How the FDA Module Addresses Title 21 CFR Part 11

The following tables cite each section of U.S. Code of Federal Regulations Title 21 Part 11 and list the corresponding Meridian Enterprise and FDA Module features that support that section.

Subpart B: Electronic Records

§11.10 Controls for Closed Systems

This section describes how the FDA Module for Meridian Enterprise addresses the controls that pharmaceutical companies must put in place for closed systems: environments in which system access is controlled by the persons who are responsible for the content of the electronic records. An example of a closed system would be an information system that is contained within an organization's local area network or intranet.

These controls require that “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.”

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)
§11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

You are responsible for a program's suitability as used in the regulatory environment. Accruent can assist you with the validation process by providing a comprehensive set of validation protocols, documentation, and additional services for the deployment of the solution. Accruent has a strong quality management system and project delivery methodology, and is open to allowing an organization to perform an audit to confirm the level of quality is acceptable.

Accruent also recommends that an organization implement policies and procedures that include a periodic audit of the production system to ensure accuracy, reliability, and consistent intended performance in the installed, active environment is maintained. Accruent can assist in the development of such policies and procedures, as well as in system configuration, to ensure that the system is optimally configured and used in a way that complies with Title 21 CFR Part 11.

The FDA Module provides a comprehensive auditing feature that tracks over 50 events, including creation, modification, and deletion of records, identifying both the user and the date of the action. No alteration to records can be accomplished without an audit log database entry being created.

§11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.

The FDA Module stores both the native file and a PDF rendition of each document, which can both be exported. All documents can be viewed by Meridian Enterprise or opened with the application that created the document. Secure, read-only access can be granted to any individual for review and inspection of documents, associated metadata, and audit log database information.

Meridian Enterprise permits properties to be associated with each document and provides a powerful mechanism to query and report on all information located in the vault. These reports can be previewed on screen or exported to multiple standard formats. All or any portion of the audit log database can be queried, viewed, and printed using any reporting tools that are compatible with the audit log database.

§11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Record content, metadata, and audit log database information are secured within the system via a user ID and password combination and a role-based security mechanism applied to objects within the system. The record content is managed in a secure vault system. The metadata and audit log database are managed in an industry standard database such as Oracle or SQL Server. Prior revisions of records can be maintained and secured via user roles. All records in the system can be retrieved readily and accurately, as well as exported electronically and in human readable form. All documents and associated metadata are available for retrieval until they are deleted from the vault.

Accruent recommends that organizations develop policies and procedures to cover record retention and disposition, as well as system backup and recovery. The policy should include specific rules for deleting and purging documents at the end of their lifecycle. Accruent can assist in the development of these procedures, as well as system configuration.

§11.10(d) Limiting system access to authorized individuals.

The FDA Module requires that each user log in with a user ID and password to gain access to the system. Individual users and groups can be granted access to system objects, such as vaults and folders, by the Meridian Enterprise administrator. The user ID and password can be authenticated against the operating system controls, so the same corporate rules and procedures defined and configured for network access are applied to access to the secure Meridian Enterprise vault. Alternatively, user accounts can be created and maintained by the system.

All access attempts made after the permitted number of retries has been exceeded are logged to the FDA Module audit log database, along with the user ID, full name, date and time of the access attempt, and whether the attempt was successful. The system can be configured to email an administrator upon invalid logons or account lockouts.

§11.10(e) Use of secure, computer-generated, time-stamped audit databases to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit database documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

The FDA Module audit log database records the user ID, date and time, and an unambiguous description of over 50 events, including all electronic record creation, update, and delete operations. The audit log database is secure from subsequent unauthorized alteration, and updates to the audit log database do not obscure any previous values. The audit log database can be maintained throughout the records retention period, is available in human readable form, and can be exported in both hard copy and electronic format so the agency can copy and review this information.

§11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Operational system checks are implemented based on an organization's procedures and will enforce permitted sequencing of steps and events as appropriate. Required steps such as approval routing cannot be skipped. When a workflow task is ready to be performed by a user, the task appears on the user's personal to-do list in the Meridian Enterprise user interface. The task for the next step in the workflow is not created until the user completes the task for the current step.

A Meridian Enterprise implementation would include the definition of such appropriate steps.

§11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

The Meridian Enterprise system authenticates users against the Windows domain to provide them access. Upon successful log on to the system, users have access to system functions and features based on the permissions granted to them from within the system. Changes to the role-based permissions are recorded in the audit log database.

§11.10(h) Use of device (for example, terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

The system is tightly integrated with the security of the Windows domain and therefore inherits all such security policies. The system additionally ensures that the user logging on to Meridian Enterprise is the same user that is currently logged on to the workstation and domain.

Accruent recommends the use of a screen saver timeout policy to require a user to be re-authenticated prior to regaining system access.

§11.10(i) Determinations that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

As part of its deployment of Meridian Enterprise and the FDA Module, an organization can perform an audit of the Accruent quality management system, including applicable procedures, guidelines, standards, and project records. Accruent maintains personnel qualification and training records.

Accruent recommends an organization require appropriate system training of its users. Accruent can provide user and administrator training as part of deployment.

§11.10(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Accruent recommends an organization develop policies that identify the required functions of each role within the system to govern accountability. Accruent can assist in the development of such policies as requested.

§11.10(k)(1) Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

Accruent recommends an organization develop procedures governing the control of system operational documentation, maintenance schedules, and upgrades. Meridian Enterprise and the FDA Module can be used for this purpose.

§11.10(k)(2) Use of appropriate controls over systems documentation including: Revision and change control procedures to maintain an audit database that documents time-sequenced development and modification of systems documentation.

Accruent recommends an organization develop procedures governing the control of system operational documentation. Meridian Enterprise and the FDA Module can be used for this purpose.

§11.30 Controls for Open Systems

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)

§11.30 Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and confidentiality of electronic records from the point of their creation to the point of receipt. Such procedures and controls shall include those identified in §11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

The FDA Module authenticates the user against the domain and provides object integrity. Confidentiality may be preserved in an organization by configuring varying security mechanisms, including firewalls, proxy servers, and SSL. The FDA Module does not yet support the use of digital signatures.

§11.50 Signature Manifestations

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)
§11.50(a)(1-3) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was created; and, (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The FDA Module enables the signing of electronic records during workflow transitions between states. Workflows are associated with particular document types by the System Administrator and with project folders by the workflow manager. Users can provide comments on documents under review or can delegate the review task to other authorized reviewers. The workflow transitions indicate the meaning of the signing and are logged to the audit log database, whether approved or rejected by the user.

The audit log database contains the user's name, date and time of signing, and the meaning of the signing. Each signer is required to re-authenticate themselves by entering their user ID and password at the time of the signing. The signing information, including user full name, date, time and reason, is manifested on the document.

§11.50(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

A server-side process creates a PDF rendition of a document prior to the signing event. The signing information is then added to the PDF rendition directly or to an additional signature page. The signature information is also logged to the audit log database and linked to the metadata. The signature page is a predefined, customizable template associated with a document type and signing event, as configured by the System Administrator.

§11.70 Signature/Record Linking

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)

§11.70 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied or otherwise transferred so as to falsify an electronic record by ordinary means.

A comprehensive audit log database provides a link between the document and the signature. The signature information in the audit log database cannot be copied, removed, or overwritten. The signature information on the PDF rendition and signature page, along with the associated security measures, ensures that the signature information cannot be copied, removed, or transferred.

Subpart C: Electronic Signatures

§11.100 General Requirements

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)
§11.100(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

The FDA Module authenticates users against the Windows domain and therefore inherits the same security model. If configured to use Meridian Enterprise user accounts, the system checks for the uniqueness of both user ID and password across all users, guaranteeing exclusivity.

Accruent recommends an organization develop procedures to ensure that a user ID is only assigned to one individual, that the user sets their own password upon initial log on, and that each individual agrees not to divulge their password.

§11.100(b) Before an organization establishes, assigns, certifies or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

Accruent recommends an organization develop procedures to ensure that user IDs are assigned to the correct individuals with appropriate security.

§11.100(c)(1-2) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

(1) The certification shall be submitted in paper form, and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.

Accruent recommends an organization develop procedures to notify the agency of their intention to use electronic signatures, and to ensure that users understand that their electronic signatures are considered equivalent to traditional handwritten signatures.

The FDA Module signing event provides the signer with a notice indicating that their electronic signature is considered equivalent to a traditional handwritten signature. The notice can be configured by the System Administrator and should be in accordance with an organization's related procedures.

§11.200 Electronic Signature Components and Controls

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)

§11.200(a)(1) Electronic signatures that are not based upon biometrics shall: Employ at least two distinct identification components such as an identification code and password.

The FDA Module utilizes a combination of separate components, including user ID and password.

§11.200(a)(1)(i) When an individual executes a series of signings during a single continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

The FDA Module requires both user ID and password for authentication to the system and for any single signing event. Additionally, it can be configured to prompt the user for only a password during batch signing events.

§11.200(a)(1)(ii) When an individual executes one or more signings not performed during a single continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

The FDA Module requires both user ID and password for all signing events during a single continuous period of controlled system access.

§11.200(a)(2) Electronic signatures that are not based upon biometrics shall: Be used only by their genuine owners

The FDA Module authenticates users against the Windows domain. Invalid attempts to log on to the system are recorded in the audit log database.

Accruent recommends an organization develop procedures to ensure that a user ID is only assigned to one individual, that the user sets their own password upon initial log on, and that each individual agrees not to divulge their password.

§11.200(a)(3) Electronic signatures that are not based upon biometrics shall: Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

Accruent recommends an organization develop procedures requiring that each individual agree not to divulge their password. The system ensures the uniqueness of user IDs and passwords.

Accruent recommends the use of a screen saver timeout policy to require a user to be re-authenticated prior to regaining system access.

§11.200(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

The FDA Module does not currently support electronic signatures based upon biometrics.
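The signing controls described in the tables above, modelled as a small Python program: the two-component rule and its continuous-period exception (§11.200(a)(1)(i)-(ii)), a manifestation carrying printed name, time and meaning (§11.50(a)), an append-only audit trail whose entries are never overwritten (§11.10(e)) and a signature bound to the record content so it cannot be transplanted (§11.70). This is an added illustration of the regulation's rules, not the FDA Module's or Accruent's code; the 15-minute window, the user directory, passwords and record bytes are all constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SESSION_WINDOW = timedelta(minutes=15)  # constructed length of one "continuous period", not a module setting

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user directory (assumption): user ID -> (printed name, salt, password hash).
_SALT = b"constructed-salt"
USERS = {"jdoe": ("Jane Doe", _SALT, _pw_hash("constructed-pw", _SALT))}

class AuditTrail:
    """Append-only store: entries can be read but never replaced or removed (§11.10(e))."""
    def __init__(self):
        self._entries = []
    def append(self, entry: dict) -> None:
        self._entries.append(dict(entry))
    def entries(self) -> tuple:
        return tuple(self._entries)

class SignatureService:
    def __init__(self, users=USERS):
        self.users, self.audit = users, AuditTrail()
        self.session_user, self.last_signing = None, None

    def _continuous(self, now: datetime) -> bool:
        # Same signer, and this signing follows the previous one within the window.
        return self.session_user is not None and now - self.last_signing <= SESSION_WINDOW

    def sign(self, content: bytes, meaning: str, now: datetime,
             password: str, user_id: "str | None" = None) -> dict:
        if self._continuous(now):
            uid = self.session_user  # later signing in the period: password alone, §11.200(a)(1)(i)
        elif user_id is None:
            raise PermissionError("first signing of a period requires user ID and password")
        else:
            uid = user_id  # new period: all components again, §11.200(a)(1)(ii)
        name, salt, stored = self.users.get(uid, (None, b"", b""))
        if name is None or not hmac.compare_digest(_pw_hash(password, salt), stored):
            self.audit.append({"event": "signing_rejected", "user_id": uid,
                               "at": now.isoformat()})  # attempted unauthorized use, §11.300(d)
            raise PermissionError("authentication failed")
        self.session_user, self.last_signing = uid, now
        manifest = {  # §11.50(a): printed name, time, meaning; §11.70: bound to the record content
            "event": "signed", "user_id": uid, "signer": name, "signed_at": now.isoformat(),
            "meaning": meaning, "record_sha256": hashlib.sha256(content).hexdigest()}
        self.audit.append(manifest)
        return manifest

def signature_matches(manifest: dict, content: bytes) -> bool:
    """A manifestation copied onto different content no longer verifies (§11.70)."""
    return hmac.compare_digest(manifest["record_sha256"], hashlib.sha256(content).hexdigest())

def run_scenario() -> dict:
    """Constructed walk-through of the rules above; returns what each check found."""
    svc, t0 = SignatureService(), datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    record = b"constructed record content"
    first = svc.sign(record, "approval", t0, "constructed-pw", user_id="jdoe")
    second = svc.sign(b"second record", "review", t0 + timedelta(minutes=5), "constructed-pw")
    refused = {}  # both attempts below come an hour later, outside the continuous period
    for label, pw, uid in (("expired_period", "constructed-pw", None), ("wrong_password", "bad", "jdoe")):
        try:
            svc.sign(record, "review", t0 + timedelta(hours=1), pw, user_id=uid)
            refused[label] = False
        except PermissionError:
            refused[label] = True
    return {"first": first, "record": record, "second_user": second["user_id"], **refused,
            "audit_events": [e["event"] for e in svc.audit.entries()]}
```

The rejected password-only signing after the window leaves no audit entry because it never reaches authentication, while the wrong-password attempt is recorded; the manifest's hash is what ties the signature to the record.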

§11.300 Controls for Identification Codes/Passwords

Requirements compliance summary (section, requirement summary, Meridian Enterprise/FDA Module support)
§11.300(a) Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

When the system is configured to use user IDs and passwords that are authenticated against the operating system controls, the corporate domain policies configured for network access will be applied against access to the secure Meridian Enterprise vault. The operating system will ensure that no two individuals have the same combination of identification code and password.

Accruent recommends an organization develop procedures to ensure the uniqueness of each combined identification code and password.

§11.300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (for example, to cover such events as password aging).

Accruent recommends an organization develop procedures to ensure that user ID and password issuance are periodically checked, recalled, and revised.

When both the user ID and password are authenticated against the operating system controls, policies can be employed to force password expiration after a specified period of time. User accounts may also be cleared or have passwords reset by the System Administrator, which forces the user to change their password upon re-authentication to the system.

§11.300(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

Accruent recommends an organization develop procedures for loss management.

Through the operating system, accounts may be cleared or passwords reset, forcing the user to change the password upon re-authentication.

§11.300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

All access attempts are logged to the FDA Module audit log database, along with user ID, full name, date and time of access attempt, and whether the attempt was successful. The system can be configured to email a System Administrator upon a designated number of failed log on attempts.

The FDA Module requires that each user log on with a user ID and password to gain access to the system. Individual users and groups can be granted access to system objects, such as vaults and folders, by the Meridian Enterprise System Administrator. The user ID and password are authenticated against the operating system controls. The operating system tools can be configured to send an email notification to a System Administrator upon invalid log on attempts or upon account lockout. Therefore, the same corporate rules and procedures defined and configured for network access are applied to access to the secure Meridian Enterprise vault.

§11.300(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information, to ensure that they function properly and have not been altered in an unauthorized manner.

This requirement is not applicable to the FDA Module or the Meridian Enterprise system.
