Does an LMS need to be 21 CFR Part 11 compliant
Reply to Thread
I am trying to ascertain if 21 CFR Part 11 is applicable for an electronic Learning Management System for a CRO who conducts GCP / GVP activities. I have reviewed the following guidance ‘Part 11, Electronic Records; Electronic Signatures - Scope and Application’. I understand the FDA interpret the scope in a narrow fashion and includes only those records which are under predicate rules or submitted to FDA. Whilst training records are not an essential document from a CRO under ICH GCP, proof of training is one of the 13 principles.
Can any confirm if a LMS is out of scope for 21 CFR Part 11 compliance?
Many thanks in advance
Matt Jones - Chair, DIGIT Committee
Thanks for the question.
While a LMS may not seem to be under the jurisdiction of 21 CFR Part 11, you have to take into consideration the useage of the system, and the requirement of the predicate rule - in this case GCP/ GVP.
Those regulations require that staff are trained and conduct their roles by knowledge and experience and this should be documented. In the paper world this would be a signed reviewed paper training record.
In the electronic world this training record is held in the LMS, and you need to have controls around this, to ensure training is done on time, by the right person, the training is current, and the time taken to conduct the training is appropriate. Usually an LMS would have signature functionality and be able to produce a validated output for internal audit or imnspection purposes.
Therefore, the principles of 21 CFR Part 11 would need to be respected with regard to electronic records, open and closed systems, and electronic signatures (if used).
The important part is the linkage back to the predicate rules and ensuring that you comply with these, as 21 Part 11 is a framework that it used in direct combination with these.
Other regulations and guidance should also be taken into consideration when looking at the LMS especially if this is holding annual safety training completion data, which will be requested in any PV inspection.
I hope this helps
If you need any further guidance please don’t hesitate to reach out
I would like to add an additional question/thought:
We noticed that some training companies offer online GCP courses with a final quiz and issue training certification without the involvement of electronic signatures. This means that although access to take the training course online requires a username/password, at the completion of the course, the training system does not request to confirm the reason for taking the course or a new authentication of the person completing the course (e.g. username/password combination).
Considering the previous discussion and the fact the a LMS needs to be compliant with 21 CFR part 11 regarding e-signatures, to what extent can these records from online courses be considered as 'valid e-records'?
Do training records need to be 21part11 compliant? They are not data from a trial. Straining is more secure and robust than F2F paper based training, so why is there any concern? Should a risk based approach be taken, as per E6 R2? what is the risk here?
Trev Simmons (DIGIT)
Trying to align Matt's previous response, and the updated queries and responses. There is no definitive answer on the need for validation of an LMS. As indicated by Matt, if a record is referred to in a Predicate rule, and that record is held in a system then in general 21CFRPart11 would apply.
If a CRO is conducting GCP/GVP activities then based on the above definition the LMS should be 21CFRPart11 Compliant. However for a software vendor where the training record is required by 21CFRPart 11 itself, then there are schools of thought supporting both the need for compliance and not.
As regards the Signature expectations in relation to the certificate for an LMS. The certificate is auto-generated on training completion, the trainee isnt signing to say they have done it, the system is providing them with proof of completion.
Ok if this is an online provider this is unlikely to be validated in the Life Sciences sense, however a simple risk assessment should allow you to accept and utilise the Certificates, As you indicated it s a closed system controlled by username and password, making sure that only the designated user can access the certificate and can only receive a certificate when training is 'completed'. The key signature on a training certificate would be the Trainer signature but in online systems this is autogenerated.
Remember you do not have to use an eSignature for a system to be 21 CFR Part11 compliant. You do not need an Esignature of the trainee, compared to a record of the fact they did the course, which will no doubt be in their account history and with the proof being the certificate provided.
Do a risk assessment as to how the system provides you with details in a manner similar to the paper world. A former trainer signature is replaced by a system generated signature that should be backed up with a trustable timestamp and training provider identifier.
After all many real world training certificates have digitised signatures on them, due to the impracticality of trainers signing every certificate.