Guidelines to easily manage CFR-11 Compliance with Semarchy xDM
CFR-11, as it is colloquially referred to, is a set of regulations on electronic records and electronic signatures defining the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. This regulation applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries.
As it applies to your company’s data management strategy, it is necessary to know that compliance falls into two distinct categories: Data Management, and Data Hosting.
Semarchy xDM enables compliance on the data management side. However, note that those seeking hosting compliance are comprehensively covered when hosting Semarchy in the cloud with AWS and other leading providers. AWS, for example, has a host of features around security, data protection, and compliance. For more details, please visit the AWS Site and read their whitepaper on the matter.
Overview and Scope
The regulations set forth the criteria under which the U.S. Food and Drug Administration (FDA) considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
Semarchy xDM is used for records required to be maintained but not submitted to the FDA. Data governed in Semarchy xDM is used in documents submitted to the FDA, but it does not directly generate any documents identified in public docket No. 92S-0251.
Controls for closed systems.
Semarchy xDM is intended for use as a closed system in which the MDM software is controlled by the Semarchy customer who is responsible for the content of electronic records that are on the system.
|(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.||Semarchy xDM ensures accuracy, reliability, and consistent performance through the use of industry-standard relational database technology.
The Installation Qualification (IQ) should be certified by relevant parties responsible for Computer Systems Validation, who own that document. The Semarchy Customer Success Staff is always available, both at the time of implementation and anytime thereafter (with agreed-upon support hours), to ensure that the software is operating correctly, whether on premises or in a cloud-hosted environment.
Operational Qualification (OQ) and Performance Qualification (PQ) can be measured via metrics in xDM. These would explain, for example, the completeness of data across the system for a given field or set of attributes.
Workflows can be utilized for alerts, hard errors, and remediation of these attributes by the party responsible for these efforts.|
|(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.||Accurate and complete copies of records are available in the tool’s browser-based user interface, through programmatic web services APIs, and through direct database access.|
|(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.||Records are fully protected and readily available by the use of standard database backup technologies and corresponding backup policies throughout the required retention period.
Ready retrieval – xDM users can readily access data, via free text search or standard data exploration, for the purposes of review/update.
Retention period — xDM can purge any data in the system according to retention periods defined by an authorized administrator. Removal of data can be done on an ad hoc basis when required, or processes can be designed to purge data after retention periods have expired.
Logging and traceability are available for any field in the system.|
|(d) Limiting system access to authorized individuals.||System access is limited to authorized individuals both at the application level and at the database access level. Authorization is typically delegated to a standard authorization technology (for example, Active Directory, LDAP, OKTA, OpenID Connect, or similar provider).|
|(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.||Secure, computer-generated, time-stamped audit trails are automatically applied to all data authored in Semarchy xDM.|
|(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.||Customer-defined workflows are created in Semarchy xDM, and these enforce the allowed sequencing of tasks.|
|(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.||User roles are defined and managed in Semarchy xDM to provide authority checks to ensure that only authorized individuals can use the system. The Semarchy customer has control over the precise operations allowed for each role.|
|(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.||Validity of source data is checked with server-side validation rules managed by the Semarchy customer. Being a browser-based application, Semarchy xDM has no need to perform additional device-based checks of the data.
xDM is tested and quality-assured against the following internet browsers:
Internet Explorer 11 and later
Note that we test regularly on new browser releases.|
|(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.||The determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks is the responsibility of the Semarchy customer rather than the Semarchy software.
Standard Developer and Data Steward training is available via the Semarchy Customer Success Team. “Train the Trainer” services are available (for a fee) and can be conducted online or in person, based on request and prior arrangement with the Customer Success Team.|
|(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.||Semarchy xDM provides the means to document and manage policies. Holding individuals accountable and responsible for actions is the domain of the Semarchy customer.|
|(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
|Semarchy xDM generates comprehensive documentation for the integration points of the system as well as the details of the data model and implemented workflows. Access to the documentation and complementary user manual documentation is owned by the Semarchy customer. Generated documentation, as well as an XML version of the deployed model, may be preserved in a source control system for a complete metadata audit trail.|
Controls for open systems
Not applicable to Semarchy xDM.
The Semarchy xDM customer controls all details of the implemented data model. Therefore the customer can guarantee that name, date, meaning, and any additional required information may be mandatory information for any record as appropriate.
Not directly applicable to Semarchy xDM.
Semarchy xDM ensures the linkage between authorized users and data which these users have reviewed and approved. This allows the customer to easily find all supporting data related to submitted documents. The link between a signature and a submitted document is maintained outside of Semarchy xDM.
Semarchy xDM does not generate documents submitted directly to the FDA. Therefore it does not manage signatures directly. It is important, however, that Semarchy xDM maintain the integrity of the association between an individual and his/her electronic signature which is managed externally and the data being approved within Semarchy xDM.
|(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.||The Semarchy xDM customer is responsible for ensuring each electronic signature is unique to one individual and linked to an authorization server. Semarchy xDM ensures that the electronic signature cannot be reused by other individuals by delegating authorization duties to this authentication server and preventing unauthorized access to the system.|
|(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.||The Semarchy xDM customer is responsible for verifying the identity of the individuals who use the system.|
|(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.||Certifying to the FDA that the electronic signatures in their system are intended to be legally binding is the responsibility of the Semarchy xDM customer.|
Semarchy xDM makes use of a relational database to hold both data and metadata. Semarchy customers may choose to use either Oracle or PostgreSQL.
Oracle DB Capabilities for CFR-11
Oracle provides many applications which are compatible with CFR-11. This Oracle Security presentation includes additional technical details about how Oracle technologies including the RDBMS can support CFR-11 solutions.
PostgreSQL database Capabilities for CFR-11
Many CFR-11 compliant solutions use PostgreSQL as a data source. Tracking business-level changes to data is the responsibility of the Semarchy xDM software, and this is supported by PostgreSQL’s ability to track all technical-level changes to data.
The information contained in this document is for general information purposes only. The information is provided by Semarchy and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information contained on this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.