21 CFR Part 11 Supplement
Who is this article for? Users who want to learn about the 21 CFR Part 11 Supplement.
No special access or permissions are required.
Title 21 CFR Part 11 of the Code of Federal Regulations; Electronic Records; Electronic Signatures sets out the requirements for the creation, modification, maintenance, archival, retrieval, and transmittal of electronic records and also the use of electronic signatures when complying with the Federal Food, Drug and Cosmetic Act or any other Food and Drug Administration (FDA) regulation.
This document presents the summary requirements set out in 21 CFR Part 11, along with Ideagen's response to the clauses.
Note: While Ideagen Quality Management delivers appropriate Technical Controls for 21 CFR Part 11 compliance, it is the responsibility of the user to implement the procedural and administrative controls.
To discuss Ideagen Quality Management and 21 CFR Part 11 further, contact us.
- Subpart B – Electronic Records 11.10 Controls for Closed Systems
- Subpart B – Electronic Records 11.30 Controls for Open Systems
- Subpart B – Electronic Records 11.50 Signature Manifestations
- Subpart B – Electronic Records 11.70 Signature/Record Linking
- Subpart C – Electronic Signatures 11.100 Electronic Signature Components and Control
- Subpart C – Electronic Signatures 11.200 General Requirements
- Subpart C – Electronic Signatures 11.300 Controls for Identification Codes/Passwords
1. Subpart B – Electronic Records 11.10 Controls for Closed Systems
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.10(a) | Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | Ideagen Quality Management has been designed, developed and tested to Ideagen’s documented Product Development lifecycle. A full audit trail details transactions in the system where any altered or invalid records would be evident through inconsistencies with the audit trail. |
| 11.10(b) | The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the FDA. | All modules contain reports that can be printed or viewed through its own in-built Report Designer. Existing reports can be edited and additional reports can be created and added to the system by the end user. All previewed reports may be exported to an electronic format. |
| 11.10(c) | Protection of records to enable the accurate and ready retrieval throughout the records retention period. | Ideagen Quality Management data is held securely in a Microsoft SQL Server database and readily available to users with sufficient access rights. The system has to be accessed by means of a User Name and Password. Passwords are encrypted in the database. Ideagen also provides recommended system requirements to ensure proper functioning of the software. |
| 11.10(d) | Limiting system access to authorised individuals. | Ideagen Quality Management’s security model allows the organisation to define user access to Ideagen Quality Management via a unique User Name and Password. Functionality is authorised on a user by user basis, user group basis or on a conditional basis (dynamic security). Ideagen Quality Management also provides configurable session time-out to ensure reauthentication is required after a predetermined period of user inactivity in the system. |
| 11.10(e) | Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period of at least as long as that required for the subject electronic records and shall be available for agency review and copying. | Ideagen Quality Management provides an audit trail that records all interactions with electronic records including record creation, modifications and deletions. These events are recorded with the name of the user performing the event and the date and time the event was performed. Viewing of the Audit log information is achieved via the Ideagen Quality Management Audit Log Viewer. This information can be easily exported to an electronic format. |
| 11.10(f) | Use of operational system checks to enforce permitted sequencing of steps in a process, as appropriate. | Key Ideagen Quality Management modules have workflow capability and can be implemented to ensure actions can only be performed in the appropriate sequence. |
| 11.10(g) | Use of authority checks to ensure that only authorised individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | Ideagen Quality Management’s security model allows the organisation to define user access to QPulse via a unique User Name and Password. Functionality is authorised on a user by user basis, user group basis or on a conditional basis (dynamic security). |
| 11.10(h) | Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Where appropriate, Ideagen Quality Management look-up lists and wizards can be defined to allow the user to select from pre-defined options, ensuring the validity of data entered. |
| 11.10(i) | Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. | Ideagen Quality Management is developed under Ideagen's product lifecycle management system, where Ideagen ensures that only suitably qualified and experienced staff work on the development and support of any Ideagen products. In addition, it is the responsibility of the user to develop policies regarding product training; however, Ideagen's training services, when used in conjunction with the Ideagen Quality Management application, provide additional areas of employee certification. |
| 11.10(j) | The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | The user must develop policies and procedures governing accountability; however, a full audit trail details transactions in the system where any altered or invalid records would be evident through inconsistencies with the audit trail. |
| 11.10(k) | Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. | It is the responsibility of the user to develop policies regarding controlled access to system manuals and system related documentation. |
| 11.10(k) | Use of appropriate controls over systems documentation including: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. | It is the responsibility of the user to develop policies regarding controlled access to system manuals and system related documentation. Documentation provided by Ideagen is revision controlled. |
2. Subpart B – Electronic Records 11.30 Controls for Open Systems
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.30 | Controls for Open Systems | Does not apply; Ideagen Quality Management is a closed system. |
3. Subpart B – Electronic Records 11.50 Signature Manifestations
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.50(a) | Signed electronic records shall contain information associated with the signing that clearly indicates all the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. | Ideagen Quality Management allows configuration of key signature events. Where a signature event is performed, the electronic record is stamped with the name of the individual carrying out the signed activity and the date and time the signature was applied to the electronic record. The meaning of each signature is associated with the event. |
| 11.50(b) | The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | The electronic signature data are maintained and secured in the same manner as electronic records. |
4. Subpart B – Electronic Records 11.70 Signature/Record Linking
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.70 | Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | There are no ordinary means to remove or copy signatures from/to records. |
5. Subpart C – Electronic Signatures 11.100 Electronic Signature Components and Control
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.100 | (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. | Ideagen Quality Management employs a unique user name to act as an electronic signature. No two users can have the same user name. |
6. Subpart C – Electronic Signatures 11.200 General Requirements
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.200(a)(1) | Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. | Ideagen Quality Management uses a combination of a user name and password for identification. |
| 11.200(a)(1)(i) | When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. | The initial signing requires the entry of both the user name and password. Subsequent signings during a continuous period of access require only the entry of the password. The user name and password are reauthenticated for every signature event performed. |
| 11.200(a)(1)(ii) | When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. | The initial signing, and all subsequent signings not performed during a single, continuous period of controlled system access, require the entry of both the user name and password. |
| 11.200(a)(2) | Electronic signatures that are not based upon biometrics shall: Be used only by their genuine owners. | It is beyond the scope of Ideagen Quality Management to ensure that users do not provide others with access to their user name and password. |
| 11.200(a)(3) | Electronic signatures that are not based upon biometrics shall: Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. | For the system to be breached in this manner, it would require the collaboration of the Ideagen Quality Management administrator and end user. |
| 11.200(b) | Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. | Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. |
7. Subpart C – Electronic Signatures 11.300 Controls for Identification Codes/Passwords
| Section | Section Requirements | Ideagen's Response |
|---|---|---|
| 11.300(a) | Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. | Ideagen Quality Management has a user name and password authentication protocol that will not allow the entry of duplicate user names. |
| 11.300(b) | Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). | Ideagen Quality Management user passwords can be configured to expire after a set number of days. The user has a number of login attempts before the user account is disabled. |
| 11.300(c) | Following loss management procedures to electronically de-authorise lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable rigorous controls. | Not applicable for Ideagen Quality Management as there are no devices that bear or generate identification code or password information. |
| 11.300(d) | Use of transaction safeguards to prevent unauthorised use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorised use to the system security unit, and, as appropriate, to organisational management. | Not applicable for Ideagen Quality Management as there are no devices that bear or generate identification code or password information. |
| 11.300(e) | Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorised manner. | Not applicable for Ideagen Quality Management as there are no devices that bear or generate identification code or password information. |