Compliance With CFR21 Part11

Date post: 10-Apr-2018
Upload: enterprisewizard
  • 8/8/2019 Compliance With CFR21 Part11

    1/14


    Page 2 EnterpriseWizard Compliance with CFR 21 Part 11 EnterpriseWizard

EnterpriseWizard Compliance with CFR 21 Part 11 .......... 1
  Overview .......... 1
  Verifiable Support for End-User Requirements .......... 1
  Electronic Signature Support .......... 1
  Precise Access Controls .......... 2
  Change Tracking and History .......... 2
  Auditability .......... 2
  Security .......... 2
21 CFR Part 11 Compliance Matrix .......... 2
  Subpart A--General Provisions .......... 3
    Sec. 11.1 Scope. .......... 3
    Sec. 11.2 Implementation. .......... 4
    Sec. 11.3 Definitions. .......... 5
  Subpart B--Electronic Records .......... 6
    Sec. 11.10 Controls for closed systems. .......... 6
    Sec. 11.30 Controls for open systems. .......... 8
    Sec. 11.50 Signature manifestations. .......... 9
    Sec. 11.70 Signature/record linking. .......... 9
    Sec. 11.100 General requirements. .......... 10
    Sec. 11.200 Electronic signature components and controls. .......... 11
    Sec. 11.300 Controls for identification codes/passwords. .......... 12


Overview

Almost all industries depend upon software for the efficient, auditable and reliable execution of their business processes. For most companies subject to FDA regulation, this requires compliance with CFR 21 Part 11 if these processes involve the use of electronic signatures on data required to be maintained by the FDA predicate rule or used to demonstrate compliance with such a rule.

This paper provides an overview of the rule and describes how EnterpriseWizard supports it.

According to the FDA's definition, an electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

As stated by the FDA in its guidance documents, CFR 21 Part 11 ensures companies "employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine."

These predicate rules address the research, production and control of FDA regulated articles such as manufacturing/laboratory processes, clinical/pre-clinical research, adverse event reporting, product tracking and marketing submissions and reports.

Fulfilling these requirements is aided by a system that meets the following criteria:

Verifiable Support for End-User Requirements

As the FDA notes in its guidance documents on CFR 21 Part 11, establishing documented end user (i.e., a person regulated by FDA) requirements is extremely important for computer systems validation. Without first establishing end user needs and intended uses, we believe it is virtually impossible to confirm that the system can consistently meet them. Once you have established the end user's needs and intended uses, you should obtain evidence that the computer system implements those needs.

This requirement is greatly facilitated by a system that is not only easily configurable to end-user requirements, but fully exposes how those requirements have been met. For example, the tools for setting access permissions and configuring workflows should be driven entirely through the browser and provide a visual representation of the resulting configuration. If the configuration depends upon custom programming, it becomes opaque to everyone except a programmer skilled in that language and only such a programmer can certify that it implements the user needs correctly or make necessary adjustments.

Electronic Signature Support

The system must support electronic signatures at multiple levels: it should not only enforce the use of electronic signatures when changing controlled records, but the presence of these guards should be easily verifiable and the use of each signature fully auditable.


Precise Access Controls

User access to individual records and to particular fields within those records must be precisely controlled by security groups. In addition, the system should be capable of restricting access based upon IP address and should support integration with biometric controls.

Change Tracking and History

Every change to each record must be recorded, with a timestamp showing who made the change, what they changed and when the change occurred. The system should be capable of displaying what the entire record looked like at any point in the past. Further, the solution must make it possible to capture and collate data, such as who logged in, what IP address they came from, what records they edited, etc.

Auditability

The system must be auditable in multiple senses. It must make it easy to show an auditor what a defined business process is, how the system enforces the process, and how the process has been followed in any particular instance.

Security

The software and any hosting infrastructure should be subject to regular security audits from an independent third party and the results of that audit should be made available upon request.

21 CFR Part 11 Compliance Matrix

The following tables describe how EnterpriseWizard supports compliance with 21 CFR Part 11.

As noted by the FDA, "Electronic record and electronic signature systems consist of both manual procedural controls and technical controls implemented through computer systems," so while the use of compliant software is a necessary condition for Part 11 compliance, it is not a sufficient condition, because several aspects of the rule depend upon the organization following appropriate procedures. These are indicated in this matrix with the response "The customer is responsible for adhering to this requirement."

The term "Acknowledged" is used to indicate areas where the recommendation has been read and understood, but there is no specific functionality required on the part of the software.


Subpart A--General Provisions

Sec. 11.1 Scope. EnterpriseWizard Compliance

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

EnterpriseWizard supports electronic signatures by positively identifying the user through a unique username and password combination. This information is controlled and centrally managed via a license server. LDAP integration allows the administrator to use LDAP to replace/supplement the built-in user management.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

    Acknowledged

(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.

    Acknowledged

(d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required.

    Acknowledged

(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.

EnterpriseWizard shall comply with any request to inspect its hardware, software, controls and attendant documentation by the FDA.

(f) This part does not apply to records required to be established or maintained by 1.326 through 1.368 of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part.

[62 FR 13464, Mar. 20, 1997, as amended at 69 FR 71655, Dec. 9, 2004]

    Acknowledged


Sec. 11.2 Implementation. EnterpriseWizard Compliance

(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.

    Acknowledged

(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:

    Acknowledged

(1) The requirements of this part are met; and

Acknowledged

(2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.

    Acknowledged


Sec. 11.3 Definitions. EnterpriseWizard Compliance

(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.

    Acknowledged

(b) The following definitions of terms also apply to this part:

    Acknowledged

(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).

    Acknowledged

(2) Agency means the Food and Drug Administration.

(3) Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

EnterpriseWizard includes APIs to integrate with biometric systems. As it is a software product, it does not include the use of specific biometric hardware.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

EnterpriseWizard can be configured as either an open or closed system.

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

EnterpriseWizard uses a set of rules based on security group settings that uniquely identifies the user from their username and password combination. The internal security settings in these tools determine the access and privileges of the signed in user. The transfer of all information is protected through cryptography.

(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

    Acknowledged

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

    Acknowledged

(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

EnterpriseWizard includes APIs to integrate with biometric systems. As it is a software product, it does not include the use of specific biometric hardware.


(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

EnterpriseWizard can be configured as either an open or closed system.

Subpart B--Electronic Records

Sec. 11.10 Controls for closed systems. EnterpriseWizard Compliance

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

EnterpriseWizard supports controls to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records as detailed below.

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

In addition to access controls that determine who can view or modify individual records or fields within records, EnterpriseWizard provides History tracking that shows exactly what changes particular users made to each record, and a snapshot of the entire record before and after each change. In addition, audit logs may be configured to track the IP address of the user who altered or viewed each record and rules may be configured to flag records as invalid based upon criteria defined by the administrator.
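The history-tracking behaviour described here, and under the Change Tracking and History criteria earlier in this document (every change recorded with who made it, what changed, when, and from which IP address; a snapshot of the whole record before and after each change; the ability to show the record as it looked at any past point; administrator-defined rules that flag records as invalid), as an added Python illustration. It is not EnterpriseWizard's code: the class names, the BATCH-001 sample record, the dose-range rule, and the users and addresses are constructed for the example.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class HistoryEntry:
    """One change: who made it, from where, when, which fields, and the whole
    record before and after (``before`` is {} for the creating entry)."""
    seq: int
    timestamp: datetime
    user: str
    ip: str
    changed_fields: tuple
    before: dict
    after: dict


class AuditedRecord:
    """A record whose history is a tuple of frozen entries: it can only grow,
    and existing entries cannot be edited in place."""

    def __init__(self, record_id: str, initial: dict, user: str, ip: str, now: datetime):
        self.record_id = record_id
        self._current = copy.deepcopy(initial)
        first = HistoryEntry(0, now, user, ip, tuple(sorted(initial)), {}, copy.deepcopy(initial))
        self._history = (first,)

    @property
    def history(self) -> tuple:
        return self._history

    @property
    def current(self) -> dict:
        return copy.deepcopy(self._current)

    def update(self, changes: dict, user: str, ip: str, now: datetime) -> Optional[HistoryEntry]:
        """Apply ``changes``; nothing is recorded if no field actually changes."""
        if now < self._history[-1].timestamp:
            raise ValueError("history timestamps must not go backwards")
        before = copy.deepcopy(self._current)
        after = {**before, **copy.deepcopy(changes)}
        changed = tuple(sorted(k for k in after if before.get(k) != after[k]))
        if not changed:
            return None
        entry = HistoryEntry(len(self._history), now, user, ip, changed, before, after)
        self._history = self._history + (entry,)
        self._current = after
        return entry

    def as_of(self, when: datetime) -> Optional[dict]:
        """The whole record as it looked at ``when``; None if it did not exist yet."""
        state = None
        for entry in self._history:
            if entry.timestamp > when:
                break
            state = entry.after
        return copy.deepcopy(state) if state is not None else None

    def who_changed(self, field: str) -> list:
        """(seq, user, ip, old value, new value) for every change to ``field``."""
        return [(e.seq, e.user, e.ip, e.before.get(field), e.after[field])
                for e in self._history if field in e.changed_fields]


def invalid_reasons(record: dict, rules: dict) -> list:
    """Names of the administrator-defined rules (name -> predicate) the record breaks."""
    return [name for name, ok in rules.items() if not ok(record)]


def demo() -> dict:
    """Constructed sample: a batch record edited twice, then inspected."""
    t0 = datetime(2019, 8, 8, 9, 0, tzinfo=timezone.utc)
    rec = AuditedRecord("BATCH-001", {"status": "draft", "dose_mg": 10}, "alice", "10.0.0.5", t0)
    rec.update({"status": "approved"}, "bob", "10.0.0.9", t0 + timedelta(minutes=30))
    rec.update({"dose_mg": 15, "status": "approved"}, "carol", "10.0.0.7", t0 + timedelta(hours=2))
    rules = {"dose_in_range": lambda r: 0 < r["dose_mg"] <= 12}   # assumed administrator rule
    return {
        "before_creation": rec.as_of(t0 - timedelta(seconds=1)),
        "after_first_edit": rec.as_of(t0 + timedelta(hours=1)),
        "now": rec.current,
        "dose_changes": rec.who_changed("dose_mg"),
        "flags": invalid_reasons(rec.current, rules),
        "entries": len(rec.history),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Keeping the full before and after snapshot in every entry costs storage but makes point-in-time reconstruction a simple scan rather than a replay of diffs, and the frozen entries in a tuple mean an in-process edit of history has to replace the whole tuple, which is easy to forbid or detect at the persistence layer.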

(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

EnterpriseWizard provides the ability to generate accurate and complete copies of records in both human readable and electronic form. Records may be printed both on paper and to a file; they also can be exported in PDF, Word, Excel, .CSV and TXT formats for inspection, review, and copying by the agency.

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Automated system backups export records in a format that ensures full accuracy and allows them to be retrieved throughout the record retention period.

(d) Limiting system access to authorized individuals.

EnterpriseWizard access controls include login/password controls and security group permissions that limit access to authorized individuals. In addition, access may be limited based upon the user's IP address.


(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

The customer is responsible for adhering to this requirement.

(k) Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

The system includes generic online help, tutorials and documentation on system capabilities.

Access control and distribution of attached files containing documentation for system operation and management are managed by EnterpriseWizard Rules.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Revision and change control procedures for system specific documentation are supported through Workflow Actions and Guards while History and Audit logs document the development and modification of system documentation.

Sec. 11.30 Controls for open systems. EnterpriseWizard Compliance

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

EnterpriseWizard can be used as an open system or a closed system depending on the access to the server via an IP address and port. Through the use of the username and password combination and internal security groups, the administrator has the ability to secure the system as required for compliance.


Sec. 11.50 Signature manifestations. EnterpriseWizard Compliance

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

EnterpriseWizard supports these requirements as detailed below:

(1) The printed name of the signer;

The name of the signer is displayed.

(2) The date and time when the signature was executed; and

A date and timestamp are clearly displayed and maintained by History.

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The meaning associated with each signature is captured in the associated field description.

(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

Items (a)(1), (a)(2) and (a)(3) are subject to the same controls as electronic records and are included in any human readable form of the electronic record as controlled by access permission.

Sec. 11.70 Signature/record linking. EnterpriseWizard Compliance

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Electronic signatures are directly linked to their electronic records.

Such signatures cannot be excised, copied or otherwise transferred. Further, the history of every record modification performed in EnterpriseWizard is not modifiable and contains the details of the action taken as well as a timestamp and the user who performed the action.
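An added Python illustration of signature manifestation (Sec. 11.50) and signature/record linking (Sec. 11.70): the signer's printed name, the signing time and the meaning are bound, together with a digest of the record's content, under an HMAC key held by the system, so a signature that is copied to another record, or whose record is changed after signing, or whose manifestation is edited, no longer verifies. This is not EnterpriseWizard's code; the key, record ids and sample records are constructed for the example. Because the key belongs to the system rather than the signer, the check establishes integrity and linkage; who the signer was rests on the authentication and history controls described elsewhere in this document.

```python
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: a system-held key; in practice it lives in a secret store, not in source.
SYSTEM_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(obj) -> bytes:
    """Deterministic JSON so identical content always serialises identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


@dataclass(frozen=True)
class Signature:
    record_id: str
    record_digest: str   # content of the record at signing time
    signer_name: str     # 11.50(a)(1): printed name of the signer
    signed_at: str       # 11.50(a)(2): date and time of signing (ISO 8601)
    meaning: str         # 11.50(a)(3): review, approval, authorship, ...
    tag: str             # HMAC over every field above


def _tag(key: bytes, fields: list) -> str:
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def sign_record(key: bytes, record_id: str, record: dict, signer_name: str,
                meaning: str, now: datetime) -> Signature:
    digest = record_digest(record)
    signed_at = now.isoformat()
    tag = _tag(key, [record_id, digest, signer_name, signed_at, meaning])
    return Signature(record_id, digest, signer_name, signed_at, meaning, tag)


def verify_signature(key: bytes, record_id: str, record: dict, sig: Signature):
    """(ok, reason). Detects an edited manifestation, a signature moved to a
    different record, and a record changed after it was signed."""
    expected = _tag(key, [sig.record_id, sig.record_digest, sig.signer_name, sig.signed_at, sig.meaning])
    if not hmac.compare_digest(expected, sig.tag):
        return False, "signature manifestation altered"
    if sig.record_id != record_id:
        return False, "signature belongs to a different record"
    if sig.record_digest != record_digest(record):
        return False, "record changed after signing"
    return True, "valid"


def manifestation(sig: Signature) -> str:
    """Human-readable form for displays and printouts (11.50(b))."""
    return f"Signed by {sig.signer_name} on {sig.signed_at} ({sig.meaning})"


def demo() -> dict:
    """Constructed sample: one approval signature and three things that break it."""
    now = datetime(2019, 8, 8, 14, 5, tzinfo=timezone.utc)
    batch = {"id": "BATCH-001", "status": "approved", "dose_mg": 10}
    sig = sign_record(SYSTEM_KEY, "BATCH-001", batch, "Alice Example", "approval", now)
    edited = {**batch, "dose_mg": 15}
    tampered = dataclasses.replace(sig, meaning="authorship")   # tag left unchanged
    return {
        "valid": verify_signature(SYSTEM_KEY, "BATCH-001", batch, sig),
        "edited_record": verify_signature(SYSTEM_KEY, "BATCH-001", edited, sig),
        "copied_to_other_record": verify_signature(SYSTEM_KEY, "BATCH-002", batch, sig),
        "altered_meaning": verify_signature(SYSTEM_KEY, "BATCH-001", batch, tampered),
        "manifestation": manifestation(sig),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Excision (a signature simply deleted) cannot be caught by verifying the signature itself; it is caught by the record's history, which would show the signing action with no later unsigning action, which is why the linkage check and an unmodifiable history belong together.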


Sec. 11.100 General requirements. EnterpriseWizard Compliance

(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

The unique username and password combination required by EnterpriseWizard ensures the user is authenticated when logging in. All records created by a user are permanently linked to the creator's unique username, and only the logged in user's name may be placed into a signature field by that user.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

The administrator is responsible for verifying that each user entered into the system is properly identified before entering a unique username and password combination for said user.

Administrators can set strong password rules that are applied universally, including the ability to enforce a minimum password length, both alphabetic and numeric values in a password, mixed case letters in a password and dictionary word usage. The system controls incorrect password usage, locks the user's account for 5 minutes after a configurable number of invalid entries and invalidates passwords after a configurable number of invalid entries. Passwords can optionally expire in x days. LDAP can be used instead of these features to centrally manage users.

All records created by a user are permanently linked to the creator's unique username.

The organization is responsible for sanctioning an individual's access to the system.

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

    The customer is responsible for this requirement.

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.

    The customer is responsible for this requirement.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.

    The customer is responsible for this requirement.


Sec. 11.200 Electronic signature components and controls. EnterpriseWizard Compliance

(a) Electronic signatures that are not based upon biometrics shall:

EnterpriseWizard satisfies these requirements as detailed below:

(1) Employ at least two distinct identification components such as an identification code and password.

EnterpriseWizard uses a username and password combination to identify the logged in user.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

EnterpriseWizard requires the user to initiate a continuous period of controlled system access with a username and password combination. Each action that the individual executes within this period creates a historical record that contains information about the action and user.

The username entered at login positively identifies the user. The system may further be configured to require that the user enter an additional identification code with each signing.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

EnterpriseWizard requires the user to initiate a continuous period of controlled system access with a username and password combination. Each action that the individual executes within this period creates a historical record that contains information about the action and user.

(2) Be used only by their genuine owners; and

The customer is responsible for this requirement.

(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

The use of an individual's signature by anyone other than its genuine owner requires that the imposter actually login to the system as the true owner. This requires knowledge of the username and password, and only the System Administrator can change another user's password. Further, the system may be configured so that the administrator can only make such a change if it is approved by a second user.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

EnterpriseWizard includes APIs to integrate with biometric hardware devices. As a software product, it does not include the use of specific hardware.


Sec. 11.300 Controls for identification codes/passwords. EnterpriseWizard Compliance

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

EnterpriseWizard requires that a named user logs into the application using a unique login and password. Administrators can set strong password rules that are applied universally. LDAP can also be used to centrally manage users.

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

EnterpriseWizard uses a username and password to uniquely identify the person logged into the system and enforces that no two individuals can have the same username.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

Administrators can set strong password rules, including timed expiration rules, that are applied universally. LDAP can also be used to centrally manage users.

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

    The customer is responsible for this requirement.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

EnterpriseWizard supports the restriction of system access based upon IP address and as an additional safeguard may be configured to trigger immediate notifications to the system security unit and organizational management if an unusual pattern of activity is detected.
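An added Python illustration of the password controls this document describes under Sec. 11.100(b) and Sec. 11.300(a)-(b) (unique usernames; minimum length, letters and digits, mixed case and dictionary-word rules; expiry after a configurable number of days; a 5-minute lockout after a configurable number of invalid entries), together with the immediate notification to the security unit called for under 11.300(d) when that lockout fires. It is not EnterpriseWizard's code; the class names, thresholds, word list, sample user and addresses are assumed, and the separate password-invalidation threshold the document mentions is not modelled.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_letters_and_digits: bool = True
    require_mixed_case: bool = True
    dictionary: frozenset = frozenset()        # constructed lower-case word list
    max_age_days: int = 90                     # "passwords can optionally expire in x days"
    max_failures: int = 5                      # configurable number of invalid entries
    lockout: timedelta = timedelta(minutes=5)  # lock duration after that many failures


def password_problems(pw: str, policy: PasswordPolicy) -> List[str]:
    """Every rule the candidate password breaks; an empty list means acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_letters_and_digits and not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and digits")
    if policy.require_mixed_case and (pw == pw.lower() or pw == pw.upper()):
        problems.append("needs both upper- and lower-case letters")
    if any(word in pw.lower() for word in policy.dictionary):
        problems.append("contains a dictionary word")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None


class Authenticator:
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}
        self.alerts: List[dict] = []   # would be delivered to the security unit / management

    def create_user(self, username: str, pw: str, now: datetime) -> None:
        if username in self.accounts:
            raise ValueError("username must be unique")        # 11.300(a)
        problems = password_problems(pw, self.policy)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(pw, salt), now)

    def login(self, username: str, pw: str, now: datetime, ip: str = "unknown") -> str:
        """One of: ok, bad_credentials, locked, password_expired."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_credentials"          # same answer as a wrong password
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"
        if not hmac.compare_digest(_hash(pw, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= self.policy.max_failures:
                acct.locked_until = now + self.policy.lockout
                acct.failures = 0
                self.alerts.append({"event": "lockout", "user": username, "ip": ip,
                                    "at": now.isoformat(),
                                    "locked_until": acct.locked_until.isoformat()})
            return "bad_credentials"
        acct.failures = 0
        if now - acct.password_set_at > timedelta(days=self.policy.max_age_days):
            return "password_expired"
        return "ok"


def demo() -> dict:
    """Constructed sample: three wrong passwords, a locked-out retry, recovery, and ageing."""
    policy = PasswordPolicy(max_failures=3, dictionary=frozenset({"password", "welcome"}))
    t0 = datetime(2019, 8, 8, 9, 0, tzinfo=timezone.utc)
    auth = Authenticator(policy)
    auth.create_user("alice", "Correct-Horse9", t0)
    results = [auth.login("alice", "wrong", t0 + timedelta(seconds=i), "10.0.0.5") for i in range(3)]
    results.append(auth.login("alice", "Correct-Horse9", t0 + timedelta(minutes=1)))  # still locked
    results.append(auth.login("alice", "Correct-Horse9", t0 + timedelta(minutes=6)))  # lockout over
    results.append(auth.login("alice", "Correct-Horse9", t0 + timedelta(days=91)))    # aged out
    return {"logins": results, "alerts": auth.alerts, "weak": password_problems("password1", policy)}
```

The clock is passed in rather than read from `datetime.now()` so the lockout and expiry paths can be exercised deterministically; an unknown username and a wrong password return the same result so that login responses do not reveal which usernames exist.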

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

    The customer is responsible for this requirement.

Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.

Source: 62 FR 13464, Mar. 20, 1997, unless otherwise noted.

EnterpriseWizard, Inc. (www.enterprisewizard.com) Tel: 888.727.2209 is the leading provider of powerful, easy-to-deploy, and cost-effective Web-based software solutions for customer support, change management, ITIL, CRM and custom business process management for organizations with complex products or services. Its adaptable platform has attracted hundreds of customers, ranging from startups to Fortune 100 companies such as Chevron, NEC and Emerson Electric.

