Many sponsors are concerned with the risks and costs involved in ensuring that their electronic systems comply with the FDA’s ruling on
acceptance of Electronic Records and Electronic Signatures in place of their paper equivalents (21 CFR Part 11). Although the ruling has been in
place since 1997, there is often a lack of clarity concerning what characteristics and features a software solution must have to comply with 21 CFR
Part 11. Even when a solution meets all of its requirements, ensuring that procedural requirements are met may be a bigger challenge.
Although sponsors’ concerns are certainly valid, Part 11 compliance also provides an opportunity. Sponsors and the FDA share a common goal
of ensuring the integrity of their data, documentation and computer systems. If Part 11 compliance can be achieved by software configured to represent the sponsor’s desired business process, the burden on both system users and IT administrators can be minimal. The sponsor can then achieve benefits around both process automation and process transparency. The intent of this paper is to describe how NextDocs products provide a built-in platform for 21 CFR Part 11 compliance while providing capabilities that allow sponsors to automate, monitor and control their processes.
University Institute of Pharmaceutical Sciences is a flag bearer of excellence in Pharmaceutical education and research in the country. Here is another initiative to make study material available to everyone worldwide. Based on the new PCI guidelines and syllabus here we have a presentation dealing with the 21 code of federal regulation Part 11.
Thank you for reading.
Hope it was of help to you.
UIPS,PU team
Complying with 21 CFR Part 11 - Understanding the role of predicate ruleJasmin NUHIC
To obtain knowledge and understanding of 21 CFR Part 11 as how it applies to you as well as be advised of consequences which may result in failing to comply with this regulation.
If you’re involved with the life sciences industry, odds are you’ve heard the term “21 CFR Part 11.” You may have gathered that it’s a set of regulations related to computer systems, but unless you work in a compliance group, you might not understand what it’s about or why it’s important.
In our webinar, Sally Miranker, head of computer system validation in Perficient’s life sciences practice, "decoded" the secrets of 21 CFR Part 11 on this somewhat mysterious set of regulations.
Building on our popular blog post series, Sally explained the regulations in layman’s terms and offered implementation insights and case study examples.
University Institute of Pharmaceutical Sciences is a flag bearer of excellence in Pharmaceutical education and research in the country. Here is another initiative to make study material available to everyone worldwide. Based on the new PCI guidelines and syllabus here we have a presentation dealing with the 21 code of federal regulation Part 11.
Thank you for reading.
Hope it was of help to you.
UIPS,PU team
Complying with 21 CFR Part 11 - Understanding the role of predicate ruleJasmin NUHIC
To obtain knowledge and understanding of 21 CFR Part 11 as how it applies to you as well as be advised of consequences which may result in failing to comply with this regulation.
If you’re involved with the life sciences industry, odds are you’ve heard the term “21 CFR Part 11.” You may have gathered that it’s a set of regulations related to computer systems, but unless you work in a compliance group, you might not understand what it’s about or why it’s important.
In our webinar, Sally Miranker, head of computer system validation in Perficient’s life sciences practice, "decoded" the secrets of 21 CFR Part 11 on this somewhat mysterious set of regulations.
Building on our popular blog post series, Sally explained the regulations in layman’s terms and offered implementation insights and case study examples.
Data Integrity app Link: https://play.google.com/store/apps/details?id=com.innovativeapps.dataintegrity&hl=en
One Step Ahead in Pharma Compliance
Across the internet, there are millions of resources are available which provide information about Computer System Validation.
Refer above Data Integrity app which helps you to understand current regulatory agencies thinking on Data Integrity.
What is 21 CFR Part 11?:
21 CFR Part 11:
Allow the industry to use electronic records and signatures alternatively to paper records and hand-written signatures
21 CFR Part 11 applies:
To all FDA regulated environments
When using computers in the creation, modification, archiving, retrieval or transmission of data or records
To records required by predicate rules – GLP, GCP, GMP – that impact patient safety
To new and old systems
Purpose of Part 11
Ensure data is not corrupted or lost
Data is secure
Approvals cannot be repudiated
Changes to data can be traced
Attempts to falsify records are made difficult and can be detected
Types of Systems
Two types of systems that come under 21 CFR Part 11 – closed and open systems
Closed and Open Systems:
What is a Closed system?
A system to which access is controlled by person responsible for electronic records stored on it
What is an Open system?
A system to which access is not controlled by those responsible for the electronic records stored on it
21 CFR Part 11 Requirements:
21 CFR Part 11 lists the following controls for closed systems:
Validation
Device checks
Operational system checks
Accurate and complete copies
Accurate and steady retrieval
Limited access to systems and data
Authority checks
Electronic audit trail
Training/qualification of personnel
Accountability of signatures
Control over system documentation
Digital Signatures :
Use of digital signatures for open systems
Electronic Signatures
Requirements for signed electronic records
Linking records to signatures
Gain the latest insight (2013) into 21 CFR Part 11 Compliance from AITalent's latest Webinar.
Discover:
Part 11 – What it is not, the myths.
Part 11 – What it is, the facts.
Part 11 – What does the future hold?
Find out more: www.aitalent.co.uk
This presentation is about the validation of software. It focus on the validation of software used in pharmacy. It contains definition of validation, computer system and validation of computer system. It explains the models which are used for software validation and on example i.e. HPLC software validation.
An introduction to Life Sciences Computer System Validation, applicable regulation, SDLC phases, software categorisation, risk/ change/ deviation management, validation deliverable, risk based approach, regulatory inspection, audit findings, causes of compliance failure, key concepts in CSV etc.
Computer System Validation - The Validation Master PlanWolfgang Kuchinke
Computer System Validation (CSV) is the process used to ensure and document that a computerbased system is operating according to predefined requirements. CSV is necessary when replacing paper records, like
Case Report Forms for clinical trials, with an electronic system within the highly regulated data zone that impacts public health and safety. Necessary validation documents are for example the Standard Operating Procedures (SOPs), which outline how the computer system should be used. Here, we describe in detail the System Validation Master Plan, the most important document in Computer System Validation. In contains topics, like: Validation Policy, Definition of Validation, Rules and Regulations in CSV, Legal basis, FDA 21 CFR Part 11, FDA Guidance for industry, ICH Guideline GCP, Annex 11 EU-GMP, Validation Philosophy, Organisation validation document, Audit Reports, Organisation guidelines, Organisation quality management handbook, etc.
The steps of the Validation Life Cycle are: 1. System Specification, 2. System Classification, 3. Validation Planning, 4. Establishing of the validated state, 5. Maintaining the validated state, 6. System Retirement.
21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration (FDA) that establishes requirements for electronic records and electronic signatures in the context of FDA-regulated industries, including pharmaceuticals, biotechnology, medical devices, and food and beverage. The regulation is titled "Electronic Records; Electronic Signatures" and is intended to ensure the reliability, integrity, and authenticity of electronic records and signatures used in FDA-regulated activities.
21CFR regulations & its applicability in the industry and FDA perspective on the same and FDA check points on 21CFR regulations during their inspection.
Data Integrity app Link: https://play.google.com/store/apps/details?id=com.innovativeapps.dataintegrity&hl=en
One Step Ahead in Pharma Compliance
Across the internet, there are millions of resources are available which provide information about Computer System Validation.
Refer above Data Integrity app which helps you to understand current regulatory agencies thinking on Data Integrity.
What is 21 CFR Part 11?:
21 CFR Part 11:
Allow the industry to use electronic records and signatures alternatively to paper records and hand-written signatures
21 CFR Part 11 applies:
To all FDA regulated environments
When using computers in the creation, modification, archiving, retrieval or transmission of data or records
To records required by predicate rules – GLP, GCP, GMP – that impact patient safety
To new and old systems
Purpose of Part 11
Ensure data is not corrupted or lost
Data is secure
Approvals cannot be repudiated
Changes to data can be traced
Attempts to falsify records are made difficult and can be detected
Types of Systems
Two types of systems that come under 21 CFR Part 11 – closed and open systems
Closed and Open Systems:
What is a Closed system?
A system to which access is controlled by person responsible for electronic records stored on it
What is an Open system?
A system to which access is not controlled by those responsible for the electronic records stored on it
21 CFR Part 11 Requirements:
21 CFR Part 11 lists the following controls for closed systems:
Validation
Device checks
Operational system checks
Accurate and complete copies
Accurate and steady retrieval
Limited access to systems and data
Authority checks
Electronic audit trail
Training/qualification of personnel
Accountability of signatures
Control over system documentation
Digital Signatures :
Use of digital signatures for open systems
Electronic Signatures
Requirements for signed electronic records
Linking records to signatures
Gain the latest insight (2013) into 21 CFR Part 11 Compliance from AITalent's latest Webinar.
Discover:
Part 11 – What it is not, the myths.
Part 11 – What it is, the facts.
Part 11 – What does the future hold?
Find out more: www.aitalent.co.uk
This presentation is about the validation of software. It focus on the validation of software used in pharmacy. It contains definition of validation, computer system and validation of computer system. It explains the models which are used for software validation and on example i.e. HPLC software validation.
An introduction to Life Sciences Computer System Validation, applicable regulation, SDLC phases, software categorisation, risk/ change/ deviation management, validation deliverable, risk based approach, regulatory inspection, audit findings, causes of compliance failure, key concepts in CSV etc.
Computer System Validation - The Validation Master PlanWolfgang Kuchinke
Computer System Validation (CSV) is the process used to ensure and document that a computerbased system is operating according to predefined requirements. CSV is necessary when replacing paper records, like
Case Report Forms for clinical trials, with an electronic system within the highly regulated data zone that impacts public health and safety. Necessary validation documents are for example the Standard Operating Procedures (SOPs), which outline how the computer system should be used. Here, we describe in detail the System Validation Master Plan, the most important document in Computer System Validation. In contains topics, like: Validation Policy, Definition of Validation, Rules and Regulations in CSV, Legal basis, FDA 21 CFR Part 11, FDA Guidance for industry, ICH Guideline GCP, Annex 11 EU-GMP, Validation Philosophy, Organisation validation document, Audit Reports, Organisation guidelines, Organisation quality management handbook, etc.
The steps of the Validation Life Cycle are: 1. System Specification, 2. System Classification, 3. Validation Planning, 4. Establishing of the validated state, 5. Maintaining the validated state, 6. System Retirement.
21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration (FDA) that establishes requirements for electronic records and electronic signatures in the context of FDA-regulated industries, including pharmaceuticals, biotechnology, medical devices, and food and beverage. The regulation is titled "Electronic Records; Electronic Signatures" and is intended to ensure the reliability, integrity, and authenticity of electronic records and signatures used in FDA-regulated activities.
21CFR regulations & its applicability in the industry and FDA perspective on the same and FDA check points on 21CFR regulations during their inspection.
Inbound Marketing with Interactive Solutions Finders on the HubSpot COSKula Partners
Learn how to build web based solution finders on the HubSpot COS. Capture valuable lead data for your sales team, and improve conversion rates for top of funnel offers.
Excel spreadsheets how to ensure 21 cfr part 11 compliancecomplianceonline123
Learn to create a GxP compliant Excel spreadsheet application. Understand how to validate Excel spreadsheets with minimal documentation. Learn to configure Excel for audit trails, security features, and data entry verification.
Share point configuration guidance for 21 cfr part 11 complianceSubhash Chandra
Since the release of the Microsoft Office SharePoint Server 2007, compliance has been a major focus of the Microsoft Office System. That focus continues with SharePoint 2010 and includes additional functionality that further enhances compliance capabilities.
A research and pilot work on preparing environment-
friendly Development Plans or Site Master Plans for upcoming industrial parks to showcase integration of clean/green/energy efficient and environment-friendly technologies at the planning stage itself is a much
needed effort.
Technology Transfer in Pharma Industry, Technology Transfer in Pharmaceutical Industry, Pharmaceutical Technology Transfer, Pharma Tech Transfer, Naseeb basha, Pharmaceutical Tech Transfer, Naseeb basha Technology Transfer in Pharma Industry, Naseeb basha Pharmaceutical Technology Transfer
Achieving 21 Code of Federal Regulations (CFR) Part11SamuelP9
Download Free Whitepaper on Achieving 21 Code of Federal Regulations (CFR) Part11 Compliance with SimplicityChrom Chromatographic Data System (CDS):
https://promotions.pharmafocusasia.com/perkinemler-21cfr-part2-whitepaper
For the most part, everyone in the medical device industry is familiar with the term “510(k)”, but not many people know that there are three different types of the premarket notification. The following are the different types of 510(k)’s a firm can submit: Traditional, special, and abbreviated. Each 510(k) is a premarket notification, which if cleared, grants the firm permission by the FDA to market the device; but each one has different benefits and processes that medical device firms can take advantage of...
21 CFR Part 11, commonly referred to as “Part 11” is a set of rules that specifies what is required for electronic records and signatures. The regulatory framework outlines the management of records in Electronic Quality Management Systems for Life Science and other FDA-regulated industries.
Why is it called 21 CFR Part 11?
What is 21 CFR Part 11? CFR stands for “Code of Federal Regulation.” 21 CFR Part 11, in particular, details the criteria under which electronic records and signatures are considered to be trustworthy and equivalent to paper records.
What are the 21 CFR rules?
21 CFR Rules set out guidelines on the usages and management of electronic records as well as electronic signatures. As such, as the user of electronic data records, you are guided by 21 CFR rules so that you can have optimal benefits from the data and also act in integrity.
(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.
(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
www.siroinstitute.com
Siro clinical research institute
Post graduate Diploma in Clinical Research
The 21 CFR Part 11 Compliance Checklist for Digital ApplicationsEMMAIntl
Are digital applications better than paper-based systems? Without a doubt, yes. Applications replace large cabinets of paper storage with a small computer. They not only save space and paper but also offer quick data or document search with easy updates. But there is one component where paper-based systems are better than applications and that is maintaining signatures. Physical signatures cannot be easily replicated. As a software developer, I have successfully developed complex dynamic forms with nested search queries, but it makes me ponder how can I validate a digital record or a signature that would make my developed system as reliable as a paper-based document management system?
In the work from home era, we all realized how important it is to digitize our important documents and what a lifesaver digital signatures are. With everything now getting electronically stored, electronic signatures and documentation are slowly replacing the paper-based system. That means we must now get ready to expand our digital storage plans rather than buying new filing cabinets...
The NextDocs Qualty Management System consists of a variety of pre configured solutions for managing SOPs, deviations, complaints, audit findings, change control and CAPA to deliver compliant, user-friendly solutions while minimizing the demands on business and IT Users.
For more information visit http://www.nextdocs.com
Sanofi Pasteur MSD Inoculates Itself Against Document Management Inefficiency...NextDocs
Overview
Sanofi Pasteur MSD offers the widest range of vaccines of any company doing business in Europe today. It delivers vaccines to more than 390 million people in 19 countries, but before it can deliver those vaccines to those millions of people, Sanofi Pasteur MSD must collect and submit thousands of documents to as many as 19 separate regulatory agencies. The challenge for the company was the manual process of finding, capturing, reviewing, approving, and storing these documents. There was no consistent process for managing this task, no central document repository, and no significant automation. To overcome the inefficiencies and to enable process transparency, they began searching for a document management solution designed to meet the needs of Life Sciences companies. This solution needed to comply with recognized standards, had to be easy to use by employees in many locations, and had to fit in with the company’s IT strategy. The solution? The Document Management System from NextDocs.
“Failure to follow established SOPs is one of the most frequently cited violations in FDA 483s and warning letters. The frequency of SOP-related violations points to the need for all regulated companies to review their SOPs, their methods for distributing compliant SOP training curricula, their methods of validating receipt and testing for comprehension of the materials, and their documentation of SOP training activities. Additionally, enterprise-wide training programs must include automated methods for new employee on boarding, and for annual refresher training. “
BioPharm International
Global Quality Assurance and Regulatory Compliance
by Denise Queffelec and David Peterson
The NextDocs' pre configured solution for managing procedural documentation addresses these key challenges to deliver a compliant, user-friendly solution while minimizing the demands on your already overtaxed business and IT users.
NextDocs’ collaborative solution for clinical trials, built on Microsoft SharePoint provides an integrated platform that streamlines processes, automates information exchange, and dramatically reduces administrative overhead associated with running clinical trials. Our clinical portal allows clinical teams to work together in an effective and efficient manner by keeping trial personnel connected, informed and on task – providing access to everyone at any time, from anywhere. NextDocs Clinical Document Management solution is based on the NextDocs compliance platform, which includes a comprehensive set of features that address all ICH, FDA, EMEA, and MHLW regulatory requirements.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
21 CFR Part 11 Challenges and Solutions - White Paper
1. 21 CRF Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER
WHITE PAPER November 2010
21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
Kathie Clark
Director, Product Management
NextDocs Corporation
November 2010
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
2. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Contents
Introduction.................................................................................................................................................... 3
21 CFR PART 11 Background ....................................................................................................................... 3
21 CFR Part 11 Definitions ......................................................................................................................... 3
Scope of 21 CFR Part 11 ........................................................................................................................... 4
Open vs. Closed Systems............................................................................................................................. 5
Electronic Record Functionality and Issues for NextDocs ....................................................................... 6
Electronic Signature Functionality and Issues for NextDocs ................................................................. 15
Summary ...................................................................................................................................................... 21
References ................................................................................................................................................... 21
2
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
3. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Introduction
Many sponsors are concerned with the risks and costs involved in ensuring that their electronic systems comply with the FDA’s ruling on
acceptance of Electronic Records and Electronic Signatures in place of their paper equivalents (21 CFR Part 11). Although the ruling has been in
place since 1997, there is often a lack of clarity concerning what characteristics and features a software solution must have to comply with 21 CFR
Part 11. Even when a solution meets all of its requirements, ensuring that procedural requirements are met may be a bigger challenge.
Although sponsors’ concerns are certainly valid, Part 11 compliance also provides an opportunity. Sponsors and the FDA share a common goal
of ensuring the integrity of their data, documentation and computer systems. If Part 11 compliance can be achieved by software configured to
represent the sponsor’s desired business process, the burden on both system users and IT administrators can be minimal. The sponsor can then
achieve benefits around both process automation and process transparency.
The intent of this paper is to describe how NextDocs products provide a built-in platform for 21 CFR Part 11 compliance while providing capabilities
that allow sponsors to automate, monitor and control their processes.
21 CFR PART 11 Background
21 CFR Part 11 Definitions
The FDA provides the following definitions in 21 CFR Part 11 for Electronic Records and Electronic Signatures:
“Electronic record means any combination of text, graphics, data, audio, pictorial, or other
information representation in digital form that is created, modified, maintained, archived,
retrieved, or distributed by a computer system.”
“Electronic signature means a computer data compilation of any symbol or series of symbols
executed, adopted, or authorized by an individual to be the legally binding equivalent of the
individual’s handwritten signature.”
3
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
4. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Scope of 21 CFR Part 11
The Code of Federal Regulations [1] statement of scope regarding Part 11 clarifies what Part 11 applies to:
The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten
signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed
on paper.
a. This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any
records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under
requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically
identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic
means.
b. Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider
the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency
regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
c. Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with Sec. 11.2, unless
paper records are specifically required.
d. Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily
available for, and subject to, FDA inspection.
In August 2003, FDA provided non-binding clarification pertaining to the scope of Part 11 and their intentions related to enforcing the provisions of
Part 11 in the document entitled “Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application” (published
8/28/2003).[2] Important comments on scope included the following:
“Under the narrow interpretation of the scope of Part 11, with respect to records required to be maintained under predicate rules or submitted to
FDA, when persons choose to use records in electronic format in place of paper format, Part 11 would apply. On the other hand, when persons
use computers to generate paper printouts of electronic records, and those paper records meet all the requirements of the applicable predicate
rules and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be “using electronic
records in lieu of paper records” under §§ 11.2(a) and 11.2(b). In these instances, the use of computer systems in the generation of paper records
would not trigger Part 11.”
4
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
5. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Under this narrow interpretation, FDA considers Part 11 to be applicable to the following records or signatures in electronic format:
● Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of
paper format.
● Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format, and
that are relied on to perform regulated activities.
● Records submitted to FDA, under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic
format (assuming the records have been identified in docket number 92S-0251 as the types of submissions the Agency accepts in
electronic format).
● Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by
predicate rules.
Further FDA guidance states: “Electronic documents that bypass the controls for electronic files described in 21 CFR 11 are not considered official
documents for review.” [3]
Based upon this guidance, it is clear that document management systems used to create, review, approve and archive documentation produced
in support of predicate rules such as (but not limited to) Good Laboratory Practice, Good Clinical Practice, and Good Manufacturing Practice are
subject to 21 CFR Part 11.
Open vs. Closed Systems
An important consideration in evaluating the impact of 21 CFR Part 11 on NextDocs applications is whether the specific system implementation is
considered a closed or open system.
The FDA provides the following definitions in 21 CFR Part 11 for closed and open systems.
“Closed system means an environment in which system access is controlled by persons
who are responsible for the content of electronic records that are on the system.”
“Open system means an environment in which system access is not controlled by persons
who are responsible for the content of electronic records that are on the system.”
5
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
6. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Electronic Record Functionality and Issues for NextDocs
The following table describes the functionality that NextDocs provides in support of 21 CFR Part 11.
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
§ 11.10 CONTROLS FOR CLOSED SYSTEMS.
(a) Validation of systems to Validation is ultimately the responsibility “The Agency intends to exercise enforcement Most of our clients’ implementations
ensure accuracy, reliability, of the client as validation can only be discretion regarding specific Part 11 requirements require validation under a strict
consistent intended performed in the environment in which for validation of computerized systems (§ interpretation of part 11. In addition,
performance, and the ability the software will be used, and against 11.10(a) and corresponding requirements in § validation of any computer system that
to discern invalid or altered specifications defined by system users. 11.30). Although persons must still comply with manages essential records is highly
records. all applicable predicate rule requirements for recommended. Only execution of a
NextDocs offers a validation toolkit to validation (e.g., 21 CFR 820.70(i)), this guidance sound validation program ensures that a
streamline the validation process. The should not be read to impose any additional computerized system has been properly
toolkit includes a sample validation requirements for validation.” [2] installed and will function as expected,
master plan and traceability matrix, both under normal operations and when
ready-to-run scripts for IQ and OQ, “We suggest that your decision to validate stressed to its expected limits.
summary report templates, and sample computerized systems, and the extent of the
PQ scripts. validation, take into account the impact the NextDocs’ validation toolkit and expert
systems have on your ability to meet predicate advice significantly decrease time and
NextDocs also has standard professional rule requirements. You should also consider effort in implementing a validated system.
services packages that include the impact those systems might have on the Our configuration-only approach avoids
assistance with validation planning, PQ accuracy, reliability, integrity, availability, and the high risk associated with deploying
script preparation, and managing PQ authenticity of required records and signatures. custom software.
script execution and documentation Even if there is no predicate rule requirement
activities. to validate a system, in some instances it may NextDocs provides in-place software
still be important to validate the system. We upgrades that ensure lower cost of
recommend that you base your approach on a ownership for the system over time. With
justified and documented risk assessment and each software release, NextDocs updates
a determination of the potential of the system the relevant portions of the validation
to affect product quality and safety, and record toolkit to further simplify the work required
integrity. For instance, validation would not be by our clients. Clients can then use the
important for a word processor used only to updated toolkit as the basis for their re-
generate SOPs.” [2] validation.
6
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
7. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
Many of our clients upgrade the underlying
software themselves without NextDocs’
involvement.
With a business-critical system such as
electronic document management, an
investment in validation yields a return
after go-live in the form of decreased
problem reports and clarity on how the
system meets user requirements.
(b) The ability to generate Actual generation of records is a client “The Agency intends to exercise enforcement Since the document management system
accurate and complete responsibility. NextDocs facilitates discretion with regard to specific Part 11 automatically manages properties that
copies of records in both generating copies of records by: requirements for generating copies of records (§ indicate the status, nature and scope of
human readable and 11.10 (b) and any corresponding requirement in each document, it is easy for an authorized
electronic form suitable • Viewing records in native electronic §11.30).” [2] user to locate records needed by a
for inspection, review, and format with any computer running regulatory authority (or internal auditor).
copying by the agency. one of several supported browsers. “We recommend that you supply copies of Therefore, the time to respond to a request
Persons should contact electronic records by: for records is decreased and confidence in
the agency if there are the ability to supply the correct records is
• Allowing records to be exported by
any questions regarding increased.
dragging and dropping to any de- • Producing copies of records held in com-
the ability of the agency to
sired file system location mon portable formats when records are
perform such review and
maintained in these formats . . .
copying of the electronic
records. • Providing sophisticated controlled,
uncontrolled and clean copy printing • Using established automated conversion or
capabilities export methods, where available, to make
copies in a more common format (ex-
amples of such formats include, but are not
limited to, PDF, XML, or SGML)” [2]
7
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
8. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(c) Protection of records to NextDocs systems automatically “lock “The Agency intends to exercise enforcement Measures are put in place to protect
enable their accurate and down” official versions of documents so discretion with regard to the Part 11 requirements documents against accidental deletion or
ready retrieval throughout the that they cannot be deleted or modified for the protection of records to enable their modification, such as might occur on a file
records retention period. without following system configurable accurate and ready retrieval throughout the system.
change control procedures. records retention period (§ 11.10 (c) and any
corresponding requirement in §11.30).”[2] Flexible support for archiving electronic
records enables NextDocs clients to
“FDA does not intend to object if you decide to support multiple scenarios, including but
archive required records in electronic format not limited to:
to non-electronic, media such as microfilm,
microfiche, and paper, or to a standard electronic • Maintaining electronic records
file format (examples of such formats include, but in the production NextDocs
are not limited to, PDF, XML, or SGML).” [2] system.
Archiving of documents and eventual destruction • Moving electronic records to
should be controlled by a records management other media formats.
policy and an SOP. This is generally a legal and
corporate policy issue rather than a technology
issue.
8
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
9. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(d) Limiting system access to Access to NextDocs can be controlled by In general, an SOP is needed on establishing Access can be controlled at the site or
authorized individuals. configuration. Security can be configured and maintaining user access to the system and/ sub-site level. For example, a repository
to use Active Directory or Active Directory or network. can be created for documents associated
Lightweight Directory Services accounts with a single product, clinical study or
or accounts created within SharePoint. clinical or manufacturing site if desired,
and system access limited to users having
Internal users with on-premises a need to access those documents.
deployments can access NextDocs
applications through single sign-on Access can also be controlled at the
without requiring additional system login library, list or individual document level.
unless performing a signature related
action in the system. Alternatively, if a The use of Active Directory means that
client’s Part 11 interpretation requires enabling access is fast and easy. Access
explicit sign-on to access the system, can even be granted by non-administrators
single sign-on can be disabled. using NextDocs workflows to approve
access requests. Requests can be
Internal users with hosted deployments expedited by configuring electronic forms
access NextDocs applications by that include only essential information
providing a user name and password. needed to confirm and activate a user
account.
External users access NextDocs
applications by providing a user name The resulting benefit is the ability to
and password. Depending on a client’s grant fast, targeted access to users both
security set-up, Virtual Private Network within and outside the organization. For
(VPN) access may be required as well. example, external investigators can be
granted clinical portal access in minutes,
without the need for any hard copy
paperwork, but with an electronic record
and corresponding audit trail instead.
9
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
10. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(e) Use of secure, computer- NextDocs records: An SOP may be needed to govern retention and Audit trails have value not only in fulfilling
generated, timestamped archiving of audit trail items. the requirements of Part 11, but also in
audit trails to independently • Record modification events including providing transparency into document
record the date and time check-in and check-out. management processes. For example:
of operator entries and
actions that create, modify, • If a defined process was not followed,
or delete electronic records.
• Move, copy, delete and undelete
events. the audit trail provides insight into the
Record changes shall not discrepancy occurred.
obscure previously recorded
information. Such audit trail • Electronic/Digital Signature events.
documentation shall be
• If a question arises over who partici-
pated in the approval of a document,
retained for a period at least • Lifecycle promotions and demotions
the audit trail will provide names and
as long as that required for
dates for all involved.
the subject electronic records • Workflow events
and shall be available for
agency review and copying. • If defined timelines are not being met,
• Permission changes audit trails can uncover if this was
due to delayed review or approval,
• Record viewing (configurable). multiple review cycles, or inexpertly
long times in preparing drafts.
Audit trails are supplemented by detailed
Audit trail entries include event, user workflow histories providing even more
name and server-based time/date stamp. insight into the actions taken on a
Local time/date stamps can also be document.
configured if desired.
Audit trail records are retained indefinitely
unless manually purged from the system.
NextDocs also provides access to and
copying of the audit trail. The audit trail
can be saved to Excel with a single
click for advanced sorting, filtering and
analysis.
10
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
11. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(f) Use of operational system These checks are implemented in a Since these operational checks are configurable, A NextDocs system guides a user through
checks to enforce permitted number of areas. Some examples NextDocs works with the client during the the creation, review, approval and release
sequencing of steps and include: requirements phase of a project to define the of a document in accordance with a series
events, as appropriate. specific checks that add value in the client’s of defined steps. Benefits include:
• Ensuring that documents follow a environment.
defined lifecycle • Decreased training time, since a user
is prompted to follow steps rather
• Ensuring that workflows are used than having to memorize them or
when needed to move a document consult documentation
through its lifecycle
• Decreased remediation time for IT
• Ensuring that documents are proper- and business administrators to repair
ly set up to display digital signatures flawed documents that were not cre-
before they can be signed ated or managed in accordance with
standards
• Ensuring that all required signatures
are collected before a document is • Increased standardization, making
approved documents easier to find and work
with
• Ensuring that documents meet re-
quirements such as having a valid
PDF rendition before becoming ap-
proved or effective
• Ensuring that all required metadata
is entered for a document
• Enforcing the use of approved tem-
plates for authoring
• Limiting pick lists to appropriate
values when creating or modifying
document properties
11
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
12. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(g) Use of authority checks to These checks are implemented in a Generally, a client will need an SOP on system As with operational checks, authority
ensure that only authorized number of areas. Some examples include security and/or SOP on physical security to checks result in decreased training time
individuals can use the limiting the following to authorized users: prevent access to system by unauthorized users. (since users will not be able to perform
system, electronically sign a operations in which they have not been
record, access the operation • Modifying a document’s content or trained) and decreased need for document
or computer system input or properties remediation.
output device, alter a record,
or perform the operation at
hand.
• Initiating or participating in workflows
• Applying digital/electronic signatures
• Modifying system configurations
• Generating controlled or uncon-
trolled copy prints
• Modifying essential information,
such as study investigators
• Approving requests for system ac-
cess
(h) Use of device (e.g., This requirement does not apply to
terminal) checks to NextDocs since the system does not
determine, as appropriate, have any functionality where information
the validity of the source of is valid only when entered from specific
data input or operational terminals.
instruction.
12
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
13. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(i) Determination that NextDocs maintains resumes and training Much of the burden of meeting this requirement NextDocs also provides built-in support
persons who develop, records s to provide evidence that our falls on the client. The client will need an SOP for maintaining training records within
maintain, or use electronic employees who develop and deploy our on training for users and administrators, and the system. Users can be assigned to
record/electronic signature software are trained and qualified to do must maintain applicable training records in roles, and those roles can be assigned
systems have the education, so. accordance with those SOPs. a training curriculum. The users then
training, and experience to receive notifications containing the details
perform their assigned tasks. NextDocs also provides client-specific The client can arrange an audit where NextDocs of the training to be completed. A training
training documentation to help our clients will present our methodology and practices. administrator can manage the ongoing
comply with this requirement. We also training and monitor progress of a user in
offer end user training, train-the-trainer completing assigned training. The training
training and administrator training. status of users for a specific document can
also be monitored and, if desired, used to
control document effectivity.
(j) The establishment of, Client responsibility
and adherence to, written
policies that hold individuals
accountable and responsible
for actions initiated under
their electronic signatures,
in order to deter record and
signature falsification.
13
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
14. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement [1] Supporting NextDocs Functionality Notes and References Potential Business Benefits
(k) Use of appropriate NextDocs’s documentation is maintained The client will need SOPs on document control If desired, a client can maintain system
controls over systems in our configuration management system applied to system operation and maintenance documentation within their NextDocs
documentation including: and available for review during audits. documentation (i.e. SOPs on use, operation and system. This will provide the necessary
maintenance, user guides and manuals, etc.). control over the documentation in terms of
Adequate controls over the However, ultimately it is the client’s change control and availability.
distribution of, access to, responsibility to control system The client will need SOPs on document change
and use of documentation documentation in their environment. control applied to system operation and
for system operation and maintenance documentation.
maintenance. NextDocs’ release notes describe the
names and versions of documentation
Revision and change control that apply to each product release.
procedures to maintain an In addition, each client receives
audit trail that documents documentation specific to their NextDocs
time sequenced development implementation.
and modification of systems
documentation.
§ 11.10 CONTROLS FOR CLOSED SYSTEMS.
§ 11.30 Controls for Open NextDocs systems that are hosted The client and validation team must determine if The ability to meet open systems
Systems. Same as § 11.10 may be considered open based on the the system is closed or open. requirements means that our clients
plus document encryption specific circumstances and the client’s can achieve benefits associated with
and use of appropriate 21 CFR Part 11 interpretation. The use application hosting if this is the most
digital signature standards to of digital signature is available in all appropriate solution for them.
ensure, as necessary under NextDocs products to fulfill the additional
the circumstances, record requirements imposed on open systems.
authenticity, integrity, and
confidentiality.
14
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
15. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Electronic Signature Functionality and Issues for NextDocs
NextDocs clients have reported significant benefits in implementing electronic signature including:
● Decreased time to complete the approval process, especially when approvers are located in different buildings, different sites, or different
countries
● Increased transparency into the review and approval process, as it’s always clear which approvers have completed a task and which have
yet to complete it
● Decreased cost and complexity of handling and retrieving official paper copies
The following table describes the electronic signature functionality that NextDocs provides in support of 21 CFR Part 11.
21 CFR 11 Requirement[1] Supporting NextDocs Functionality Notes and References
§ 11.50 Signature manifestations.
(a) Signed electronic records shall contain information associated with Signatures can be applied directly against a document or within a
the signing that clearly indicates all of the following: workflow task.
(1) The printed name of the signer; Meaning of signature must be selected by the signer from a list that is
configured by an administrator. The available meanings of signatures
(2) The date and time when the signature was executed; and are based on what type of task is being performed. For example, the
meanings available in the list might be different for a QA Approval task
and a Regulatory Approval task. If appropriate for the business process,
(3) The meaning (such as review, approval, responsibility, or
it’s possible to configure the system to allow the signer to enter a custom
authorship) associated with the signature.
meaning.
NextDocs validates the signature and captures the user name, local date
and time and GMT/UTC offset, server date and time, and meaning for
signature. Local date and time or server date and time can be displayed
in the manifestation as desired. This information is recorded in the audit
trail.
15
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
16. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement[1] Supporting NextDocs Functionality Notes and References
b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this A document must have predefined locations for digital signature to be By using digital signature
section shall be subject to the same controls as for electronic records manifested. The digital signature appears in the preconfigured location, technology, NextDocs
and shall be included as part of any human readable form of the generally with a facsimile of the hard copy signature. The digital clients benefit from
electronic record (such as electronic display or printout). signature manifests in various document formats including MS Office and a standard that goes
PDF. beyond the requirements
of 21 CFR Part 11
including:
• Document modifi-
cations after sign-
ing will physically
change the appear-
ance of the signa-
ture to indicate it is
no longer valid.
• Signatures are
portable outside the
NextDocs system
in which they were
signed and univer-
sally accepted.
• Signatures meet
the more stringent
requirements of
some European
countries.
§ 11.70 Signature/record linking.
16
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
17. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement[1] Supporting NextDocs Functionality Notes and References
Electronic signatures and handwritten signatures executed to Signatures are bound directly to a specific version of a document. The advantage of a
electronic records shall be linked to their respective electronic records digital signature is that
to ensure that the signatures cannot be excised, copied, or otherwise NextDocs digital signatures are based on Public Key Infrastructure (PKI) the signature remains
transferred to falsify an electronic record by ordinary means. and are a result of a cryptographic operation that guarantees signer verifiable as valid even
authenticity, data integrity and non-repudiation of signed documents. The when the document
digital signature cannot be copied, tampered or altered. is removed from the
SharePoint repository
(such as when it is
Digital signatures appearing in a document automatically appear as
removed for submission
invalid when the document changes in any way.
publishing, archiving, or
transfer via email).
During change control the signature is removed for the draft version in
anticipation of future approval and signing.
§ 11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and Since NextDocs is generally implemented such that user credentials are The client will need an
shall not be reused by, or reassigned to, anyone else. supplied via Active Directory (or Active Directory Lightweight Directory SOP on establishing
Services), compliance is built in. and maintaining user
accounts – generally
Active Directory will ensure that a user name cannot be re-used within a something that is already
given domain, and provide the ability to disable (rather than delete) users needed in order to
who are removed from the system. By maintaining a record of previous access the network.
users, reuse of user IDs will not be possible.
Clients will benefit from
NextDocs signatures authenticate the content of documents by attributing NextDocs seamlessly
the signer to the signed document. Every signer is identified by an issued integrating into their
certificate (or by that of an external trusted entity). This identification existing infrastructure
is based on the fact that the user is a recognized employee in the and policies around
organization. credential management
as opposed to deploying
and managing a wholly
separate system.
17
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
18. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement[1] Supporting NextDocs Functionality Notes and References
(b) Before an organization establishes, assigns, certifies, or otherwise Client responsibility. The client will need a
sanctions an individual’s electronic signature, or any element of such policy on verifying user
electronic signature, the organization shall verify the identity of the identity – generally
individual. something that is already
needed for employment
and network access.
(c) Persons using electronic signatures shall, prior to or at the time Client responsibility.
of such use, certify to the agency that the electronic signatures in
their system, used on or after August 20, 1997, are intended to be
the legally binding equivalent of traditional handwritten signatures. (1)
The certification shall be submitted in paper form and signed with a
traditional handwritten signature, to the Office of Regional Operations
(HFC–100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons
using electronic signatures shall, upon agency request, provide
additional certification or testimony that a specific electronic signature
is the legally binding equivalent of the signer’s handwritten signature.
§ 11.200 Electronic signature components and controls.
18
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
19. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement[1] Supporting NextDocs Functionality Notes and References
(a) Electronic signatures that are not based upon biometrics shall: Each time a signature is applied, both a user name and password are
required.
(1) Employ at least two distinct identification components such as an
identification code and password. NextDocs supports a configurable automatic time-out during periods of
system inactivity. This time-out will also end a user’s continuous and
(i) When an individual executes a series of signings controlled access to the system.
during a single, continuous period of controlled
system access, the first signing shall be executed
using all electronic signature components;
subsequent signings shall be executed using at
least one electronic signature component that is
only executable by, and designed to be used only
by, the individual.
(ii) When an individual executes one or more signings
not performed during a single, continuous period
of controlled system access, each signing shall
be executed using all of the electronic signature
components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of
an individual’s electronic signature by anyone other than its genuine
owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to NA – Biometrics are not used by NextDocs.
ensure that they cannot be used by anyone other than their genuine
owners.
19
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
20. 21 CFR Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
21 CFR 11 Requirement[1] Supporting NextDocs Functionality Notes and References
§ 11.300 Controls for identification codes/ passwords. Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ
controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification See item § 11.100 (a).
code and password, such that no two individuals have the same
combination of identification code and password.
(b) Ensuring that identification code and password issuances are This is a client responsibility, generally achieved through settings in
periodically checked, recalled, or revised (e.g., to cover such events Active Directory. Windows and Active Directory infrastructure can enforce
as password aging). password policy for complexity and expiration. Windows integrated
authentication and Basic authentication can leverage this automatically.
(c) Following loss management procedures to electronically NextDocs does not make use of tokens, cards, and other devices that
deauthorize lost, stolen, missing, or otherwise potentially bear or generate identification code or password information.
compromised tokens, cards, and other devices that bear or generate
identification code or password information, and to issue temporary or Windows and Active Directory administrators can deactivate users,
permanent replacements using suitable, rigorous controls. change users’ passwords, or require users to change passwords after
issuing a temporary password. Windows integrated authentication and
Basic authentication can leverage this automatically
(d) Use of transaction safeguards to prevent unauthorized use of This is a client responsibility, generally achieved through settings in Active
passwords and/or identification codes, and to detect and report in Directory.
an immediate and urgent manner any attempts at their unauthorized
use to the system security unit, and, as appropriate, to organizational The Microsoft Windows family of products can audit logon changes and
management. failed attempts. Group policy can enforce account lockout policy to help to
prevent brute force password guessing. Lockout policy is based on failed
attempts for a time window and users can be locked out for specified
times before they can attempt again (or not).
(e) Initial and periodic testing of devices, such as tokens or cards, NextDocs does not make use of tokens, cards, and other devices that
that bear or generate identification code or password information to bear or generate identification code or password information.
ensure that they function properly and have not been altered in an
unauthorized manner.
20
NextDocs Corporation: 500 N. Gulph Road, Suite 240, King of Prussia, PA 19406. Tel: 610.265.9474 Web: www.nextdocs.com
21. 21 CRF Part 11 Challenges and Solutions
NextDocs Product Compliance
WHITE PAPER November 2010
Summary
NextDocs solutions are packaged products deployed widely throughout the life sciences industry by configuring, not customizing, to meet user
requirements. Our client base ranges from small start-ups to top ten Biopharmaceutical, Medical Device, CRO and technology companies. Nearly
all of NextDocs clients require validated, Part 11 compliant software. We have worked with our clients to enable them to gain and demonstrate Part
11 compliance – and associated business benefits – as quickly and easily as possible.
Our recommended approach for clients creating a plan to deploy NextDocs products in a regulated environment is:
● Review this position paper and work with us to address any questions or concerns.
● Map out the activities and deliverables needed to achieve Part 11 compliance for your specific implementation.
● Determine how NextDocs can best support you by providing templates, creating plans and scripts, augmenting your staff to perform
validation activities, or simply providing advice.
References
[1]
Code of Federal Regulations, Title 21 - Food and Drugs, Part 11 - Electronic Records; Electronic Signatures
[2]
Guidance for Industry, Part 11, Electronic Records; Electronic Signatures - Scope and Application (FDA, August 2003)
[3]
Guidance for Industry: Providing Regulatory Submissions in Electronic Format — General Considerations (FDA, January 1999)
PAGE 21
NextDocs Corporation
500 N. Gulph Road, Suite 240, King of Prussia, PA 19406
Tel: 610.265.9474
NextDocs is the leading provider of regulatory document and quality management software solutions
based on SharePoint 2007. Our products are purpose-built for businesses in highly regulated
environments. By improving on Microsoft’s dynamic SharePoint platform, NextDocs document
management solutions are cost-effective, intuitive, flexible and scalable.
For more information visit: www.nextdocs.com