
Apriso and FDA 21 CFR Part 11

JUNE 2010


Table of Contents

Executive Summary
Introduction
What is Compliance?
Cost Effective Compliance
Apriso and 21 CFR Part 11
Part 11: Electronic Records and Signatures
  Objectives of the Regulation
  Content of 21 CFR Part 11
  Key FDA Definitions
Cost Challenges and Complexity of Implementation
Conclusion
About Apriso Solutions
About Dassault Systèmes & DELMIA
Appendix A: Detailed Mapping Table

© 2009, 2010, 2011, 2014 Apriso Corporation. This white paper, the software described in it, and other program materials are copyrighted works of Apriso Corporation, with all rights reserved.

Trademark Information: Apriso and FlexNet are registered trademarks of Apriso Corporation.

Limitation of Liability: The information in this document represents to the best of our ability the product functionality of Manufacturing Execution, Manufacturing Operations Management and other software products. These materials are subject to change without notice. These materials are provided by Apriso Corporation for informational purposes only, without representation or warranty of any kind. Apriso Corporation shall not be liable for errors or omissions with respect to the materials. The only warranties for Apriso Corporation products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Version 1402.0


Executive Summary

As a manufacturer regulated by the FDA 21 CFR Part 11 regulations, you understand that the integrity of your manufacturing processes must be achieved and maintained in order to sustain compliance. Your customers, shareholders and employees rely upon this integrity. Your lifeblood depends on this integrity.

In July 2013, Dassault Systèmes acquired Apriso Corporation, including the product and solution portfolio that has powered the production, warehouse and quality operations for some of the world’s largest manufacturers. These products and solutions are now part of the DELMIA brand. If our system should fail, so too will the livelihood of our customers.

Having created and maintained many solutions for Life Sciences manufacturers, Dassault Systèmes can leverage this industry experience to provide you with a highly efficient solution to address your manufacturing requirements – while at the same time ensuring compliance with the FDA’s 21 CFR Part 11 regulations, and supporting Good Manufacturing Practices.

While there is no official ‘certification seal’ for such compliance, our actions and satisfied customers act as our validation point, demonstrating that it is possible to have a highly flexible manufacturing and operations execution system that provides the necessary functionality to manufacture your product, while at the same time addressing each of the FDA requirements to achieve and maintain compliance with this regulation.

The purpose of this document is to demonstrate that DELMIA’s Apriso application suite can support the intent of the 21 CFR Part 11 regulatory guidelines. Specific implementations will vary by manufacturer, based on your own unique circumstances, proprietary business processes and supply chain network. Apriso solutions have sufficient functionality to enable compliance with this FDA regulation, and can provide such adherence to the policy in a cost-effective manner, through an approach that minimizes custom integration and programming work.


Introduction

A common question is whether Apriso solutions comply with the electronic records and signatures portion of FDA 21 CFR Part 11 (Food and Drug Administration Title 21 Code of Federal Regulations Part 11). In this context, the word “comply” can be misunderstood. There is no formal software certification to label a product compliant; otherwise the FDA would ask for such declarations and audit the software vendors instead of the manufacturers. It is how a product is architected, applied and managed in production that determines compliance.

A better question to ask is “Do Apriso applications have the architecture and key features necessary to support adherence to 21 CFR Part 11?”

Absolutely!

What is Compliance?

Complying with Part 11 regulation requires a combination of disciplined management and procedural controls, such as notification, training, Standard Operating Procedures and administration. Each of these processes must be put in place by the user, in addition to the technical control features available in any given computer system.

Therefore, it is not possible for any vendor to offer a turnkey “Part 11 compliant system” … unless they become a part of your organization, to manage its use and ongoing integrity.

At best, vendors can offer an application containing the required technical features to manage the intent of these regulatory guidelines. So, for those innovative manufacturers that wish to leverage technology to drive efficiencies in their operations, due diligence is required to select an appropriate application, based on several attributes including architecture, the implementation process and how the system will be managed over time.

Cost Effective Compliance

Each manufacturer has a set of unique needs and interpretation of Part 11, as well as its own security policy and Standard Operating Procedures (SOP) for supporting the regulation. Dassault Systèmes’ DELMIA brand recognizes the specific needs of pharmaceutical and medical device manufacturers, and can offer its flexible Apriso solution to address these differences, facilitating an efficient compliance implementation process.

Apriso solutions can be continuously improved, which obviously helps manufacturers to comply quickly and cost-effectively with Part 11 regulations by reducing the amount of custom configuration work needed to support 21 CFR Part 11.


In addition to supporting these compliance requirements within Good Manufacturing Practice (GMP) environments, Apriso solutions provide companies with an operational infrastructure and an applications suite that facilitates continuous improvement in manufacturing processes and products.

Apriso and 21 CFR Part 11

Apriso is an integrated, component-based Manufacturing Operations Management (MOM) solution for monitoring and controlling shop floor Production, Quality, Warehouse, Maintenance and Labor activities. Apriso software was developed using a rigorous product development methodology. Consequently, it can easily support and meet FDA 21 CFR Part 11 regulations.

Using Apriso security and audit trail features in combination with security features of underlying software components such as Microsoft Windows, Microsoft SQL or Oracle databases, a system can be established that prevents unauthorized access to data records and configuration files.

Apriso enables manufacturers to comply cost-effectively with regulatory requirements, while at the same time improving operational performance and efficiencies.

Companies can transition to a paperless manufacturing environment by adopting Apriso to execute and manage their manufacturing processes – from production, quality and warehouse tasks to those spanning the supply chain. Speed, accuracy, reliability, collaboration and visibility are benefits that can be directly attributed to the elimination of the enormous overhead of maintaining exhaustive paper trails and disparate legacy systems to meet process and product compliance.

With Apriso, FDA regulated manufacturers have a centralized, integrated view of the entire product life cycle – from design to new product introduction, then manufacturing and field maintenance to obsolescence. Detailed electronic Batch Records (eBR) or electronic Device History Records (eDHR) are electronically created, validated and archived for powerful query and analysis. Quality data, including deviation or non-conformance, corrective action and statistical process control (SPC) are tightly tied to production, warehouse, maintenance and other activities for improved root-cause analysis, creating a closed-loop quality system.


Part 11: Electronic Records and Signatures

Objectives of the Regulation

Manufacturers in industries regulated by the U.S. FDA are required to maintain and submit records associated with the products they manufacture. These records contain information about the product as well as handwritten signatures of the individuals who executed the process and/or authorized the execution across a multitude of steps.

Historically, these records have been kept in a paper format and submitted for review to the FDA upon request. As computer systems became readily accepted in the manufacturing environment, however, the storage and management of these records in electronic format was explored to see whether maintaining the records in this format offered volume and cost benefits over the paper equivalent.

Equally compelling were the efficiencies available in reducing human errors by utilizing “directed” manufacturing – real-time linkages to material availability, flexible quality checks and reporting, as well as continuous improvement efforts based on alerts, sounds or other readily available information. These advantages – which have been leveraged for years in highly competitive non-regulated industries – had to be balanced with the need for security as part of the overall evaluation of paper-based versus electronic record management.

Consequently, questions were raised about the integrity of electronic media and traceability of any changes during or after an operations task. Additionally, the handwritten signatures that were used to authorize and execute production processes were legally binding to the owners of those signatures, providing legal recourse should a product recall or safety issue arise in the future. Similarly, any electronic signature process would have to be structured and managed in the same fashion prior to considering the transition to a non-paper-based system.

The Food and Drug Administration (FDA) issued the final rule in 1997 on the criteria under which the Agency will accept electronic signatures and records in lieu of handwritten, paper-based signatures and records. The scope of this regulation, 21 CFR Part 11, is significant, impacting all computer systems related to the manufacturing of a medical, pharmaceutical or biological product. According to the rule, “This Part (21 CFR Part 11) applies to records in electronic form that are created, modified, maintained, archived, retrieved or transmitted.”

FDA Regulation 21 CFR Part 11 provides the guidelines for collecting and storing regulatory required records electronically. It provides the definition of an electronic signature and the rules for executing and storing signature events. The regulation only applies where the records being maintained are subject to FDA review. In manufacturing, that is a very large contingent of data, information, approvals and change control records that may become part of an eBR or eDHR.


Apriso solutions provide the capabilities to support and enforce each of the outlined requirements for e-signatures, as referenced within the FDA guidelines document. This functionality is an embedded component within each of the relevant Apriso applications impacted by the FDA guidelines.

Content of 21 CFR Part 11

Reference made to the 21 CFR Part 11 regulations includes the following:

Subpart A – General Provisions

11.1 Scope

11.2 Implementation

11.3 Definitions

Subpart B – Electronic Records

11.10 Controls for closed systems

11.30 Controls for open systems

11.50 Signature manifestations

11.70 Signature/record linking

Subpart C – Electronic Signatures

11.100 General requirements

11.200 Electronic signature components and controls

11.300 Controls for identification codes / passwords

Key FDA Definitions

FDA regulation defines in § 11.3 a list of terms that need to be understood precisely:

Closed System: refers to “an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.” [1]

Open System: refers to “an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.”

Electronic Record: “Any combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”

Biometrics: “A method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.”

Electronic Signature: “A computer data compilation of any symbol or series of symbols, executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

Digital Signature: “An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”

Handwritten Signature: “The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate writing in a permanent form. The act of signing with writing or marking instruments such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.”

[1] This document assumes that Apriso products will only be used in “closed” systems.

The Apriso solution can support the usage of these defined terms within your solution, in accordance with the Part 11 requirements. Of course, the benefit of adopting an electronic or digital approval process is the ease of use and scalability of performance, so an ideal solution will avoid the use of paper, facilitating a seamless process.

Cost Challenges and Complexity of Implementation

While the industry has moved away from custom system development in preference for “packaged” solutions, these options vary greatly in implementation and life cycle management efforts. Users need to have clear expectations on the complexities, costs and risks associated with configuring and validating 21 CFR Part 11 compliant applications.

Initial project costs are always scrutinized against anticipated return on investment or value creation – as they should be. Most organizations would benefit by incorporating similar scrutiny of life cycle costs associated with modifications as their own products and business models change.

Manufacturing in the Life Sciences industries has historically had a lower rate of change than the Consumer Products, Electronics or Automotive industries. However, this trend is certainly changing due to more extensive supply chains, supplier relationships and the need to invoke continuous improvement efforts to maintain margins. The costs associated with supporting a dynamic business across a distributed manufacturing and distribution network can be arduous and potentially hidden, depending on any given solution’s architectural structure and roll out configuration.

The reality is that no software solution provider can deliver a completely ‘out-of-the-box’ solution to address the unavoidable complexities of establishing a completely electronic approval process across a globally distributed manufacturing enterprise. There are simply too many variables, dynamic business processes and other ‘moving parts’ for this to realistically exist.


Conclusion

Apriso solutions are based on the best practices learned while working with its global customers in regulated industries. Based on the system’s architecture – built with embedded Business Process Management (BPM) functionality and a Services Oriented Architecture (SOA) to ease integration to existing enterprise applications – it would be hard to find another solution that offers more flexibility to address such a complex challenge. And, over time Apriso solutions continue to improve – industry best practices are easily added by leveraging their proprietary global process governance and management capabilities.

Can Apriso deliver a compliant 21 CFR Part 11 solution? Yes. Can it do so out of the box? No, but the custom configuration required to achieve compliance has been minimized based on global best practices gained from hundreds of deployments. And, based on the extreme flexibilities included within the system, future changes can be accommodated quickly, continuing to improve your return on investment from such a system.

Dassault Systèmes has put significant effort into integrating security configuration, e-signature and audit trail of electronic records within its suite of Apriso applications. The end result is to reduce both initial project costs and, more importantly, the incremental costs associated with system changes required to support the future improvements in our customers’ products and businesses.

Disclaimer

The regulatory information used to determine compliance is based on FDA 21 CFR Part 11 defined at the time of this publication, as of August 2008, referenced at: www.fda.gov/ora/compliance_ref/part11/frs/background/11cfr-fr.htm.


About Apriso Solutions

Since 1993, some of the world’s largest and most successful manufacturers have leveraged Apriso software and services solutions to ease the challenges of global manufacturing operations management. With Apriso, manufacturers can improve organizational agility so as to adapt more quickly and effectively to change. This agility enables firms to take advantage of new market opportunities by delivering the right product at the right time for the lowest total cost. Manufacturers choose Apriso to help manage today’s manufacturing transformation of thinking global while acting local.

Apriso software solutions have won numerous awards and accolades for their ability to tightly synchronize global manufacturing operations and supply chain networks to deliver real-time visibility, control and synchronization of business processes performed across plants and the product supply network. Leverage an Apriso solution to establish a common set of operational standards that can be managed holistically on a global scale while still being continuously improved to meet your local market and customer needs.

Apriso Corporation was acquired by Dassault Systèmes in July 2013, and is now a product portfolio within its DELMIA brand. Apriso products and solutions provide a connection between the virtual world of digital manufacturing and the real world of manufacturing production.

About Dassault Systèmes & DELMIA

Dassault Systèmes, the 3DEXPERIENCE Company, serves 170,000 customers across 140 countries, providing virtual universes for sustainable innovation. Dassault Systèmes’ DELMIA brand offers products that connect the virtual and real worlds. As part of DELMIA, the Apriso product portfolio – including its suite of manufacturing operations management applications – helps manufacturers transform their global operations to achieve and sustain operational excellence. Learn more at apriso.com, visit our blog at apriso.com/blog, or follow us on Twitter at @Apriso.

www.apriso.com


Appendix A: Detailed Mapping Table

The following table explains in detail how Apriso applications comply with Section 21 CFR Part 11, Subparts B & C.

Reference 21 CFR Part 11 Section Requirements (excerpts)

Apriso Capabilities

SUBPART B Electronic Records

§11.10 Controls for closed systems.

§11.10 Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to assist with the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to help confirm that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

Apriso shall be used as a closed system in regulated industries.

§11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Does the system provide the functionality to identify invalid or altered records?

The Apriso QA process has validated that records created or modified within the products are accurately captured. A full audit trail shows the creation and changes made. All records can be protected from unauthorized access so they cannot be altered. It is the customer’s responsibility to ensure each application developed is properly validated.

The system verifies record creation and prevents creation of invalid records. For example, a process that has been released cannot be modified without revision control. This provides visibility of the revision that was used in production, and also prohibits users from changing contents of an object once it is released.

Apriso is available on SQL Server and Oracle databases. Integrity is also enforced by database constraints. Procedures need to be defined and executed to protect against changes performed directly in the database by a database administrator.

§11.10(b) The ability to generate accurate and complete copies of record in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

Apriso records are kept in an SQL-compliant database (Microsoft SQL or Oracle). To read the records, users must use Apriso standard screens or a separate reporting tool such as Microsoft SQL Server reporting services tools, or Crystal Reports. Apriso provides standard reporting capability to query and report all records in human readable and electronic form (pdf, doc, html).


§11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

All Apriso data are protected in a secure database. Apriso has controls in place to protect records to enable their accurate and ready retrieval throughout the records retention period. All transactions, including updates and changes, are captured and stored in a database. With appropriate security access, the information is accessible for viewing, printing, and exporting throughout the records retention period. Customers are responsible for putting procedures in place to ensure availability.

Apriso provides archiving, data back-up and restore features based on standard database technologies. As a result, production system performance is optimized while still retaining full data integrity of the offline system.

Apriso recommends hardware for use in archiving based on specific sizing and performance requirements.

Apriso recommends using a long-term storage medium based on corporate retention policy and reporting needs. This database is available for access by query tools once it has been established on a direct access medium (disk, CD, etc).

§11.10(d) Limiting system access to authorized individuals

Access to the Apriso application is limited to authorized users by using unique usernames and passwords. Users are limited to the transactions they can perform based on their roles and skills. Users that are inactive for a specified period of time can be automatically ‘timed out’ and logged off the system. Apriso provides pre-defined privilege-level classes of users: system administrator, supervisor, designer or operator. User passwords stored in the database are encrypted to provide an additional level of security. The System Administration feature allows for the creation, set up, maintenance, and enforcement, including disabling, of user accounts.

Apriso allows external synchronization with LDAP, Windows or SAP systems.

Customers are responsible for putting procedures in place to ensure proper management of user access rights, including consistency with 3rd party software used to support the Apriso application such as Microsoft Windows, Microsoft SQL Server or Oracle database.


§11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying

An audit trail is maintained for every transaction made within the system. The transaction detail history includes the user ID of the person that executed the transaction, time and date stamp, type of transaction, and the respective metrics of quantity, etc. that were executed. Date & time stamps are taken in Apriso from the application server (which can be properly synchronized with UTC clocks) so all date & time stamps are consistent, independent of local time.

Business processes built with Apriso Process Builder are fully revision controlled with single/double electronic signature in order to provide full traceability of process configuration. The transfer of any configured Apriso entity between servers using Global Process Manager can also be controlled using single/double electronic signature. All transfers across servers are version controlled with audit trail. All validation or rejection with electronic signatures is tracked with the Apriso Audit trail.

For key master data records (tables), it is possible to configure audit trail and e-signature to track any change, including new and past values, author identification, reason codes and comments documenting the change.

A full audit trail of database additions, changes and deletions within the relational database management system (e.g., the SQL Server or Oracle database transaction log) provides record of all database changes, including changes to master files.

This audit trail is secure and cannot be modified using ordinary means. The audit trail can be backed up just the same way as data is backed up as described in §11.10(c). This audit trail information can be accessed through database queries to create standard reports through any standard database query application or pre-configured inquiries and reports. End users cannot disable this audit trail as this audit trail is protected through administrative security permissions.

Apriso is available on SQL Server and Oracle databases. Integrity is also enforced by database constraints. Procedures need to be defined and executed to protect against changes performed directly in the database by a database administrator.

§11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate

Apriso provides graphical business process modeling (Process Builder) capabilities that define the sequencing of steps. During execution, the sequence of steps is enforced by the system based on predefined conditions.

An electronic signature check can be included at any given step to make sure that the step is executed and validated by the right person or right profile. A complete record of the process execution of each signed step is kept in the history records.

It is the responsibility of the customer to ensure the sequence checks are properly implemented based on the conditions of each specific process.


§11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter record, or perform the operation at hand

Apriso has an authorization and authentication model that requires users to be authenticated through username/password. Based on user role and skill set, the system restricts the transactions a user can perform. Apriso supports user employee definition with:

• Unique login name and badge ID and password

• Privilege role e.g. operator, system admin., supervisor, designer

• Password duration

• User account expiration

• Disabling of accounts

• Skill such as training certification against product, work instruction, equipment, etc. with expiration

Only the authorized user profile can electronically sign a record and can create, read, update or delete specific types of information. Access to specific tasks can be restricted to given skills.

Sufficient flexibility within the Apriso system supports creation of an electronic signature in virtually any user defined business process, which can then be available at every step in every workflow.

Customers should implement policies and procedures to define authorized access to the system, and to ensure proper enforcement of electronic signatures within their business processes.

§11.10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction

Access may be restricted to certain stations for each feature. Barcode scanner usage can be forced at specific terminals to prevent data entry errors.

Additional graphical user entry widgets are supported to check the validity of data entry (buttons, drop down list ...).

It is also possible to configure specific verification rules for each entry by using coherence limits or more complex user defined calculation formulas to prevent manual data errors.

If the results are coming from equipment (such as a scale) the system can also ensure that equipment has a valid calibration.

Business rules and additional verification or control steps can be configured to validate the source of data input.

§11.10(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks

Apriso employees who define, design, build, maintain and test Apriso software are highly trained to perform their assigned tasks. Their qualifications are documented and managed by the Apriso Human Resources department.

Apriso helps support the enforcement of the operator’s certification by using the definition of user skills. Apriso can be set up to automatically identify and enforce only trained users for specific tasks, operations, equipment, work instructions, and part/BOM combinations. Further, integration can be established with HR or training databases to verify current training records and certifications for individuals performing tasks.

It is the responsibility of the company implementing Apriso to ensure that users are properly trained in the use of electronic records and signatures.

§11.10(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Beyond the scope of Apriso

This is the responsibility of the customer implementing the system: they must define policies and procedures that outline the significance of electronic signatures, in terms of individual responsibility, and the consequences of falsification for both the company and the individual. Features exist within Apriso to support verification of any given employee's legal signature against specific actions.

§11.10(k.1) 1. Use of appropriate controls over systems documentation including adequate controls over the distribution of, access to, and use of documentation for system maintenance.

Standard Apriso product technical documentation, including user guide, system usage, implementation guides and maintenance, is delivered to the customer in PDF or HTML format. Each release has a complete set of documentation applicable for that release. It is the customer’s responsibility to distribute and control access to this documentation.

§11.10(k.2) 2. Use of appropriate controls over systems documentation including revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Process changes in the system are revision controlled. It is the customer’s responsibility to adhere to their standard operating procedures for approval of changes and management of revision control.

§11.30 Controls for open systems.

§11.30 Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt.

Beyond the scope of Apriso

Apriso is not intended to be used as an open system in regulated industries (for example, over the web); it is typically used as a closed system, such as an internal company application (intranet).

§11.50 Signature manifestations.

§11.50(a) (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

For each transaction that requires electronic signatures, once the electronic signature is executed, Apriso stores the full name of the signing user; the date and time of the electronic signature, recorded in local time or UTC; and the reason code and comment documenting the meaning associated with the signature.

Apriso provides standard screens to display records of signature information in human readable form without specific query development. Additional database queries can create reports on electronic records and can include the specified information on the electronic signatures.

§11.50(b) (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

All signature information becomes part of the audit trail of any manufactured item to which it is linked. This data is archived, backed up, and readily accessible. The signature data is treated the same as the process data.

§11.70 Signature/record linking

§11.70 Electronic Signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

The system permanently links electronic records for a specific transaction with electronic signatures. Once this linkage is created, it cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. User passwords are maintained in the Apriso database in an encrypted format for validation, to protect them from unauthorized use.
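One way to make the §11.50(a) signature fields and the §11.70 record link tamper-evident is to bind the manifestation to a hash of the signed record with a keyed MAC held by the system. This is an added example and not a description of how Apriso implements linking, which this paper does not specify; the key, field names and sample record are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

SERVER_KEY = b"constructed-demo-key"  # assumption: held by the system, never by users


def _canonical(obj):
    """Stable byte encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, printed_name, meaning, when):
    """Build a signature manifestation (name, time, meaning) bound to this record."""
    sig = {
        "printed_name": printed_name,
        "signed_at_utc": when.astimezone(timezone.utc).isoformat(),
        "meaning": meaning,
        "record_id": record["id"],
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
    }
    sig["binding"] = hmac.new(SERVER_KEY, _canonical(sig), hashlib.sha256).hexdigest()
    return sig


def verify_link(record, sig):
    """True only if sig is intact and was executed on exactly this record content."""
    body = {k: v for k, v in sig.items() if k != "binding"}
    expected = hmac.new(SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.get("binding", "")):
        return False  # name, time, meaning or record reference was altered
    digest = hashlib.sha256(_canonical(record)).hexdigest()
    return body["record_id"] == record["id"] and hmac.compare_digest(
        digest, body["record_sha256"])


# Constructed sample record and signature.
RECORD = {"id": "BATCH-0001", "step": "weigh", "result": "pass"}
SIG = sign_record(RECORD, "Jane Example", "approval",
                  datetime(2010, 6, 1, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(verify_link(RECORD, SIG))                          # intact link
    print(verify_link(dict(RECORD, result="fail"), SIG))     # record changed after signing
    print(verify_link(dict(RECORD, id="BATCH-0002"), SIG))   # signature copied elsewhere
```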

SUBPART C Electronic Signatures

§11.100 General Requirements.

§11.100(a) Each electronic signature shall be unique to one individual and shall not be reused by, or assigned to, anyone else

Apriso enforces a unique user identifier and password. If a user ID is deactivated, another user with the same name cannot be created. It also provides an authentication model that can optionally be integrated with the operating system using single sign-on capabilities or using Active Directory (LDAP).

It is the responsibility of the customer to verify the identity of all individuals who will utilize the system.

§11.100(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

Beyond the scope of Apriso

The customer’s management procedure should include the verification of the identity of an individual prior to sanctioning that individual’s electronic signature.

Once a user has been sanctioned and a unique account and password have been created in Apriso, the user must still enter a login and password to access the Apriso application. This process validates the identity of the user to the Apriso application.