The Role of Information Systems in Title 21 CFR Part 11 Compliance:

Author: Lydia Willis

What you should know

Executive Summary

This document provides an overview of Title 21 CFR Part 11 and how to deploy enabling technologies to achieve compliance.


Introduction

As regulatory compliance requirements continue to rise for life sciences companies, the need for comprehensive record keeping is becoming more acute. Fortunately, electronic record keeping and management systems can greatly facilitate the speed, accuracy, and ease with which mandated documentation can be kept and retrieved for the FDA and other regulatory agencies.

Using electronic records instead of paper records greatly increases the speed and efficiency of the regulatory compliance process, making it easier to identify trends and inconsistencies, reducing mistakes due to human error, and facilitating data analysis.

Because it may be easier to gain unauthorized access to electronic records than to paper records, electronic product information management also involves certain potential security risks. Should unauthorized access be gained, alterations made to electronic records may be virtually undetectable and untraceable, making falsification, mistakes, and unauthorized changes difficult to trace.

To address these potential risks, the FDA has worked together with the life sciences industry to devise a policy known as Title 21 CFR Part 11 (Electronic Records/Electronic Signatures). Title 21 CFR Part 11 establishes criteria by which the FDA will accept electronic records as equivalent to paper records, and electronic signatures as equivalent to traditional handwritten signatures. It is applicable to records required by previously published regulations (predicate rules), as well as new regulations. Predicate rules include Good Laboratory Practice (GLP), Good Clinical Practice (GCP), and Good Manufacturing Practice (GMP).

Part 11 does not mandate that companies automate their record keeping. Any company that prefers not to automate—or whose electronic documentation systems are not compliant—may continue to use paper records and handwritten signatures. However, organizations that decide to automate their record keeping must ensure that their system adheres to the many regulations in Part 11. It is also critical that the system be validated, standard operating procedures be implemented (in order to ensure the systems are used in a compliant manner), and personnel be provided with appropriate training.

Part 11 Requirements Summary

Part 11 requires that companies who choose electronic records in place of paper adhere to the following provisions:

• Integrate electronic signatures. Signatures may be based on a unique identifier, such as an ID and unique password, or they can be biometric—meaning they are based on a physical characteristic, such as a fingerprint or a retina scan. Biometric signatures can provide an additional element of security, but implementation costs can be prohibitive.
• Ensure that only authorized individuals can access the system, perform an operation, alter a record, or electronically sign a record. Companies can determine appropriate levels of access for different employees.
• Use computer-generated, time-stamped audit trails. An audit trail should provide a history of record changes and operations, including an automatic capture of signature/date/time, indicating which operator made the entries, and when the actions were executed.
• Protect record archives. A record must be retained for as long as required by the predicate rule mandating it.
• Have the ability to generate accurate and complete copies of records. Records must be readily available in human-readable and electronic form for inspection, review, and copying by the FDA.
• Employ appropriate controls over systems documentation. There must be adequate controls over the access to, and use of, documentation for system operation and maintenance. Modification of systems documentation must be maintained in an audit trail.
• Procure or verify appropriate education, training, and experience for employees. Persons who develop, maintain, or use electronic records or signature systems must be qualified to do so.
• Use operational system checks. Use checks to ensure proper sequencing of steps and events.
• Employ additional controls for open systems. Open systems are those in which the individuals responsible for the content of electronic records do not control system access. Appropriate controls include document encryption, creating and executing role-based access control, and the use of appropriate digital signature standards.
• Validate systems. Electronic record keeping systems must be validated to ensure they function as intended.

Ross Enterprise | White Paper



Specific Requirements Concerning Electronic Signatures

In addition to the requirements above, controls for electronic signatures must be implemented to ensure they are used only by their genuine owners and are equivalent to handwritten signatures. These controls include:

• Non-biometric signatures must include at least two components. For example, an identification component (such as a unique user ID) and a password could be used.
• Signatures must be unique. No two combinations of identification code and password may be the same, and none may be re-used.
• Password aging. Passwords must be periodically changed.
• Signatures must include information about the operation performed. User name, date, time, and a description of the operation performed (i.e., review, approval, etc.) must be automatically entered with every signature.
• Signatures must appear in human-readable form, and be visible on the electronically viewed or printed record.
• Signature linking. A signature must be attached to the record in an unchangeable way in order to prevent falsification by copying an electronic signature to a different record.
• User identity verification. The identities of all potential users must be verified before assigning user privileges.
• All signature components must be entered for one or more signings if not performed during a continuous period of controlled system access. When multiple signings are executed during a continuous period of controlled system access, the first must be executed using all signature components. Subsequent signings during that period must use at least one of the components that is only executable by the user (i.e., password).
• Users must certify in writing that their electronic signature is equivalent to their handwritten signature. This will discourage password sharing, which is an accepted practice in many companies, making it more difficult for signers to repudiate their signature.
• Individuals must be held accountable for actions taken under their electronic signatures. In order to deter falsification of signatures and records, written policies must be established and enforced to hold users responsible for records to which their electronic signatures are attached.
• Passwords should be known only to users. Policies must be established and enforced to ensure that at least two people must collaborate in order for an individual to use someone else’s electronic signature.
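The signature-linking and signature-content requirements in the list above, as an added example that is not part of the original white paper or of any Ross product: the signature manifest carries user, meaning and time, is bound to a hash of the record, and fails verification when copied to another record. The HMAC construction, the server-held key, the field names and the sample records are assumptions; Part 11 does not prescribe a mechanism.

```python
import hashlib
import hmac
import json

# Assumption: a secret held only by the record system (constructed demo value).
SERVER_KEY = b"demo-key-not-for-production"
FIELDS = ("user_id", "name", "meaning", "signed_at", "record_sha256")

def record_digest(record: bytes) -> str:
    return hashlib.sha256(record).hexdigest()

def _tag(manifest: dict) -> str:
    # Canonical JSON so the same manifest always serialises to the same bytes.
    canonical = json.dumps({f: manifest[f] for f in FIELDS},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()

def sign_record(record: bytes, user_id: str, name: str,
                meaning: str, signed_at: str) -> dict:
    """Build a signature manifest bound to this exact record content."""
    manifest = {
        "user_id": user_id,
        "name": name,
        "meaning": meaning,        # operation performed: review, approval, ...
        "signed_at": signed_at,    # server clock, ISO 8601 UTC
        "record_sha256": record_digest(record),
    }
    manifest["tag"] = _tag(manifest)
    return manifest

def verify_signature(record: bytes, sig: dict) -> str:
    """Return 'ok', 'manifest altered' or 'wrong record'."""
    if any(f not in sig for f in FIELDS + ("tag",)):
        return "manifest altered"
    if not hmac.compare_digest(_tag(sig), str(sig["tag"])):
        return "manifest altered"      # any field edited after signing
    if sig["record_sha256"] != record_digest(record):
        return "wrong record"          # signature copied to another record
    return "ok"

def render(sig: dict) -> str:
    """Human-readable form shown on the viewed or printed record."""
    return (f"Signed by {sig['name']} ({sig['user_id']}) "
            f"on {sig['signed_at']} - meaning: {sig['meaning']}")

# Constructed sample records.
BATCH_A = b"Batch 1042: assay 99.1%, released"
BATCH_B = b"Batch 1043: assay 91.7%, on hold"

if __name__ == "__main__":
    sig = sign_record(BATCH_A, "jdoe", "Jane Doe", "approval",
                      "2008-03-01T14:05:00Z")
    print(render(sig))
    print("same record:      ", verify_signature(BATCH_A, sig))
    print("copied to batch B:", verify_signature(BATCH_B, sig))
    retargeted = dict(sig, record_sha256=record_digest(BATCH_B))
    print("hash rewritten:   ", verify_signature(BATCH_B, retargeted))
```

Because the tag covers the record hash together with the signer, meaning and time, neither moving the signature to another record nor editing any of its fields survives verification.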

Enforcement of Part 11 Regulations

The FDA is increasingly vigilant about Part 11 enforcement. Routine audits now include checking for Part 11 compliance, and the FDA is issuing an increasing number of warning letters, 483s (Inspectional Observations), and fines to companies who fail to comply or who have not developed a reasonable timeline for promptly doing so.

It’s important to note that Part 11 does not force companies to automate their record keeping. Any company that prefers not to automate—or whose electronic documentation systems are not compliant—may continue to use paper records and handwritten signatures. However, for companies that want to reap the benefits associated with electronic record keeping, compliance is not only a smart business decision, but also an imperative that will help avoid incurring warnings or orders that could lead to costly fines, or even delayed product launches.

It’s also worth noting that Part 11 does not grandfather legacy systems. This means the rule not only applies to all records created after it went into effect (August 20, 1997), but it also applies to records in older systems that have been modified, archived, or otherwise converted to electronic records since that time.

Achieving Part 11 Compliance

In order to achieve compliance, companies will have to make sure the software they use for their electronic record keeping enables them to follow the many regulations described in Part 11. Additionally, companies must validate the software, implement standard operating procedures (SOPs) that ensure the systems are used in a compliant manner, and provide personnel with appropriate training.

One important question facing companies will be whether it is cost-efficient—or even possible—to reconfigure their systems to conform to the many requirements laid out in Part 11. They may find that instead of retrofitting old systems, it makes more sense to determine which of these systems can be replaced by new ones that enable compliance. Opting to implement new technologies may provide a faster, easier, and more complete route to achieve Part 11 compliance. It may also provide an opportunity to re-evaluate current systems to determine which solutions will be most beneficial to business plans.

Implementing Enabling Technology—The Ross Solution

Ross Systems (Ross) offers a complete Enterprise Resource Planning (ERP) suite comprised of solutions that enable companies to work with their customers and suppliers to produce better products more quickly and at higher profit margins. Ross’ ERP suite, iRenaissance, allows communication and collaboration throughout the product lifecycle, from inception through sales and servicing.

Ross helps its many customers—including leading-edge pharmaceutical and medical device companies—to take full advantage of the benefits associated with electronic records. With iRenaissance employed as their operational system of record, Ross customers can eliminate the need for paper-based records and handwritten signatures, and instead comply with the regulations outlined in the Quality Systems Regulation (Part 820), as well as Part 11. Since the Ross iRenaissance suite is pre-configured for compliance with the FDA provisions for electronic records described above, it provides an integrated platform for Ross customers to become compliant.

Robust Security

Ross’ solution uses a number of methods to ensure that only authorized individuals can access the system. Ross administrators create new users within the system, linking a unique user ID, sign-in password, and approval password for each individual to use as their electronic signature. User IDs are permanently stored in the database so even when users are deleted, their user IDs may never be reused. The Ross iRenaissance suite also uses configurable password management to allow parameters to be set for minimum password length, password uniqueness, and password aging (minimum or maximum password age, for example).

Users log into the system using their Ross-specific user ID and password. After three unsuccessful login attempts, the system times out to deter unauthorized users from gaining access, and also sends the administrator a notification. An approval password is set up for each user, providing an additional level of security. Role-based access is also controlled by Ross administrators, who can assign user-specific roles and privileges within the ERP system. (For example, production personnel may be permitted to view only the current revision of documentation.)

Passwords are known only to their users; system administrators do not have access to password information. As a result, any use of someone else’s electronic signature requires the collaboration of at least two individuals. Ross iRenaissance solutions also support delegation of signature authority with proper audit trails. If a user is unavailable to sign off on a record, he or she can delegate signature authority to an alternate user. This eliminates any need for password sharing, thereby maintaining the authenticity of electronic signatures.

Electronic signatures in ERP include: user name, actions executed, and a date/time stamp. In addition, the Ross iRenaissance suite automatically links electronic signatures to the object. This means no one, including a system administrator, can copy or otherwise alter electronic signatures. Following initial login to a Ross iRenaissance solution using both a user ID and password, a user may execute electronic signatures using the second approval password, which is different from the sign-in password. To perform multiple signings that are not carried out during a single, continuous session, the user ID and both passwords must be used.

At the network level, Ross uses industry-standard robust security to ensure record authenticity, especially in cases where the corporate network needs to interact with public networks. The software itself is completely compatible with the many variations of IT infrastructure common at most corporations—including both open and closed systems—with virtually unrestricted and highly restricted access, respectively. In all cases, the highest priority is placed on data integrity and confidentiality.

Complete Audit Trails

The Ross iRenaissance suite supports thorough and complete audit trails. A computer-generated time stamp is created based on the server time clock, with the optional feature of additionally noting local time for users in different time zones. The History Tab captures all actions executed, along with the date and time stamp. The Signoff Tab includes all electronic signature approvals and/or rejections, along with comments and date/time stamp.

Archival protection of records is ensured by retaining all prior revisions of documents, drawings, software, and any attached data. This ensures a complete lifecycle history of all records. The history of each record—which includes all electronic signatures and actions performed under them—can be both displayed on screen and printed out by users with the appropriate privileges.

Electronic Record System Validation

Part 11 requires validation of electronic record keeping systems to ensure accuracy, reliability, and consistency. Ross rigorously tests its products to verify these attributes. However, Ross customers are ultimately responsible for ensuring the software functions as intended for their specific use. To simplify the validation process, Ross has developed a Best-Practice Approach (BPA) to implementing and validating the iRenaissance solution. The iRenaissance BPA includes:

• A complete set of regulatory compliant validation documents (Validation Source Book), which are readily customized for each client engagement
• On-site regulatory compliance training to ensure all key stakeholders are aware of, and educated on, the regulatory compliance impact of implementing iRenaissance
• A turnkey set of professional services designed to meet the unique requirements of every customer.




From document development to complete validation project outsourcing, Ross assists customers in guiding their project to a rapid, cost effective, regulatory-compliant outcome.

Summary

While the benefits of electronic product information management in the life sciences industry are clear, electronic record keeping also involves certain potential security risks. Hence the FDA’s issuance of Title 21 CFR Part 11 in 1997. However, it’s still up to each individual company to ensure the systems used for this purpose—whether newly deployed or existing legacy systems—enable them to comply with all the regulations in Part 11. In some instances involving legacy systems, companies have determined it is simply not cost-efficient—or even possible—to reconfigure these applications to conform to the many requirements laid out in this FDA policy. Instead, they have opted to implement new technologies in order to provide a faster, easier, and more complete route to achieve compliance.

Ross Systems has created the iRenaissance ERP suite to support electronic records and signatures compliant with Part 11. Given the complexity of the policy’s requirements, the advantages of a highly integrated solution like iRenaissance can be significant. By maintaining full compliance with FDA regulations, interruptions to the product chain can be minimized and profits maximized. Most importantly, where security and public safety are concerned, it simply makes strong economic sense to take advantage of contemporary systems designed specifically to address the requirements of the life sciences industries.




About Ross Enterprise

Ross Systems, Inc., a software unit of CDC Corporation (NASDAQ: CHINA), delivers innovative software solutions that help manufacturers worldwide fulfill their business growth objectives through increased operational efficiencies, improved profitability, strengthened customer relationships and streamlined regulatory compliance. Focused on the food and beverage, life sciences, chemicals, metals and natural products industries and implemented by more than 1,200 customer companies worldwide, the company’s family of Internet-architected solutions is a comprehensive, modular suite that spans the enterprise, from manufacturing, financials and supply chain management to customer relationship management, performance management and regulatory compliance. For more information please visit www.rossinc.com.

About CDC Software

CDC Software, The Customer-Driven Company,™ is a provider of enterprise software applications designed to help organizations deliver a superior customer experience while increasing efficiencies and profitability. CDC Software’s product suite includes CDC Factory (manufacturing operations management); Ross ERP (enterprise resource planning) and SCM (supply chain management); IMI warehouse management and order management; Pivotal CRM and Saratoga CRM (customer relationship management); Respond (customer complaint and feedback management); c360 CRM add-on products, industry solutions, and development tools for the Microsoft Dynamics CRM platform; Platinum HRM (human resources); and business analytics solutions. These industry-specific solutions are used by more than 6,000 customers worldwide within the manufacturing, financial services, health care, home building, real estate, and wholesale and retail distribution industries.

The company completes its offerings with a full continuum of services that span the lifecycle of technology and software applications, including implementation, project consulting, outsourced business services, application management, and offshore development. CDC Software is the enterprise software unit of CDC Corporation and is ranked number 12 on the Manufacturing Business Technology 2007 Global 100 List of Enterprise and Supply Chain Management Application vendors. For more information, please visit www.CDCsoftware.com.

USA: Global Headquarters
Ross Systems, Inc., Two Concourse Parkway, Suite 800, Atlanta, GA 30328, USA
t: +1 770.351.9600 f: +1 770.351.0036

United Kingdom
Ross Systems UK, Ltd., Pioneer House, 7 Rushmills, Northampton NN4 7YB, United Kingdom
t: +44 1 604 630050 f: +44 1 604 630495

Spain
Ross Systems Iberica, Frederic Mompou 5, Ed Euro 3, 08960 Sant Just, Barcelona, Spain
t: +34 93 480 28 50 f: +37 93 480 28 55

Netherlands
Ross Systems, Sparrenheuvel 32, 3708 JE Zeist, Postbus 967, 3700 AZ Zeist, Netherlands
t: +31 30 288 8454 f: +31 30 288 5238

For more information or a complete list of our worldwide offices, please visit www.rossinc.com. Copyright © CDC Software 2008.  All rights reserved. The CDC Software logo and Ross Enterprise logo are registered trademarks and/or trademarks of CDC Software.
