Title 21 CFR Chapter 11 Compliance with the Exact Globe Solution
Title 21 CFR Chapter 11 of the Code of Federal Regulations (CFR) deals with the Food
and Drug Administration (FDA) guidelines on electronic records and electronic signatures
for the life science industry in the USA. These guidelines have served as a model for
regulations in other jurisdictions, and many of their elements can be found in the rules for
(European) Good Manufacturing Practice (GMP) and the Pharmaceutical Inspection Convention
(PIC/S), which currently has 37 members. Title 21 CFR Chapter 11 describes how
electronic records and electronic signatures can be used as a substitute for paper records
and handwritten signatures. The Title 21 CFR Chapter 11 rules apply to drug makers,
medical equipment manufacturers, biotech companies and other FDA regulated
companies.
According to the FDA, an “electronic record means any combination of text, graphics,
data, audio, pictorial, or other information representation in digital form that is created,
modified, maintained, archived, retrieved, or distributed by a computer system.” Not all
electronic records are subject to 21 CFR Chapter 11, only those that are maintained in
accordance with FDA published predicate rules.
These rulings, such as the Good Laboratory Practice (GLP) and Current Good
Manufacturing Practice (CGMP), mandate what records must be maintained, what needs
to be contained in the record, whether signatures are required and how long records
must be maintained.
Ultimately, it is the life science industry that has to comply with 21 CFR Chapter 11 and
not the software manufacturer or its product. Therefore, there is no certification
guideline or certifying institute for software products. Moreover, the guidelines also deal
with the issuance and physical protection of passwords or the requirement that users be
adequately trained, which is all in the organizational realm. This white paper serves to
demonstrate where Exact Globe reinforces compliance with 21 CFR Chapter 11, but it is not
proof that compliance is or will be achieved by using Exact Globe.
Subpart A: General Provisions
21 CFR 11.2 - Implementation, with Exact Globe compliance

(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.
Exact Globe compliance: Acknowledged.

(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:
Exact Globe compliance: Acknowledged.

(1) The requirements of this part are met; and
Exact Globe compliance: Acknowledged.

(2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.
Exact Globe compliance: Acknowledged.
(3) Biometrics means a method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.
Exact Globe compliance: The use of biometrics is not currently supported by Exact Globe.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
Exact Globe compliance: Exact Globe is configured as a closed system.

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
Exact Globe compliance: Exact Globe uses the Windows login settings for the network domain or active directory that uniquely identifies the user from their username and password combination. The internal user rights and roles in Exact Globe determine the access and privileges of the signed in user.

(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
Exact Globe compliance: Acknowledged.

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.
Exact Globe compliance: Exact Globe supports electronic signatures by positively identifying the user through a unique username and password combination.

(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate in writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
Exact Globe compliance: The use of biometrics is not currently supported by Exact Globe.

(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
Exact Globe compliance: Exact Globe is configured as a closed system.
Subpart B: Electronic Records
The FDA distinguishes between open and closed systems. Closed systems are those
where access is controlled by persons who are responsible for the content of electronic
records on the system. Open systems are accessible by those who are not directly
responsible for the electronic records on the system.
(figure 1)
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
Exact Globe compliance: Exact Globe reports include who made changes, when they made them, and the type of change. Changes are date/time-stamped. Change comments are included. A verbose log file can be enabled to capture the full detail and history of any changes to records. The full record history can be tracked and reassembled from this log. These reports can be distributed in paper or electronic form.

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Exact Globe compliance: The assignment of rights and roles within Exact Globe gives complete control over which users can complete specified actions under use. The organization is ultimately responsible for backing up and protecting the records. (figure 1)

(d) Limiting system access to authorized individuals.
Exact Globe compliance: Exact Globe applies individual rights and roles set by the system administrator to regulate access to menus and data.

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Exact Globe compliance: Exact Globe maintains a distinct audit trail that can be retained indefinitely. A verbose log file can be enabled to capture the full detail and history of any changes to records.

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
Exact Globe compliance: The ability to complete any given action is controlled by individually assigned roles and rights and is under the control of the administrator to set what permissions are allowed to what users to make what changes at any given point in the process. The configurable workflow allows administrators to set up a workflow that is appropriate for the process being managed. The history of actions completed within Exact Globe contains timestamp information for when the action was completed and by what user, showing the sequence in which actions occurred. The organization is ultimately responsible for enforcing proper sequencing of steps and events.

(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Exact Globe compliance: Exact Globe uniquely identifies the user from their username and password combination. The individually assigned roles and rights determine the access and privileges of the logged in user.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Exact Globe compliance: The administrator of Exact Globe can enforce additional identification of each device by enforcing a check of the MAC address of each connecting client against a permitted MAC address.

(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Exact Globe compliance: Access is controlled via usernames and passwords assigned to those individuals deemed appropriate. The organization is ultimately responsible for this requirement.

(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Exact Globe compliance: The organization is ultimately responsible for this requirement.

(k) Use of appropriate controls over systems documentation including:
Exact Globe compliance: Acknowledged.

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
Exact Globe compliance: There is online help and documentation. It is recommended that the organization maintains customized user guides that reflect the specific workflows and settings of the organization and access patterns of the predefined user roles. The organization is ultimately responsible for that requirement.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Exact Globe compliance: The organization is ultimately responsible for this requirement.
(figure 2)
Subpart C: General Provisions
(figure 3)
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
Exact Globe compliance: Exact Globe requires the user to initiate a continuous period of controlled system access with a username and password combination. Each action that the individual executes within this period creates a historical record that contains information about the action and user.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
Exact Globe compliance: Exact Globe requires the user to initiate a continuous period of controlled system access with a username and password combination. Each action that the individual executes within this period creates a historical record that contains information about the action and user.

(2) Be used only by their genuine owners; and
Exact Globe compliance: The organization is ultimately responsible for this requirement.

(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Exact Globe compliance: This is a procedural issue since the “Administrator” user has the ability to manage and maintain all users and passwords. The “Administrator” user can change any user’s password if necessary.

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Exact Globe compliance: The use of biometrics is not currently supported by Exact Globe. A unique username and password combination is required that identifies the individual logged in and completing actions. Administrators can set strong password rules in the network domain or active directory server that are applied universally, including the ability to enforce a minimum password length, minimum number of letter characters, numeric characters, and minimum number of non-alphanumeric characters in a password. Passwords can be restricted so they cannot be set to the user’s username, first name or last name. Passwords can optionally expire in “x” days. LDAP can be used instead of these features to centrally manage users. All records created by a user are permanently linked to the creator’s unique user name.
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
Exact Globe compliance: Exact Globe uses a username and password to uniquely identify the person logged into the system. The password is not required by default but can be enforced. Usernames must be unique and are not case sensitive. All records created by a user are permanently linked to the user’s unique username.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
Exact Globe compliance: Administrators can set strong password rules in the network domain or active directory server that are applied universally.

(c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
Exact Globe compliance: Exact Globe does not use tokens, cards, or other devices at this time.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
Exact Globe compliance: Exact Globe is a true client/server application that is accessed through a local area network. Intruders would first have to have access to the network and then to the specific (database) server. Security is further enhanced as users are validated with a unique username and password combination. In addition, before the user is logged in they must receive authorization from the license server. Failed login attempts are recorded. Administrators can set strong password rules in the network domain or active directory server that are applied universally.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Exact Globe compliance: Exact Globe does not use tokens, cards, or other devices at this time.
Exact. And it all comes together.
www.exact.com
The information contained in this document represents the current view of Exact on the issues discussed as of
the date of publication. Because Exact must respond to changing market conditions, this document should not
be interpreted to be a commitment on the part of Exact, and Exact cannot guarantee the accuracy of any
information presented after the date of publication.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Exact.
Exact may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Exact, the furnishing of this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.