Comparison of 21 CFR Part 11 and Annex 11 of EU Guidelines to … · 2018-05-14 · Comparison of...


Comparison of 21 CFR Part 11 and Annex 11 of

EU Guidelines to GMP

UL PURE Learning

202 Carnegie Center Drive, Suite 301 Princeton, NJ 08540


Proprietary and Confidential 

UL and the UL logo are trademarks of UL LLC © 2018. All Rights Reserved.

Table of Contents

1. Introduction ..... 1
2. Definitions and Terminology ..... 2
3. Complying with Part 11 and Comparison with Annex 11 ..... 3
4. Subpart B – Electronic Records ..... 4
5. Subpart C – Electronic Signatures ..... 14
6. About UL PURE Learning ..... 18


REVISION HISTORY

Version #: 7
Summary of Change: Changed company name from UL EduNeering to UL Compliance to Performance, and the company description was updated.
Section 4: The paper now states that one reason Part 11 is not aligned with Annex 11 is that Part 11 is an “add-on” regulation and some of these requirements are in the predicate regulations. Some Part 11 requirements are implicit and some are not explicit.
In Table 1 (Subpart B), the paper also now notes that clients can audit UL Compliance to Performance to ensure that the Part 11 and Annex 11 expectation that companies validate systems involved in managing GxP processes is addressed.
Revised By: Mike Horn
Date: 10/24/2016

Version #: 8
Summary of Change: Revision history reduced; see obsolete Revision 6 for revisions 1 through 6. Updated company logo and name from UL Compliance to Performance to UL PURE Learning.
Revised By: Rajani Tenepalli
Date: 04/26/2018


1. Introduction

In 1997, the U.S. Food and Drug Administration (FDA) issued the final rule (21 CFR Part 11) on the criteria under which electronic records and electronic signatures will be accepted in lieu of handwritten signatures and records executed on paper. Although Part 11 covers both electronic records and electronic signatures, the regulation is primarily a recordkeeping rule.

The scope of Part 11 has far reaching implications for all businesses in the FDA-regulated industries, including pharmaceutical, biotech, medical device, health care, and food companies. According to the rule, “this Part (Part 11) applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations.”1

With the final ruling, companies can take advantage of today’s electronic technology to improve and streamline existing processes. The cost of not taking advantage of electronic records and signatures can be detrimental to the competitiveness of a company’s position in its marketplace.

Similarly, the European Commission has set forth Guidelines for good manufacturing practice (GMP) for human and veterinary medicinal products manufactured in the European Union, along with a set of “Annex” documents that provide further guidance for the interpretation of the GMP principles. Annex 11 is focused on the life cycle of computerized systems. In January 2011, the EU issued a revision to Annex 11, with an effective date of 01 July 2011, to reflect the increased use and complexity of computerized systems. The initial principle behind Annex 11 can be summarized as follows:

“…the introduction of computerised systems into systems of manufacturing, including storage, distribution and quality control does not alter the need to observe the relevant principles given elsewhere in the Guide. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality or quality assurance. Consideration should be given to the risk of losing aspects of the previous system which could result from reducing the involvement of operators.”2

The UL PURE Learning Platform enables regulated industries to cost-effectively comply with Part 11 and Annex 11 while achieving optimal operational and regulatory compliance efficiencies. Companies can transition to a paperless environment that supports current good manufacturing practices (cGMP) using the UL PURE Learning Platform. Speed, accuracy, reliability, collaboration, and visibility are benefits that can directly be attributed to the elimination of the enormous overhead of maintaining an exhaustive paper trail and disparate legacy systems to conduct compliance training. The UL PURE Learning Platform is an integrated web-based training platform designed explicitly for regulated industries.

The purpose of this white paper is to provide businesses in the pharmaceutical, biotech, medical device, health care, and food industries with a baseline framework of how the UL PURE Learning Platform addresses the technical requirements of Part 11 and Annex 11. Although Part 11 and Annex 11 cover similar issues, they are not completely aligned and there are some significant differences between the two sets of rules. UL PURE Learning recognizes the demands of regulated industries and has created a flexible solution to address these differences. The objective is to help these industries quickly and cost-effectively comply with Part 11 and/or Annex 11.

1 Food and Drug Administration, 21 CFR Part 11 Electronic Records; Electronic Signatures, Final Rule Electronic Submissions; Establishment of Public Docket; Notice, page 36.

2 EU Annex 11, Computerised Systems, to the EU GMP Guideline Commission Directives 2003/94/EC for medicinal products for human use and directive 91/412/EEC for veterinary use.


2. Definitions and Terminology

Term – Definition

Biometrics – A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

CBT – Computer Based Training

CD – Control Document. Also known as CICS (Critical Information Control System). A particular type of training, used to present such documents as SOPs, functional specifications, mechanical drawings, etc.

Closed System – An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Computerized System – A system including the input of data, electronic processing and the output of information to be used either for reporting or automatic control.

CSV Files – Comma-separated value files

Digital Signature – An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Electronic Record – Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

Electronic Signature – A computer data compilation of any symbol or series of symbols, executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

ERES – A frequently used acronym for Electronic Records/Electronic Signatures

Handwritten Signature – The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument, such as a pen or stylus, is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

ILC – Instructor Led Course. Also known as Instructor Based Training. A particular type of training, used to track non-system events (e.g., non-computer-based events). These events could include meetings, seminars, skill-based demonstrations, etc.

Open System – An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.


3. Complying with Part 11 and Comparison with Annex 11

21 CFR Part 11 is made up of three subparts that establish the requirements regulated companies must follow, at a minimum, to achieve the level of integrity, reliability, and consistency of electronic records and signatures acceptable to the FDA. Unlike the EU’s Annex 11 guidance, 21 CFR Part 11 is a U.S. government regulation that establishes fully enforceable requirements under federal law. Complying with the Part 11 regulation requires a combination of strong management procedures and computer systems that meet the technical aspects of the rule, such as application security, audit trails, and password protection.

UL PURE Learning actively works with the pharmaceutical, biotech, medical device, health care, and food industries, and with the FDA, to ensure that our solutions comply with the technical aspects of Part 11. Each customer’s security and standard operating procedures (SOPs) for supporting this regulation are unique. ComplianceWire is flexible and configurable to meet the training requirements of the various SOPs and implementations needed to facilitate this regulation.

Subpart A of Part 11 includes the general provisions of the regulation, including the scope, implementation, and definitions. Tables 1 and 2 below detail how ComplianceWire addresses the specific requirements outlined in Subparts B (electronic records) and C (electronic signatures), respectively.3

As noted above, Part 11 and Annex 11 are not completely aligned. For example, the following Annex 11 requirements have no corresponding cross-reference to a Part 11 requirement. One reason for this is that Part 11 is an “add-on” regulation and some of these requirements are found in the predicate regulations; some requirements are implicit in Part 11 rather than explicit:

1 (risk management)
3 (suppliers and service providers)
4.1 (validation life cycle)
4.3 (systems inventory and GMP functionality)
4.4 (user requirements specifications)
4.5 (quality management system)
4.6 (process for customized systems)
4.7 (evidence of appropriate test methods)
7.2 (backup)
8.2 (batch release records)
12.2 (system criticality)
13 (incident management)
15 (batch release)
16 (business continuity)
17 (archiving)

3 The requirements in these tables have been extracted from the United States FDA regulations known as Title 21 of the Code of Federal Regulations, Part 11, titled "Electronic Signatures and Electronic Records".


4. Subpart B – Electronic Records

Subpart B of the regulation requires procedures and controls to ensure the authenticity, integrity, and confidentiality of electronic records, and to ensure that signed records cannot be readily repudiated as not genuine.


Table 1: Subpart B – Electronic Records. Columns: Part 11 Requirements | Annex 11 | Compliant | UL Strategies

Part 11: 11.10 – Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

Annex 11: 7.1 – Data should be secured by both physical and electronic means against damage.
7.2 – Regular back-ups of all relevant data should be done.
12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons.

Compliant: Yes / No / N/A

UL strategies: The methodology for the development of software systems at UL PURE Learning is described in our internal System Development Life Cycle SOP and is available for customer review during on-site audit inspections.

A Backup Procedures SOP outlines the backup plan for four major areas: backup to disk, backup to tape, off-site tape management, and monthly and yearly archive.

Only authorized individuals with a valid User ID, Password, and Company Code can log into the system. Password policies (including complexity and expiry requirements) can be established. Users who fail to log in after a determined number of attempts can be locked out. Optionally, access to ComplianceWire can be limited to an established range of IP addresses.

ComplianceWire stores records in a secure SQL Server database. Security features such as User ID/Password and security roles protect the records stored in the system throughout the records retention period. Additionally, passwords are stored encrypted in the database, the database connection string is stored and retrieved from a protected area on the server, and 128-bit Secure Sockets Layer (SSL) encryption is used to protect information transmitted over the Internet.


Part 11: 11.10(a) – Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Annex 11: 4.1 – Validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their risk assessment.

Compliant: Yes / No / N/A

UL strategies: The methodology for the development of software systems at UL PURE Learning is described in our internal System Development Life Cycle SOP and is available for customer review during on-site audit inspections. Appropriate documentation is generated by UL PURE Learning as work progresses in the development and testing of each ComplianceWire release. UL PURE Learning addresses risk with each release, whereby staff from Applications, Quality Assurance, and Project Management discuss the specific changes and document risk scenarios, mitigations, and overall risk level (high, medium, low). There is a formal Validation Package that provides documented evidence that the system consistently conforms to the requirements and is adequate for its intended use. Accordingly, UL PURE Learning validates all modifications and additions to the ComplianceWire system prior to their release.

Per contractual agreement, each client may audit UL PURE Learning and review all applicable documentation. This is to ensure that the Part 11 and Annex 11 expectation that companies validate systems involved in managing GxP processes is addressed, based on a company’s intended use requirements.

Controls for Closed Systems

Annex 11: 4.2 – Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.

Compliant: Yes / No / N/A

UL strategies: Deviations observed during the validation process are captured in our Product Release Checklist and Validation Summary Report. All test execution non-conformances are logged, tracked, and maintained in our issue tracking system through resolution and closure.

Annex 11: 4.3 – An up-to-date listing of all relevant systems and their GMP functionality (inventory) should be available. For critical systems, an up-to-date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available.

Compliant: Yes / No / N/A

UL strategies: Several documents are generated and maintained that describe system features (User Stories and Acceptance Criteria Document), system design (System Design Document), Application Diagram, Network Diagram, System Inventory, etc.


Annex 11: 4.5 – The regulated user should take all reasonable steps to ensure that the system has been developed in accordance with an appropriate quality management system.

Compliant: Yes / No / N/A

UL strategies: The methodology for the development of software systems at UL PURE Learning is described in our internal System Development Life Cycle SOP and is available for customer review during on-site audit inspections. All clients are encouraged to conduct an on-site audit of our Software Development Life Cycle (SDLC), as well as development and validation artifacts.

Annex 11: 4.7 – Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy.

Compliant: Yes / No / N/A

UL strategies: The methodology for the development of software systems at UL PURE Learning is described in our internal System Development Life Cycle SOP and is available for customer review during on-site audit inspections. Appropriate documentation is generated by UL PURE Learning as work progresses in the development and testing of each ComplianceWire release. There is a formal Validation Package that provides documented evidence that the system consistently conforms to the requirements and is adequate for its intended use. Accordingly, UL PURE Learning validates all modifications and additions to the ComplianceWire system prior to their release. Objective evidence from test script execution is available during an on-site review.

Automated testing tools are not currently in use at UL PURE Learning.

Annex 11: 4.4 – User Requirements Specifications should describe the required functions of the system, be based on documented risk assessment and GMP impact, and be traceable throughout the life cycle.

Compliant: Yes / No / N/A

UL strategies: Several documents are generated and maintained that describe system features (Business and Functional Requirements Document), system design (System Design Document), Risk Logs, and a Requirements Traceability Matrix.

Annex 11: 4.8 – If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process.

Compliant: Yes / No / N/A

UL strategies: UL PURE Learning does not transfer data to another data format or system.


Part 11: 11.10(c) – Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Annex 11: 7.1 – Data should be secured by both physical and electronic means against damage. Access to data should be ensured throughout the retention period.
7.2 – Regular back-ups of all relevant data should be done.
8.1 – It should be possible to obtain clear printed copies of electronically stored data.
12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons.

Compliant: Yes / No / N/A

UL strategies: ComplianceWire stores records in a secure SQL Server database. Security features such as User ID/Password and security roles protect the records stored in the system throughout the records retention period. Additionally, passwords are stored encrypted in the database, the database connection string is stored and retrieved from a protected area on the server, and 128-bit SSL encryption is used to protect information transmitted over the Internet.

A Backup Procedures SOP outlines the backup plan for four major areas: backup to disk, backup to tape, off-site tape management, and monthly and yearly archive.

Users can create reports and select the information they wish to see when viewing information in various areas of ComplianceWire. The reports can be viewed online, downloaded, e-mailed, and printed in multiple formats (CSV, PDF, Excel). Additional custom reports can be developed and incorporated as required to meet the specific needs of each client.

Part 11: 11.10(d) – Limiting system access to authorized individuals.

Annex 11: 2 – All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.
12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.
12.3 – Creation, change, and cancellation of access authorizations should be recorded.

Compliant: Yes / No / N/A

UL strategies: Only authorized individuals with a valid User ID, Password, and Company Code can log into the system. Password policies (including complexity and expiry requirements) can be established. Users who fail to log in after a determined number of attempts can be locked out. Optionally, access to ComplianceWire can be limited to an established range of IP addresses.

ComplianceWire has many customizable features to assure that only authorized users can use or take action within the system. These include: a three-component user login, custom-defined user security roles, password expiry and complexity policies, automatic session timeouts, and use of electronic signatures. Authorized users in ComplianceWire are assigned security role(s) that define what features or operations each user is allowed to access or perform.

UL PURE Learning also maintains Data Center Operations and Security Standard Operating Procedures (SOPs) that govern the limiting of access to the Data Center.

UL PURE Learning is responsible for creating, reviewing, and disabling accounts for UL PURE Learning personnel, and these actions are recorded on an approved form. Clients are responsible for creating and disabling accounts at the client level (UL PURE Learning does not manage user access within a client company’s instance).
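The access controls this row lists (three-component login, lockout after a set number of failed attempts, password complexity and expiry, an optional IP range restriction, and automatic session timeout) as an added Python model. This is illustrative code, not ComplianceWire's; the policy thresholds, network ranges and account data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import ipaddress
import os
import re
from typing import Dict, Optional, Tuple


@dataclass
class AccessPolicy:
    """Configurable values; the defaults here are assumptions for the example."""
    max_failed_attempts: int = 5
    password_max_age: timedelta = timedelta(days=90)
    session_timeout: timedelta = timedelta(minutes=15)
    allowed_networks: Tuple[str, ...] = ("10.0.0.0/8", "192.0.2.0/24")  # constructed ranges
    min_password_length: int = 8


@dataclass
class Account:
    user_id: str
    company_code: str
    salt: bytes
    password_hash: bytes               # salted PBKDF2 digest, never the password itself
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_meets_policy(password: str, policy: AccessPolicy) -> bool:
    """Complexity rule (assumed): minimum length plus upper, lower and digit classes."""
    return (len(password) >= policy.min_password_length
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def create_account(user_id: str, company_code: str, password: str,
                   now: datetime, policy: AccessPolicy) -> Account:
    if not password_meets_policy(password, policy):
        raise ValueError("password does not meet the complexity policy")
    salt = os.urandom(16)
    return Account(user_id, company_code, salt, hash_password(password, salt), now)


def ip_allowed(source_ip: str, policy: AccessPolicy) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in policy.allowed_networks)


def authenticate(directory: Dict[Tuple[str, str], Account], company_code: str,
                 user_id: str, password: str, source_ip: str, now: datetime,
                 policy: AccessPolicy) -> Tuple[bool, str]:
    """Three-component login (Company Code, User ID, Password) with IP restriction,
    lockout after repeated failures and password-expiry enforcement."""
    if not ip_allowed(source_ip, policy):
        return False, "source address outside permitted range"
    account = directory.get((company_code, user_id))
    if account is None:
        return False, "invalid credentials"    # same answer as a bad password
    if account.locked:
        return False, "account locked"
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked = True               # stays locked until an administrator resets it
            return False, "account locked"
        return False, "invalid credentials"
    account.failed_attempts = 0
    if now - account.password_set_at > policy.password_max_age:
        return False, "password expired; change required"
    account.last_activity = now
    return True, "ok"


def session_active(account: Account, now: datetime, policy: AccessPolicy) -> bool:
    """Automatic session timeout: a session idle longer than the policy window has ended."""
    return (account.last_activity is not None
            and now - account.last_activity <= policy.session_timeout)
```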


Part 11: 11.10(b) – The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.

Annex 11: 8.1 – It should be possible to obtain clear printed copies of electronically stored data.

Compliant: Yes / No / N/A

UL strategies: Users can create reports and select the information they wish to see when viewing information in various areas of ComplianceWire. The reports can be viewed online, downloaded, e-mailed, and printed in multiple formats (CSV, PDF, Excel). Additional custom reports can be developed and incorporated as required to meet the specific needs of each client.

ComplianceWire stores records in a secure SQL Server database. Security features such as User ID/Password and security roles protect the records stored in the system throughout the records retention period.

Part 11: 11.10(e) – Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Annex 11: 7.1 – Access to data should be ensured throughout the retention period.
9 – Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
12.4 – Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data, including date and time.

Compliant: Yes / No / N/A

UL strategies: ComplianceWire stores records in a secure SQL Server database. Security features such as User ID/Password and security roles protect the records stored in the system throughout the records retention period.

ComplianceWire provides audit trail information in history tables. A chronological history of activity in the system is also captured in the Event Log. It records the user, the operation performed (event), and the date and time it was performed.
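The audit-trail properties this row asks for (11.10(e) and Annex 11 sections 9 and 12.4) as an added Python illustration: every create, modify and delete gets a computer-generated time stamp, the acting user and the event; changes and deletions require a documented reason; earlier values are kept in an append-only history rather than overwritten, so any past state can be reconstructed; and the trail exports to a printable form for review. This is not ComplianceWire code; the store, field names and the sample training record are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One immutable history-table row: who did what to which record, when, and why."""
    seq: int
    timestamp: datetime            # generated by the store, never supplied by the operator
    user_id: str
    record_id: str
    event: str                     # "create", "modify" or "delete"
    field_name: Optional[str]
    old_value: Optional[str]
    new_value: Optional[str]
    reason: Optional[str]


class AuditedStore:
    """Current records plus an append-only trail of every create, modify and delete."""

    def __init__(self, clock: Callable[[], datetime] = datetime.now) -> None:
        self._clock = clock          # injectable so replays and tests are deterministic
        self._records: Dict[str, Dict[str, str]] = {}
        self._deleted: set = set()
        self._trail: List[AuditEntry] = []

    def _log(self, user_id: str, record_id: str, event: str,
             field_name: Optional[str] = None, old: Optional[str] = None,
             new: Optional[str] = None, reason: Optional[str] = None) -> None:
        # Append only: entries are frozen and nothing here rewrites an earlier one.
        self._trail.append(AuditEntry(len(self._trail) + 1, self._clock(), user_id,
                                      record_id, event, field_name, old, new, reason))

    @staticmethod
    def _require_reason(reason: Optional[str]) -> None:
        # Annex 11 section 9: the reason for changing or deleting GMP-relevant data is documented.
        if not reason or not reason.strip():
            raise ValueError("a documented reason is required for changes and deletions")

    def create(self, user_id: str, record_id: str, fields: Dict[str, str]) -> None:
        if record_id in self._records:
            raise ValueError(f"record {record_id} already exists")
        self._records[record_id] = dict(fields)
        for name, value in fields.items():
            self._log(user_id, record_id, "create", name, None, value)

    def modify(self, user_id: str, record_id: str, field_name: str,
               new_value: str, reason: Optional[str]) -> None:
        self._require_reason(reason)
        if record_id not in self._records or record_id in self._deleted:
            raise KeyError(record_id)
        old = self._records[record_id].get(field_name)
        self._records[record_id][field_name] = new_value
        # The old value travels into the trail, so the change does not obscure it.
        self._log(user_id, record_id, "modify", field_name, old, new_value, reason)

    def delete(self, user_id: str, record_id: str, reason: Optional[str]) -> None:
        self._require_reason(reason)
        if record_id not in self._records or record_id in self._deleted:
            raise KeyError(record_id)
        self._deleted.add(record_id)     # logical delete: the data stays for the trail
        self._log(user_id, record_id, "delete", None, None, None, reason)

    def current(self, record_id: str) -> Optional[Dict[str, str]]:
        if record_id in self._deleted:
            return None
        rec = self._records.get(record_id)
        return dict(rec) if rec is not None else None

    def history(self, record_id: str) -> List[AuditEntry]:
        return [e for e in self._trail if e.record_id == record_id]

    def as_of(self, record_id: str, when: datetime) -> Optional[Dict[str, str]]:
        """Rebuild the record as it stood at `when` by replaying its trail entries."""
        state: Dict[str, str] = {}
        exists = False
        for e in self.history(record_id):
            if e.timestamp > when:
                continue
            if e.event == "delete":
                exists = False
            else:
                exists = True
                state[e.field_name] = e.new_value
        return dict(state) if exists else None

    def export(self) -> List[str]:
        """The trail in a generally intelligible, printable form for periodic review."""
        lines = []
        for e in self._trail:
            detail = (f"{e.field_name}: {e.old_value!r} -> {e.new_value!r}"
                      if e.field_name else "whole record")
            lines.append(f"{e.seq}\t{e.timestamp.isoformat()}\t{e.user_id}\t{e.event}"
                         f"\t{e.record_id}\t{detail}\treason={e.reason or ''}")
        return lines
```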

Part 11: 11.10(f) – Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Annex 11: N/A (no direct Annex 11 counterpart).

Compliant: Yes / No / N/A

UL strategies: ComplianceWire enforces the proper sequencing of steps and events.


Part 11: 11.10(g) – Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Annex 11: 2 – All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.
12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Compliant: Yes / No / N/A

UL strategies: Only authorized individuals with a valid User ID, Password, and Company Code can log into the system. Password policies (including complexity and expiry requirements) can be established. Users who fail to log in after a determined number of attempts can be locked out. Optionally, access to ComplianceWire can be limited to an established range of IP addresses.

ComplianceWire has many customizable features to assure that only authorized users can use or take action within the system. These include: a three-component user login, custom-defined user security roles, password expiry and complexity policies, automatic session timeouts, and use of electronic signatures. Authorized users in ComplianceWire are assigned security role(s) that define what features or operations each user is allowed to access or perform.

Part 11: 11.10(h) – Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Annex 11: 6 – For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a second operator or by validated electronic means.

Compliant: Yes / No / N/A

UL strategies: ComplianceWire has many customizable features, including functionality for the use of dual e-signatures on Forms.


11.30 – Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in §11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

5 – Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.

7.1 – Data should be secured by both physical and electronic means against damage.

7.2 – Regular back-ups of all relevant data should be done.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons.

Compliant: Yes / No / N/A

UL PURE Learning defines ComplianceWire as an open system due to the nature of the Internet. We have applied the extra controls required of an open system (for example, SSL encryption for data transactions within the system over the Internet) so that no matter how the client interprets ComplianceWire (open or closed), we can support the technology required to meet their interpretation.

A Backup Procedures SOP outlines the backup plan for four major areas: backup to disk, backup to tape, off-site tape management, and monthly and yearly archives.

Only authorized individuals with a valid User ID, Password, and Company Code can log into the system. Password policies (including complexity and expiry requirements) can be established. Users who fail to log in after a determined number of attempts can be locked out. Optionally, access to ComplianceWire can be limited to an established range of IP addresses.

ComplianceWire stores records in a secure SQL server database. Security features such as User ID/Password and security roles protect the records stored in the system throughout the records retention period. Additionally, passwords are stored encrypted in the database, the database connection string is stored and retrieved from a protected area on the server, and 128-bit SSL encryption is used to protect information transmitted over the Internet.

11.10(k) – Use of appropriate controls over systems documentation including: (1) adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance; and (2) revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

N/A (no direct Annex 11 counterpart to 21 CFR 11.10(k)(1)).

10 – Any changes to a computerized system including system configuration should only be made in a controlled manner in accordance with a defined procedure.

Compliant: Yes / No / N/A

UL PURE Learning has controls in place governing the distribution of, access to, and use and maintenance of the ComplianceWire documentation. All documentation is available for customer review during on-site audit inspections.

UL PURE Learning has an internal change control system that is followed by our personnel when making changes to the platform.


11.10(i) – Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

2 – All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.

Compliant: Yes / No / N/A

It is ultimately the responsibility of the customer to determine that the personnel involved with the operation of the system have the education, training, and experience to perform their assigned tasks. Dashboards and Reporting are available to monitor, remediate, and prevent training non-compliance.

UL PURE Learning regularly trains its employees through both external and internal training. We track our employee training in the UL PURE Learning platform to ensure compliance with the required training documented in our Training Matrix.

Controls for Open Systems

11.10(j) – The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

N/A (no direct Annex 11 counterpart).

Compliant: Yes / No / N/A

The requirement for policies that hold individuals accountable and responsible for actions initiated under their electronic signatures is a customer procedural requirement.

Signature Manifestations

11.50(a) – Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) the printed name of the signer; (2) the date and time when the signature was executed; (3) the meaning (such as review, approval, responsibility, or authorship) associated with the signature; and (4) the items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

14 – Electronic records may be signed electronically. Electronic signatures are expected to have the same impact as hand-written signatures, be permanently linked to their respective record, and include the time and date that they were applied.

Compliant: Yes / No / N/A

ComplianceWire electronic signatures consist of the signer information, including (1) the First Name, Last Name, and User ID within the system; (2) the computer-generated date and time stamp when the signature was executed; and (3) the meaning/reason associated with the signature (signature reasons are customizable by each customer to meet specific needs). In addition, the items identified in Part 11 sections 11.50(a)(1), (a)(2), and (a)(3) are subject to the same controls as for electronic records and are included as part of any human-readable form of the electronic record (such as electronic display or printout).

Electronic signature information is displayed in applicable areas of the ComplianceWire system, and the electronic signatures are permanently linked to their respective records using unique encryption-key values via SHA-256 hashing.


Signature/Record Linking

11.70 – Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

14 – Electronic signatures are expected to be permanently linked to their respective record.

Compliant: Yes / No / N/A

ComplianceWire is designed so that electronic signatures are permanently linked to their respective records using unique encryption-key values via SHA-256 hashing, and a system user cannot delete, modify, or copy another user's electronic signature. The table structure and encryption techniques used in the system also prevent people with operating-system-level access from modifying or copying signatures in any way.
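The two rows above (11.50(a) signature manifestations and 11.70 signature/record linking) describe a signature that carries printed name, timestamp and meaning and is bound to its record by a keyed hash so it cannot be moved or re-dated. The following is an added illustration of that design and is not ComplianceWire's code; the record layout, the `SERVER_KEY` name and the use of HMAC-SHA256 as the link value are assumptions for the demonstration.

```python
"""Added example (not ComplianceWire code): an electronic-signature
manifestation (21 CFR 11.50(a)) linked to its record (11.70, Annex 11 s.14).
The link is an HMAC-SHA256 over the record digest and every signature field,
computed under a server-held key; key name and record layout are assumed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed server-side secret; in a real deployment it lives in protected
# storage (the page mentions a protected area on the server), never in code.
SERVER_KEY = b"demo-only-server-key"


def canonical(obj) -> bytes:
    """Deterministic serialisation so equal content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, user_id: str, printed_name: str,
                meaning: str, signed_at=None) -> dict:
    """Build the 11.50(a) manifestation and bind it to this record's content."""
    signed_at = signed_at or datetime.now(timezone.utc)
    manifestation = {
        "record_id": record["record_id"],
        "record_digest": hashlib.sha256(canonical(record)).hexdigest(),
        "user_id": user_id,
        "printed_name": printed_name,          # 11.50(a)(1)
        "signed_at": signed_at.isoformat(),    # 11.50(a)(2)
        "meaning": meaning,                    # 11.50(a)(3)
    }
    # The link covers every field above, so the signature cannot be copied
    # to another record, re-dated, or given a new meaning without breaking it.
    manifestation["link"] = hmac.new(SERVER_KEY, canonical(manifestation),
                                     hashlib.sha256).hexdigest()
    return manifestation


def verify_signature(record: dict, manifestation: dict) -> bool:
    """True only if the record is unchanged and the signature belongs to it."""
    claimed = manifestation.get("link", "")
    body = {k: v for k, v in manifestation.items() if k != "link"}
    expected = hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(claimed, expected):
        return False          # signature fields were altered or transferred
    return (body["record_id"] == record["record_id"]
            and body["record_digest"] == hashlib.sha256(canonical(record)).hexdigest())


def human_readable(manifestation: dict) -> str:
    """Text that must accompany any display or printout (11.50(a)(4))."""
    return (f"Signed by {manifestation['printed_name']} ({manifestation['user_id']}) "
            f"on {manifestation['signed_at']}; meaning: {manifestation['meaning']}")


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sop = {"record_id": "SOP-0042", "version": 3, "text": "Calibrate balance daily."}
    sig = sign_record(sop, "jdoe", "Jane Doe", "Approval")
    print(human_readable(sig), verify_signature(sop, sig))
```

Editing the record text, changing the signing date or meaning, or attaching the manifestation to a different record all make `verify_signature` return False, which is the property 11.70 asks for.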


5. Subpart C – Electronic Signatures

Subpart C of the regulation pertains to electronic signatures. Electronic signatures must be unique to each individual and shall not be reused or reassigned. The identity of individuals must be verified before an electronic signature can be assigned or used. Subpart C also covers the administrative control requirements that ensure the security and integrity of identification codes and passwords.

Part 11 Requirements | Annex 11 | Compliant | UL Strategies

11.100(a) – Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

N/A (no direct Annex 11 counterpart).

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement. ComplianceWire uses an internal unique identifier associated with each EmployeeID, UserID, LastName, FirstName, MiddleName and password for signature. A valid Company Identifier is also required as part of the electronic signature value. If the end user or administrator changes any of these values, a new signature ID is generated. Each instance of the signature value is unique.

11.100(b) – Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

N/A (no direct Annex 11 counterpart).

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

The customer must accept the Terms of Use statement before gaining access to ComplianceWire. This statement includes disclaimers of liability and of warranty/accuracy, and information on the use of electronic signatures.

11.100(c) – Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

14.a – Electronic signatures are expected to have the same impact as hand-written signatures.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

The customer must accept the Terms of Use statement before gaining access to ComplianceWire. This statement includes disclaimers of liability and of warranty/accuracy, and information on the use of electronic signatures.


Electronic Signature Components and Controls

11.200(a)(1) – Electronic signatures that are not based upon biometrics shall: (i) employ at least two distinct identification components such as an identification code and password, (ii) when an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

Access to ComplianceWire is protected by requiring the user to enter three distinct identification components (User ID, Password and Company Code).

Each time a user executes an electronic signature in ComplianceWire, the user is required to enter two of the electronic signature components (the User ID of the currently logged-in user and the current Password), regardless of the period of controlled system access activity.

11.200(a)(2) – Electronic signatures that are not based upon biometrics shall be used only by their genuine owners.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

Access to ComplianceWire is protected by requiring the user to enter three distinct identification components (User ID, Password and Company Code).

Each time a user executes an electronic signature in ComplianceWire, the user is required to enter two of the electronic signature components (the User ID of the currently logged-in user and the current Password), regardless of the period of controlled system access activity.

11.200(a)(3) – Electronic signatures that are not based upon biometrics shall be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

The customer must accept the Terms of Use statement before gaining access to ComplianceWire. This statement includes disclaimers of liability and of warranty/accuracy, and information on the use of electronic signatures.


11.200(b) – Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Compliant: Yes / No / N/A

ComplianceWire does not offer a biometric option for personnel identification as part of the standard functionality. This interoperability can be developed and incorporated as required to meet the specific needs of each client.

Controls for Identification Codes/Passwords

11.300(a) – Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

Access to ComplianceWire is protected by requiring the user to enter three distinct identification components (User ID, Password and Company Code).

Each time a user executes an electronic signature in ComplianceWire, the user is required to enter two of the electronic signature components (the User ID of the currently logged-in user and the current Password), regardless of the period of controlled system access activity.

11.300(b) – Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

11 – Computerized systems should be periodically evaluated to confirm that they remain in a validated state and are compliant with GMP. Such evaluations should include, where appropriate . . . security.

12.3 – Creation, change, and cancellation of access authorizations should be recorded.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

ComplianceWire includes advanced configurable settings allowing customers to define and manage password lengths, password expiry, password complexity, password reuse history, and account lockouts.

11.300(c) – Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

12.3 – Creation, change, and cancellation of access authorizations should be recorded.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

ComplianceWire does not use tokens, cards, or other devices that bear or generate identification code or password information.


11.300(d) – Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

12.1 – Physical and/or logical controls should be in place to restrict access to computerized systems to authorized persons.

Compliant: Yes / No / N/A

Customer procedures must be established to meet this requirement.

ComplianceWire can be configured to lock out users who fail to log in after a determined number of attempts. All invalid login attempts are recorded in the Audit Log.

Intrusion protection is enabled at the hardware level of the website server and intrusion events are recorded in the server's event logs which are monitored.
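The 11.300(d) row above pairs a lockout after a set number of failed logins with an Audit Log of every invalid attempt. As an added illustration (not ComplianceWire's code) of the detection and reporting side of that control, the script below replays constructed audit-log lines, locks an account after a threshold of failures inside a time window, raises an immediate alert, and flags any success recorded for an already-locked account. The log line format, the threshold of three attempts and the 15-minute window are assumptions.

```python
"""Added example (not ComplianceWire code): replay of an audit log to apply
the transaction safeguards of 21 CFR 11.300(d): lock out after repeated
failures, alert immediately, and flag logins that should have been refused.
Log format, threshold and window are assumed for the demonstration."""
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) company=(\S+) user=(\S+) result=(SUCCESS|FAIL) ip=(\S+)$")

# Constructed sample audit log, not real data.
AUDIT_LOG = """\
2018-05-14T09:00:01Z company=ACME user=jdoe result=FAIL ip=10.0.0.5
2018-05-14T09:00:09Z company=ACME user=jdoe result=FAIL ip=10.0.0.5
2018-05-14T09:00:15Z company=ACME user=jdoe result=SUCCESS ip=10.0.0.5
2018-05-14T09:30:00Z company=ACME user=asmith result=FAIL ip=198.51.100.7
2018-05-14T09:30:04Z company=ACME user=asmith result=FAIL ip=198.51.100.7
2018-05-14T09:30:09Z company=ACME user=asmith result=FAIL ip=198.51.100.7
2018-05-14T09:30:12Z company=ACME user=asmith result=SUCCESS ip=198.51.100.7
2018-05-14T11:00:00Z company=ACME user=bwong result=FAIL ip=10.0.0.9
2018-05-14T13:00:00Z company=ACME user=bwong result=FAIL ip=10.0.0.9
2018-05-14T15:00:00Z company=ACME user=bwong result=FAIL ip=10.0.0.9
"""


def evaluate_logins(log_text, max_failures=3, window=timedelta(minutes=15)):
    """Return (locked, alerts, rejected) after replaying the log in order.

    An account is locked when max_failures failures fall inside `window`;
    an alert is emitted at that moment (the 'immediate and urgent' report).
    Failures older than the window are forgotten and a success clears the
    count. A SUCCESS logged for a locked account is returned in `rejected`
    because the application should have refused it.
    """
    failures = {}                      # (company, user) -> recent failure times
    locked, alerts, rejected = set(), [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:                      # never silently drop an audit line
            alerts.append(f"unparseable audit line: {line!r}")
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        company, user, result, ip = m.group(2, 3, 4, 5)
        key = (company, user)
        if result == "SUCCESS":
            if key in locked:
                rejected.append((ts.isoformat(), user, ip))
            failures.pop(key, None)
            continue
        recent = [t for t in failures.get(key, []) if ts - t <= window]
        recent.append(ts)
        failures[key] = recent
        if len(recent) >= max_failures and key not in locked:
            locked.add(key)
            alerts.append(f"{ts.isoformat()} lockout {company}/{user} after "
                          f"{len(recent)} failures from {ip}")
    return locked, alerts, rejected


if __name__ == "__main__":
    for item in evaluate_logins(AUDIT_LOG):
        print(item)
```

In the sample data only `asmith` is locked: `jdoe` succeeds before reaching the threshold, and `bwong`'s three failures are hours apart, so each one falls outside the window of the previous.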

11.300(e) – Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

11 – Computerized systems should be periodically evaluated to confirm that they remain in a validated state and are compliant with GMP. Such evaluations should include, where appropriate . . . security.

Compliant: Yes / No / N/A

ComplianceWire does not use tokens, cards, or other devices that bear or generate identification code or password information.


6. About UL PURE Learning

Since 1980, UL has been providing computer-based instruction, compliance management solutions, and advisory services to corporate and government customers with a strong focus on the needs of the Life Sciences, Health Care, Energy, and Industrial sectors. Currently, more than one million active users around the world rely on our technology and courses, recording over 20 million training item completions annually.

UL's PURE Learning partners with its customers to successfully enter new markets, manage compliance, optimize quality and elevate performance by supporting processes at every stage of a company's evolution.

For more than 30 years, UL has served corporate and government customers in the Life Science, Health Care, Energy and Industrial sectors. Our global quality and compliance management approach integrates ComplianceWire, training content and advisory services, enabling clients to align learning strategies with their quality and compliance objectives.

Since 1999, our unique partnership with the FDA provides online training tools to train and certify more than 35,000 federal, state, local and global FDA investigators in the areas of quality and compliance. UL and the FDA jointly develop content and deliver it via ComplianceWire.

UL is a premier global independent safety science company that has championed progress for 120 years. Its more than 12,000 professionals are guided by the UL mission to promote safe working and living environments for all people.

UL PURE Learning is headquartered in Princeton, NJ, with offices in Houston, TX, United Kingdom, and Hong Kong.

For more information on how UL's software and advisory services can be of service to your organization, please contact us at:

+1-877-338-6337 or +1-609-627-5300 www.ulpurelearning.com


***End of Document***