Businesses that operate in an industry regulated by the Food and Drug Administration (FDA) should be familiar with Title 21 CFR Part 11. If your business operates in the life sciences space, this regulation applies to your organization. Commonly referred to as Part 11, this legislation impacts the way life sciences companies manage their applications and data because of the consequences for consumers. A poorly tested drug or a software malfunction in a medical device can cause serious harm to a patient. To avoid such incidents and to bring more regulation to the industry, the FDA has instituted 21 CFR Part 11.

 What is 21 CFR Part 11?

 21 CFR Part 11 lists the guidelines that life sciences organizations need to follow when managing data and applications. The FDA requires that organizations involved in data collection and reporting adhere to processes that ensure the integrity of the data at all times. In this way, the FDA can ensure that only the highest quality products reach consumers, and that defective ones are identified early on and handled responsibly.

 Who needs to comply with 21 CFR Part 11?

 There are primarily three types of environments that need to comply with 21 CFR Part 11:

 »»  Laboratories that supply test results on any materials

 »»  Clinical testing units that manage data regarding clinical trials

 »» Manufacturing plants that record product development and quality

 Any life sciences business or organization that manufactures or sells food and healthcare products is regulated by 21 CFR Part 11.

 Staying compliant with 21 CFR Part 11

 Instituted in 1997, 21 CFR Part 11 is important legislation, but many life sciences businesses are faced with   challenges in their attempt to be compliant. With the changing landscape of technology, organizations need to   ensure that they remain compliant with the legislation as their infrastructure and application stacks change.

 In today’s world of SaaS-driven software models, Salesforce is frequently relied upon to develop cutting-edge applications in the life sciences space. Salesforce brings control and simplicity to application development but also brings with it new challenges surrounding compliance. If you build life sciences applications using the Salesforce platform, you need to ensure that you are in compliance with 21 CFR Part 11.

 Why is Governance important?

 The cost of not complying

 It is mandatory for all organizations under the purview of the FDA to meet these compliance regulations. The FDA   regularly conducts inspections to gauge whether companies understand and are compliant with 21 CFR Part 11.

 Failure to comply with this legislation will not result in lost revenue. However, it is a serious risk to take. Non-compliance could lead to heavy penalties and may even result in the FDA closing your organization. Because of what is at stake, it is critical for you to ensure your organization complies with 21 CFR Part 11.

 Compliance can be implemented manually. In this approach, you would need to document entire processes in either electronic files or on paper. This requires keeping records of important changes with handwritten sign-offs. Implementing 21 CFR Part 11 compliance for large quantities of data may seem overwhelming, with numerous records and multiple signatures required throughout the process. This approach is outdated, time-consuming, and prone to errors. Fortunately, there’s help available with compliance-aware tools like Flosum.

 Flosum is an application lifecycle management (ALM) and release management tool for Salesforce applications that   monitors and gives you control over the end-to-end lifecycle of your software delivery chain. It is built to drive   efficiency across the development pipeline, but more importantly, it ensures your applications and data comply with   21 CFR Part 11.

 Ten ways Flosum helps you comply with 21 CFR Part 11

 Flosum enables you to fully comply with 21 CFR Part 11. It considers all aspects of the legislation and ensures you   can meet every requirement. Here are ten ways Flosum can benefit your business and help you comply with 21 CFR   Part 11:

 Maintain electronic records for the software development lifecycle.

 To comply with 21 CFR Part 11, you must have full control over each of the developer orgs within Salesforce.

 You need to be aware of how code was maintained from start to finish. This includes knowing how code is merged, tested, and deployed. This requires complete electronic records; you simply cannot rely on static documentation of the process.

 Flosum is a great platform for collaborative development. It allows multiple development, QA, and IT teams to make   changes to the application code while recording every change that is made. This gives you an actual revision history,   complete with timestamps, members, and changes made at every point of the lifecycle.

 Track electronic records for change control

 Your electronic records should clearly show any changes made to an application’s code, along with who made the   change, the time the change was made, and the precise details of the change. This is necessary for 21 CFR Part 11   and is also essential for post-mortem analysis.

 Previously, you could simply record a broad release history at the application level without drilling down to the individual developer level. Flosum changes that by allowing you to record every code change with detailed tracebacks. You can go to the source of each change, no matter how big or small. This is essential for compliance, but it also gives you an edge operationally, as you are able to easily do root-cause analysis for quicker fixes and bug resolutions.

 Validate your systems

 Validation comes into play with every change made to an application. This helps to ensure that each new update you   test and deploy is reliable and meets the standard for quality and compliance.

 Flosum is able to map business requirements to the development effort. This way your QA team can assess the   quality of new features to ensure they meet your specific requirements. Upon each new release, every part of the   application that was modified is checked for quality. If there are any flags, the release can easily be rolled back and   fixed.

 Segregate duties between teams

 Separation of duties is important in ensuring the quality of life sciences applications. The person who develops the   code should not be the one testing it, and the one deploying it should be different as well. While it is easy to set each   person’s responsibility for a release at the start, the hard part is recording each person’s activity across the pipeline.

 Flosum is able to separate duties effectively by managing the profiles and permissions for your Salesforce   organization. This gives you a way to proactively define who can perform what action, and avoid any unauthorized   access or activity by users. Additionally, Flosum tracks changes made by all individuals, no matter which team they   are on. This ensures full compliance no matter how large your application becomes.

 Use secure, computer-generated, time-stamped audit trails

 Audit trails are collected automatically when any change occurs in the system. They tell you who made the change   and give you deeper visibility into the system. Audit trails enable you to control and enforce changes and are a key   part of compliance.

 Flosum tracks all changes to an organization automatically and presents you with a detailed audit trail for review. It   flags any releases that have not been tested adequately and helps you to identify the exact people involved in the   release so the issue can be fixed. Not only does Flosum provide you with necessary visibility, but it also gives you   control over the entire development process.

 Document sign-offs at every stage

 For every change of your application, someone has to sign off at the various stages within the pipeline. Someone   from Business needs to sign off that the release meets all of the initial requirements. Next, a person from QA has to   sign off that the release meets all technical requirements and is aligned with requirements from Business.   Traditionally, sign off is a manual process that happens on paper, or at best via email. However, this is not enough for   compliance with 21 CFR Part 11.

 Sign-offs are built into Flosum so that all approvals from QA and Business are documented by default, including who   signed off and when. Beyond this, Flosum’s change management process ensures that all components are reviewed   before any code is released.

 Maintain electronic signatures

 For clear visibility into the development process, approvals are required for each step of the process. Previously this   was done informally in conversations or through emails which did not allow approvals to be tracked at scale. This is   not enough for compliance with 21 CFR Part 11.

 Flosum integrates with external eSignature solutions, like DocuSign, and lets you track approvals at every stage of the process. You can define which kinds of changes require an eSignature and enforce these rules by default. Going paperless is not just environmentally responsible; it also brings control and visibility to your development while ensuring that you are compliant with 21 CFR Part 11.

  Improve software quality

 While compliance is required by the FDA, 21 CFR Part 11 offers the benefit of improving your entire software delivery   chain.

 Flosum is an application lifecycle management (ALM) tool for Salesforce. It brings control and visibility to every step   of your development. With additional features like version control, continuous integration, and automatic rollback,   you can drive improved quality and reliability for your applications.

 Gain end-to-end visibility

 You may often be in the dark, wondering about the status of an important new update to your application. By   implementing 21 CFR Part 11 compliance, you gain deeper visibility into every step of your development process.

 Flosum provides metrics at every level: organization, team, and individual. It has various reports that can be customized and shared, so you are always aware of the status of any release. Flosum does not just provide an overview; it lets you drill down into detailed changes to identify code artifacts that have been changed, the timestamp for the change, and the exact person who made the change. This kind of visibility brings confidence to your development.

 Minimize costs

 As you implement your compliance plan, it is important to keep a budget in mind. Often, it can be expensive to   implement a manual review of your processes, which is why this is frequently an outsourced job. If done in-house,   you need to hire specialized talent and provide them with the required tools.

 Flosum has compliance built into it. This makes it easy to set up and implement compliance measures, even if you are not a compliance expert. You will not need to invest in extra tools, and you can greatly reduce the manual effort required for compliance, saving both time and money.

 Conclusion

 Compliance with 21 CFR Part 11 should not be taken lightly; it is a legal requirement for organizations mandated by   the FDA. As your development becomes more reliant on Salesforce, you need to ensure that you are in compliance   with 21 CFR Part 11.

 A lack of compliance can result in severe penalties. Something this important should not be left to outdated, manual   processes. You need an ALM tool like Flosum that has built-in compliance with 21 CFR Part 11. Flosum automatically   tracks and reports on every record and signature across your software delivery pipeline, giving you complete control   over compliance. With Flosum, you can view compliance metrics at the top level, and drill down to the minute details   to identify when changes were made, by whom, and what impact each change had on the application.

 Apart from compliance, Flosum also brings improvements to your software quality and brings consistency to your processes. For executives, it provides visibility into every step of the development process. For Salesforce developers and administrators, it offers cutting-edge collaborative features like version control, continuous integration, and automatic rollback.

 Complying with 21 CFR Part 11 is essential for life sciences organizations and cannot be ignored or left to a manual   process. Flosum offers an out-of-the-box solution that includes the underlying requirements to keep you compliant   with 21 CFR Part 11. Leverage Flosum so that you can remain compliant as your organization grows and your   technology and tools change.

“Flosum is the best native release management tool that you will fall in love with. I have gained confidence in my role, and it has given me the ability to view release management from a whole different perspective.”

Faizan Ali
Salesforce Consultant at Turnitin