must prove that their employee performance is in compliance with regulations, and that is where the SyberWorks Training Center Learning Management System can help.
Sign up for a demonstration today!
As per the regulation, the responsibility for FDA 21 CFR Part 11 compliance falls squarely on companies themselves. They must have appropriate policies, procedures, and technical controls in place, to be 21 CFR Part 11 compliant, so merely purchasing a learning management system with 21 CFR Part 11 compliant functionality does not itself satisfy compliance regulations.
Comparison of 21 CFR Part 11 System Requirement and SyberWorks Features:
|21 CFR Part 11 Technology Requirements||SyberWorks LMS 21 CFR Part 11 Functionality|
|11.10b||The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying||SyberWorks Learning Management System has a broad range of standard reports and ability to generate custom reports, in both printed and downloadable electronic formats.|
|11.10d||The system shall limit system access to authorized individuals.||SyberWorks LMS access is controlled by user id and password. Access to different functions and scope of data accessed is controlled by Function Permissions to Role and Function Data Scope tables. These permissions and data scoping rules may be customized.|
|11.10e||The system shall employ secure, computer-generated date/time stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information.||SyberWorks Learning Management System database audit-trail tables (and Insert, Update, and Delete triggers) exist for User password and active status data, learning transcript records, job role, competency, and learning event records.|
|11.10f||The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised).||In an educational setting, sequencing usually means enforcing desired course prerequisites or eligibility requirements. In the SyberWorks Learning Management System it is possible to enforce that lessons of a course be taken in order, and only after defined prerequisites are met.|
|11.10g||The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand.||SyberWorks LMS access is controlled by user id and password. Access to different functions and scope of data accessed is controlled by Function Permissions to Role and Function Data Scope tables. These permissions and data scoping rules may be customized.|
|11.10h||The system shall determine, as appropriate, the validity of the source of data input or operational instruction.||SyberWorks Learning Management System access is controlled by user id and password. Users may be required to re-input their password before confirming that they have read and understood a policy document. Similarly, administrators may be required to re-input their password before entering or editing course results. Online course results are stored automatically.|
|11.50 (a) (1), (2), (3)||The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship).||The SyberWorks LMS stores the user id of the signer along with the date/time that the signature was executed. The meaning of the signature is contained in the name of the database field used to hold the signature (e.g. AdminCreator, AdminEditor, Certifier, Approver, etc.)|
|11.50 (b)||The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human readable form of the electronic record (e.g. electronic display or printout).||The three signature items are included in all audit trail reports in the SyberWorks Learning Management System.|
|11.70 (a)||The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.||The addition of user ids and date stamps to various records is done automatically by the SyberWorks LMS, rather than through any user interface.|
|11.100 (a)||The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else.||SyberWorks LMS User ids in the system apply to one and only one person. However, it is a procedure to not change the name and property information associated with a user id, other than to correct errors or update information (e.g. address, phone, etc.), as required. If the user id itself is changed, the changes are propagated to all records in the system with that user id.|
|11.200 (a) 1||The system shall employee at least two distinct identification components such as an identification code and a password.||The SyberWorks Learning Management System uses a user id and a password for access. As confirmation of data input for SOPs and off-line course results, the system can be configured to require the re-input of the password.|
|11.200 (a) (1) (i) a||The system require the use of all electronic signature components for the first signing during a single continuous period of controlled system access||In the SyberWorks LMS, the first “signing” is when the administrator or other user logs into the system. This requires a user id and password. Alternatively, the system can use automatic Windows NT Authentication to identify the user.|
|11.200 (a) (1) (i) b||The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component.||As confirmation of data input for SOPs and off-line course results, the system can be configured to require the re-input of the password to the SyberWorks Learning Management System.|
|11.200 (a) (1) (i) c||The system shall ensure users are timed out during periods of specified inactivity||The SyberWorks LMS has a configurable “time-out” period. If there is no activity for that length of time, the user is logged off and must perform a complete login to re-access the system.|
|11.200 (a) (1) (ii)||The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access.||In the SyberWorks Learning Management System, a “single continuous period” means the time between login and logout. The logout would either be explicit or based on a timeout as described above. In both cases, a full login is then required, with both user id and password.|
|11.200 (a) (2)||The system shall ensure non-biometric electronic signatures can only be used by their genuine owner.||The SyberWorks LMS requires the use of user id and password for identification. The implementation of this requirement is more procedural, in that user ids and passwords should be protected and not shared. The password may be configured to be of a certain length and format, and to be changed every nn days. The system does not currently offer biometric electronic signatures but they may be added on a custom basis.|
|11.200 (a) (3)||The system shall require all attempted uses of an individual's electronic signature by anyone other that its genuine owner require collaboration of two or more individuals.||User ids and passwords should not be shared, and procedures should be in place to ensure this.|
|11.300 (a)||The system shall require each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password.||For the SyberWorks LMS, the user id is a primary key in the database, and as such, it is impossible to apply it to different users.|
|11.300 (b)||The system shall require that passwords be periodically revised.||The SyberWorks Learning Management System can require that passwords be changed every nn days. An audit trail is also kept of password changes.|
|11.300 (d)||The system shall employ transaction safeguards preventing the unauthorized use of password and/or identification codes.||When a user is deactivated in the system, their user id and password no longer function to log on to the SyberWorks LMS.|
|11.300 (d)||The system shall detect and report unauthorized use of password and/or identification codes to specified units.||The SyberWorks Learning Management System logs the date and time of attempted logins with user ids that don't exist. It also logs when a valid user id is accompanied by an incorrect password more than three times in succession. The system may be configured to deactivate such users and send an email message to a designated administrator.|
Sign up for a demonstration today!
While SyberWorks has attempted to consider all parts of the Part 11 rule in developing the SyberWorks LMS Product Suite and the instructions and advice contained in this web page, the system described has not been approved or mandated by FDA or any other governmental agency. SyberWorks makes no claims that following the advice herein described will disqualify companies or individuals from FDA sanction. Compliance responsibility lies with the using company, not SyberWorks.