Enabling SharePoint for 21 CFR Part 11 Compliance - Electronic Signature Use Case
Sudeep Nambiar, Technical Strategist
www.linkedin.com/in/sudeepnambiar/
TriState SharePoint User Group
Meets right here in the Microsoft office, 2nd Tuesday of the month, 5:30-8:00 pm
Content for: End Users, Developers, IT Pros, Admins & Architects
Presentations, Demos, Open Discussions
More Info: www.tristatesharepoint.org
Paragon Solutions - Value Envisioned. Value Delivered.
Paragon is a professional services firm providing a full spectrum of consulting services, from advisory through solution design and implementation, for tighter alignment between business and IT.
Corporate Facts:
- 500+ employees
- Global clients
- NJ headquarters; 3 US offices & 2 overseas
- Dual-shore development capability
- Privately owned, 32-year history
- Microsoft Certified Partner
Service lines: Advisory Consulting, Systems Integration Services
SharePoint Capabilities:
- Shared Service Models
- Center of Excellence
- Business Solutions
- Governance and Growth Management
- Knowledge Communities
- Migrations/Upgrades
Agenda
- 21 CFR Part 11: An Overview
- 21 CFR Part 11 Requirements for Electronic Records and Signatures
- SharePoint Configuration Options and Gaps
- Custom Solution Demo
21 CFR Part 11: What is it?
- The Code of Federal Regulations (CFR) is an annual codification of the general and permanent rules published in the Federal Register by the executive departments and agencies of the Federal Government.
- The CFR is structured into 50 subject-matter titles, some of which relate to specific industries (e.g. Agriculture, Banking, Food and Drugs, Telecommunications).
- Title 21 contains the rules and regulations that govern the food and drug industry and consists of 9 volumes.
- Part 11 is the portion of Title 21 that contains the rules governing Electronic Records and Electronic Signatures.
21 CFR: What does it look like?
21 CFR Part 11: Definitions
- Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
- Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
- Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
- Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
21 CFR Part 11: What is it applicable to?
FDA considers Part 11 to be applicable to the following records or signatures in electronic format:
- Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format.
- Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format, and that are relied on to perform regulated activities.
- Records submitted to FDA under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic format (assuming the records have been identified in docket number 92S-0251 as the types of submissions the Agency accepts in electronic format).
- Electronic signatures that are intended to be the equivalent of handwritten signatures, initials, and other general signings required by predicate rules.
21 CFR Part 11 Requirements: 11.10 Controls for Closed Systems
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
Out-of-the-box SharePoint features that can address some of the above requirements:
- Access control and permissions: SharePoint groups and permission levels
- Information Rights Management policies to restrict users from moving documents outside of SharePoint
- Digital signature capability available in Microsoft Word and Microsoft Excel
- The Collect Signatures workflow can be used to capture approval signatures
Gaps:
- Out-of-the-box digital signature capabilities are format specific and need to be supported by the client application.
- The SharePoint Collect Signatures workflow is only compatible with Microsoft Word, InfoPath and Excel files.
- Out-of-the-box signature workflows are not robust: it is possible to complete a signature task without actually signing the document.
21 CFR Part 11 Requirements: 11.10 (a) Validation of Systems
System validation ensures accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Addressing this requirement takes two forms: 1) validation of the system as a whole, and 2) validation of the individual documents or records.
Out-of-the-box features that can be used to address validation of records:
- SharePoint provides auditing features to facilitate validation.
- Audit events such as document creation and modification can be captured in an audit log.
- SharePoint maintains a workflow history to capture the events/outcomes that occur in a workflow.
Gaps:
- Workflow history gets purged periodically.
- Workflow history is lost once the document is moved to a Records Center.
21 CFR Part 11 Requirements: 11.10 (e) Audit Trail
Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Out-of-the-box SharePoint features that can address the above requirement:
- SharePoint provides audit capabilities at the document level, library level and site level.
- Workflow history is available to track workflow outcomes.
Gaps:
- Workflow history gets purged periodically.
- Workflow history is lost once the document is moved to a Records Center.
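The properties 11.10 (e) asks for (computer-generated time stamps, entries that cannot be altered or removed without detection, and changes that never overwrite what was recorded before) are easier to reason about with a concrete model. The following is an added, platform-neutral Python illustration, not code from the presentation or from any SharePoint product: each operator action is appended as a time-stamped entry whose hash covers the previous entry, so editing or deleting an old entry breaks the chain, and a "modify" action adds a new entry rather than replacing the old one. The entry fields, the `tamper_demo` scenario and its timestamps are all constructed for this example; the injectable clock exists only so the demo is deterministic.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of the (non-existent) entry before the first one.
GENESIS = "0" * 64


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only, hash-chained trail of operator actions (constructed model)."""

    def __init__(self, clock=None):
        # clock is injectable for deterministic tests; default is UTC now.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self._entries = []

    def record(self, operator, action, record_id, detail):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "timestamp": self._clock(),   # system-generated, never caller-supplied
            "operator": operator,
            "action": action,             # create / modify / delete / sign
            "record_id": record_id,
            "detail": detail,             # what changed; earlier states stay in earlier entries
            "prev_hash": prev,            # links this entry to the one before it
        }
        entry = dict(body, hash=_entry_hash(body))
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        # Return copies so callers cannot mutate the stored trail by accident.
        return [dict(e) for e in self._entries]

    def history(self, record_id):
        # Record changes never overwrite: every prior state of a record is still here.
        return [dict(e) for e in self._entries if e["record_id"] == record_id]

    def verify(self):
        """Return (True, None) if every entry's hash and prev_hash link up,
        otherwise (False, seq) for the first entry that fails."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["prev_hash"] != prev
                    or body["seq"] != i
                    or _entry_hash(body) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, None


def tamper_demo():
    """Constructed scenario: a valid trail, then an in-place edit of an old entry.
    Returns (verify() before tampering, verify() after tampering)."""
    stamps = iter([
        "2013-05-14T10:00:00+00:00",
        "2013-05-14T10:05:00+00:00",
        "2013-05-14T10:09:00+00:00",
    ])
    trail = AuditTrail(clock=lambda: next(stamps))
    trail.record("jdoe", "create", "SOP-001", {"version": 1})
    trail.record("jdoe", "modify", "SOP-001", {"version": 2, "field": "title"})
    trail.record("asmith", "sign", "SOP-001", {"meaning": "approval"})
    before = trail.verify()
    # Someone with write access to the log store rewrites entry 1 to hide the change.
    trail._entries[1]["detail"] = {"version": 1}
    after = trail.verify()
    return before, after


if __name__ == "__main__":
    print(tamper_demo())  # ((True, None), (False, 1))
```

Two points carry over to a SharePoint deployment regardless of how the trail is stored: the time stamp must come from the system, not the caller, and the trail must outlive the workflow and survive the move to a Records Center, which is exactly the gap the slide lists.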
21 CFR Part 11 Requirements: 11.10 (g) Protect Records from Unauthorized Access
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Out-of-the-box SharePoint features that can address the above requirement:
- SharePoint provides authentication mechanisms and security groups that can be configured to meet parts of this requirement.
- Workflow history is available to track workflow outcomes.
Gaps:
- Workflow history gets purged periodically.
- Workflow history is lost once the document is moved to a Records Center.
- Tasks are not locked down to assignees.
21 CFR Part 11 Requirements: 11.10 (j) Electronic Signature Policy
The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Out-of-the-box SharePoint/Office features that can address the above requirement:
- Digital signature capabilities present in the Office client applications can be leveraged to perform signature tasks.
- The Collect Signatures workflow can be used to automate the collection of electronic signatures.
Gaps:
- Out-of-the-box workflows do not prevent other users with appropriate permissions from completing signature tasks assigned to a different user.
- Workflow history is lost once the document is moved to a Records Center.
- Only Word, Excel and InfoPath forms are supported by the OOTB signature workflows.
21 CFR Part 11 Requirements: 11.50 and 11.70
11.50 (a) Signature Manifestation: Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
11.50 (b) Control of Signature Information: The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
11.70 Signature/Record Linking: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Gaps:
- The out-of-the-box Collect Signatures workflow supports only Word, Excel and InfoPath formats.
21 CFR Part 11 Requirements: 11.100 and 11.200
11.100 (a) Uniqueness: Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
11.100 (b) Identity Verification: Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
11.200 (a) Non-biometric Signatures: Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(1) (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(1) (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
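The 11.50, 11.70 and 11.200 (a)(1) requirements above fit together as one mechanism: a signing must first verify the two identification components (ID code and password), then produce a manifestation carrying the printed name, time stamp and meaning, and that manifestation must be cryptographically bound to the exact record content so it cannot be moved to another record or have its meaning changed. The following is an added Python illustration of that mechanism, not code from the presentation or from SharePoint. It is platform-neutral and its specifics are assumptions: `SYSTEM_KEY` stands in for a signing key a real deployment would keep in an HSM or key vault, an HMAC over the canonical manifestation stands in for whatever signature primitive the deployment uses (a true digital signature in the Part 11 sense would use an asymmetric key), and the user, record content and time stamps are constructed. Every signing here presents both components, which satisfies (1)(ii); the single-session relaxation in (1)(i) is not modelled.

```python
import hashlib
import hmac
import json
import os
import secrets

# Assumed stand-in for the deployment's signing key; generated per run so the
# example is self-contained. A real system keeps this key out of the application.
SYSTEM_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 200_000


class UserStore:
    """ID code + password hash: the two identification components of 11.200(a)(1)."""

    def __init__(self):
        self._users = {}

    def enroll(self, user_id, printed_name, password):
        # 11.100(a) / 11.300(a): an identification code belongs to exactly one person.
        if user_id in self._users:
            raise ValueError("identification code must be unique")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = {"name": printed_name, "salt": salt, "digest": digest}

    def check_password(self, user_id, password):
        user = self._users.get(user_id)
        if user is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, user["digest"])

    def printed_name(self, user_id):
        return self._users[user_id]["name"]


def record_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _canonical(manifestation: dict) -> bytes:
    return json.dumps(manifestation, sort_keys=True, separators=(",", ":")).encode()


def sign_record(users, user_id, password, content, meaning, timestamp):
    """Verify both signature components, then emit a manifestation (11.50(a))
    bound to the record digest (11.70). timestamp is passed in only so the
    demo is deterministic; a real system takes it from its own clock."""
    if not users.check_password(user_id, password):
        raise PermissionError("identification code / password check failed")
    manifestation = {
        "signer_id": user_id,
        "printed_name": users.printed_name(user_id),   # (a)(1)
        "signed_at": timestamp,                        # (a)(2)
        "meaning": meaning,                            # (a)(3)
        "record_sha256": record_digest(content),       # 11.70 link to the record
    }
    tag = hmac.new(SYSTEM_KEY, _canonical(manifestation), hashlib.sha256).hexdigest()
    return dict(manifestation, signature=tag)


def verify_signature(signed, content):
    """True only if the manifestation is intact AND was computed over this exact record."""
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(SYSTEM_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False                     # name, time, meaning or digest was altered
    return body["record_sha256"] == record_digest(content)   # signature moved to another record


def human_readable(signed):
    # 11.50(b): the signature information travels with any human-readable form of the record.
    return (f"Signed by {signed['printed_name']} ({signed['signer_id']}) "
            f"on {signed['signed_at']}; meaning: {signed['meaning']}")


def linking_demo():
    """Constructed scenario showing what the binding does and does not accept."""
    users = UserStore()
    users.enroll("asmith", "Alice Smith", "correct horse battery")
    sop_v1 = b"SOP-001 rev 1: calibrate balance daily"
    sop_v2 = b"SOP-001 rev 2: calibrate balance weekly"
    signed = sign_record(users, "asmith", "correct horse battery",
                         sop_v1, "approval", "2013-05-14T10:09:00+00:00")
    results = {
        "original_verifies": verify_signature(signed, sop_v1),
        "transferred_to_other_record": verify_signature(signed, sop_v2),
        "meaning_altered": verify_signature(dict(signed, meaning="authorship"), sop_v1),
    }
    try:
        sign_record(users, "asmith", "wrong password", sop_v1, "approval",
                    "2013-05-14T10:10:00+00:00")
        results["wrong_password_rejected"] = False
    except PermissionError:
        results["wrong_password_rejected"] = True
    return results


if __name__ == "__main__":
    print(linking_demo())
```

The point of `record_sha256` is the 11.70 link: copying the manifestation onto revision 2 of the SOP fails verification even though every field in it is genuine. This is also the check the slides say the out-of-the-box Collect Signatures workflow lacks, since a task there can be completed without the document itself ever being bound to the signing.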
21 CFR Part 11 Requirements: 11.300
11.300 (a) Uniqueness of Identity: Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
11.300 (b) Password Policy: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
11.300 (c) Deactivation of Users: Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
11.300 (d) Unauthorized Use of Passwords or Identification Codes: Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
21 CFR Part 11: Solution Demo
Thank You
For more information about Paragon, see www.consultparagon.com