21 CFR Part 11 Compliance Position for FirstDoc Applications

ENTERPRISE CONTENT MANAGEMENT ON THE DOCUMENTUM PLATFORM

Author: Sibyl Harmon

Table of Contents:

Page 1 Introduction
21 CFR Part 11 Scope
Page 2 FDA’s Guidance for Industry
Page 3 Electronic Records and Electronic Signatures
Open vs. Closed Systems
Page 4 Electronic Record Functionality and Issues for FirstDoc Applications (Table 1)
Page 11 Electronic Signature Functionality and Issues for FirstDoc Applications (Table 2)
Page 13 Audit Trail Functionality and Issues for FirstDoc Applications (Table 3)
Page 15 References

Introduction

The intent of this paper is to outline the capabilities that CSC’s FirstDoc® products provide for compliance with the FDA’s ruling on Electronic Records and Electronic Signatures (21 CFR Part 11). The final decision concerning compliance of any application, including FirstDoc applications, rests with our clients and is subject to their interpretation of Part 11.

All FirstDoc Part 11-related requirements are documented in detail in the FirstDoc FDE Functional Requirements Specification document. Appropriate test scripts are written and executed for these requirements, and documented in product and project binders. CSC advises that anyone engaged in Part 11 analysis and/or implementation familiarize themselves with the details that the FDA provides regarding Part 11 applicability in the referenced documents.

21 CFR Part 11 Scope

The Code of Federal Regulations’ statement of scope regarding Part 11 is as follows:

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.

| 21 CFR Part 11 Compliance Position for FirstDoc Applications |

1

(d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with Sec. 11.2, unless paper records are specifically required.

(e) Computer systems (including hardware and software), controls and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.

FDA’s Guidance for Industry

In August 2003, the FDA provided non-binding clarification pertaining to the scope of Part 11 and their intentions related to enforcing the provisions of Part 11 in the document entitled “Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application” (published 8/28/2003). Important comments on scope included the following passage.

“Under the narrow interpretation of the scope of Part 11, with respect to records required to be maintained under predicate rules or submitted to FDA, when persons choose to use records in electronic format in place of paper format, part 11 would apply. On the other hand, when persons use computers to generate paper printouts of electronic records, and those paper records meet all the requirements of the applicable predicate rules and persons rely on the paper records to perform their regulated activities, FDA would generally not consider persons to be “using electronic records in lieu of paper records” under §§ 11.2(a) and 11.2(b). In these instances, the use of computer systems in the generation of paper records would not trigger part 11.”

Under this narrow interpretation, the FDA considers Part 11 to be applicable to the following records or signatures in electronic format (part 11 records or signatures):

• Records that are required to be maintained under predicate rule requirements and that are maintained in electronic format in place of paper format.
• Records that are required to be maintained under predicate rules, that are maintained in electronic format in addition to paper format and that are relied on to perform regulated activities.
• Records submitted to FDA, under predicate rules (even if such records are not specifically identified in Agency regulations) in electronic format (assuming the records have been identified in docket number 92S-0251 as the types of submissions the Agency accepts in electronic format).
• Electronic signatures that are intended to be the equivalent of handwritten signatures, initials and other general signings required by predicate rules.


Electronic Records and Electronic Signatures

The FDA provides the following definitions in 21 CFR Part 11 for Electronic Records and Electronic Signatures.

Electronic Record: “Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.”

Electronic Signature: “Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”

Open vs. Closed Systems

An important consideration in evaluating the impact of 21 CFR Part 11 on FirstDoc-based applications is whether the specific system implementation is considered a closed or open system. The FDA provides the following definitions in 21 CFR Part 11 for closed and open systems.

Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

The FDA has the following comment about dial-in access: “The agency advises that dial-in access over public phone lines could be considered part of a closed system where access to the system that holds the electronic records is under the control of the persons responsible for the content of those records.”1 It is the responsibility of the validation team to determine if the system is open or closed.


Electronic Record Functionality and Issues for FirstDoc Applications

Table 1 discusses the functionality that FirstDoc provides in support of 21 CFR Part 11. Each entry below gives the 21 CFR 11 requirement2 and, from the table’s other three columns, the corresponding FirstDoc functionality, the business process issues, and the notes and references.

§ 11.10 CONTROLS FOR CLOSED SYSTEMS

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records.

Corresponding FirstDoc functionality:
• FirstDoc is developed in accordance with the CSC LS QMSadvantage™, an ISO 9001:2000 certified Quality Management System. QMSadvantage and FirstDoc have been audited by many pharmaceutical clients. As part of a formal vendor audit, CSC can provide evidence that FirstDoc is developed and tested in accordance with QMSadvantage. FirstDoc has been validated by many clients. CSC offers a validation package (consisting of validation plan, traceability matrix, and IQ/OQ/PQ protocol templates and OQ protocols) with each release of the FDRD, FDQ&M, and FDTMF products.
• To assist our clients with audit trail information, CSC has provided an Audit Trail section later in this white paper.

Notes and references:
• Comment on validation of commercial software: “The agency disagrees with the comment’s claim that all commercial software has been validated. The agency believes that commercial availability is no guarantee that software has undergone ‘thorough validation’ and is unaware of any regulatory entity that has jurisdiction over general purpose software producers. The agency notes that, in general, commercial software packages are accompanied not by statements of suitability or compliance with established standards, but rather by disclaimers as to their fitness for use. The agency is aware of the complex and sometimes controversial issues in validating commercial software. However, the need to validate such software is not diminished by the fact that it was not written by those who will use the software.”3
• “The Agency intends to exercise enforcement discretion regarding specific part 11 requirements for validation of computerized systems (§ 11.10(a) and corresponding requirements in § 11.30). Although persons must still comply with all applicable predicate rule requirements for validation (e.g., 21 CFR 820.70(i)), this guidance should not be read to impose any additional requirements for validation. We suggest that your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements. You should also consider the impact those systems might have on the accuracy, reliability, integrity, availability and authenticity of required records and signatures. Even if there is no predicate rule requirement to validate a system, in some instances it may still be important to validate the system. We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. For instance, validation would not be important for a word processor used only to generate SOPs.”4


(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

Corresponding FirstDoc functionality:
• Documentum will satisfy this requirement in conjunction with a company’s records management policy. Features of Documentum that support generation of accurate and complete copies in human readable form include the generation of PDF renditions and the ability to view and print these renditions in accordance with a system’s defined security rules.
• Additional support for this requirement is provided by FirstDoc’s automatic PDF rendition generation feature. Each time the content of a document is modified and the modifications checked in, FirstDoc generates a PDF rendition from an approved rendition generation station if the format supports transformation to PDF. Automatic transformation to PDF ensures that all documents will be readable in the foreseeable future.

Business process issues:
• The business process should include review and approval of the submitted and archived formal documents (normally PDF).

Notes and references:
• “The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for generating copies of records (§ 11.10(b) and any corresponding requirement in §11.30).”5
• “We recommend that you supply copies of electronic records by:
  • Producing copies of records held in common portable formats when records are maintained in these formats …
  • Using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML, or SGML)”6

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Corresponding FirstDoc functionality:
• Documents may be retained in the system throughout their retention period, or an archiving process developed to store them outside the system. Documentum’s built-in archiving capability can be used to migrate content offline while maintaining metadata in the docbase.
• FirstDoc uses Documentum’s robust security, which limits the capability for modifying and deleting records to designated users. FirstDoc automatically applies security to Approved documents that prevents them from being deleted or modified.

Business process issues:
• Archiving of documents and eventual destruction should be controlled by a records management policy and an SOP. This is generally not a technology issue, but a legal and corporate policy issue.
• FirstDoc can track retention information to assist in managing documents in accordance with retention policies.

Notes and references:
• “… the retention period for a given record will generally be established by the regulation that requires the record. Where the regulations do not specify a given time, the agency would expect firms to establish their own retention periods.”7
• “The Agency intends to exercise enforcement discretion with regard to the part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period (§ 11.10(c) and any corresponding requirement in §11.30).”8
• “FDA does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche and paper, or to a standard electronic file format (examples of such formats include, but are not limited to, PDF, XML, or SGML).”9


§ 11.10 CONTROLS FOR CLOSED SYSTEMS (c) ... continued

Corresponding FirstDoc functionality:
• The FirstDoc product also includes an optional Records Management module which implements retention policies and allows deletion of records which have reached the end of their retention periods in accordance with a standard process.

(d) Limiting system access to authorized individuals.

Corresponding FirstDoc functionality:
• The underlying Documentum application implements a secure username and encrypted password (generally the network password) to limit access to authorized individuals.
• FirstDoc augments Documentum security by providing automatic application of a client’s defined security scheme. Users cannot modify security outside of the rules defined by the client.

Business process issues:
• In general, an SOP is needed on establishing and maintaining user profiles for the system and/or network.

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Corresponding FirstDoc functionality:
• FirstDoc uses the Documentum audit trail capability augmented by audit trail entries produced for custom FirstDoc events. Example events include checkin, save, destroy, status change and user acknowledgements, such as review and approval outcome — including electronic signature.

Business process issues:
• The client must determine which actions should be captured in the audit trail, as Documentum can be configured to capture a number of actions.
• An SOP will be needed to govern retention and archiving of audit trail items and to describe the clients’ policy regarding the official electronic record.

Notes and references:
• “It is the agency’s intent that the audit trail provide a record of essentially who did what, wrote what, and when …
• To maintain audit trail integrity, the agency believes it is vital that the audit trail be created by the computer system independently of operators. The agency believes it would defeat the purpose of audit trails to permit operators to write or change them …
• The agency does not believe part 11 needs to require recording the reason for record changes because such a requirement, when needed, is already in place in existing regulations that pertain to the records …


§ 11.10 CONTROLS FOR CLOSED SYSTEMS (e) ... continued

Corresponding FirstDoc functionality:
• Since the audit trail must be maintained for the life of the record, Documentum’s Purge Audit Trail capability should not be used unless the audit trail has been migrated offline as controlled by a client’s SOP. Note: This assumes that the approved record is the electronic record. Audit trail entries for draft, minor versions of records can be deleted using the FirstDoc purge minor version functionality if the clients’ policies dictate.
• FirstDoc provides the capability for authorized users to change document metadata on approved records. In this case, an audit trail entry captures the previously recorded values so they are not obscured.

Notes and references (continued):
• A few comments objected to the requirement that time be recorded, in addition to dates, and suggested that time be recorded only when necessary and feasible. FDA believes that recording time is a critical element in documenting a sequence of events. Within a given day a number of events and operator actions may take place, and without recording time, documentation of those events would be incomplete …
• Although FDA acknowledges that not every operator “action,” such as switching among screen displays, need be covered by audit trails, the agency is concerned that revising the rule to cover only “critical” operations would result in excluding much information and actions that are necessary to document events thoroughly …
• The agency believes that, in general, the kinds of operator actions that need to be covered by an audit trail are those important enough to memorialize in the electronic record itself. These are actions which, for the most part, would be recorded in corresponding paper records according to existing recordkeeping requirements.”10

(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Corresponding FirstDoc functionality:
These checks are implemented within a number of system functions. They include client-defined control over:
1. Enforcing the use of approved templates only in creating documents
2. Limiting property values to predefined dictionary lists wherever possible
3. Requiring entry of mandatory attributes
4. Enforcing storage in a pre-defined hierarchy (cabinet/folder structure)

Business process issues:
• During requirements definition, a client will define the level of control and checking to be enforced within the system.

Notes and references:
• “The agency advises that the purpose of performing operational checks is to ensure that operations (such as manufacturing production steps and signings to indicate initiation or completion of those steps) are not executed outside of the predefined order established by the operating organization. The agency advises that authority checks, and other controls under § 11.10, are intended to ensure the authenticity, integrity and confidentiality of electronic records, and to ensure that signers cannot readily repudiate a signed record as not genuine.”11


§ 11.10 CONTROLS FOR CLOSED SYSTEMS (f) ... continued

Corresponding FirstDoc functionality (continued):
5. Enforcing a defined document lifecycle and approval process
6. Ensuring that all required electronic signatures are obtained (if electronic signatures are used)

(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Corresponding FirstDoc functionality:
These checks are implemented within a number of system functions. They include client-defined control over authorization for:
• Document creation
• Document access (delete, write, read, etc.) (via ACL security)
• Changing status
• Initiating and participating in the review and approval process
• Signing documents (if electronic signatures are used)
• Establishing document relations including change request relationships
• Performing various types of business administration functions including dictionary maintenance, training record control, etc.

Business process issues:
• In addition, a client will need an SOP on system security and/or an SOP on physical security to prevent access to the system by unauthorized users.

Notes and references:
• “The nature, scope and mechanism of performing such checks is up to the operating organization. FDA believes, however, that performing such checks is one of the most fundamental measures to ensure the integrity and trustworthiness of electronic records.
• Such controls include ... limiting access to the database search software. Absent effective controls, it is very easy to falsify electronic records to render them indistinguishable from original, true records.”12

(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Corresponding FirstDoc functionality:
• This requirement in general does not apply to FirstDoc since the system does not have any functionality where information is valid only when entered from specific terminals. If a specific client has this requirement, CSC will address the requirement for that client.

Notes and references:
• “The nature, scope and mechanism of performing such checks is up to the operating organization. FDA believes, however, that performing such checks is one of the most fundamental measures to ensure the integrity and trustworthiness of electronic records.
• Such controls include ... limiting access to the database search software. Absent effective controls, it is very easy to falsify electronic records to render them indistinguishable from original, true records.”13


(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training and experience to perform their assigned tasks.

Corresponding FirstDoc functionality:
• CSC maintains resumes and training records on all team members.
• CSC provides training to key client team members including business users, business administrators, and system administrators.
• Upon request, CSC can provide developer training to non-CSC developers employed by the client.

Business process issues:
• The client will need an SOP on training for developers, users and administrators.
• The client will need to maintain applicable training records in accordance with an SOP.
• The client may need to conduct various vendor audits. CSC has been audited by many pharmaceutical clients and welcomes the opportunity to present our methodology and practices in an audit.

Notes and references:
• “The agency advises that, although the intent of proposed § 11.10(i) is to address qualifications of those personnel who develop systems within an organization, rather than external ‘vendors’ per se, it is nonetheless vital that vendor personnel are likewise qualified to do their work. The agency agrees that periodic examination or certification of personnel who perform certain critical tasks is desirable. However, the agency does not believe that at this time a specific requirement for such examination and certification is necessary.”14

(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Corresponding FirstDoc functionality:
• N/A

Business process issues:
• The client will need a policy detailing the use of electronic signatures as the legally binding equivalent of handwritten signatures, and holding users accountable for actions initiated under their electronic signatures.

Notes and references:
• “The agency considers the compromise of electronic signatures to be a very serious matter, one that should precipitate an appropriate investigation into any causative weaknesses in an organization’s security controls.”15

(k) Use of appropriate controls over systems documentation including:
1. Adequate controls over the distribution of, access to and use of documentation for system operation and maintenance.
2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Corresponding FirstDoc functionality:
• Electronic audit trail for the appropriate document types must be enabled if documentation is maintained in electronic format.

Business process issues:
• The client will need SOPs on document control applied to system operation and maintenance documentation (i.e., SOPs on use, operation and maintenance, manufacturer manuals).
• The client will need SOPs on document change control applied to system operation and maintenance documentation (i.e., SOPs on use, operation and maintenance, manuals).

Notes and references:
• “The agency advises that § 11.10(k) is intended to apply to systems documentation, namely, records describing how a system operates and is maintained, including standard operating procedures. The agency believes that adequate controls over such documentation are necessary for various reasons. For example, it is important for employees to have correct and updated versions of standard operating and maintenance procedures. If this documentation is not current, errors in procedures and/or maintenance are more likely to occur. Part 11 does not limit an organization's discretion as to how widely or narrowly any document is to be distributed, and FDA expects that certain documents will, in fact, be widely disseminated. However, some highly sensitive documentation, such as instructions on how to modify system security features, would not routinely be widely distributed. Hence, it is important to control distribution of, access to, and use of such documentation.…
• § 11.10(k)(2) covers the system documentation records regarding overall controls (such as access privilege logs, or system operational specification diagrams).”16


§ 11.10 CONTROLS FOR CLOSED SYSTEMS (k) ... continued

Notes and references (continued):
• “The agency advises that this section is intended to apply to systems documentation that can be changed by individuals within an organization. If systems documentation can only be changed by a vendor, this provision does not apply to the vendor’s customers. The agency acknowledges that systems documentation may be in paper or electronic form. Where the documentation is in paper form, an audit trail of revisions need not be in electronic form. Where systems documentation is in electronic form, however, the agency intends to require the audit trail also be in electronic form, in accordance with § 11.10(e).”17

§ 11.30 CONTROLS FOR OPEN SYSTEMS

Same as § 11.10 plus document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity and confidentiality.

Corresponding FirstDoc functionality:
• If the system is judged to be an open system, it would require encryption and digital signature standards. This is not part of FirstDoc and can be contracted as an option if needed.

Business process issues:
• The client and validation team must determine if the system is closed or open.


Electronic Signature Functionality and Issues for FirstDoc Applications

Electronic signature is an available but optional module for FirstDoc R&D. There are several reasons why this functionality is optional for FirstDoc R&D applications:
• Electronic signature technology must be chosen based on a client’s proposed electronic publishing tool.
• Not all of CSC’s R&D clients are ready to address the business issues surrounding the use of electronic signature for R&D documents. CSC has created a white paper/questionnaire to assist our clients in understanding these issues and determining how to address them.

FirstDoc uses a username/password (infometric) based electronic signature methodology. CSC is able to integrate a biometric solution for electronic signature upon request.

Table 2 gives, for each 21 CFR 11 requirement2, the FirstDoc compliance response and the notes and references.

§ 11.50 SIGNATURE MANIFESTATIONS

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
1. The printed name of the signer
2. The date and time when the signature was executed
3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

FirstDoc compliance response:
• FirstDoc validates the signature, translates the user ID to the full user name, and captures the user name, local date and time, server date and time and reason for signature as non-editable properties of the document.
• Meaning of signature is selected by the user from a list that is controlled by a system administrator. The available meanings of signature are based on what type of task is being performed. For example, the meanings available in the list might be different for a Regulatory Approval task and a Study Director task. For GMP applications, the meanings available in the list might be different for a QA Approval task and a Technical Approval task.
• FirstDoc will imprint signature pages and screens with the time zone reference selected by the client.

Notes and references:
Although we realize that this information has been withdrawn, it is in line with the FDA’s current thinking.
• “In the preamble to the final rule for part 11, entitled ‘21 CFR Part 11 Electronic Records; Electronic Signatures,’ we stated: ‘Regarding systems that may span different time zones, the agency advises that the signer's local time is the one to be recorded.’ We have reconsidered this position, and the guidance presented here reflects our current thinking and supersedes the position in comment 101 with respect to the time zone that should be recorded.
• You should implement time stamps with a clear understanding of what time zone reference you use. Systems documentation should explain time zone references, as well as zone acronyms or other naming conventions. For example the time zone reference might be a central point like Greenwich Mean Time, a point local to the computer where the activity linked to the time stamp occurs, or a point where the time stamp clock (e.g., a time stamp server) is located.”18
• It is recommended that each client document their policy for how they will control the time on their servers.

(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

FirstDoc compliance response:
• FirstDoc adds a signature page to the document PDF that displays all required signature information, including the full name of each user who signed the document.
• Signature information is also displayed as non-editable properties on the Properties screen.


§ 11.70 SIGNATURE/RECORD LINKING

(a) Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

FirstDoc compliance response:
• Signature information is stored as document properties.
• Signature information is also displayed as non-editable properties on the Properties screen.
• Signatures are removed when a document is edited, copied, or otherwise modified.

(b) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. (This requirement is § 11.100(a) of the rule.)

FirstDoc compliance response:
• The client will need an SOP on establishing and maintaining user profiles as applied to assigning a unique ID code/password combination to only one individual and maintaining a list of user profile information in perpetuity. Documentum can assist with this through its ability to disable (rather than delete) users who are removed from the system. Because disabled users remain in the system, their user IDs cannot be reissued to anyone else.

Notes and references:
• “For consistency with the proposed definition of handwritten signature, and to clarify that electronic signatures are those of individual human beings, and not those of organizations (as included in the act’s definition of ‘person’), FDA is changing ‘person’ to ‘individual’ in the final rule.”19

(c) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. (§ 11.100(b) of the rule.)

FirstDoc compliance response:
• The client will need SOPs on establishing and maintaining user profiles as applied to the verification of a user's identity.

(d) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (§ 11.100(c) of the rule.)
1. The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
2. Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature.

FirstDoc compliance response:
• The client will need to submit a letter to the FDA certifying that it considers electronic signatures to be the legally binding equivalent of handwritten signatures.
• The client will need SOPs on establishing and maintaining user profiles showing that a given individual accepts that the electronic signature is the legally binding equivalent of a handwritten signature.


(e) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. (§ 11.200(b) of the rule.)

FirstDoc compliance response:
• FirstDoc can support the use of biometric solutions through customizations. Customizations for biometrics are not in the scope of this document.
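The signature properties described under § 11.50 (full name, local and server time, a documented time zone reference, meaning of signature) and the § 11.70 linking and user-ID uniqueness controls above, as an added worked example. This is illustrative code written for this page, not FirstDoc or Documentum code: FirstDoc stores signatures as document properties and strips them on edit, whereas the example additionally binds each signature to the record and its content digest with a server-side HMAC so that a signature copied to another record, or a signature property altered in place, fails verification. The key, the user directory, the record layout and the constructed scenario in demo() are assumptions of the example.

```python
"""Added example: signature manifestation and signature/record linking.

Not FirstDoc or Documentum code. A record is a dict with an id, content bytes
and a list of signature property sets. Each signature is bound to the record id
and a SHA-256 content digest with an HMAC under a server-held key (assumed).
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed server-held secret, constructed for the example; a deployment would keep
# it in a key vault or HSM so that operators cannot forge signature properties.
SERVER_KEY = b"example-only-server-key"


class UserDirectory:
    """User IDs are issued once and never reassigned; departed users are disabled."""

    def __init__(self):
        self._users = {}  # user_id -> {"full_name": str, "active": bool}

    def add(self, user_id, full_name):
        if user_id in self._users:  # holds for disabled users too: the ID is retired, not freed
            raise ValueError(f"user ID {user_id!r} was already issued")
        self._users[user_id] = {"full_name": full_name, "active": True}

    def disable(self, user_id):
        self._users[user_id]["active"] = False

    def full_name(self, user_id):
        user = self._users.get(user_id)
        if user is None or not user["active"]:
            raise PermissionError(f"{user_id!r} is not an active signer")
        return user["full_name"]


def _content_digest(content):
    return hashlib.sha256(content).hexdigest()


def _signature_mac(record_id, content_digest, fields):
    """HMAC over the record identity, its content digest and the signature fields."""
    payload = json.dumps(
        {"record_id": record_id, "content": content_digest, "signature": fields},
        sort_keys=True,
    ).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def sign_record(record, user_id, directory, meaning, local_time, server_time=None):
    """Apply an electronic signature; returns the non-editable signature properties."""
    server_time = server_time or datetime.now(timezone.utc)
    fields = {
        "user_id": user_id,
        "full_name": directory.full_name(user_id),  # user ID translated to full name
        "meaning": meaning,
        "local_time": local_time.isoformat(),
        "server_time": server_time.astimezone(timezone.utc).isoformat(),
        "time_zone_reference": "UTC",               # the documented reference point
    }
    mac = _signature_mac(record["id"], _content_digest(record["content"]), fields)
    record.setdefault("signatures", []).append({**fields, "mac": mac})
    return record["signatures"][-1]


def verify_signatures(record):
    """True only if every signature still binds to this record and its current content."""
    digest = _content_digest(record["content"])
    for sig in record.get("signatures", []):
        fields = {k: v for k, v in sig.items() if k != "mac"}
        if not hmac.compare_digest(_signature_mac(record["id"], digest, fields), sig["mac"]):
            return False
    return True


def edit_record(record, new_content):
    """Editing the content strips existing signatures, as the response column describes."""
    record["content"] = new_content
    record["signatures"] = []


def demo():
    """Constructed scenario: sign, then try to transfer, alter, edit, and reuse an ID."""
    users = UserDirectory()
    users.add("jdoe", "Jane Doe")
    record = {"id": "SOP-0001", "content": b"Approved procedure text v1.0"}
    local = datetime(2008, 5, 1, 9, 30, tzinfo=timezone(timedelta(hours=-5)))
    sign_record(record, "jdoe", users, "QA Approval", local)
    results = {"signed_ok": verify_signatures(record)}
    # Transfer the signature block to another record "by ordinary means".
    other = {"id": "SOP-0002", "content": b"Other text", "signatures": list(record["signatures"])}
    results["copied_sig_rejected"] = not verify_signatures(other)
    # Alter one signature property in place (here, the meaning of the signature).
    altered = dict(record, signatures=[dict(record["signatures"][0], meaning="Technical Approval")])
    results["altered_sig_rejected"] = not verify_signatures(altered)
    # An edit removes signatures; a retired user ID cannot be issued to someone else.
    edit_record(record, b"Approved procedure text v1.1")
    results["signatures_after_edit"] = len(record["signatures"])
    users.disable("jdoe")
    try:
        users.add("jdoe", "John Doe")
        results["id_reuse_rejected"] = False
    except ValueError:
        results["id_reuse_rejected"] = True
    return results
```

The MAC is what turns "stored as document properties" into a link that survives ordinary copy-and-paste: the properties alone can be moved between records, but the MAC covers the record id and content digest, so a moved or altered signature no longer verifies. Recording both the signer's local time and the server time in UTC, with the reference zone named in the properties, is the documented-time-zone practice the withdrawn time-stamp guidance asks for.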

§ 11.300 CONTROLS FOR IDENTIFICATION CODES/PASSWORDS

Persons who use electronic signatures based upon the use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

FirstDoc compliance response:
• Documentum and Unix/Windows Server provide most of this functionality. See item § 11.10(a).
• The client will need an SOP on establishing and maintaining user profiles.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

FirstDoc compliance response:
• Both Trusted Unix and Windows Server can be used to require periodic aging of passwords.
• The client will need an SOP on establishing and maintaining user profiles.

(c) Following loss management procedures to electronically deauthorize lost

FirstDoc compliance response:
• The client will need an SOP covering loss management for passwords.
• If devices are used, the client must have an SOP covering loss management.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes.

FirstDoc compliance response:
• Both Trusted Unix and Windows Server can be used to disable user accounts after a configurable number of unsuccessful attempts. The client will need an SOP containing the procedure for reactivating accounts.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

FirstDoc compliance response:
• If such devices are used, the client must have such a policy in place.

Audit Trail Functionality and Issues for FirstDoc Applications

Audit trails are an included feature of FirstDoc. Documentum has its own audit trail capabilities, and FirstDoc adds to Documentum's audit trail system. Table 3 discusses the audit trail functionality that FirstDoc provides in support of 21 CFR Part 11.


§ 11.10(e), (k) AUDIT TRAIL

(a) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

FirstDoc compliance response:
• FirstDoc uses the Documentum audit trail capability, augmented by audit trail entries produced for custom FirstDoc events. Example events include check-in, save, destroy, status change and user acknowledgements such as review and approval outcome, including electronic signature.
• Since the audit trail must be maintained for the life of the record, Documentum's Purge Audit Trail capability should not be used unless the audit trail has been migrated offline as controlled by a client SOP. Note: this assumes that the approved record is the electronic record. Audit trail entries for draft (minor) versions of records can be deleted using the FirstDoc purge minor version functionality if the client's policies dictate.
• FirstDoc provides the capability for authorized users to change document metadata on approved records. In this case, an audit trail entry captures the previously recorded values so that they are not obscured.

Notes and references:
• “It is the agency's intent that the audit trail provide a record of essentially who did what, wrote what, and when … To maintain audit trail integrity, the agency believes it is vital that the audit trail be created by the computer system independently of operators. The agency believes it would defeat the purpose of audit trails to permit operators to write or change them … The agency does not believe part 11 needs to require recording the reason for record changes because such a requirement, when needed, is already in place in existing regulations that pertain to the records … A few comments objected to the requirement that time be recorded, in addition to dates, and suggested that time be recorded only when necessary and feasible. FDA believes that recording time is a critical element in documenting a sequence of events. Within a given day a number of events and operator actions may take place, and without recording time, documentation of those events would be incomplete … Although FDA acknowledges that not every operator “action,” such as switching among screen displays, need be covered by audit trails, the agency is concerned that revising the rule to cover only “critical” operations would result in excluding much information and actions that are necessary to document events thoroughly … The agency believes that, in general, the kinds of operator actions that need to be covered by an audit trail are those important enough to memorialize in the electronic record itself. These are actions which, for the most part, would be recorded in corresponding paper records according to existing recordkeeping requirements.”20

(b) Use of appropriate controls over systems documentation including:
1. Adequate controls over the distribution of, access to and use of documentation for system operation and maintenance.
2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

FirstDoc compliance response:
• Electronic audit trail for the appropriate document types must be enabled if documentation is maintained in electronic format.

Notes and references:
• “The agency advises that § 11.10(k) is intended to apply to systems documentation, namely, records describing how a system operates and is maintained, including standard operating procedures. The agency believes that adequate controls over such documentation are necessary for various reasons. For example, it is important for employees to have correct and updated versions of standard operating and maintenance procedures. If this documentation is not current, errors in procedures and/or maintenance are more likely to occur. Part 11 does not limit an organization’s discretion as to how widely or narrowly any document is to be distributed, and FDA expects that certain documents will, in fact, be widely disseminated. However, some highly sensitive documentation, such as instructions on how to modify system security features, would not routinely be widely distributed. Hence, it is important to control distribution of, access to, and use of such documentation.…
• § 11.10(k)(2) covers the system documentation records regarding overall controls (such as access privilege logs, or system operational specification diagrams).”21
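The audit trail properties required by § 11.10(e) and described in the response column above (entries generated by the system rather than the operator, time-stamped against a documented zone reference, previous values captured rather than obscured, and a trail that must not be purged), as an added worked example. This is illustrative code written for this page, not FirstDoc or Documentum code; the hash chain that lets a reviewer detect an altered or deleted entry is a design choice of the example, not a description of the Documentum audit trail. The event names, record layout and fixed clock in demo() are constructed for the example.

```python
"""Added example: an append-only, time-stamped audit trail with old/new values.

Not FirstDoc or Documentum code. Each entry is hashed together with the hash of
the entry before it, so a reviewer can verify that nothing in the trail was
rewritten or removed. Event names and the record shape are assumptions.
"""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _entry_hash(entry):
    """Canonical SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64

    def __init__(self, clock=None):
        self._entries = []
        # The time stamp is taken from the system clock; callers never supply one.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def append(self, user_id, event, record_id, changes=None):
        """Record who did what to which record, and when; returns the new entry."""
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": self._clock().astimezone(timezone.utc).isoformat(),
            "time_zone_reference": "UTC",
            "user_id": user_id,
            "event": event,
            "record_id": record_id,
            "changes": changes or {},  # field -> {"old": ..., "new": ...}
            "prev_hash": self._entries[-1]["entry_hash"] if self._entries else self.GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self._entries.append(entry)
        return entry

    def entries(self):
        """A deep copy for review; the trail itself is only ever appended to."""
        return copy.deepcopy(self._entries)

    def verify(self, entries=None):
        """True if sequence numbers and the hash chain are intact and no entry was altered."""
        entries = self._entries if entries is None else entries
        prev = self.GENESIS
        for i, e in enumerate(entries, 1):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def field_history(self, record_id, field):
        """Every value a field has held on a record, oldest first, ending with the current one."""
        values = []
        for e in self._entries:
            if e["record_id"] == record_id and field in e["changes"]:
                change = e["changes"][field]
                if not values:
                    values.append(change["old"])
                values.append(change["new"])
        return values


def update_metadata(record, trail, user_id, new_values):
    """Change metadata on an approved record, logging the previous value of each field."""
    changes = {f: {"old": record.get(f), "new": v} for f, v in new_values.items() if record.get(f) != v}
    if changes:
        record.update(new_values)
        trail.append(user_id, "metadata_change", record["id"], changes)
    return changes


def demo():
    """Constructed scenario: a fixed clock, one record, a metadata change, two tampering attempts."""
    start = datetime(2008, 5, 1, 14, 0, tzinfo=timezone.utc)
    ticks = iter(start + timedelta(minutes=i) for i in range(10))
    trail = AuditTrail(clock=lambda: next(ticks))
    record = {"id": "SOP-0001", "title": "Cleaning procedure", "status": "Draft"}
    trail.append("jdoe", "checkin", record["id"])
    trail.append("jdoe", "status_change", record["id"], {"status": {"old": "Draft", "new": "Approved"}})
    record["status"] = "Approved"
    update_metadata(record, trail, "qa_admin", {"title": "Cleaning procedure (Line 2)"})
    results = {"chain_ok": trail.verify(), "title_history": trail.field_history(record["id"], "title")}
    # An operator rewriting a past entry breaks that entry's hash.
    altered = trail.entries()
    altered[2]["changes"]["title"]["old"] = "something else"
    results["altered_entry_detected"] = not trail.verify(altered)
    # Deleting an entry (an uncontrolled purge) breaks the sequence and the chain.
    purged = trail.entries()
    del purged[1]
    results["deleted_entry_detected"] = not trail.verify(purged)
    return results
```

field_history is the check a reviewer actually wants from "record changes shall not obscure previously recorded information": every prior value of a field is recoverable from the trail alone, without the current copy of the record. The chain verification is what makes the "do not purge unless migrated offline under an SOP" rule auditable, since a gap left by a purge is detectable rather than silent.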


Quoted References

1 Federal Register, Vol. 62, No. 54, Thursday, March 20, 1997, Rules and Regulations: 21 CFR Part 11 [Docket No. 92N-0251] RIN 0910-AA29. http://www.fda.gov/ora/compliance_ref/part11/frs/background/11cfr-fr.htm
2 Code of Federal Regulations, Title 21, Food and Drugs, Part 11, Electronic Records; Electronic Signatures (Volume 1, revised as of April 1, 2003, from the U.S. Government Printing Office via GPO Access [CITE: 21CFR11]). http://www.access.gpo.gov/nara/cfr/waisidx_03/21cfr11_03.html
3 Same as reference 1.
4 Guidance for Industry, Part 11, Electronic Records; Electronic Signatures: Scope and Application (FDA, Division of Drug Information, HFD-240, Center for Drug Evaluation and Research (CDER)). http://www.fda.gov/cder/guidance/index.htm
5 Same as reference 1.
6 Same as reference 4.
7 Same as reference 1.
8 Same as reference 4.
9 Ibid.
10 Same as reference 1.
11 Ibid.
12 Ibid.
13 Ibid.
14 Ibid.
15 Ibid.
16 Ibid.
17 Ibid.
18 Guidance for Industry, 21 CFR Part 11; Electronic Records; Electronic Signatures: Time Stamps (withdrawn guidance, FDA Office of Regulatory Affairs, Docket No. 00D-1542).
19 Same as reference 1.
20 Ibid.

Additional References

• Glossary of Computerized System and Software Development Terminology (Division of Field Investigations, Office of Regional Operations, Office of Regulatory Affairs, FDA, 1995). http://www.fda.gov/ora/inspect_ref/igs/gloss.html
• General Principles of Software Validation; Final Guidance for Industry and FDA Staff (FDA, Center for Devices and Radiological Health, Center for Biologics Evaluation and Research, 2002). http://www.fda.gov/cdrh/comp/guidance/938.html
• Guidance for Industry, FDA Reviewers, and Compliance on Off-The-Shelf Software Use in Medical Devices (FDA, Center for Devices and Radiological Health, 1999). http://www.fda.gov/cdrh/ode/guidance/585.html
• Pharmaceutical CGMPs for the 21st Century: A Risk-Based Approach; A Science and Risk-Based Approach to Product Quality Regulation Incorporating an Integrated Quality Systems Approach (FDA, 2002). http://www.fda.gov/oc/guidance/gmp.html


CSC The Americas: 575 East Swedesford Road, Wayne, Pennsylvania 19087, United States, +1.866.287.3792. Europe: Unit 20, St. Asaph Business Park, St. Asaph, Denbighshire LL17 0LJ, United Kingdom, +44.1.745.582600.

About CSC The mission of CSC is to be a global leader in providing technology enabled business solutions and services. With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients, and improve operations. CSC makes a special point of understanding its clients and provides experts with real-world experience to work with them. CSC is vendor-independent, delivering solutions that best meet each client’s unique requirements. For more than 45 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs. The company trades on the New York Stock Exchange under the symbol “CSC.”

Copyright © 2008 Computer Sciences Corporation. All rights reserved. DS08_0548
