WP_UL Compliance wth 21CFR Part_11

Complying with 21 CFR Part 11:
Electronic Records and Signatures

Complying with 21 CFR Part 11:
Electronic Records and Signatures
In 1997, the Food and Drug Administration (FDA) issued the final rule on the criteria
under which electronic signatures and records will be accepted in lieu of handwritten
signatures and records executed on paper.
The scope of this regulation, 21 CFR Part 11, has far reaching implications for all
businesses in the Pharmaceutical, Biotech, Medical Device, Health Care, and Food
industries. According to the rule, “this Part (21 CFR Part 11) applies to records
in electronic form that are created, modified, maintained, archived, retrieved or
transmitted.”1
With the final ruling, companies can take advantage of today’s electronic technology
to improve and streamline existing processes. The cost of not taking advantage of
electronic records and signatures can be detrimental to the competitiveness of a
company’s position in its marketplace.
UL EduNeering’s ComplianceWire® system enables FDA regulated industries to cost-
effectively comply with Part 11 while achieving optimal operational and regulatory
compliance efficiencies. Companies can transition to a paperless environment that
supports current Good Manufacturing Practices (cGMP) with ComplianceWire.
Speed, accuracy, reliability, collaboration and visibility are benefits that can directly
be attributed to the elimination of the enormous overhead of maintaining an
exhaustive paper trail and disparate legacy systems to conduct compliance training.
ComplianceWire is an integrated web-based training platform designed explicitly for
FDA-regulated industries.
The purpose of this white paper is to provide businesses in the Pharmaceutical, Biotech,
Medical Device, Health Care, and Food industries with a baseline framework of how
ComplianceWire addresses the technical requirements of Part 11. Each industry has
a set of unique needs and interpretation of Part 11. ComplianceWire recognizes the
demands of FDA regulated industries and has created a flexible solution to address
these differences. The objective is to help these industries quickly and cost-effectively
comply with Part 11. ComplianceWire not only complies with Part 11, but also provides
companies with an operational infrastructure that will help facilitate the compliance
training they require.
1 Food and Drug Administration, 21 CFR Part 11 Electronic Records; electronic Signatures; Final Rule
Electronic Submissions; Establishment of Public Docket; Notice, page 36.

Complying with 21 CFR Part 11
Table of Contents:
DEFINITIONS AND
TERMINOLOGY. . . . . . . . . . . . . . . 3
FDA DEFINITIONS AND
TERMINOLOGY. . . . . . . . . . . . . . . 3
LEVELS OF CONTROL . . . . . . . . . 4
COMPLYING WITH PART 11 . . . 4
Table 1: Subpart B –
Electronic Records. . . . . . . . . . . . 5
Controls for Closed Systems . . . . 5
Controls for Open Systems. . . . . . 8
Signature Manifestations . . . . . . . 8
Signature/Record Linking . . . . . . . 9
Table 2: Subpart C –
Electronic Signatures . . . . . . . . . 9
General Requirements. . . . . . . . . . 9
Electronic Signature
Components and Controls . . . . 10
Controls for Identification
Codes/Passwords. . . . . . . . . . . . . 11
DEFINITIONS AND TERMINOLOGY
A general glossary of terms, acronyms and abbreviations used in ComplianceWire and associated
documentation is maintained as a separate training aid document on ComplianceWire. Click the
Support tab, click the Tools link, click the Platform Documentation link, and select the Reference
Guide Glossary document.
TERM Definition
CBT Computer Based Training
A particular type of training. Used to present such documents as SOPs,
functional specifications, mechanical drawings, etc.
Control Documents Also known as CICS (Critical Information Control System)
CSV Files Comma separated value files
ILC Instructor Led Course (also known as Instructor Based Training)
A particular type of training. Used to track non-system events (e.g., non-
computer-based events). These events could include meetings, seminars,
skill-based demonstrations, etc.
FDA DEFINITIONS AND TERMINOLOGY
There are seven key terms that the FDA has defined for this regulation.
TERM Definition
Closed System An environment in which system access is controlled by persons who are
responsible for the content of electronic records that are on the system.
Open System An environment in which system access is not controlled by persons who
are responsible for the content of electronic record who are on the system.
ER/ES A frequently used acronym for Electronic Records/Electronic Signature
Electronic Record Any combination of text, graphics, data, audio, pictorial or other
information representation in digital form that is created, modified,
maintained, archived, retrieved or distributed by a computer system.
Electronic Signature A computer data compilation of any symbol or series of symbols,
executed, adopted or authorized by an individual to be the legally
binding equivalent of the individual’s handwritten signature.
Digital Signature An electronic signature based upon cryptographic methods of originator
authentication, computed by using a set of rules and a set of parameters
such that the identity of the signer and the integrity of the data can be
verified.
Handwritten
Signature
The scripted name or legal mark of an individual handwritten by that
individual and executed or adopted with the present intention to
authenticate a writing in a permanent form. The act of signing with a
writing or marking instrument such as a pen or stylus is preserved. The
scripted name or legal mark, while conventionally applied to paper, may
also be applied to other devices that capture the name or mark.
Biometrics A method of verifying an individual’s identity based on measurement of
the individual’s physical feature(s) or repeatable action(s) where those
features and/or actions are both unique to that individual and measurable.

LEVELS OF CONTROL
The 21 CFR Part 11 regulation requires organizations to have in
place three levels of control:
• Administrative Controls = e.g. policies for Part 11 and the use of
electronic signatures.
• Procedural Controls = SOPs for using ComplianceWire.
• Technical Controls = Functions built into the system that ensure
the reliability and integrity of electronic records and signatures.
ComplianceWire is designed to be compliant with 21 CFR Part
11 technical controls, but it is the user who is responsible for
providing policies and procedures for using the system.
TECHNICAL
CONTROLS
ComplianceWire®
designedtobecompliant
PROCEDURAL
CONTROLS
21CFRPart11
Requirementsdefined
intheregulations
ADMINISTRATIVE
CONTROLS
Proceduresfor
ComplianceWire
(companyinternalguidelines)
UL
Responsibility
User
Responsibility
COMPLYING WITH PART 11
21 CFR Part 11 is made up of two major subparts that provide guidelines that regulated companies must minimally follow to achieve
the level of integrity, reliability and consistency of electronic records and signatures acceptable to the FDA. Complying with the Part
11 regulation requires a combination of strong management procedures and computer systems that meet the technical aspect of the
guideline such as application security, audit trails, and password protection.
UL EduNeering actively works with the Pharmaceutical, Biotech, Medical Device, Health Care, Food industries and the FDA to ensure
that our solutions comply with the technical aspect of Part 11. Each customer’s security and standard operating procedures (SOPs) for
supporting this regulation are unique. ComplianceWire is flexible and configurable to meet the training requirements of various
SOPs and implementations needed to facilitate this regulation. Tables 1 and 2 detail how ComplianceWire addresses the specific
requirements outlined in Subpart B and C, electronic records and signatures, respectively.2
2 The requirements in these tables have been extracted from the United States FDA regulations known as Title 21 of the Code of Federal Regulations,
Part 11, titled “Electronic Signatures and Electronic Records.”

Table 1: Subpart B – Electronic Records
Subpart B of the regulation requires procedures and controls to ensure authenticity, integrity confidentiality of electronic records, and
that signed records cannot be readily repudiated as not genuine.
Section REQUIREMENTS COMPLIANT UL STRATEGIES
§11.10 Controls for Closed Systems
Persons who use closed systems to create, modify, maintain or transmit electronic records shall employ procedures and
controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records,
and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls
shall include the following:
(a) Validation of systems to ensure
accuracy, reliability, consistent intended
performance, and the ability to discern
invalid or altered records.
YES Appropriate documentation is generated by UL
EduNeering as work progresses in the development and
testing of each ComplianceWire release. There is a formal
Validation Plan that provides documented evidence that
the system consistently conforms to the requirements and
is adequate for its intended use. According to this plan,
UL EduNeering validates all modifications and additions
to the ComplianceWire system prior to their release. Per
contract, each client may audit UL EduNeering and review
all applicable documentation.
(b) The ability to generate accurate and
complete copies of records in both
human readable and electronic form
suitable for inspection, review and
copying by the agency. Persons should
contact the agency if there are any
questions regarding the ability of the
agency to perform such review and
copying of the electronic records.
YES Users can create reports and select the information
they wish to see when viewing information in various
areas of ComplianceWire. The reports can be viewed
online, downloaded, e-mailed, and printed in multiple
formats (csv, Excel, pdf). Additional custom reports can
be developed and incorporated as required to meet the
specific needs of each client.
(c) Protection of records to enable their
accurate and ready retrieval throughout
the records retention period.
YES ComplianceWire stores records in a secure SQL server
database. Security features such as User ID/Password and
security roles protect the records stored in the system
throughout the records retention period. Additionally,
passwords and electronic signatures that are stored are
encrypted in the database, the database connection string
is stored and retrieved from a protected area on the server,
and 128-bit SSL encryption is used to protect information
transmitted over the Internet.
(d) Limiting system access to authorized
individuals.
YES Only authorized individuals with a valid User ID, Password,
and Company Code can log into the system. Password
policies (including complexity and expiry requirements)
can be established. Users who fail to login after a
determined number of attempts can be locked out.
Optionally, access to ComplianceWire can be limited to an
established range of IP addresses.

Continued
(e) Use of secure, computer-generated, time-
stamped audit trails to independently
record the date and time of operator
entries and actions that create, modify,
or delete electronic records. Record
changes shall not obscure previously
recorded information. Such audit trail
documentation shall be retained for a
period at least as long as that required
for the subject electronic records and
shall be available for agency review and
copying.
YES ComplianceWire provides a chronological history of
activity in the system in the Event Log. The user, the
operation performed (event), and the date/time it was
performed are recorded.
There is a complete audit trail (User Account History) of all
changes made to user accounts. The field changed, the old
value, the new value, the user making the change, and the
date/time of the change are recorded.
There is a chronological history (Group Membership
History, Suggested Group Membership History) of all
changes made to user groups. The user making the
change, the date/time of the change, and the action taken
are recorded. The action taken includes users added to and
removed from the group.
There is a complete audit trail (Training History) of all
changes made to training items. The field changed, the old
There is a complete audit trail (Roster History) of all
changes made to class rosters. The field changed, the old
There is a chronological history (Curriculum History) of
all changes made to curriculums. The user making the
change, the date/time of the change, and the action taken
are recorded. The action taken includes training items
added to and removed from the curriculum.
(f) Use of operational system checks to
enforce permitted sequencing of steps
and events, as appropriate.
YES ComplianceWire is designed and coded to minimize
required sequencing of work. In most cases, actions can
be performed in any order to meet the specific operating
procedures of our clients.
Where necessary, ComplianceWire enforces the proper
sequencing of steps and events.
(g) Use of authority checks to ensure that
only authorized individuals can use
the system, electronically sign a record,
access the operation or computer system
input or output device, alter a record, or
perform the operation at hand.
YES ComplianceWire has many customizable features to
assure that only authorized users can use or take action
within the system. These include: a three-component user
login, custom defined user security roles, password expiry
and complexity policies, automatic session timeouts, and
use of electronic signatures.
Authorized users in ComplianceWire are assigned security
role(s) that define what features or operations each user is
allowed to access or perform.
(h) Use of device (e.g., terminal) checks to
determine, as appropriate, the validity of
the source of data input or operational
instruction.
YES Optionally, access to ComplianceWire can be limited to
users with valid IP addresses.
The capability of dual e-signatures on Forms functionality
is available.

Continued
(i) Determination that persons who develop,
maintain, or use electronic record/
electronic signature systems have the
education, training, and experience to
perform their assigned tasks.
YES It is ultimately the responsibility of the customer to
determine that the personnel involved with the operation
of the system have the education, training and experience
to perform their assigned tasks.
UL EduNeering regularly trains their employees through
both external and internal trainings. UL EduNeering tracks
our employee training in the ComplianceWire system.
Dashboards and Reporting are available to monitor,
remediate, and prevent training non-compliance.
(j) The establishment of, and adherence
to, written policies that hold individuals
accountable and responsible for
actions initiated under their electronic
signatures, in order to deter record and
signature falsification.
YES Customer procedural requirement.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution
of, access to, and use of documentation
for system operation and maintenance.
YES UL EduNeering has control over the distribution of, access
to, and use and maintenance of the ComplianceWire
documentation. All documentation is available for
customer review during on-site audit inspections.
Additionally, system users can access training aids online.
These aids are available via downloadable files. These files
include the User Reference Guide (in individual chapter
format). UL EduNeering provides this information as a
convenience, and leaves control and further distribution of
those documents as the responsibility of the customer.
(2) Revision and change control procedures
to maintain an audit trail that documents
time-sequenced development and
modification of systems documentation.
YES Internal change controls are in place and are followed by
UL EduNeering personnel when any changes are made to
the application or to controlled documents.
The methodology for the development of software
systems at UL EduNeering is described in our internal
System Development Life Cycle SOP and is available for
customer review during on-site audit inspections.

§11.30 Controls for Open Systems
Persons who use open systems to
create, modify, maintain, or transmit
electronic records shall employ
procedures and controls designed to
ensure the authenticity, integrity, and,
as appropriate, the confidentiality of
electronic records from the point of their
creation to the point of their receipt.
Such procedures and controls shall
include those identified in §11.10, as
appropriate, and additional measures
such as document encryption and
use of appropriate digital signature
standards to ensure, as necessary under
the circumstances, record authenticity,
integrity, and confidentiality.
YES Note:
UL EduNeering defines ComplianceWire as an open system
due to the nature of the Internet.
UL EduNeering considers ComplianceWire an open system
because it is the more conservative position to take and
therefore better serves all of our clients. We have applied
the extra controls required of an open system (for example,
SSL encryption over the Internet) so that no matter how
the client interprets ComplianceWire (open or closed),
we can support the technology required to meet their
interpretation.
ComplianceWire utilizes Secure Socket Layers (SSL) for data
transaction within the system and utilizes eSignatures in
customer-selected areas of the system.
UL EduNeering optionally limits system access to specific
IP ranges.
§11.50 Signature Manifestations
Note: ComplianceWire electronic signatures consist of two parts: a human readable/meaningful portion and a
computer readable/meaningful portion.
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer. YES ComplianceWire electronic signatures are comprised of the
signer information, including the First Name, Last Name,
and User ID within the system.
(2) The date and time when the signature
was executed.
YES ComplianceWire electronic signatures are comprised of
the computer generated date and time stamp when the
signature was executed.
(3) The meaning (such as review, approval,
responsibility, or authorship) associated
with the signature.
YES ComplianceWire electronic signatures are comprised
of the meaning/reason associated with the signature.
Signature reasons are customizable by each customer to
meet specific needs.
(4) The items identified in paragraphs (a)
(1), (a)(2), and (a)(3) of this section shall
be subject to the same controls as for
electronic records and shall be included
as part of any human readable form of
the electronic record (such as electronic
display or printout).
YES All eSignature records meet the same requirements as the
signed record as defined in 11.10c. Electronic signature
information is displayed in applicable areas of the
ComplianceWire system.

§11.100 General Requirements
(a) Each electronic signature shall be unique
to one individual and shall not be reused
by, or reassigned to, anyone else.
YES ComplianceWire uses an internal unique identifier
associated with each User ID, Password, and Company
Identifier as the electronic signature value. Each instance
of the signature value is unique.
(b) Before an organization establishes,
assigns, certifies, or otherwise sanctions
an individual’s electronic signature, or
any element of such electronic signature,
the organization shall verify the identity
of the individual.
N/A Customer procedures must be established to meet this
requirement.
The customer must accept the Terms of Use statement
before gaining access to ComplianceWire. This statement
includes disclaimers of both liability and warranty/
accuracy and use of electronic signatures information.
(c) Persons using electronic signatures
shall, prior to or at the time of such use,
certify to the agency that the electronic
signatures in their system, used on or
after August 20, 1997, are intended
to be the legally binding equivalent of
traditional handwritten signatures.
requirement.
(1) The certification shall be submitted in
paper form and signed with a traditional
handwritten signature, to the Office of
Regional Operations (HFC-100), 5600
Fishers Lane, Rockville, MD 20857.
requirement.
(2) Persons using electronic signatures shall,
upon agency request, provide additional
certification or testimony that a specific
electronic signature is the legally binding
equivalent of the signer’s handwritten
signature.
requirement.
§11.70 Signature/Record Linking
(a) Electronic signatures and handwritten
signatures executed to electronic
records shall be linked to their respective
electronic records to ensure that the
signatures cannot be excised, copied,
or otherwise transferred to falsify an
electronic record by ordinary means.
YES ComplianceWire is designed so that a system user cannot
delete, modify, or copy another user’s eSignature. The table
structure and encryption techniques used prevent people
with operating system level access from modifying or
copying signatures in any way.
Table 2: Subpart C – Electronic Signatures
Subpart C of the regulation pertains to electronic signatures. Electronic signatures must be unique to each individual and shall not be
reused or reassigned. Identity of individuals must be verified before an electronic signature can be assigned or used. Subpart C also
covers the administration controls requirements to ensure security and integrity of identification codes and passwords.

§11.200 Electronic Signature Components and Controls
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification
components such as an identification
code and password.
YES Access to ComplianceWire is protected by requiring the
user to enter three distinct identification components
(User ID, Password and Company Code).
(i) When an individual executes a series
of signings during a single, continuous
period of controlled system access, the
first signing shall be executed using
all electronic signature components;
subsequent signings shall be executed
using at least one electronic signature
component that is only executable by,
and designed to be used only by, the
individual.
YES Each time a user executes an electronic signature signing
in ComplianceWire, the user is required to enter two of the
electronic signature components (User ID of the current
logged in user and current Password), regardless of the
period of controlled system access activity.
(ii) When an individual executes one or more
signings not performed during a single,
continuous period of controlled system
access, each signing shall be executed
using all of the electronic signature
components.
YES Each time a user executes an electronic signature signing
in ComplianceWire, the user is required to enter two of the
electronic signature components (User ID of the current
logged in user and current Password), regardless of the
period of controlled system access activity.
(2) Be used only by their genuine owners. YES The currently logged in user who has a valid account in
ComplianceWire can only execute the eSignature.
Customer procedures must be established to meet this
requirement.
(3) Be administered and executed to ensure
that attempted use of an individual’s
electronic signature by anyone other than
its genuine owner requires collaboration
of two or more individuals.
requirement.
(b) Electronic signatures based upon
biometrics shall be designed to ensure
that they cannot be used by anyone other
than their genuine owners.
N/A ComplianceWire does not offer a Biometric option
for personnel identification as part of the standard
functionality. This interoperability can be developed and
incorporated as required to meet the specific needs of each
client.

§11.300 Controls for Identification Codes/Passwords
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall
employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintainingtheuniquenessofeachcombined
identificationcodeandpassword,suchthatno
two individuals have the same combination of
identification code and password.
YES ComplianceWire uses an internal unique identifier
associated with each User ID, Password and Company
Identifier as the electronic signature value. Each instance
of the signature value is unique.
(b) Ensuring that identification code and
password issuances are periodically
checked, recalled, or revised (e.g., to cover
such events as password aging).
YES ComplianceWire includes advanced configurable settings
allowing customers to define and manage password
lengths, password expiry, password complexity, password
reuse history, and account lockouts.
(c) Following loss management procedures to
electronically deauthorize lost, stolen, missing,
or otherwise potentially compromised tokens,
cards, and other devices that bear or generate
identification code or password information,
and to issue temporary or permanent
replacements using suitable, rigorous controls.
N/A ComplianceWire does not use tokens, cards, or other
devices that bear or generate identification code or
password information.
(d) Use of transaction safeguards to prevent
unauthorized use of passwords and/
or identification codes, and to detect
and report in an immediate and urgent
manner any attempts of their unauthorized
use to the system security unit, and, as
appropriate, to organizational management.
YES ComplianceWire can be configured to lockout users who
fail to login after a determined number of attempts. All
invalid login attempts are recorded in the Event Log.
Intrusion protection is enabled at the hardware level of
the website server and intrusion events are recorded in
the server’s event logs which are monitored.
(e) Initial and periodic testing of devices, such
as tokens or cards, that bear or generate
identification code or password information
to ensure that they function properly and have
not been altered in an unauthorized manner.
N/A ComplianceWire does not use tokens, cards, or other
devices that bear or generate identification code or
password information.
Note: Integrating ComplianceWire with another user authentication system (e.g., Active Directory) for the purpose of single sign-on
migrates users’ passwords and the controls for the use of identification codes/passwords outside of ComplianceWire. In such situations,
ComplianceWire login and electronic signatures are dependent on the Client user authentication system, not on ComplianceWire credentials
or the management tools built into ComplianceWire. By permitting the integration of ComplianceWire with another user authentication
system, the Client assumes responsibility for ensuring that such user authentication system is included in and is governed by the Client’s
quality system controls and that such user authentication system meets or exceeds the requirements of 21 CFR Part 11.
UL EduNeering’s full-service solution includes:
State-Of-The-Art Data Center — delivering online training
through a company-owned, state-of-the-art data center designed
and operated with the highest level of security and reliability
- consistent with the rigorous requirements of the regulatory
setting in which clients operate. Through an application service
provider (ASP) model, UL EduNeering assumes full responsibility
for the management of training documentation, course updates,
and hosting of clients’ proprietary materials.
Client Services Department — available on a 24 hours a day, 7
days a week basis.
Consulting Division — assisting clients in addressing learning
design, conducting regulatory compliance assessments, and
implementing inter-connections to existing information
databases and systems used within the client organization.
Learning Services Department — creating or customizing courses
and other training related materials to meet client requests.
These proprietary materials follow the highest standards of adult
learning theory; include clear objectives, and tests for proficiency
and comprehension.
Taken together, UL EduNeering provides a unique one-stop
solution to clients’ compliance training needs.

uleduneering.com
About UL EduNeering
UL EduNeering is a business line within UL Life Health’s Business Unit. UL is a global
independent safety science company offering expertise across five key strategic businesses:
Life Health, Product Safety, Environment, Verification Services and Enterprise Services.
UL EduNeering develops technology-driven solutions to help organizations mitigate risks,
improve business performance and establish qualification and training programs through a
proprietary, cloud-based platform, ComplianceWire®.
For more than 30 years, UL has served corporate and government customers in the
Life Science, Health Care, Energy and Industrial sectors. Our global quality and compliance
management approach integrates ComplianceWire, training content and advisory services,
enabling clients to align learning strategies with their quality and compliance objectives.
Since 1999, under a unique partnership with the FDA’s Office of Regulatory Affairs (ORA),
UL has provided the online training, documentation tracking and 21 CFR Part 11-validated
platform for ORA-U, the FDA’s virtual university. Additionally, UL maintains exclusive
partnerships with leading regulatory and industry trade organizations, including AdvaMed,
the Drug Information Association, the Personal Care Products Council and the Duke Clinical
Research Institute.
202 Carnegie Center
Suite 301
Princeton, NJ 08540
609.627.5300
UL and the UL logo are trademarks of UL LLC © 2013.
WP/12/121213/LS

WP_UL Compliance wth 21CFR Part_11

More Related Content

What's hot

Similar to WP_UL Compliance wth 21CFR Part_11

WP_UL Compliance wth 21CFR Part_11