Overview
The software platform has a range of security and compliance features that can be used to help organizations meet the requirements of FDA 21 CFR Part 11. It is important to note that compliance is an ongoing process, and therefore, organizations should regularly monitor and update their systems and policies to ensure adherence to the standards established by the FDA.
Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).
On this page:
FDA 21 CFR Part 11 requirements
Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.
Listed below are described some security-related features available in the product:
- Access Control: Security technique that regulates who or what can view or use resources in a computing environment.
- Password Encryption: System administrator does not possess access to the user. They are encrypted before being stored.
- Maximum and Minimum Age for Password: A feature that imposes a minimum password age before allowing it to change and a maximum age before expiring.
- Required Password changing: Forces the user to alter his password after the first login has been made.
- User Name and Password Minimum Length: Defines username and the password's minimum length.
- Block on Invalid Login Attempt: Blocks User if maximum number of invalid login attempts have been made.
- Store Password History: A range of the last 0-5 passwords can be stored to make sure the user does not repeat an already used one.
- Auto Log Off: User is logged off the system for inactivity or expiration date.
- Audit Trail Data: Security-relevant chronological record or set of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation.
Project Configuration
Audit Trail
Audit trails should be generated independently of the operator and include the local date and time of the actions that alter the record. They cannot overwrite the old data, and they must be stored as long as the record itself is stored.
To use the Audit Trail function, you must enable it. Go to Edit → Alarms → Groups, and click the Settings button.
A popup display will open with many checkboxes. Besides the Enable option, you can choose which actions will be stored in the Audit Trail database. The options are as follows:
- User Logon/Logoff: Stores informational data on user login/logout.
- Open/Close Displays: Stores informational data when displays are open or closed.
- Remote Connections: Stores information on remote client connections (Smart/Rich Clients).
- Custom Messages: Stores added custom messages.
- Tag Changes: Stores informational data of every tag change.
- Datasets (Insert/Updates or All Commands): Stores information on datasets.
- Operator Actions: Stores information on operator actions.
- Save Reports: Stores information when the save command is executed.
- System Warnings: Stores information related to the system.
For every project update indicated above, crucial information is stored alongside the event info in the Alarm Historian database columns:
- UserName: Indicates the user that was logged in at the time an event happened.
- ActiveTime Ticks: Date and time in which the event happened. It is worth mentioning that, despite this data being stored as Ticks in the database, the product is smart enough to automatically convert it to DateTime when it shows on a Display.
- Message: Detailed information on the event. It changes according to the event.
- Condition: Indicate which Audit Trail selection field the event came from.
Exporting Reports
To comply with the regulation, the software must be able to export digital and physical copies of Reports.
To create or edit a report:
- Go to Edit → Reports → Reports
- Select a report name or select the insert row (first row)
- Enter or select information, as needed
- Name: Enter a name for the report. The system will let you know if the name is not valid.
- Padding: Use padding when replacing a tag name with its value (the field starts with enough space for the same number of characters as the tag name):
- Compact — Removes any extra characters and displays only the tag.
- PadRight — Adds an extra space for each character to the right of the tag.
- PadLeft — Adds an extra space for each character to the left of the tag.
- SaveFormat: Selects the report format: XPS, HTML, Unicode, ASCII, PDF.
- SaveFileName: Enter a string with {ObjectProperties}. Use the full path.
- SaveTrigger: Enter an object property as the trigger.
- Append: Enter the file that appends the report.
- Size: The size of the report.
- EditSecurity: Check which user groups can edit the report.
- Header: Choose another report as the Header.
- Footer: Choose another report as the Footer.
- Legacy: Read-only. Shows if the report is a legacy.
- Description: Enter a description of the report.
It is possible to add several runtime objects to a Report. Some examples are:
- Tag values and properties.
- Client and Server property information.
- Symbols (TrendCharts are added as a symbol).
- Tables and DataGrids can be dynamically colored and translated according to the project’s localization setting.
The Report is saved using one of the following methods:
@Report.<ReportName>.Save // Property used to trigger the save report action @Report.<ReportName>.SaveCommand(int Orientation) // Orientation = 0 or blank -- Portrait Mode // Orientation = 1 -- Landscape Mode // saves the selected report into the path indicated by the SaveFileName property |
Security User Permissions
On Security → Permissions, it is possible to allow/disallow a user to edit different project tabs in the Engineering Environment. The available options are shown in the image below.
It is also possible to allow/disallow a user to perform different actions during Runtime.
To apply a created permission to a user, go to Security → Users (Permissions Columns), and select the desired option.
Security User Policies
On Security → Policies, there are three main configuration columns that can be important for CFR 11 compliance.
- Identification: Contains several password configuration options, detailed below:
- Allow Password Change: Indicates if a user, other than an administrator, can change its own password.
- Password Min Length: Minimum character length for password (0 means no restrictions).
- Block On Invalid Attempts: Maximum number of login attempts before blocking user (0 means no restrictions).
- Allow Share User: Indicates if user can be shared between stations.
- UserName Min Length: Minimum character length for username (0 means no restrictions).
- Password History: Remember last passwords (Range: 0-5).
- Min Password Age: Minimum password age in hours (0 means no restrictions).
- Max Password Age: Maximum password age in hours (0 means no restrictions).
- Block Aging: Maximum blocking age in hours (0 means no restrictions).
- ESign: When enabled, a password will be requested for Action Dynamics with eSign. The password remains valid for a specified timeout time (in minutes).
- Session: User can be logged off according to a determined Inactivity Time (in minutes) and/or after a maximum session duration (in hours).
To apply a created session configuration to a User, go to Security → Users (Policies Columns), and select the desired option.
FDA Compliance Table
This table can be used as check list and auxiliary tool on the certification process.
| Electronic Records and Electronic Signatures Compliance for FactoryStudio | ||||
|---|---|---|---|---|
| Item | Description | Reference | FrameworX | |
| 1 | The software must be validated, according to the current guidelines established by the FDA and GAMP. | FDA 21 CFR Part 11 | Publish resources, native to FactoryStudio. | |
| 2 | The software must have control that defines the default password exchange, performed by the user, at the first access. | FDA 21 CFR Part 11 | Implemented in Logon dialog, native to FactoryStudio. | |
| 3 | The software must allow copies of reports in electronic format PDF, XML, and other to be viewed and referenced when necessary. | FDA 21 CFR Part 11 11.10 ( b ) | It is possible to save files in PDF and XPS. The XPSViewer control is part of FactoryStudio. For PDF, the IE control, or the native report viewer can be used. | |
| 4 | The software must allow printed copies of the reports to be generated for the requested audit records. | FDA 21 CFR Part 11 11.10 ( b ) | You can save the report in XPS and then print it using the "TLib.PrintXPS" method. | |
| 5 | Electronic records should be available for consultation and for as long as needed. Established historical basis of the production base should be established. | FDA 21 CFR Part 11 11.10 ( c ) | Configurable in the project. | |
| 6 | The software must allow the archiving of the generated data. | FDA 21 CFR Part 11 11.10 ( c ) | Historian module, native to FactoryStudio. | |
| 7 | The software must have access control with different user profiles / groups such as operational level, administrator level and maintenance level. | FDA 21 CFR Part 11 11.10 ( d ) | Native to FactoryStudio. | |
| 8 | The software shall permit the unique identification of the user (Username & password). | FDA 21 CFR Part 11 11.10 ( d ) | Native to FactoryStudio. | |
| 9 | The software must control the minimum length of 8 characters to the user's password and accept upper and lower case characters. | FDA 21 CFR Part 11 11.10 ( d ) | Native to FactoryStudio. | |
| 10 | The software must require password expiration to occur according to the registered period (term in days). Ensure that the last 5 passwords are not reused and blocking access if the user does not change the password when requested. | FDA 21 CFR Part 11 11.10 ( d ) | Can be implemented via DialogOnOK script in Logon dialog. | |
| 11 | The user who promotes three unsuccessful access attempts (wrong password) should have their access blocked. The same can only be reactivated by the administrator and, recorded on the audit trail. | FDA 21 CFR Part 11 11.10 ( d ) | Can be implemented via DialogOnOK script in Logon dialog. | |
| 12 | The software must have a "timeout" function that can be triggered after a certain period in which the Logged in user is idle. | FDA 21 CFR Part 11 11.10 ( d ) | FactoryStudio has the setting for AutoLogOff after an inactivity, or session length. | |
| 13 | The software must have an "Audit trail", where all actions related to the creation, alteration and deletion of electronic records are kept. | FDA 21 CFR Part 11 11.10 ( e ) | FactoryStudio has an Audit Trail in a SQL database, it can include the commands that involve electronic records. | |
| 14 | The software should not allow the deletion of the electronic records. | FDA 21 CFR Part 11 11.10 ( e ) | Configurable in FactoryStudio Alarm and Database modules. | |
| 15 | "Audit Trail" must record date, time and user first and last followed by any changed information, referring to the action performed. | FDA 21 CFR Part 11 11.10 ( e ) | Configurable in FactoryStudio Alarm and Database modules. | |
| 16 | The software must allow information from the "Audit Trail" to be maintained over the same reporting period. | FDA 21 CFR Part 11 11.10 ( e ) | Archiving time is configurable in the project. | |
| 17 | Date and time of the "Audit Trail" should be recorded based on the Server, and cannot be generated from a location that can be altered. | FDA 21 CFR Part 11 11.10 ( e ) | Native to FactoryStudio. | |
| 18 | The "Audit trail" must contain actions of the process, that are related to the creation, change, activation or deletion of electronic records. | FDA 21 CFR Part 11 11.10 ( e ) | Configurable through the Alarm and Dataset modules in FactoryStudio. | |
| 19 | The software must monitor active and inactive user activity. | FDA 21 CFR Part 11 11.10 ( e ) | Native to FactoryStudio. | |
| 20 | The software should allow for the generation of copies of the Audit trail report, both in electronic and printed form. | FDA 21 CFR Part 11 11.10 ( e ) | FactoryStudio reporting allows for the creation of PDF and XPS files and online viewing. | |
| 21 | The software should control the execution of activities according to the process sequence. | FDA CFR 21 Part 11 11.10 ( f ) | Configurable in the Dataset module and Scripting engine inside FactoryStudio. | |
| 22 | The electronic record, and electronic signature, shall contain the following user information: Full name of the user and date / time that the record was electronically signed. | FDA 21 CFR Part 11 11.50 ( a1 ) & 11.50 ( a2 ) | Resource available through Datasets modules inside FactoryStudio. | |
| 23 | The electronic record shall contain the information of the actions carried out, such as execution, review, approval, explanation and electronic signature. | FDA 21 CFR Part 11 11.50 ( a3 ) | Resource available through Datasets modules inside FactoryStudio. | |
| 24 | User information, (full name, date & time) that is electronically signed, shall appear in both the printed and electronic format. | FDA 21 CFR Part 11 11.50 ( b ) | Resource available through Datasets modules inside FactoryStudio. | |
| 25 | The software should control unique signatures to each user. | FDA 21 CFR Part 11 11.10 ( d ) & 11.100 ( a ) | Resource available through Datasets and Security modules inside FactoryStudio. | |
| 26 | The software must maintain the history of the electronics signatures used, even after the user has logged off. | FDA 21 CFR Part 11 11.10 ( d ) & 11.200 ( a2 ) | Resource available through Datasets modules inside FactoryStudio. | |
| 27 | The software shall ensure that the electronic signature is related to electronic registration, and cannot be falsified. | FDA 21 CFR Part 11 11.10 ( d ) & 11.200 ( a2 ) | Resource available through Datasets and Security modules inside FactoryStudio. | |