FDA 21 CFR Part 11 Compliance Design

Overview

The software platform includes a range of security and compliance features to help organizations meet the requirements of FDA 21 CFR Part 11. It is important to note that compliance is an ongoing process, so organizations should regularly monitor and update their systems and policies to ensure adherence to the standards established by the FDA.

Title 21 CFR Part 11 is part of Title 21 of the Code of Federal Regulations and establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

On this page:

• FDA 21 CFR Part 11 Requirements
• Implementation Guide
• Solution Configuration
• Validation Environment Setup
• Security and Access Control
• Audit Trail Configuration
• Electronic Signatures
• Data Integrity Controls
• Exporting Reports
• FDA Compliance Table
• Validation Documentation

FDA 21 CFR Part 11 Requirements

Part 11 defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

Listed below are security-related features available in the product:

• Access Control: Regulates who or what can view or use resources in a computing environment
• Password Encryption: System administrators do not have access to user passwords, which are encrypted before being stored
• Maximum and Minimum Age for Password: Imposes minimum password age before allowing changes and maximum age before expiring
• Required Password Changing: Forces users to change password after first login
• User Name and Password Minimum Length: Defines minimum length for usernames and passwords
• Block on Invalid Login Attempt: Blocks user if maximum number of invalid login attempts is reached
• Store Password History: Range of last 0-5 passwords stored to prevent reuse
• Auto Log Off: Logs user off due to inactivity or expiration
• Audit Trail Data: Security-relevant chronological record providing documentary evidence of activities

Implementation Guide

Step 1: Configure Validation Environment Using Execution Profiles

FDA validation requires separate environments for Development, Validation, and Production. FrameworX's Execution Profiles feature enables this separation without manual configuration changes.

Setting Up Execution Profiles

1. Navigate to Runtime → Execution Profiles

2. Configure Development Profile:

   - Select: Development tab
   - Enable Profile Settings: ?
   - Set ReadOnly on Modules: Select modules to protect
   - Configure test database connections
   

3. Configure Validation Profile:

   - Select: Validation tab
   - Enable Profile Settings: ?
   - Set ReadOnly on Modules: ? All modules
   - Use validation database connections
   

4. Production Profile:

   • Uses base configuration without replacements
   • Enable for final deployment
   • Can enable AutoStart for Windows service

Step 2: Configure Security Policies

Navigate to Security → Policies and create FDA-compliant policy:

Create "FDA_Compliant" Policy

Identification Settings:

AllowPasswordChange: True
PasswordMinLength: 8
BlockOnInvalidAttempts: 3 (automatic blocking)
AllowShareUser: False
UserNameMinLength: 6
PasswordHistory: 5
MinPasswordAge: 24 (hours)
MaxPasswordAge: 2160 (90 days)
BlockAging: 24 (hours)

ESign Settings:

Enabled: True
TimeoutMinutes: 5

Session Settings:

AutoLogOff: Both
InactivityMinutes: 15
DurationHours: 12

Step 3: Configure User Roles and Permissions

In Security → Users, create standard FDA roles:

Step 4: Configure Audit Trail

Enable Audit Trail

1. Go to Alarms → Global Settings

2. Configure:

   ? Enable Audit Trail
   Retention Days: 2555 (7 years minimum)
   Database: [Select SQL database]
   

3. Select events to audit:

   ? User Logon/Logoff
   ? Open/Close Displays
   ? Remote Connections
   ? Custom Messages
   ? Tag Changes
   ? Datasets (Save/Load or Modify)
   ? Operator Actions
   ? Save Reports
   ? System Warnings
   

Configure Audit Messages

For each critical tag requiring audit:

1. Navigate to Alarms → Groups
2. Configure Audit Trail columns:
   • TagName
   • UserName
   • ActiveTime (Ticks)
   • Message (custom for each action)
   • Condition
   • AuxValue fields for additional metadata

Step 5: Implement Electronic Signatures

Configure ESign for Critical Operations

1. In Security → Policies, ensure ESign is enabled with appropriate timeout
2. For critical controls in Displays → Draw:
   • Double-click control element
   • Enable Security dynamic
   • Check "ESign Required" checkbox
3. System will prompt for password confirmation when timeout expires

Signature Meaning Configuration

Configure signature meanings in Audit Trail messages:

• "Reviewed by" - for data review
• "Approved by" - for batch approval
• "Verified by" - for verification steps
• "Released by" - for product release

Step 6: Configure Change Control

Enable Track Changes

Navigate to Track Changes Tables to monitor:

• Recent Changes: List of modified objects
• Version Control: Configuration table versions
• Cross-Reference: Objects in use and locations
• Use Count: Usage frequency
• Unused Objects: Created but unused objects

Version Management

Use Version Control to:

• Track all configuration changes
• Maintain change history
• Document modification reasons
• Identify change authors and timestamps

Step 7: Build and Publish for Production

Create Read-Only Production Version

1. Go to Runtime → Build and Publish
2. Configure:

   ? Rebuild All? Validate DisplaysVersion: Set appropriate version (e.g., 1.0)
   

3. Click Build to validate
4. Click Publish to create read-only .dbrun file

Version Increment Strategy

• Major: Significant changes (1.0 → 2.0)
• Minor: Incremental updates (1.0 → 1.1)

The published .dbrun file:

• Is read-only and tamper-resistant
• Suitable for regulated production environments
• Maintains data integrity
• Prevents unauthorized modifications

Exporting Reports

To comply with regulation requirements for digital and physical copies:

Create FDA-Compliant Report

1. Go to Reports → Forms

2. Configure report properties:

   Name: [Report Name]
   SaveFormat: PDF (for archival)
   SaveFileName: {path with timestamp}
   EditSecurity: [Authorized groups only]
   

3. Add runtime objects:

   • Tag values and properties
   • Electronic signatures
   • Timestamps
   • User information

Save Reports Programmatically

@Report.<ReportName>.Save
// or with orientation
@Report.<ReportName>.SaveCommand(0) // Portrait
@Report.<ReportName>.SaveCommand(1) // Landscape

FDA Compliance Table

This table serves as a checklist for certification:

Validation Documentation Templates

Required Documentation

• [ ] User Requirements Specification (URS)
• [ ] Functional Requirements Specification (FRS)
• [ ] Design Specification (DS)
• [ ] Installation Qualification (IQ)
• [ ] Operational Qualification (OQ)
• [ ] Performance Qualification (PQ)
• [ ] Traceability Matrix

Standard Operating Procedures (SOPs)

• [ ] User Management SOP
• [ ] Password Management SOP
• [ ] Audit Trail Review SOP
• [ ] Backup and Recovery SOP
• [ ] Change Control SOP
• [ ] Electronic Signature SOP
• [ ] System Validation SOP

Best Practices

1. Regular Audits: Schedule periodic audit trail reviews
2. Training Records: Maintain user training documentation
3. Change Documentation: Use Track Changes for all modifications
4. Backup Verification: Test backup restoration procedures regularly
5. Version Control: Use Major/Minor versioning consistently
6. Password Policies: Review and update security policies quarterly
7. Validation Maintenance: Revalidate after significant changes

Conclusion

FrameworX provides comprehensive features supporting FDA 21 CFR Part 11 compliance through its integrated security, audit trail, electronic signature, and validation environment capabilities. Proper configuration and procedural controls, combined with these technical features, enable organizations to achieve and maintain compliance with FDA regulations.

FDA 21 CFR Part 11 requirements

Part 11, commonly referred to as, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

Listed below are some security-related features available in the product:

• Access Control: A security technique that regulates who or what can view or use resources in a computing environment.
• Password Encryption: System administrators do not have access to user passwords, which are encrypted before being stored.
• Maximum and Minimum Age for Password: A feature that imposes a minimum password age before allowing it to change and a maximum age before expiring.
• Required Password Changing: Forces the user to change their password after the first login.
• User Name and Password Minimum Length: Defines the minimum length for usernames and passwords.
• Block on Invalid Login Attempt: Blocks the user if the maximum number of invalid login attempts has been reached.
• Store Password History: A range of the last 0-5 passwords can be stored to ensure the user does not repeat an already used one.
• Auto Log Off: Logs the user off the system due to inactivity or expiration.
• Audit Trail Data: A security-relevant chronological record or set of records that provide documentary evidence of the sequence of activities affecting a specific operation at any time.

Solution Configuration

Audit Trail 

Audit trails should be generated independently of the operator and include the local date and time of the actions that alter the record. They cannot overwrite old data and must be stored as long as the record itself is stored.

To use the Audit Trail function, you must enable it. Go to Alarms / Global Settings, and click the “Enable Audit Trail” checkbox.

After it’s enabled, you can choose which actions will be stored in the Audit Trail database. The options are as follows:

• User Logon/Logoff: Stores informational data on user login/logout.
• Open/Close Displays: Stores informational data when displays are open or closed.
• Remote Connections: Stores information on remote client connections (Smart/Rich Clients).
• Custom Messages: Stores added custom messages.
• Tag Changes: Stores informational data of every tag change.
• Datasets (Save/Load or Modify): Stores information on datasets.
• Operator Actions: Stores information on operator actions.
• Save Reports: Stores information when the save command is executed.
• System Warnings: Stores information related to the system.

For every solution update indicated above, crucial information is stored alongside the event info in the Alarm Historian database columns:

• UserName: Indicates the user who was logged in at the time the event occurred.
• ActiveTime Ticks: The date and time when the event happened. Although this data is stored as Ticks in the database, the product automatically converts it to DateTime when displayed.
• Message: Provides detailed information about the event, which varies depending on the event type.
• Condition: Indicates which Audit Trail selection field the event originated from.

Exporting Reports

To comply with the regulation, the software must be able to export digital and physical copies of Reports.

To create or edit a report:

• Go to Reports / Forms
• Select a report name or select the insert row (first row)
• Enter or select information, as needed

• Name: Enter a name for the report. The system will let you know if the name is not valid.
• Padding: Use padding when replacing a tag name with its value (the field starts with enough space for the same number of characters as the tag name):
  • Compact — Removes any extra characters and displays only the tag.
  • PadRight — Adds an extra space for each character to the right of the tag.
  • PadLeft — Adds an extra space for each character to the left of the tag.
• SaveFormat: Selects the report format: XPS, HTML, Unicode, ASCII, PDF.
• SaveFileName: Enter a string with {ObjectProperties}. Use the full path.
• SaveTrigger: Enter an object property as the trigger.
• Append: Enter the file that appends the report.
• Size: The size of the report.
• EditSecurity: Check which user groups can edit the report.
• Header: Choose another report as the Header.
• Footer: Choose another report as the Footer.
• Legacy: Read-only. Shows if the report is a legacy.
• Description: Enter a description of the report.

It is possible to add several runtime objects to a Report. Some examples are:

• Tag values and properties.
• Client and Server property information.
• Symbols (TrendCharts are added as a symbol).
• Tables and DataGrids can be dynamically colored and translated according to the solution’s localization setting.

The Report is saved using one of the following methods:

@Report.<ReportName>.Save
// Property used to trigger the save report action

@Report.<ReportName>.SaveCommand(int Orientation)
// Orientation = 0 or blank -- Portrait Mode
// Orientation = 1 -- Landscape Mode
// saves the selected report into the path indicated by the SaveFileName property

FDA Compliance Table

This table can be used as check list and auxiliary tool on the certification process.

In this section: