This slideshow analyzes the 21CFR11 requirements with respect to CERF ELN by Lab-Ally, and justifies how CERF ELN is compliant with the requirements. The reader should expect to gain information about 21CFR11 requirements, CERF functionality and customization.
2. Contents
• Background of 21CFR11
• CERF design around 21CFR11
• Code of Federal Regulations Title 21, Part 11
• Subpart B—Electronic Records
• 11.10 Controls for Closed Systems
• 11.30 Controls for Open Systems
• 11.50 Signature Manifestations
• 11.70 Signature/record linking
• Subpart C – Electronic Signatures
• 11.100 – General Requirements
• 11.200 – Electronic signature components and controls
• 11.300 – Controls for identification codes/passwords
3. Background
• 21 CFR Part 11 published in 1997
• Does it apply to you?
• Medical Device
• Pharmaceuticals
• Biologics
• FDA published Guidance for Industry in 2003 describing how 21 CFR Part 11 should be implemented
• In July 2010 FDA announced that compliance with Part 11 would be part of routine quality inspections
• Electronic Lab Notebooks used to organize data for medical devices, pharma, or biologics should address 21 CFR 11
4. CERF Electronic Lab Notebook
21 CFR 11 Compliant
• Collaborative data and document managing solution
• IQ, OQ, PQ Validation Packages available
• Ultra-long-term storage of files, records and resources
• Semantic traceable metadata
• Used by
• Pharma companies, Medical Device companies
• Academia
• When used in regulated environments CERF must be compliant
• For more about CERF see CERF 5.0 and Why CERF?
7. 11.10 (a)
• “Validation of systems to ensure accuracy, reliability, consistent intended performance, and ability to discern invalid or altered records.”
• CERF internally validated at software release
• IQ, OQ Validation Package ensures consistent intended performance
• CERF tracks all document changes and versions documents
8. 11.10 (b)
• “The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.”
• Print to PDF and Print to Word functions allow exporting of records for review
• Records are readable and reviewable
• Notebooks also exportable in .xml
9. 11.10 (c)
• “Protection of records to enable their accurate and ready retrieval throughout the records retention period.”
• Records stored in MySQL database
• All document changes are tracked; users cannot directly modify or delete records in CERF, all actions are mediated (and recorded) through the CERF server
• Documents retrievable at any time given appropriate user permissions
10. 11.10 (d)
• “Limiting system access to authorized individuals.”
• Each username has affiliated workgroup privileges for
• Record access
• Signature permission
• Record modification access
• Template access
• Users may not have multiple sessions open at one time
11. 11.10 (e)
• “Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. ... Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.”
• CERF captures audit trail information any time data is created, modified or deleted
• Creation date/time
• Modified date/time
• Username, object modified
• Action taken, new content
12. 11.10 (e) cont.
• “...Record changes shall not obscure previously recorded information...”
• All previous metadata is saved with each record version, and no previously recorded information is deleted or obscured
13. 11.10 (e) cont.
• “...Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.”
• CERF audit trail records are available for the lifespan of the CERF server deployment
14. 11.10 (f)
• “Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.”
• User must log in and remain in a session to alter records
• CERF has record Check-Out and Check-In so only certain users may modify a record at a time
• Customizable business policies to fine-tune workflows
15. 11.10 (g)
• “Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”
• Business Policies define log-in/log-out workflows, signature workflows, and record alteration access
• Only the system admin has access to the host server hardware and operating system; the admin also defines business policies
16. 11.10 (h)
• “Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.”
• CERF Desktop Clients act as the appropriate device to access the CERF server
• Desktop clients must be configured for specific CERF servers
17. 11.10 (i)
• “Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.”
• Organizations must ensure their users are qualified.
USER DEPENDENT
18. 11.10 (j)
• “The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.”
• Organizations must establish their own written policies for CERF usage of electronic signatures.
USER DEPENDENT
19. 11.10 (j)
• “The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.”
• Organizations must establish their own written policies for signature workflow.
USER DEPENDENT
20. 11.10 (k)
• “Use of appropriate controls over systems documentation including: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.”
• CERF administrators have the highest level of control over CERF; organizations are responsible for assigning and maintaining administrative roles, as well as CERF documentation
USER DEPENDENT
21. 11.10 (k) cont.
• “Revision and change control procedures to maintain an audit trail that documents time sequenced development and modification of systems documentation.”
• Organizations are responsible for the ways in which they organize records in CERF; however, Lab-Ally provides system operation and maintenance documentation.
USER DEPENDENT
23. 11.30
• “Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures, e.g., document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality”
Not Applicable
• CERF is a Closed System
• CERF supports technology for open implementation
• encryption
24. 11.50(a) - Signature manifestations
• “Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.”
• CERF signatures contain the full printed name, date/time of signature, the signature meaning, the role of the signer, and any comments provided.
25. 11.50(b)
• “The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records, and shall be included as part of any human readable form of the electronic record (such as electronic display or printout)”
• Electronic signature records are secure from unauthorized access, and can be displayed or printed
26. 11.70 – Signature/record linking
• “Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.”
• Once a signature is established on a resource, an irrevocable link is established between the signature and the object. It cannot be altered.
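The slides on 11.10(e), 11.50(a) and 11.70 describe three properties that fit together: an append-only audit trail, a signature manifestation (printed name, date/time, meaning), and a signature bound to one record so it cannot be moved to another. The following is an added, constructed Python illustration of that pattern; it is not CERF code, and it binds the signature by hashing record id, version and content rather than with a keyed digital signature, which a production system would add on top.

```python
import hashlib
from datetime import datetime, timezone

def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class Part11RecordStore:
    """Constructed toy ELN store: append-only versions, audit trail, bound signatures."""
    def __init__(self):
        self.versions = {}   # record_id -> list of version dicts, never edited in place
        self.audit = []      # chronological, append-only audit trail (11.10(e))

    def _log(self, user, record_id, action, version_no, digest):
        # Who did what to which object and version, and when; entries are never removed
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "record": record_id, "action": action,
                           "version": version_no, "sha256": digest})

    def write(self, user, record_id, content):
        """Create or modify a record by appending a new version; prior versions stay intact."""
        versions = self.versions.setdefault(record_id, [])
        version_no = len(versions) + 1
        versions.append({"version": version_no, "user": user, "content": content})
        self._log(user, record_id, "create" if version_no == 1 else "modify",
                  version_no, _sha256(content))
        return version_no

    def version_digest(self, record_id, version_no):
        # Bind record id, version number and content into one digest (11.70)
        v = self.versions[record_id][version_no - 1]
        return _sha256(f"{record_id}|{version_no}|{v['content']}")

    def sign(self, user, printed_name, record_id, meaning, role, comment=""):
        """11.50(a) manifestation (name, time, meaning) bound to the current version."""
        version_no = len(self.versions[record_id])
        sig = {"signer": user, "printed_name": printed_name,
               "ts": datetime.now(timezone.utc).isoformat(), "meaning": meaning,
               "role": role, "comment": comment, "record": record_id,
               "version": version_no,
               "bound_digest": self.version_digest(record_id, version_no)}
        self._log(user, record_id, "sign", version_no, sig["bound_digest"])
        return sig

    def verify(self, sig):
        # True only while the signature matches the record/version it was bound to
        try:
            return sig["bound_digest"] == self.version_digest(sig["record"], sig["version"])
        except (KeyError, IndexError):
            return False
```

A later modification appends version 2 while the signature on version 1 still verifies, and the same signature dict copied onto another record or version fails verification.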
28. 11.100(a) – General requirements
• “Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.”
• CERF enforces uniqueness of username and password combination
• Digital Signature password required for signing
29. 11.100(b)
• “Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual”
• Organizations must verify their members to assign them digital signatures
USER DEPENDENT
30. 11.100(c)
• “Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.”
• Organizations must verify their CERF users who will use electronic signatures
USER DEPENDENT
31. 11.200(a)(1) – Electronic signature components and controls
• “Electronic signatures that are not based upon biometrics shall: Employ at least two distinct identification components such as an identification code and password.”
• CERF requires a user id and password
32. 11.200(a)(1)(i)
• “When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.”
• CERF requires initial login, and the user is required to provide the digital signature password during each signing
33. 11.200(a)(1)(ii)
• “When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.”
• CERF requires initial login, and the user is required to provide the digital signature password during each signing
34. 11.200(a)
• “Electronic signatures shall: (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.”
• CERF user ids, passwords, and digital signature passwords are unique and known only to the individual users
• CERF allows a peer review signature workflow that requires multiple individual users to input their signature password
35. 11.200(b)
• “Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners”
• Biometric devices and software are outside of CERF scope. Customized solutions may be available for CERF.
USER DEPENDENT
36. 11.300 - Controls for identification codes/passwords
“Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.”
• CERF enforces unique user id and password combinations
• No duplicate user id
• Password control is customizable per business policies
37. 11.300(b)
“Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)”
• CERF supports password aging
• Business policies can set
• Period of time between password renewal
• Uniqueness of new password
38. 11.300(c)
“Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.”
• CERF does not use identification devices
• Administrator has ability to disable user accounts and reset passwords
• User must immediately modify password upon first log-in
USER DEPENDENT
39. 11.300(d)
“Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.”
• Customizable safeguards
• No. of password attempts before account disable
• Account time-out after inactivity
• Only one session per user
• Admin has access to logs detailing user log-in activity
40. 11.300(e)
“Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.”
• CERF does not currently use identification devices or tokens
• Lab-Ally offers IQ, OQ, PQ validation of CERF to ensure proper function
USER DEPENDENT
41. Is 21CFR11 the only rule set a regulated organization should worry about?
• By itself 21CFR11 includes many safeguards that are required by FDA regulated studies, but anyone working in a regulated environment should also strive to follow other best practice guidelines such as
• ALCOA-PLUS
• Good Documentation Practice (GDP)
• ISO 15489 and related standards
42. Is CERF fully 21CFR11 compliant “out of the box”?
• A common misconception related to data management software is that it can be “validated” as 21CFR11 compliant “out of the box”. In fact, no system should be considered fully compliant until it has been validated by a suitably qualified expert in situ. Compliance involves a range of factors such as user training and behavior patterns, IT oversight, system configuration and more that can ONLY be determined once the product has been deployed on site.
43. Conclusion
• For ELNs in industry, 21CFR11 compliance is necessary
• Computer System Validation is also often necessary; Lab-Ally offers IQ, OQ, PQ Validation packages
• CERF ELN is a robust system designed with 21CFR11 in mind
• CERF is compliant with 21CFR11, dependent on organizational choices, as detailed by the requirements marked with the text “USER DEPENDENT”
• Compliance with 21CFR11 is necessary, aids in data organization and organizational efficiency, and enhances industry standards.
• Thank you for viewing this presentation. Please contact Lab-Ally for any questions, concerns, or inquiries.
44. References
• “Title 21, Chapter I, Subchapter A, Part 11.” Electronic Code of Federal Regulations, FDA, 14 May 2018. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11
• “CERF 21 CFR PART 11 COMPLIANCE.” Cerf-Notebook.com, Lab Ally, 2016. cerf-notebook.com/files/pdf/CERF%2021CFR11%20compliance.pdf; http://cerf-notebook.com/resources/21-cfr-11-compliant-eln/