The software platform includes a range of security and compliance features to help organizations meet the requirements of FDA 21 CFR Part 11. It is important to note that compliance is an ongoing process, so organizations should regularly monitor and update their systems and policies to ensure adherence to the standards established by the FDA.
Title 21 CFR Part 11 is part of Title 21 of the Code of Federal Regulations and establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).
On this page:
FDA 21 CFR Part 11 requirements
Part 11, commonly referred to as, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.
Listed below are some security-related features available in the product:
- Access Control: A security technique that regulates who or what can view or use resources in a computing environment.
- Password Encryption: System administrators do not have access to user passwords, which are encrypted before being stored.
- Maximum and Minimum Age for Password: A feature that imposes a minimum password age before allowing it to change and a maximum age before expiring.
- Required Password Changing: Forces the user to change their password after the first login.
- User Name and Password Minimum Length: Defines the minimum length for usernames and passwords.
- Block on Invalid Login Attempt: Blocks the user if the maximum number of invalid login attempts has been reached.
- Store Password History: A range of the last 0-5 passwords can be stored to ensure the user does not repeat an already used one.
- Auto Log Off: Logs the user off the system due to inactivity or expiration.
- Audit Trail Data: A security-relevant chronological record or set of records that provide documentary evidence of the sequence of activities affecting a specific operation at any time.
Solution Configuration
Audit Trail
Audit trails should be generated independently of the operator and include the local date and time of the actions that alter the record. They cannot overwrite old data and must be stored as long as the record itself is stored.
To use the Audit Trail function, you must enable it. Go to Alarms → Groups, and click the Settings button.
A popup display will open with various checkboxes. Besides the Enable option, you can choose which actions will be stored in the Audit Trail database. The options are as follows:
- User Logon/Logoff: Stores informational data on user login/logout.
- Open/Close Displays: Stores informational data when displays are open or closed.
- Remote Connections: Stores information on remote client connections (Smart/Rich Clients).
- Custom Messages: Stores added custom messages.
- Tag Changes: Stores informational data of every tag change.
- Datasets (Insert/Updates or All Commands): Stores information on datasets.
- Operator Actions: Stores information on operator actions.
- Save Reports: Stores information when the save command is executed.
- System Warnings: Stores information related to the system.
For every solution update indicated above, crucial information is stored alongside the event info in the Alarm Historian database columns:
- UserName: Indicates the user who was logged in at the time the event occurred.
- ActiveTime Ticks: The date and time when the event happened. Although this data is stored as Ticks in the database, the product automatically converts it to DateTime when displayed.
- Message: Provides detailed information about the event, which varies depending on the event type.
- Condition: Indicates which Audit Trail selection field the event originated from.
Exporting Reports
To comply with the regulation, the software must be able to export digital and physical copies of Reports.
To create or edit a report:
- Go to Reports → Forms
- Select a report name or select the insert row (first row)
- Enter or select information, as needed
- Name: Enter a name for the report. The system will let you know if the name is not valid.
- Padding: Use padding when replacing a tag name with its value (the field starts with enough space for the same number of characters as the tag name):
- Compact — Removes any extra characters and displays only the tag.
- PadRight — Adds an extra space for each character to the right of the tag.
- PadLeft — Adds an extra space for each character to the left of the tag.
- SaveFormat: Selects the report format: XPS, HTML, Unicode, ASCII, PDF.
- SaveFileName: Enter a string with {ObjectProperties}. Use the full path.
- SaveTrigger: Enter an object property as the trigger.
- Append: Enter the file that appends the report.
- Size: The size of the report.
- EditSecurity: Check which user groups can edit the report.
- Header: Choose another report as the Header.
- Footer: Choose another report as the Footer.
- Legacy: Read-only. Shows if the report is a legacy.
- Description: Enter a description of the report.
It is possible to add several runtime objects to a Report. Some examples are:
- Tag values and properties.
- Client and Server property information.
- Symbols (TrendCharts are added as a symbol).
- Tables and DataGrids can be dynamically colored and translated according to the solution’s localization setting.
The Report is saved using one of the following methods:
@Report.<ReportName>.Save // Property used to trigger the save report action @Report.<ReportName>.SaveCommand(int Orientation) // Orientation = 0 or blank -- Portrait Mode // Orientation = 1 -- Landscape Mode // saves the selected report into the path indicated by the SaveFileName property
FDA Compliance Table
This table can be used as check list and auxiliary tool on the certification process.
| Electronic Records and Electronic Signatures Compliance | ||||
|---|---|---|---|---|
Item | Description | Reference | Software Platform | |
1 | The software must be validated, according to the current guidelines established by the FDA and GAMP. | FDA 21 CFR Part 11 | Publish resources, native to the software platform. | |
2 | The software must have control that defines the default password exchange, performed by the user, at the first access. | FDA 21 CFR Part 11 | Implemented in Logon dialog, native to the software platform. | |
3 | The software must allow copies of reports in electronic format PDF, XML, and other to be viewed and referenced when necessary. | FDA 21 CFR Part 11 11.10 ( b ) | It is possible to save files in PDF and XPS. The XPSViewer control is part of the software platform. For PDF, the IE control, or the native report viewer can be used. | |
4 | The software must allow printed copies of the reports to be generated for the requested audit records. | FDA 21 CFR Part 11 11.10 ( b ) | You can save the report in XPS and then print it using the "TLib.PrintXPS" method. | |
5 | Electronic records should be available for consultation and for as long as needed. Established historical basis of the production base should be established. | FDA 21 CFR Part 11 11.10 ( c ) | Configurable in the solution. | |
6 | The software must allow the archiving of the generated data. | FDA 21 CFR Part 11 11.10 ( c ) | Historian module, native to the software platform. | |
7 | The software must have access control with different user profiles / groups such as operational level, administrator level and maintenance level. | FDA 21 CFR Part 11 11.10 ( d ) | Native to the software platform. | |
8 | The software shall permit the unique identification of the user (Username & password). | FDA 21 CFR Part 11 11.10 ( d ) | Native to the software platform. | |
9 | The software must control the minimum length of 8 characters to the user's password and accept upper and lower case characters. | FDA 21 CFR Part 11 11.10 ( d ) | Native to the software platform. | |
10 | The software must require password expiration to occur according to the registered period (term in days). Ensure that the last 5 passwords are not reused and blocking access if the user does not change the password when requested. | FDA 21 CFR Part 11 11.10 ( d ) | Can be implemented via DialogOnOK script in Logon dialog. | |
11 | The user who promotes three unsuccessful access attempts (wrong password) should have their access blocked. The same can only be reactivated by the administrator and, recorded on the audit trail. | FDA 21 CFR Part 11 11.10 ( d ) | Can be implemented via DialogOnOK script in Logon dialog. | |
12 | The software must have a "timeout" function that can be triggered after a certain period in which the Logged in user is idle. | FDA 21 CFR Part 11 11.10 ( d ) | The software platform has the setting for AutoLogOff after an inactivity, or session length. | |
13 | The software must have an "Audit trail", where all actions related to the creation, alteration and deletion of electronic records are kept. | FDA 21 CFR Part 11 11.10 ( e ) | The software platform has an Audit Trail in a SQL database, it can include the commands that involve electronic records. | |
14 | The software should not allow the deletion of the electronic records. | FDA 21 CFR Part 11 11.10 ( e ) | Configurable in the software platform Alarm and Database modules. | |
15 | "Audit Trail" must record date, time and user first and last followed by any changed information, referring to the action performed. | FDA 21 CFR Part 11 11.10 ( e ) | Configurable in the software platform Alarm and Database modules. | |
16 | The software must allow information from the "Audit Trail" to be maintained over the same reporting period. | FDA 21 CFR Part 11 11.10 ( e ) | Archiving time is configurable in the solution. | |
17 | Date and time of the "Audit Trail" should be recorded based on the Server, and cannot be generated from a location that can be altered. | FDA 21 CFR Part 11 11.10 ( e ) | Native to the software platform. | |
18 | The "Audit trail" must contain actions of the process, that are related to the creation, change, activation or deletion of electronic records. | FDA 21 CFR Part 11 11.10 ( e ) | Configurable through the Alarm and Dataset modules in the software platform. | |
19 | The software must monitor active and inactive user activity. | FDA 21 CFR Part 11 11.10 ( e ) | Native to the software platform. | |
20 | The software should allow for the generation of copies of the Audit trail report, both in electronic and printed form. | FDA 21 CFR Part 11 11.10 ( e ) | The software platform reporting allows for the creation of PDF and XPS files and online viewing. | |
21 | The software should control the execution of activities according to the process sequence. | FDA CFR 21 Part 11 11.10 ( f ) | Configurable in the Dataset module and Scripting engine inside the software platform. | |
22 | The electronic record, and electronic signature, shall contain the following user information: Full name of the user and date / time that the record was electronically signed. | FDA 21 CFR Part 11 11.50 ( a1 ) & 11.50 ( a2 ) | Resource available through Datasets modules inside the software platform. | |
23 | The electronic record shall contain the information of the actions carried out, such as execution, review, approval, explanation and electronic signature. | FDA 21 CFR Part 11 11.50 ( a3 ) | Resource available through Datasets modules inside the software platform. | |
24 | User information, (full name, date & time) that is electronically signed, shall appear in both the printed and electronic format. | FDA 21 CFR Part 11 11.50 ( b ) | Resource available through Datasets modules inside the software platform. | |
25 | The software should control unique signatures to each user. | FDA 21 CFR Part 11 11.10 ( d ) & 11.100 ( a ) | Resource available through Datasets and Security modules inside the software platform. | |
26 | The software must maintain the history of the electronics signatures used, even after the user has logged off. | FDA 21 CFR Part 11 11.10 ( d ) & 11.200 ( a2 ) | Resource available through Datasets modules inside the software platform. | |
27 | The software shall ensure that the electronic signature is related to electronic registration, and cannot be falsified. | FDA 21 CFR Part 11 11.10 ( d ) & 11.200 ( a2 ) | Resource available through Datasets and Security modules inside the software platform. | |
In this section: