SmarTeam FDA Compliance
Functional Compliance With Rule 21 CFR Part 11
July 2002

1 Introduction

This document details how SmarTeam FDA Compliance complies with FDA regulations, specifically 21CFR11 (commonly referred to as Part 11), concerning electronic records and electronic signatures as well as software validation requirements. All requirements for electronic signatures and records listed in 21 CFR Part 11 are handled by SmarTeam FDA Compliance. SmarTeam captures all notes and comments as they apply to each release revision and approval. An audit trail containing records with notes, electronic signatures, and change justifications is fully compliant with Part 11 requirements.

This document is designed to demonstrate that SmarTeam helps you achieve the goals set forth in subpart B section 11.10: having a system designed to ensure the authenticity, integrity and, when appropriate, the confidentiality of electronic records. Many medical device manufacturers are looking for a user-friendly, Part 11-compliant system that is tightly integrated into the CAD design package to ensure control of the documents throughout the design life cycle.

This document is not intended to be a comprehensive listing of all the 21 CFR Part 11 regulations, but rather focuses only on those that are related to document management, electronic records and signatures. Please refer to the FDA regulations available at www.fda.gov for more information.

2 21CFR11: meeting the Part 11 requirements

SmarTeam can be implemented both as a closed and as an open system (as defined by the FDA). Most of SmarTeam's implementations are as a closed system. The core SmarTeam product already meets many of the requirements set forth in Part 11. In addition, SmarTeam announces SmarTeam FDA Compliance. This is a Part 11 add-on, which enables companies to fully comply with the Part 11 requirements. This document details specific FDA requirements and the mechanisms by which SmarTeam for the FDA allows for FDA compliance.

2.1 Sub Part B 11.10 Electronic Records

FDA Requirement

- The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.
- Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

SmarTeam FDA Compliance Description

SmarTeam provides a built-in query module, from which the authorized user can query for records, electronically view their information and related documentation on the screen, and print them to paper. In addition, the records can be exported to industry standard electronic forms such as Text, Microsoft Excel and XML.

SmarTeam Corporation performs tight validation and QA testing of new SmarTeam releases. These procedures will be published to FDA customers as needed. In addition, during SmarTeam on-site implementation, customer-specific configuration, setup, personalization, customization and other enhancements that are done to comply with specific customer needs will be documented thoroughly to cover all the functionality and test cases, to enable an ongoing validation process.

SmarTeam for the FDA includes a complete audit trail: one central place to track all modifications to the database. This includes the following operations in SmarTeam: Add, Update, Delete, Change in state (life cycle change), Login information (user login, success and failure).

FDA Requirement

- Protection of records to enable their accurate and ready retrieval throughout the records retention period.
- Limiting system access to authorized individuals.
- Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

SmarTeam FDA Compliance Description

SmarTeam's data is managed in a secure industry standard database, such as Oracle or SQL Server. The database controls access to the records. In addition, SmarTeam manages files and product-related documentation in a secure vault system. SmarTeam handles users with user permissions (authorization rules) based on user level and/or group level. More detailed security rules, based on objects, are obtained using existing scripts, which can be customized on site for specific company needs.

SmarTeam handles users with user permissions (authorization rules) based on user level and/or group level. Authorization permissions can be set at different class levels and operation levels to ensure users can access only the information they are allowed to, and perform only allowed operations. SmarTeam allows for management of users, with unique names and passwords.

SmarTeam for the FDA includes a full audit trail with a viewer utility for an administrator. This audit trail is the one central place to track all modifications to the database. This includes the following operations in SmarTeam:

- Add object
- Update object
- Delete object
- Change in state of object (life cycle change)
- Object approvals (Electronic Signatures)
- Login information (user login, success and failure)
- User management

The administrator will be able to save and print the audit trail. The users, including the system manager, cannot delete or manipulate the audit trail information. New entries in the audit trail will not change previous entries in any way.
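
The append-only property described above can be enforced in the database itself. The following is an added example, not SmarTeam's own code or schema: it assumes a hypothetical audit_trail table in SQLite (the page names Oracle and SQL Server) and uses triggers to reject any change to existing entries.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema; operation names follow the list given in the text.
SCHEMA = """
CREATE TABLE audit_trail (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ts_utc    TEXT NOT NULL,
    user_name TEXT NOT NULL,
    operation TEXT NOT NULL CHECK (operation IN
        ('Add', 'Update', 'Delete', 'Change in state',
         'Approval', 'Login', 'User management')),
    detail    TEXT NOT NULL
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_trail():
    """Create an in-memory database holding the append-only table."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, user, operation, detail):
    """Append one entry; the timestamp is generated here, not by the caller."""
    ts = datetime.now(timezone.utc).isoformat()
    with db:  # commit on success, roll back on error
        cur = db.execute(
            "INSERT INTO audit_trail (ts_utc, user_name, operation, detail) "
            "VALUES (?, ?, ?, ?)", (ts, user, operation, detail))
    return cur.lastrowid

def try_change(db, sql):
    """Run a statement against the trail; return the rejection message or None."""
    try:
        with db:
            db.execute(sql)
    except sqlite3.DatabaseError as exc:
        return str(exc)
    return None
```

Triggers only stop ordinary UPDATE and DELETE statements. An account allowed to drop triggers or tables can still remove the protection, so the application account should hold no schema-change privileges.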

FDA Requirement

- Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
- Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
- Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
- Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
- The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

SmarTeam FDA Compliance Description

SmartFlow is the SmarTeam module that enforces a workflow with predefined sequenced steps and tasks. A SmarTeam implementation will include the definition of the appropriate steps.

The SmarTeam administrator sets up permissions per user or per group and its assigned users, and can control access to all SmarTeam operations, including entry into the system. SmarTeam for the FDA includes specific authorization checks as follows:

- Double verification: General users must log in with a user name that matches their operating system username. After this is verified, they will be asked to log in a second time. Only administrators can log in with a different user name.
- Verification upon signature: an additional login is required from all approval-authorized users in order to perform life cycle operations / record signature.
- Password expiration: the user is forced to change passwords after expiration (expiration by number of logins or predetermined time).
- Audit Trail support: the user logins are tracked in the audit trail.

SmarTeam will restrict the work to registered users only, with a license to utilize the software.

SmarTeam offers several levels of training on a regular basis. Some of these courses will be required to train the administrator. End user training will be required during implementation.

Policies can be written by the implementation team, which apply to the way the company will use SmarTeam.

FDA Requirement

- Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

SmarTeam FDA Compliance Description

System documentation regarding the FDA Part 11 requirements and the implementation of the system to comply will be managed as a class of information in SmarTeam. This will allow proper security and authorizations to manipulate and revise it.

2.2 11.50, 11.70 Signature Manifestation and record linking

FDA Requirement

- Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer (2) The date and time when the signature was executed (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

SmarTeam FDA Compliance Description

SmarTeam tracks modification and life cycle operations, and records for each object version: (1) The user performing the operation (2) Timestamp of the new record (3) The type of operation being performed.

In addition, an Approval function allows approving users, through a workflow process (or, if required, also without utilizing the flow), to electronically sign records. This keeps on the record: (1) The full name of the signing user (2) Timestamp of the signature (3) Meaning: approval. A server-side mechanism allows the signature to be silently integrated into the managed files.

SmarTeam for the FDA has an audit trail, which includes the following information per operation:

- Full name of signer
- Date and time
- Meaning of the operation (Add object XYZ, Delete, Check In, etc.)

The administrator can view the Audit Trail information in a tool similar to the NT Event Viewer. He/she can browse the sequenced Audit Trail records, organized by recording time stamp, and sort, save, and print the trail. Users will not be able to delete or manipulate the audit trail information. New entries in the audit trail will not change previous entries in any way. The audit trail will be managed in a secure database.

FDA Requirement

- Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

SmarTeam FDA Compliance Description

SmarTeam saves the user information on the records, to document when a user created, updated or signed the records. This information is readily available at all times, and users will not be able to delete or manipulate it.

Sub Part C Electronic Signatures

2.3 11.100 General Requirements

FDA Requirement

- Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
- Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC 100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.

SmarTeam FDA Compliance Description

In SmarTeam's user table, the unique index on the table is the user login, thus there cannot be two users with the same user login.

Policy and procedure will be processed and executed by the implementation team.

2.4 11.200 Electronic Signatures components and controls

FDA Requirement

- Employ at least two distinct identification components such as an identification code and password.
- (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components. Subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
- (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
- Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

SmarTeam FDA Compliance Description

SmarTeam requires the user to fill in a login name and password in order to gain access to the data and subsequently to electronically sign a document.

SmarTeam FDA Compliance allows running the same login procedure (like the one used on SmarTeam startup) from different places in the system (based on object classes and actions).

SmarTeam FDA Compliance includes specific authorization checks as follows:

- Double verification: General users must log in with a user name that matches their operating system username. After this is verified, they will be asked to log in a second time. Only administrators can log in with a different user name.
- Verification upon signature: an additional login is required from all authorized users in order to perform life cycle operations / electronic signatures.
- Password expiration: the user is forced to change passwords after expiration (expiration by number of logins or predetermined time).
- Audit Trail support: the user logins are tracked in the audit trail.

SmarTeam FDA Compliance records a failed login in the Audit Trail and sends an e-mail message to the designated administrator to report the failure. The message includes the information of the failed logon, time stamp, and the machine (name or IP address).

2.5 11.300 Controls for identification codes/passwords

FDA Requirement

- Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
- Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
- Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

SmarTeam FDA Compliance Description

In SmarTeam's user table, the unique index on the table is the user login, thus there cannot be two users with the same user login.

SmarTeam FDA Compliance includes a login expiration mechanism. The expiration method can be either by Counter (number of times a user has logged into SmarTeam) or by Time (how long each password can live). Upon expiration, the user must enter a new password.

SmarTeam FDA Compliance records a failed login in the Audit Trail and sends an e-mail message to the administrator to report the failure. The message includes the information of the failed logon, time stamp, and the machine (name or IP address). In addition, the user is locked out after 3 failed logins.
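
The login controls described in 2.5 can be modelled in a few lines. This is an added example, not SmarTeam code: the class names, result strings and the reading of Counter expiration as "expired once the login count exceeds the limit" are assumptions, and two in-memory lists stand in for the audit trail and the administrator e-mail.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED = 3  # the text states lockout after 3 failed logins

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:  # hypothetical user record
    login: str
    salt: bytes
    pw_hash: bytes
    changed_at: datetime
    logins_since_change: int = 0
    failed: int = 0
    locked: bool = False

@dataclass
class LoginPolicy:
    max_logins: Optional[int] = None            # "Counter" expiration
    max_age: Optional[timedelta] = None         # "Time" expiration
    audit: list = field(default_factory=list)   # stand-in for the audit trail
    alerts: list = field(default_factory=list)  # stand-in for the admin e-mail

    def attempt(self, acct, password, machine, now):
        ok = hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash)
        if acct.locked or not ok:
            if not acct.locked:
                acct.failed += 1
                acct.locked = acct.failed >= MAX_FAILED
            result = "LOCKED" if acct.locked else "DENIED"
            # Failure report carries time stamp and machine, as in the text.
            self.alerts.append((now, acct.login, machine, result))
        else:
            acct.failed = 0
            acct.logins_since_change += 1
            expired = (
                (self.max_logins is not None and acct.logins_since_change > self.max_logins)
                or (self.max_age is not None and now - acct.changed_at > self.max_age))
            result = "PASSWORD_EXPIRED" if expired else "OK"
        self.audit.append((now, acct.login, machine, result))
        return result

    def change_password(self, acct, new_password, now):
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_pw(new_password, acct.salt)
        acct.changed_at, acct.logins_since_change = now, 0
        self.audit.append((now, acct.login, None, "PASSWORD_CHANGED"))
```

A caller that receives PASSWORD_EXPIRED must force a password change before granting access. A locked account stays locked even when the correct password is supplied, and each such attempt still raises an alert.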