Managing Compliance to FDA21 CFR Part 11 – Electronic Records and Electronic Signatures

Managing Compliance to FDA21 CFR Part 11

Introduction

Part 11 of Title 21 of the Code of Federal Regulations applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in the Food and Drug Administration (FDA) regulations.
The final regulation published on March 20 1997 provided criteria for acceptance by the FDA of electronic records, electronic signatures, and handwritten signatures executed to electronic records as “trustworthy, reliable and generally equivalent to paper records and handwritten signatures executed on paper” (Chapter 1, Part 11).

Does Kovair provide all of the required information to an organization to support 21 CFR Part 11 Compliance?
As a vendor, Kovair is not responsible for all of the electronic information that a regulated organization needs to maintain or submit to the FDA. Kovair will, through this document, provide the support for 21 CFR Part 11 compliance regarding all the electronic records and signatures that are maintained within the Kovair Application Lifecycle Management system.

Is Kovair an Open System or a Closed System?
Two classes of systems are defined under the definitions in Subpart A, Section 11.3; A ‘Closed System’ and an ‘Open System’.
A Closed System is defined as one “in which system access is controlled by persons who are responsible for the content of electronic records”. These types of systems operate on the premise so that the organization that creates and maintains the system information is also responsible for configuring, operating and maintaining the actual system.
An Open System is one “in which the system access is not controlled by persons who are responsible for the content of electronic records.” Typically these are situations where the organization using the system has contracted a third-party entity for the operation and maintenance of that system.
The Kovair Application Lifecycle Management system should be considered a Closed System, as in a typical deployment the full control of configuration, operation and maintenance is given to the client organization that is going to use the system. The system is structured so that various individuals within the client organization may be responsible for the configuration and/or maintenance of different aspects of the system. However, the overall accountability for the system resides with the client organization.
Since the classic deployment of a Kovair Application Lifecycle Management system is a Closed System, this document will focus on the regulations only pertinent for such a system.

21 CFR Part 11 – Subpart B: Electronic Records

The following sections address Kovair support and Compliance to 21 CFR Part 11 – Subpart B.

11.10 Controls for Closed systems

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

Regulation Kovair Implementation
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Kovair provides several validation checks, and full audit trail, as well as automated monitoring “policies” that check values to be within specified norms of validity. The policy engine will notify appropriate authorized personal on changes recorded in the system. Complete logging – All changes are logged for reporting.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Kovair provides web-based and report based interfaces to obtain records in human readable format for inspection, review, and copying. The system also generates electronic forms for the records through file based export of the data.
c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. Kovair allows users to have ready retrieval of the data anytime through the application interface. Protection of the data is managed by the Database and Database Administrator.
(d) Limiting system access to authorized individuals. Kovair employs the strategy of access groups to limit each of the authorized users’ access to data and functionality.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Kovair maintains a rich audit trail of all events performed in the system. The system will automatically track actions that involve creating, modifying or deleting an electronic record, and will capture the timestamp, operator, and values changed. Subsequent changes to the records accumulate to the existing audit-trail and will not obscure the previously recorded information in any way. This information is readily available to the agency through the Kovair user interface or through reports.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Kovair allows the organization to create an enforceable and repeatable process through its process engine, which will determine the sequence of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Kovair employs the strategy of usernames and passwords to authenticate and authorize users of the system. Usernames are tied to access groups within the system to limit access to data and functionality as desired.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. Kovair application only accepts data from validated process components and services installed with the system.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. Kovair provides on-site training on the operation of the system to enable users to perform their assigned tasks within the system. Kovair also provides embedded, context-sensitive help with the system to guide users.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Written policies are established by each client organization. Kovair’s access groups and audit trail logs can be incorporated into those policies to assist with compliance.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
(k) This section refers to each organization’s system administration areas.
(1) Kovair provides installation, administration, configuration and end user documentation with the system deployment. On-site and web-based training are also provided to educate individuals on system operation and maintenance.
(2) Configuration changes made to Kovair post deployment are subject to the change control procedures enforced by the client organization. Kovair will log all changes made in the audit-trail to assist with compliance.

11.50 Signature Manifestations

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: Implementation

Regulation Kovair Implementation
(1) The printed name of the signer; (1) Kovair logs the unique user name associated with the signing action.
(2) The date and time when the signature was executed; and (2) The date and time when the signature was executed is recorded through automated system time-stamps.
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. (3) The label of the field the user is signing-off provides the meaning associated the action.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). (b) The Kovair audit log is stored as an electronic record. A human readable form is available as both an electronic display and a printout.

11.70 Signature/Record Linking

Regulation Kovair Implementation
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Electronic signatures are linked to their respective electronic records in fields within each electronic records, and in the audit log.

21 CFR Part 11 – Subpart C: Electronic Signatures

The following sections address Kovair support and Compliance to 21 CFR Part ll – Subpart Ci

11.100 General Requirements

Regulation Kovair Implementation
(a) Each electronic signature shall be unique to each individual and shall not be reused by, or reassigned to anyone else. (a) Each electronic signature is enforced by unique User names in the system. There is no possibility of two people having the same user name.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. (b) Verification of an individual’s identity is the responsibility of the organization.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (c) Certification of an electronic signature is the responsibility of the organization.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC–100), 5600 Fishers Lane, Rockville, MD 20857. (1) Certification of an electronic signature is the responsibility of the organization.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature. (2) Certification of an electronic signature is the
responsibility of the organization

11.200 Electronic Signature Components and Controls

(a) Electronic signatures that are not based upon biometrics shall:

Regulation Kovair Implementation
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(1) Kovair requires both a unique username and password.
(i) Kovair required that the user be authenticated into the system using both the username and password, before the first electronic signature. Subsequent signings during a continuous period of controlled system access is identified by the username of the operator.
(ii) Kovair required that the user be authenticated into the system using both the username and password, before each signature when not performed during a single, continuous period of controlled system access.
(2) Be used only by their genuine owners; (2) Kovair requires that each individual is assigned a unique identification code and password.
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. (3) Each signature in Kovair is designed only to be executed by its genuine owner. Authorized exceptions to this practice would be the responsibility of each organization.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. (b) Kovair does not support biometrics.

Persons who use electronic signatures based upon the use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

Regulation Kovair Implementation
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. (a) Kovair requires that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). (b) Kovair does not natively dictate a password-aging schedule since this policy differs among organizations. It is the responsibility of the system administrator to implement and maintain such a schedule either through policy or through integrating Kovair with the organization LDAP system.
(c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. (c) All Kovair username accounts and respective passwords can de de-activated and de-authorized by the Kovair application administrator.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. (d) Kovair logs each attempt by an operator to gain access into the system. The system will also proactively ensure that the same operator is not logged into the system in two different locations, and will de-activate earlier session in the event that should occur.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. (e) Kovair is software, and therefore independent of such devices.