21 CFR Part 11 Checklist

Transcription

1 21 CFR Part 11 Checklist GUIDE NOTOCORD Chemin de Ronde Croissy-sur-Seine my.notocord.com support@notocord.com +33 (0)

2 1. Preliminary information 1.1. Purpose and scope As part of NOTOCORD s customer s own evaluation program of their supplier, this document serves to gather all relevant information to evaluate NOTOCORD-hem software compliancy with 21 CFR Part 11 regulation. This document lists the 21 CFR Part 11 requirements and describes at best how NOTOCORD-hem software satisfies each requirement and how NOTOCORD can offer an application containing the required technical elements of a compliant system. NOTOCORD remains at your disposal should you require any further information. You can also address your own 21 CFR Part 11 compliancy questionnaire. The customer is designated as the ORGANIZATION in the whole document Product Information Product name: NOTOCORD-hem Evolution Version: Supplier: and above NOTOCORD Systems CFR Part 11 overview 21 CFR Part 11 is a rule contained in the Code of Federal Regulation (CFR), entitled Electronic Records; Electronic Signatures and edited by the United States Food and Drug Administration (FDA). Following the observation that the use of computer technologies would become widespread in all areas subject to FDA, the 21 CFR Part 11 was created in 1997 so that the electronic records and electronic signatures can be the equivalent to paper records and traditional handwritten signatures. The challenge of the 21 CFR Part 11 is to give confidence in the electronic records and electronic signatures, and therefore requires additional controls for computer systems that maintain electronic records, including validation of these computer systems. 21 CFR Part 11 applies to all laboratories regulated by the FDA and working in GLP (Good Laboratory Practice), GCP (Good Clinical Practice) and GMP (Good Manufacturing Practice). It concerns electronic records and electronic signatures security, reliability as well as the electronic management of these documents. Therefore, this regulation is applicable to the use of NOTOCORD-hem software in GLP environment. NOTOCORD is aware of the complexity in implementing 21 CFR Part 11. NOTOCORD relies on regulations as presented by FDA, on its validation consultant specialized in GxP regulations and on its 16-Jan NOTOCORD Systems Page 2 of 31 ID 62 - Version 2.0

3 customers feedback. Being compliant is therefore a criterion NOTOCORD has kept in mind when developing NOTOCORD-hem Software development at NOTOCORD Software development at NOTOCORD is carried out under a defined quality system. NOTOCORD is certified ISO 9001 and follows a software lifecycle management system defined by our policy for agile development that includes but is not limited to frequent iterations, integrations, testing, and internal delivery of software user requirements for functional testing Definitions AccessManager: security application designed to set access control policies (username, password, comment) for actions performed in NOTOCORD-hem Evolution. Active Directory: system software, included in Windows server, managing authentication and authorization of all users and computers within a Windows network. Change control: formal process used to ensure that changes to a product or a system are introduced in a controlled and coordinated manner. GLP (Good Laboratory Practice): - Source 21 CFR part 58 scope: Refers to practices defined by the Food and Drug Administration under 21 CFR part 58 for conducting nonclinical laboratory studies that support or are intended to support applications for research or marketing permits for products regulated by the Food and Drug Administration, including food and color additives, animal food additives, human and animal drugs, medical devices for human use, biological products, and electronic products. - Source OECD: refers to a quality system concerned with the organizational process and the conditions under which non-clinical health and environmental safety studies are planned, performed, monitored, recorded, archived and reported. IT (Information Technology): department and/or person(s) in charge of managing the company s information systems. ORGANIZATION: any company, pharmaceutical industry, Contract Research Organization, Academia, Hospital or any other entity using NOTOCORD-hem software. OS (Operating System): set of programs which manage computer hardware resources and provide common services for application software (e.g. Microsoft Windows, Linux, Android, etc.) QA (Quality Assurance): department and/or person(s) in charge of managing the company s Quality system. Release Notes: document summarizing changes made for each NOTOCORD-hem released commercial version. User: any person in the ORGANIZATION, operating NOTOCORD-hem software and related applications. 16-Jan NOTOCORD Systems Page 3 of 31 ID 62 - Version 2.0

4 Closed system: environment in which the system access is controlled by persons who are responsible for the content of electronic records that are on the system (source: 21 CFR part 11) Open system: environment in which the system access is not controlled by persons who are responsible for the content of electronic records that are on the system (source: 21 CFR part 11). Electronic record: any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system (source: 21 CFR part 11). Electronic signature: a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature (source: 21 CFR part 11). 16-Jan NOTOCORD Systems Page 4 of 31 ID 62 - Version 2.0

5 2. 21 CFR part 11 requirements and compliance checklist The following is a detailed listing of each requirements and how NOTOCORD-hem satisfies each one Subpart A General Provisions 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 Title Requirements Yes No N/A Comments (a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. (b) This part applies to records in electronic form that 11.1 Scope are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This NOTOCORD-hem software utilization fits in the 21 CFR Part 11 scope. part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means. 16-Jan NOTOCORD Systems Page 5 of 31

6 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 Title Requirements Yes No N/A Comments (c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically accepted by regulation(s) effective on or after August 20, (d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required. (e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection. (f) This part does not apply to records required to be established or maintained by through of this chapter. Records that satisfy the requirements of part 1, subpart J of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part Implementation (a) For records required to be maintained but not submitted to the agency, persons may use electronic NOTOCORD-hem gives the ORGANIZATION the tools to implement and respect 21 CFR part 11 requirements, as described in following 16-Jan NOTOCORD Systems Page 6 of 31

7 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 Title Requirements Yes No N/A Comments records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met. (b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that: (1) The requirements of this part are met; and (2) The document or parts of a document to be submitted have been identified in public docket No. 92S-0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method rows. NOTOCORD-hem provides electronic records like: NSS files (raw data, calculated data, audit trail, configuration settings, etc.), Audit trail report in PDF format, Configuration report in PDF format. Data export in Excel format or TT format, etc. NOTOCORD-hem provides paper records like: Audit trail report, Configuration report. For more details, refer to the following rows and to Appendix, Records in human readable form. The implementation of 21 CFR part 11 is the ORGANIZATION s responsibility. 16-Jan NOTOCORD Systems Page 7 of 31

8 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 Title Requirements Yes No N/A Comments of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission. [ ] (4) Closed system means an environment in 11.3 Definitions which system access is controlled by persons who are responsible for the content of electronic records that NOTOCORD-hem is a closed system. are on the system. [ ] 2.1. Subpart B Electronic Records 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments Persons who use closed systems to create, modify, Controls closed systems for maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls Controls for closed system are provided by AccessManager application (AMG50a) with a security based on Windows authentication system. Procedures are managed by the SOP of the ORGANIZATION. shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the NOTOCORD-hem software is developed under a formal quality system. From software requirements to final tests, the entire 16-Jan NOTOCORD Systems Page 8 of 31

9 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments ability to discern invalid or altered records. development process is traced in NOTOCORD s quality system. (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. For more details, refer to Appendix, Validation. Independently of NOTOCORD-hem in-house testing, the ORGANIZATION has to validate NOTOCORD system in its own environment according to its intended use. For that purpose, NOTOCORD provides validation services to help the ORGANIZATION in this process. With regard to records in electronic form, NOTOCORD-hem data is stored in secure NSS files. It is necessary to use NOTOCORD-hem software to view the records in NSS format. All NOTOCORD-hem raw data and analysis data contained in NSS records can be exported: - in Microsoft Excel for reporting, statistics calculations, graphs display or further visualizations. - in text files for conversion in other software formats. Moreover, NOTOCORD-hem generates printed copies of the audit trail report and the configuration report in PDF format. For more details, refer to Appendix, Records in human readable form. 16-Jan NOTOCORD Systems Page 9 of 31

10 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments All data and audit trails generated by NOTOCORD-hem are stored together in secure NSS files. (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. All NSS files are locally stored in a secure workfile directory, requiring administrative privileges for direct access. Records protection and storing is managed by the IT system of the ORGANIZATION. NOTOCORD ensures upwards compatibility of data files between software versions. For more details, refer to Appendix, Data authenticity and integrity. (d) Limiting system access to authorized individuals. (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at Authorizations to run NOTOCORD-hem and to access its different functionalities are managed by AccessManager application (AMG50a). NOTOCORD-hem leverages the Microsoft Windows security system to manage users authentication and user security. For more details, refer to Appendix, User security and limited access to the system. An electronic and automatic audit trail is recorded in the NSS data file, and provides for each user action: date and time / printed name of user executing the action / control type / action category and description / user comment / old and new value. The audit trail is embedded in the NSS data file avoiding loss or 16-Jan NOTOCORD Systems Page 10 of 31

11 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments least as long as that required for the subject electronic records and shall be available for agency review and copying. alteration. Audit trail exists as long as the record exists. Audit trail can be printed. For more details, refer to Appendix, Audit Trail. (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. This requirement is applicable for data acquisition, scheduled data recordings and data recalculation. In these cases, NOTOCORD-hem prevents the user from executing non-authorized reconfigurations. During data acquisition, including scheduled data recordings, actions on the Configuration Setup that could affect the data are not allowed: settings cannot be modified, analysis module cannot be added or deleted, only Display settings can be modified. Acquisition must be stopped, or scheduled recording must be aborted, to modify the Configuration Setup. During data recalculation, action on data or on the configuration is not allowed, except stopping the recalculation. Authorizations to run NOTOCORD-hem and to access its different functionalities are managed by AccessManager application (AMG50a). If a user attempts to run or use NOTOCORD-hem without a valid user account, an identification error message is displayed and running the program or accessing data are not allowed. Access rights to administrate AccessManager application can be 16-Jan NOTOCORD Systems Page 11 of 31

12 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments defined. For more details, refer to Appendix, User security and limited access to the system. NOTOCORD-hem is interacting with acquisition systems through acquisition servers. Users can connect different devices to the acquisition systems. Data input can only come via a direct device connection to NOTOCORD s acquisition servers. (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and NOTOCORD-hem acquisition servers check the type of device, driver and input channels. Data acquisition cannot be started if the device and driver are not correctly installed. Channels and acquisition settings are recorded in the configuration file (CFG format associated with the record). The rest of the acquisition chain (sensors, signal conditioners, etc.) and the devices configuration must be consistent with experiments. It is the ORGANIZATION s responsibility to implement procedures to ensure the process consistency. The configuration of the acquisition chain used, including models of devices chosen, should be recorded by the user. NOTOCORD s quality system includes formal job description and training requirements. NOTOCORD employees training evidences including training 16-Jan NOTOCORD Systems Page 12 of 31

13 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments experience to perform their assigned tasks. programs and assessments are recorded in NOTOCORD s quality management system. Different technical skills matrices are formalized and reviewed periodically. NOTOCORD-hem users training is managed by the Standard Operating Procedures (SOP) of the ORGANIZATION. NOTOCORD can provide Training services for users. (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. This requirement is managed by the ORGANIZATION. (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents timesequenced development and modification of systems documentation. All software documentation is electronically archived as part of NOTOCORD s document control procedure. Any revision of the software development documentation (specifications, tests scenario and results) and final product documentation (products reference documentation) is controlled and traced according to NOTOCORD s document control procedure. Maintenance program and Release Notes are available to determine if changes may impact current activities of the ORGANIZATION. Any changes to the system of the ORGANIZATION, such as upgrades, security and performance patches, equipment repairs, etc. are 16-Jan NOTOCORD Systems Page 13 of 31

14 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments managed by Change control procedures of the ORGANIZATION. NOTOCORD provides assistance to upgrade NOTOCORD-hem systems in regulated environment via its Upgrade Validation Assistance (UVA) service pack. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of Controls for open systems their creation to the point of their receipt. Such procedures and controls shall include those identified NOTOCORD-hem is a closed system. in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. (a) Signed electronic records shall contain information The use of Electronic signatures is managed by Windows Group associated with the signing that clearly indicates all of Policy and Active Directory. Signature the following: Electronic records (NSS files, audit trail) can be signed if controls are manifestation (1) The printed name of the signer; defined in AccessManager. s (2) The date and time when the signature was The NSS file and the audit trail contain: executed; and - the user ID, (3) The meaning (such as review, approval, - the full printed first and last name of the signer, 16-Jan NOTOCORD Systems Page 14 of 31

15 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments responsibility, or authorship) associated with the signature. - the date and time of the signature, - a comment to record the meaning associated with the signature, - the approval status. AccessManager must be configured to allow recording the above information. (e.g. check the Comment field, control the Review and Approval actions, etc.) For more details, see Appendix, Audit Trail. Electronic signatures are recorded into the Audit Trail and embedded in the NSS files, so that each signature will always be (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the associated with the appropriate NSS file record, and have the same safeguards as the rest of the records stored in the Workfile directory. The Audit trail including the electronic signatures applied to the electronic record (such as electronic display or record can be displayed and are readable in the audit trail report printout). and can be printed. For more details on Workfile directory, see Appendix: Data authenticity and integrity. Electronic signatures and handwritten signatures Electronic signatures, associated with their respective actions, are Signature / record linking executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise recorded into the audit trail and embedded in the NSS file, so that each signature will always be associated with the appropriate NSS file record. The audit trail, containing the applied signatures cannot transferred to falsify an electronic record by ordinary be modified, excised, copied or transferred to another electronic 16-Jan NOTOCORD Systems Page 15 of 31

16 21 CFR part 11 requirements NOTOCORD compliance to 21 CFR part 11 # Title Requirements Yes No N/A Comments means. NSS file. With a NOTOCORD-hem GLP installation, the access to NSS files in the workfile directory is restricted. For more details, see Appendix: User security and limited access to the system, and Audit Trail Subpart C Electronic Signatures 21 CFR part 11 requirements 21 CFR part 11 compliance # Title Requirements Yes No N/A Comments The users security for NOTOCORD-hem is based on the Microsoft Windows security (Windows Group Policy and Active Directory), so General requirements (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned that unique user IDs and passwords are enforced. It is not possible to delegate or assign an electronic signature to to, anyone else. someone else. Configuration of user accounts and passwords are managed by the Standard Operating Procedures (SOP) of the ORGANIZATION. 16-Jan NOTOCORD Systems Page 16 of 31

17 21 CFR part 11 requirements 21 CFR part 11 compliance # Title Requirements Yes No N/A Comments (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature. Assignment and management of electronic signatures are the responsibility of the ORGANIZATION. Electronic signatures management and evidence to the agency are managed by the Standard Operating Procedures (SOP) of the ORGANIZATION. 16-Jan NOTOCORD Systems Page 17 of 31

18 21 CFR part 11 requirements 21 CFR part 11 compliance # Title Requirements Yes No N/A Comments (a) Electronic signatures that are not based upon (1) The electronic signature is composed of Windows unique login biometrics shall: and password. The two components must be configured in (1) Employ at least two distinct identification AccessManager application regarding each action. components such as an identification code and (i) N/A. NOTOCORD-hem does not propose a series of actions password. controlled with a single signing. (i) When an individual executes a series of signings (ii) Each action is controlled independently and each controlled Electronic signature components and controls during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous access requires a signing. The actions with no access control defined in AccessManager are traced in the audit trail associated with the login of the previous signed user. All actions relevant to signing for the ORGANIZATION must be configured in AccessManager application (AMG50a) to be controlled with login AND Password. For more details, see Appendix, Electronic signatures. period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) The confidentiality policy is managed by Windows Group Policy, Active Directory, and the Standard Operating Procedures (SOP) of the (2) Be used only by their genuine owners; and ORGANIZATION. 16-Jan NOTOCORD Systems Page 18 of 31

19 21 CFR part 11 requirements 21 CFR part 11 compliance # Title Requirements Yes No N/A Comments (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. (3) This requirement is managed by Windows Group Policy, Active Directory, and the Standard Operating Procedures (SOP) of the ORGANIZATION. (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. NOTOCORD-hem system uses non-biometric electronic signatures Controls for identification codes /passwords Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: This requirement is managed by Windows Group Policy, Active Directory, and the Standard Operating Procedures (SOP) of the ORGANIZATION. (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. The uniqueness of the user ID and password combination is enforced by the Windows operating system user security. This requirement is managed by Windows Group Policy, Active Directory, and the Standard Operating Procedures (SOP) of the ORGANIZATION. 16-Jan NOTOCORD Systems Page 19 of 31

20 21 CFR part 11 requirements 21 CFR part 11 compliance # Title Requirements Yes No N/A Comments (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). (c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Verification of IDs and passwords is managed by Windows Group Policy, Active Directory, and the Standard Operating Procedures (SOP) of the ORGANIZATION. The ORGANIZATION must configure Windows operating system user security functionalities (local management or Active Directory) to force users to change their passwords periodically. This is managed by the Standard Operating Procedures (SOP) of the ORGANIZATION. Access rights to administrate AccessManager application have to be defined. AccessManager application allows to de-authorize (or replace) users from accessing the system. Windows Group Policy and Active Directory allow to de-authorize (or replace) identification codes. NOTOCORD-hem cannot be accessed with non-authorized signatures and an Identification Error message is displayed. Neither NOTOCORD neither Microsoft provide a standard tool to detect and report such identification errors in an immediate and urgent manner. However third-parties tools exist that the IT department of the ORGANIZATION can use. 16-Jan NOTOCORD Systems Page 20 of 31

21 21 CFR part 11 requirements 21 CFR part 11 compliance # Title Requirements Yes No N/A Comments (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. NOTOCORD-hem does not use such devices. 16-Jan NOTOCORD Systems Page 21 of 31

22 3. Appendix: NOTOCORD-hem compliance overview 3.1. Data authenticity and integrity 21 CFR Part 11 requires authenticity and integrity of electronic records and the use of secure audit trails. NOTOCORD employs the following methods to ensure this: All data and audit trails generated by NOTOCORD-hem are stored together in secure NSS files. All NSS files are locally stored in a secure workfile directory, requiring administrative privileges to access directly (see Workfile directory security part below). Records protection and storage are managed by the IT department of the ORGANIZATION. NOTOCORD ensures upwards compatibility of data files between software versions. NOTOCORD recommends to back-up NSS files on networked servers, and to work locally on NSS files to prevent network interruptions during acquisition or analysis. Raw data are automatically recorded and saved to prevent from files corruption during system unexpected interruptions. Workfile directory security The workfile directory is selected during NOTOCORD-hem installation and is the Data folder where NSS data files are written by default. For a GLP NOTOCORD-hem installation, the workfile directory is locally shared by all users and is by default located at C:\Users\Public\Documents\Notocord\Data. The NOTOCORD-hem installer for a GLP installation restricts logged-on users access to NSS files in the workfile directory. Users can only modify NSS files in the workfile directory when using NOTOCORD-hem with their access controlled by AccessManager (AMG50a). With restricted access to the workfile directory, unauthorized users cannot modify, overwrite, delete data files or modify the audit trail contained within data files. To write data files within the secure workfile directory, NOTOCORD-hem software must be granted access to this Data folder. This is performed in two phases: Before the GLP installation, set up the Data Manager account (also called FOG account). During the GLP installation, configure the software to run under the Data Manager account. Then, access to NOTOCORD-hem different functionalities is managed by AccessManager access control strategy. For more information on this process and on the workfile directory security, refer to the Software installation guide, and to the application note GLP installation and workfile directory security available on 16-Jan NOTOCORD Systems Page 22 of 31

23 3.2. User security and limited access to the system 21 CFR part 11 requires to limit the system access to authorized individuals. Authorizations to run NOTOCORD-hem and to access its different functionalities are managed by AccessManager application (AMG50a). NOTOCORD-hem uses and relies on Microsoft Windows authentication security system and Active Directory to manage user authentication and security: Figure 1: Example access control to start acquisition User login: to run NOTOCORD-hem software, users must enter a unique user ID and password. Logins are all recorded in the system audit trail. Different access control can be configured for different NOTOCORD-hem functionalities through AccessManager application (AMG50a). User accounts management: NOTOCORD-hem uses Microsoft Windows user accounts and groups for security. System administrators can create different security groups specific to NOTOCORD-hem (see example on Table 1: Privilege levels example below) for different privilege levels, then associate existing Microsoft Windows users with these groups. These user accounts are then used to log in to NOTOCORD-hem. NOTOCORD-hem software access management: AccessManager is a security application designed to set access control policies (users authorization) for actions performed in NOTOCORDhem software. Access control policies apply to all experiments done on the workstation and may be shared to several networked workstations running NOTOCORD-hem software. Network accounts management: NOTOCORD-hem and AccessManager applications use Active Directory for network authorization and authentication of all users and computers within a network of Windows domain type. Table 1: Privilege levels example Group or User account Member of the Have rights to AccessManager local group Users configure AccessManager security policy, i.e. 16-Jan NOTOCORD Systems Page 23 of 31

24 Administrators NOTOCORD-hem Administrators associate the users and groups privileges to specific NOTOCORD-hem functionalities. configure general options on managing files (default file name, changing the workfile directory). set a centralized access rights policy. local group Power Users perform all actions in NOTOCORD-hem software, modify and delete NSS data files. Technicians local group Users create new files and run new acquisition, add event markers, edit the logbook, export data. Researchers local group Users Same rights as Technicians + change acquisition settings, modify experimental configuration and parameters settings, analyze data, recalculate. Reviewers local group Users review data file and stamp it as Reviewed. Approvers local group Users approve data file and stamp it as Approved. Then the data file cannot be modified, except with specific rights defined in AccessManager. Guests local group Users view audit trail and data, export data. 16-Jan NOTOCORD Systems Page 24 of 31

25 Figure 2: Privilege levels example in AccessManager following Table 1 below. If a user attempts to run NOTOCORD-hem without a valid user account, or does not belong to one of the defined user groups who is granted access in AccessManager, the user will not be allowed to run the program, access the data or access the function. In that case, an identification error message is displayed. To know how to select user accounts and define an access control policy, please refer to the AccessManager (AMG50a) reference document Audit Trail NOTOCORD-hem software automatically records all operator s actions that create, modify or delete data, to an electronic audit trail embedded in the NSS data file. The Audit Trail window is available via the File > Audit trail menu in NOTOCORD-hem main window. Each experiment is recorded in one data file that contains its own audit trail. The audit trail records all actions within the experiment that affect the data. Each entry in the audit trail is time-stamped, and records several information for each user action, such as: - Date and time of the action - Printed name and Windows account of the user executing the action - Access control type associated with the action 16-Jan NOTOCORD Systems Page 25 of 31

26 - Category of the action (Session, Acquisition, Configuration, Recalculation, Approval Status, etc.) - Description of the action - Comment entered by the user - Old and new value The screenshot below displays a general view of an audit trail specific to an experiment and a data file. Figure 3: Audit Trail window in NOTOCORD-hem tm Sections and items of the Audit Trail window are defined in the AMG50a reference document. The time stamp for each signature is provided by NSMLocal service from the computer where NOTOCORD-hem is installed (NOTOCORD-hem stores these time stamps in a native GMT format so that it can translate them into the appropriate time based on time zone. This enables users in different time zones to use the same files). To ensure consistency of time between NOTOCORD applications, a single time reference provided by NSMLocal service is used. To ensure consistency of time with the operating system, NOTOCORD recommends to restart the computer regularly and especially after a time change. The audit trail records actions such as: o E-signature for action subject to access control (configured in AccessManager) o Data creation, modification and deletion o Modifications to acquisition, configuration, or analysis settings o Etc. The exhaustive list of actions recorded into the NOTOCORD-hem audit trail is available in AccessManager (AMG50a) reference document. 16-Jan NOTOCORD Systems Page 26 of 31

27 Note 1: If no access control is defined for the current action then the name displayed belongs to the person who either signed in the current Windows session or the person who is lastly traced on an action subject to access control (identification or authentication) in NOTOCORD-hem Evolution. Note 2: all actions related to data display are not recorded, as these actions does not affect raw data and calculated data. Audit trail information is added sequentially. Previous audit trail entries are not modified or overwritten. The audit trail cannot be separated from the data associated with it. The audit trail is embedded in the NSS data file without risk of loss or alteration. The audit trail is maintained and available as long as the record is maintained. The audit trail information can be printed out in PDF for review and copy. Audit trail of AccessManager policy NOTOCORD provides a second audit trail related to traceability of actions performed in AccessManager application. All modifications made to the AccessManager policy (security configuration), such as granting or revoking functional privileges, designating AccessManager Administrators and other settings changed in AccessManager application, are recorded in the Windows Application Event Log of the workstation. Please, refer to AMG50a reference document for more information Electronic signatures To allow the ORGANIZATION to be compliant with 21 CFR part 11 regarding electronic signatures, NOTOCORD-hem uses and relies on Windows authentication security system and Active Directory. Electronic signatures are composed of two components: a unique Windows user ID and a password. Electronic signatures can be applied on any data collected in NOTOCORD-hem software (for instance, to sign a specific action, or to sign the review or approbation of an NSS data file). To perform an electronic signature, the user enters its unique user ID and password and specifies the signature meaning (e.g. responsibility, approval, or review) or the action description. Each action is controlled independently and each controlled access requires a signing. All actions relevant to signing for the ORGANIZATION must be configured in AccessManager application (AMG50a). With this solution, NOTOCORD gives the possibility to the ORGANIZATION to manage electronic signatures according to their Standard Operating Procedures (SOPs) in regards of 21 CFR part 11 requirements. It is up to the IT department of the ORGANISATION to configure Windows and Active Directory to ensure that electronic signatures are: unique to each individual, not reassigned to anyone else, revised periodically, 16-Jan NOTOCORD Systems Page 27 of 31

28 inactivated when an employee leaves the ORGANIZATION, etc. When an electronic signature is used, the following information is recorded and visible in the audit trail embedded in the NSS data file: the user ID, the full printed first and last name of the signer, the action s description the date and time of the signature, a comment to complete the meaning associated with the signature, the approval status (if applicable). AccessManager application allows to de-authorize (or replace) user accounts from accessing the system Records in human readable form 21 CFR part 11 requires that accurate and complete copies of records be available in human readable form suitable for the Agency inspection, review or copying. With regard to records in electronic form, NOTOCORD-hem data is stored in secure NSS files. To view the records in NSS format, it is necessary to use NOTOCORD-hem software. Several kinds of licenses exist from acquisition, through analysis and reviewing, to visualization-only purposes. However, NOTOCORD-hem software ensures several data export and presentation capabilities. All NOTOCORD-hem raw data and analysis data contained in NSS records can be exported: in Microsoft Excel format. NOTOCORD Excel Wizard allows to extract information from NOTOCORD-hem NSS files to Excel spreadsheets: The Excel Wizard is a set of extraction functions accessible directly in Microsoft Excel and dedicated to easy and fast reporting from NOTOCORD-hem Evolution to Excel. The Excel Wizard tools are automatically added to Microsoft Excel ribbon ( Figure 4) during NOTOCORD-hem Evolution installation. 16-Jan NOTOCORD Systems Page 28 of 31

29 Figure 4: NOTOCORD-hem tm wizards within Excel 2007 in text files format for conversion in other software formats: Figure 5: raw data export in TT format Moreover, NOTOCORD-hem can generate printed copies, in PDF or HTML format, of: the audit trail report: the configuration report: Figure 6: Audit Trail in PDF format 16-Jan NOTOCORD Systems Page 29 of 31

30 Figure 7: Configuration report in PDF format 3.6. Validation 21 CFR part 11 requires system validation. NOTOCORD-hem software in-house validation NOTOCORD-hem software is developed and tested under a formal quality system that is certified ISO The ISO 9001 Certificate is available on demand or on the NOTOCORD website. From software requirements to final tests, the entire development process is traced in NOTOCORD s quality system. For further information on the Quality Management System, NOTOCORD can provide on demand its Quality Manual or answer to a Vendor Audit questionnaire. Qualified auditors from the ORGANIZATION are welcomed, by appointment, to come at NOTOCORD headquarters in France to audit the software development process. NOTOCORD-hem software validation on-site 16-Jan NOTOCORD Systems Page 30 of 31

31 The ORGANIZATION has to validate NOTOCORD-hem software in its own environment according to its intended use. For that purpose, NOTOCORD provides validation services to assist the ORGANIZATION in this process. More information at: 4. Useful documents The document listed below are available on my.notocord.com. AMG50a reference documentation Software installation guide Application note: GLP installation and workfile directory security Build an Excel spreadsheet in a GLP environment (recommendations) 16-Jan NOTOCORD Systems Page 31 of 31