FDA 21 CFR Part 11 - Electronic records and signatures

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.

Such procedures and controls shall include the following: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

SoftExpert software enables certified users to digitally sign and verify electronic documents in their own computer. Digital Certificates provide a means of proving the signer’s identity in electronic transactions. Digital Signatures enable "authentication" of digital contents, assuring the recipient of a digital content of both the identity of the signer and the integrity of the content. A Digital Certificate is issued by a Certification Authority (CA) and signed with the CA's private key. The signer of a document cannot later disown it by claiming the signature was forged.

Complies with the latest GAMP validation guidelines and meet 21CFR Part11 requirements for electronic records and signatures to ensure it functions as intended.

SoftExpert Services provide comprehensive validation services, including onsite IQ (installation qualification), OQ (operational qualification), and PQ (performance qualification) tests to ensure that the system is fully compliant. For companies wanting to perform their own validation, SoftExpert Services offer a Validation Toolkit, which provides a detailed, pre-written validation test protocols and scripts.

The ability to generate accurate and complete copies of record in both human readable and electronic form suitable for inspection, review, and copying by the agency.

SoftExpert software supplies copies of electronic records by automated conversion and export methods in common formats (like PDF and XML), preserving the content and meaning of the record.

Each record created in SoftExpert software has the ability to be printed in a human readable format.

Protection of records to enable their accurate and ready retrieval throughout the records retention period.

SoftExpert software ensures that relevant records are preserved and protected from tampering during the required retention period with a flexible approach that combines hybrid electronic and/or paper storage for long term archiving.

Limiting system access to authorized individuals.

SoftExpert software requires an unique UserID and password for system access.

System administrators can optionally enforce automatic login authentication and/or authorization policies inside SoftExpert software through integrated single sign-on Active Directory Authentication Services. Single sign-on is a method of enterprise access control that enables a user to log in once and gain access to the resources of multiple software systems ensuring security and access policy across the enterprise.

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

The audit trail provides a history of record changes and operations, including an automatic capture of signature, date, time, sequencing of events, indicating which operator made the entries, and when the actions were executed.

Each addition, modification and deletion of a record or document is maintained with a computer-generated, time-stamped record. A new record is recorded for each change so as not to obscure previously recorded information. Audit records can be easily accessed and filtered for specific events (for example, changes to a certain field.). Audit records themselves can’t be modified or deleted.

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Through use of SoftExpert configuration windows, sequencing of processing steps, events and checks can be enforced.

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

System administrators can determine appropriate levels of access to operations, records and documents for each user in the system, allowing data to be accessed in read/write, read only, or no access modes.

Password verification can be set as required any time a user applies their name (i.e. signature) to a record or document. The system can also require different passwords for system access and record signatures. All user passwords are encrypted for security.

Determination that persons who develop, maintain, or use electronic record / electronic signature systems have the education, training, and experience to perform their assigned tasks.

SoftExpert Services provide comprehensive product training program. Training courses are given for each level of user to ensure that every user can perform assigned tasks within the system.

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

SoftExpert audit log ensures the person who performed a record modification is recorded. In addition, to eliminate the potential for signature falsification when a user may momentarily leave their work station (from another user using their login session to change a record).

SoftExpert software can be quickly and easily be disabled by the user, and then re-enabled by entering their password to continue their session.

Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

SoftExpert software requires appropriate levels of access to documents for each user in the system. It also comes with built in revision and change control capabilities.

All releases of SoftExpert system documentation include installation, administration and user guides. These documents are uniquely identifiable and associated with a specific release of the software.

Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

(1) The printed name of the signer;

(2) The date and time when the signature was executed; and

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

User name, date, time, and a description of the operation performed (i.e., review, approval, etc.) are automatically captured with every signature.

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

Signature information and configurable watermark are stamped on the document in either electronic or printed format. Guarantee authenticity by sequentially numbering and date/time-marking documents as they are printed.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

A signature is attached to the record in an unchangeable way in order to prevent falsification by copying an electronic signature to a different record. The signature information cannot be tampered with after approval.

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

No two combinations of identification code and password may be the same, nor may be re-used.

Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be use only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners.

SoftExpert software uses a combination of UserID and password for user identification.
During periods of continuous controlled system access, the system can be configured to require password verifications during record signings at a time or interval determined by the System Administrator.

The system can be configured to automatically require all signature components after a period of inactivity determined by the System Administrator.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

All UsedID/password combinations are unique.

b) Ensuring that identification code and password
issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

UserID’s and passwords may be set to expire at predetermined intervals, requiring user to create a
new password.  Users are not allowed to reuse recent passwords.

Passwords must contain at least a configured minimum number of characters.

SofExpert software provides a Strong Password Validator that checks for uppercase, lowercase, numerical, length and special character. Strong passwords lower overall risk of a security breach by passwords that are hard to detect both by humans and by the computer.

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.