FDA 21 CFR Part 11 Solution

Compliance with FDA regulations on electronic records and electronic signatures (21 CFR Part 11)

Title 21 CFR Part 11 is a U.S. federal regulation specifying FDA guidelines for electronic records and electronic signatures. It requires most companies that deal with the FDA, such as pharmaceutical companies, to implement controls that ensure the integrity of their documents.

Assist 4.0 approach to compliance

To provide the security required for compliance with the 21 CFR Part 11 rule, the software has in place security functions which provide:

  • Access controls and authority checks via the use of user identification codes and passwords.
  • Electronic record security via the use of protected directories.
  • Time and date stamped audit trails.

The use of user identification codes and passwords enables control over who can log on to the system and who can perform particular functions within the Atharvana application software. It also provides the mechanism to allow electronic signature of electronic records.

The following are adhered to in Assist 4.0 software:

  • In the “User Name” field, a unique user identification code must be entered.
  • In the “Full Name” field, the user’s full name (not just one name or a nickname) must be entered.
  • In the “Description” field, either the individual’s title or user group designation must be entered.
  • In the “Password” and “Confirm password” fields, a case sensitive password of at least six characters must be entered. (Initially the system administrator must provide a temporary password.)
  • The “User must change password at next logon” check box must be selected.
  • The “Password never expires” and “User cannot change password” check boxes must be cleared.

As stated above, the unique user identification code is fundamental to the security of the system. The text of the “User Name”, “Full Name” and “Description” fields is included in reports and audit logs to identify the user who has changed or signed electronic records. It is essential that the “Full Name” field contains the user’s full name, as it is a specific requirement of the 21 CFR Part 11 rule that the “printed name of the signer” is indicated on signed records (Section 11.50 (a) (1)). Users are also required to change their password when they first log on to the system, to ensure the security of the password.

Once the system administrator has set up the users, the Assist 4.0 software guides the system administrator through the required steps to set up the security. This covers the following issues:

  • Privilege groups—assigning users to a privilege level. The privileges are created when the software is run. Each privilege allows a different level of access within the Assist 4.0 application software. When certain functions are not allowed, the appropriate software controls are disabled.
  • Directory protection—specifying which directories will be protected and who will have access to each protected directory. The protected directories must be located on the local IPC (i.e. the IPC connected to the instrument).
  • Executable protection—restricting access to the Assist 4.0 application software by specifying the directory containing the Atharvana application executable files and who will have access to each executable.
  • Logon warning message—defining the warning message that is displayed at logon to Windows. The purpose of this message is to warn unauthorized operators of the consequences of using the restricted PC. The message may be edited to suit the user organization’s requirements.
  • Account policies—adjusting the account policies regarding password expiry period and number of unsuccessful logon attempts before lockout. In addition, the Assist 4.0 software automatically sets a number of Windows policies relating to password length, history and aging.


Controls for Electronic Records

The 21 CFR Part 11 rule contains a range of specific measures to ensure the integrity of the system operations and information stored in the system.

Accurate and complete copies (Compliance with Section 11.10 (a) & (b))

The Assist 4.0 application software utilizes the Windows copy function to produce electronic copies of files within and between protected directories on the local PC. The application can load and display its electronic records (incorporating the audit trails) stored in a protected directory on the local IPC. These items can also be printed using the application software.

The Assist 4.0 software provides files that can be used for review of the records, independent of the application software. The file formats available include ASCII, PRN, RTF and HTML.

Audit trails (Compliance with Section 11.10 (e))

Atharvana systems utilize audit logs provided by the Assist 4.0 software and by the Windows operating system. Audit logs are created by the application software. The application forces the complete collection of data including such things as method, instrument data, final results, etc. These audit logs also record who made the changes, when and why. When changes are made, the previous value and the new value for the altered field are recorded. The system will also prompt the user to enter a reason for the change, although including a reason is optional. The reason for change, or text stating that no reason was given, is stored with the record. The data and methods are also stored together. The application software and the operating system write to the Windows event log(s), recording authorization attempts, access to the application, saving of files, logon activity, and account privilege and audit policy changes. The application software audit logs cannot be deleted from the electronic records of which they are a part.
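The audit-trail behaviour described above (who, when, previous and new value, optional reason, trail stored with the record) can be sketched as follows. This is an added example, not Assist 4.0 code: the `Record` and `User` names, the field names, and the exact "No reason given" wording are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone

# The three identification fields the page says appear in audit logs.
User = namedtuple("User", "user_name full_name description")
NO_REASON = "No reason given"  # assumed wording for the stored placeholder text

class Record:
    """Hypothetical electronic record that carries its own audit trail."""

    def __init__(self, fields):
        self._fields = dict(fields)
        self._trail = []  # append-only: the class offers no way to remove entries

    def update(self, user, changes, reason=None):
        """Apply changes, logging one entry per field whose value actually differs."""
        reason = (reason or "").strip() or NO_REASON
        changed = []
        for field, new in changes.items():
            old = self._fields.get(field)
            if old == new:
                continue  # re-saving an identical value is not a change
            self._fields[field] = new
            self._trail.append({
                "when": datetime.now(timezone.utc).isoformat(),
                "user_name": user.user_name,
                "full_name": user.full_name,
                "description": user.description,
                "field": field, "old": old, "new": new, "reason": reason,
            })
            changed.append(field)
        return changed

    @property
    def trail(self):
        # Hand out copies so callers cannot edit or drop logged entries.
        return tuple(dict(entry) for entry in self._trail)

    def export(self):
        """Record and trail travel together, as the page describes."""
        return {"fields": dict(self._fields), "audit_trail": list(self.trail)}

# Constructed sample data.
analyst = User("jdoe", "Jane Doe", "Analyst")
rec = Record({"method": "M1", "result": 1.00})
rec.update(analyst, {"result": 1.02, "method": "M1"})  # no reason supplied
rec.update(analyst, {"method": "M2"}, "Wrong method selected")
```
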

Protection of records (Compliance with Section 11.10 (c) & (e))

While the Assist 4.0 application protects the electronic records and provides an audit trail of any changes to those records, the user organization must also establish rigorous and systematic archiving and backup standard operating procedures to ensure that electronic records generated by Atharvana software are stored in such a manner that they can be retrieved and used over an extended period of time.

The Assist 4.0 software automatically sets the security access to the protected directories so that users (other than the authorized system administrator) cannot delete or alter records.

Validation (Compliance with Section 11.10 (a))

Atharvana can provide detailed information regarding its software design, development, testing, maintenance and archiving procedures. Atharvana offers installation qualification (IQ) and operation qualification (OQ) documentation and services. Atharvana can also assist the user organization with ongoing performance qualification (PQ) if required.

Controlling access and checking authority

Assist 4.0 systems use a combination of user identification code and password. This mechanism provides both the ability to carry out authority checks and the ability to sign or authorize electronic records. (Compliance with Section 11.200 (a) (1))

Assist 4.0 systems carry out the following authority checks: (Compliance with Sections 11.10 (d) and (g))

  • Checks that the user identification code and password used to log on to the PC represent a valid user.
  • Checks that the logged on user is authorized to run particular applications.
  • Checks that the logged on user is authorized to carry out particular activities/functions within the application.
  • Checks that the logged on user is authorized to save records to a particular protected directory.
  • Checks that the user identification code and password used to sign (as an operator) a particular electronic record represent a valid user.
  • Checks that the user identification code and password used to approve a particular electronic record represent a user with the authority to approve a record.
  • Checks that the user identification code and password used to unlock an application represent a valid user.

Controlling user identification codes and passwords

The methods used to establish passwords and the policies used to control them are specifically designed to meet the stringent requirements of the 21 CFR Part 11 rule. The system requires the password to be at least six characters in length. Initially, the system administrator must provide a temporary password when setting up a user and, as mentioned previously, the system administrator must select the option to force the user to change the password at next logon. When the new user first logs on to the system, they are required by the system to change the password immediately. This ensures that only the individual user knows their particular user identification code and password combination and therefore that “attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals” (Compliance with Section 11.200 (a) (3)).

The Assist 4.0 system allows the Administrator to set the period after which passwords must be changed. The system requires that each time the user changes their password it must be different from the 12 (Windows NT) or 24 (Windows 2000 or XP) previous passwords used. The Atharvana software sets these parameters automatically at installation, but they can be adjusted by the system administrator to suit the organization’s requirements. (Compliance with Section 11.300 (b))

In the Assist 4.0 system, the user account is disabled following a defined number (usually three) of failed attempts to enter the correct user identification code and password combination. When the user is attempting to log on, they are logging on to the PC itself. Therefore, if the logon attempt fails they do not gain access to use the PC and do not, at any stage, gain access to the application software. (Compliance with Section 11.300 (d))
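Because the administrator can adjust these account policies after installation, it is worth checking periodically that the workstation still matches the values stated above. The following added example (not part of the Assist 4.0 software) parses the English output of the Windows `net accounts` command and compares it with those values; the function names and the sample output are constructed for illustration.

```python
# Values from the page: minimum length 6, history 24 (Windows 2000/XP; use 12
# for NT), lockout after "usually three" failed attempts, passwords must expire.
REQUIRED = {"min_length": 6, "history": 24, "lockout_max": 3}

# Constructed sample of `net accounts` output (not captured from a real system).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              6
Length of password history maintained:                12
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
"""

def parse_net_accounts(text):
    """Map each 'label: value' line to a dict; numeric values become ints."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep:  # lines without a colon (status message) are skipped
            value = value.strip()
            policy[label.strip()] = int(value) if value.isdigit() else value
    return policy

def check_policy(policy, required=REQUIRED):
    """Return a list of findings; an empty list means the policy matches."""
    def num(label):
        value = policy.get(label)
        # "Never", "None", "Unlimited" or a missing line all mean "not enforced".
        return value if isinstance(value, int) else None

    findings = []
    if (num("Minimum password length") or 0) < required["min_length"]:
        findings.append("min_length: shorter than %d" % required["min_length"])
    if (num("Length of password history maintained") or 0) < required["history"]:
        findings.append("history: fewer than %d remembered" % required["history"])
    threshold = num("Lockout threshold")
    if not threshold or threshold > required["lockout_max"]:
        findings.append("lockout: no lockout within %d attempts" % required["lockout_max"])
    if not num("Maximum password age (days)"):
        findings.append("max_age: passwords never expire")
    return findings

if __name__ == "__main__":
    for finding in check_policy(parse_net_accounts(SAMPLE)):
        print(finding)
```
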