21 CFR Part 11 Compliance Guide for Jira (Atlassian)
21 CFR Part 11 Compliance Guide for Jira (Atlassian)
Jake Stowe
April 12, 2024
Table of Contents
- Is Jira FDA 21 CFR Part 11 Compliant?
- Adjusting issues in Jira to prevent companies from falling out of FDA 21 CFR Part 11 compliance
- 21 CFR Part 11, Subpart C–Electronic Signatures in Jira, § 11.100 Electronic signature components and controls.
- How Ketryx can ensure companies are compliant with the FDA and 21 CFR Part 11 in Jira
- FDA 21 CFR Part 11 Compliance in Jira interview with Part 11 experts, Jake Stowe and Lee Chickering:
FDA 21 CFR Part 11, also known as Part 11, are complex regulations all medical device software companies (and other companies under FDA regulation) in the United States must comply with. Part 11 regulations require detailed planning and documentation, proof the organization uses a compliant quality management system (QMS), as well as proof that all electronic records, electronic signatures, and handwritten signatures attached to electronic records are dependable and credible.
In the words of the FDA, “Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. … We intend to enforce all other provisions of Part 11 including, but not limited to, certain controls for closed systems in § 11.10.
Is Jira FDA 21 CFR Part 11 Compliant?
Yes, Jira could be FDA 21 CFR Part 11 compliant, only if it is configured with the correct features. However, Jira, by design, is not Part 11 compliant. The main issue with the default configuration in Jira is the lack of an audit trail when tickets are changed or deleted. Jira only cares about the current state of tickets and does not provide an immutable audit trail for each record. Jira does not show who made a change to the record, when the changes were made or the difference between the old and revised record. This is one major issue that companies must address to stay in 21 CFR Part 11 compliance.
When using Jira, companies need to make sure evidence can be created and exported to be able to show they meet Part 11 requirements, such as: knowing how to use the specific company’s computer systems and software, tracking data changes, preventing and/or detection of falsified records, storing data securely and ensuring data is neither corrupted or lost, and ensuring that approval and verification of signatures cannot be disputed.
Adjusting issues in Jira to prevent companies from falling out of FDA 21 CFR Part 11 compliance
21 CFR Part 11, Subpart B – Electronic Records in Jira, § 11.10 Controls for closed systems.
Subpart B, Section 11.10 of 21 CFR Part 11 states that Persons who use closed systems must have “use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.” A very important flaw to note in Jira is the irreversibility of the ‘Delete’ operation. Deleting an issue in Jira permanently removes the issue, comments, and attachments, with no way of retrieving the deleted data. If information is permanently deleted—with no audit trail to show when or what item was deleted, or by whom—companies will automatically fall out of compliance with 21 CFR Part 11.
21 CFR Part 11, Subpart C–Electronic Signatures in Jira, § 11.100 Electronic signature components and controls.
Subpart C, Section 11.100 of 21 CFR Part 11 states, “When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.”
How Ketryx can ensure companies are compliant with the FDA and 21 CFR Part 11 in Jira
Ketryx lifecycle management software effectively solves all of Jira’s non-compliance problems with 21 CFR Part 11. If users integrate Jira with Ketryx, there is no need for multiple plugins, guess work, or the tedious amount of time and effort administrators need to exert in order to be 21 CFR Part 11 compliant. With the integration, Ketryx transforms companies' Jira instance into 62304 compliance. Ketryx preserves companies data by validating the system to maintain the integrity of all data and gives Ketryx users 21 CFR Part 11 signature compliance in the front-end of Jira.
FDA 21 CFR Part 11 Compliance in Jira interview with Part 11 experts, Jake Stowe and Lee Chickering:
21 CFR Part 11 Compliance in Jira – Abridged Interview Transcript:
The topic is 21 CFR part 11 and its application. One thing that I hate about the content in this space is that it's kind of all deliberate, not maybe deliberately, but it's a lot of people using a lot of big fancy words for things that are not really at the end of the day that complicated.
Initially built for pharmaceuticals to be applied to manufacturing facilities, 21 CFR part 11 is a set of regulations promulgated by the FDA in the late 1990s to adapt to the industries they were regulating and who were starting to use electronic media to record sensitive data, rather than paper.