CFR-11

Guidelines to easily manage CFR-11 Compliance with Semarchy xDM

CFR-11, as it is colloquially referred to, is a set of regulations on electronic records and electronic signatures. It defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. This regulation applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries.

As it applies to your company’s data management strategy, it is necessary to know that compliance falls into two distinct categories: Data Management, and Data Hosting.

Semarchy xDM enables compliance on the data management side. However, note that those seeking hosting compliance are comprehensively covered when hosting Semarchy in the cloud with AWS and other leading providers. AWS, for example, has a host of features around security, data protection, and compliance. For more details, please visit the AWS Site and read their whitepaper on the matter.

Overview and Scope

The regulations set forth the criteria under which the U.S. Food and Drug Administration (FDA) considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

Implementation

Semarchy xDM is used for records required to be maintained but not submitted to the FDA. Data governed in Semarchy xDM is used in documents submitted to the FDA, but it does not directly generate any documents identified in public docket No. 92S-0251.

Electronic Records

Controls for closed systems.

Semarchy xDM is intended for use as a closed system in which the MDM software is controlled by the Semarchy customer who is responsible for the content of electronic records that are on the system.

Requirement Explanation
Requirement: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Explanation: Semarchy xDM ensures accuracy, reliability, and consistent performance through the use of industry-standard relational database technology.

The Installation Qualification (IQ) should be certified by the relevant parties responsible for Computer Systems Validation, who own that document. The Semarchy Customer Success Staff is always available, both at the time of implementation and anytime thereafter (with agreed-upon support hours), to ensure that the software is operating correctly, whether on premises or in a cloud-hosted environment.

Operational Qualification (OQ) and Performance Qualification (PQ) can be measured via metrics in xDM. These would explain, for example, the completeness of data across the system for a given field or set of attributes.

Workflows can be utilized for alerts, hard errors, and remediation of these attributes by the party responsible for these efforts.

Requirement: (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
Explanation: Accurate and complete copies of records are available in the tool’s browser-based user interface, through programmatic web services APIs, and through direct database access.

Requirement: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Explanation: Records are fully protected and readily available by the use of standard database backup technologies and corresponding backup policies throughout the required retention period.

Ready retrieval – xDM users can readily access data, via free text search or standard data exploration, for the purposes of review/update. 

Retention period — xDM can purge any data in the system according to retention periods defined by an authorized administrator. Removal of data can be done on an ad hoc basis when required, or processes can be designed to purge data after retention periods have expired.

Logging and traceability are available for any field in the system. 

Requirement: (d) Limiting system access to authorized individuals.
Explanation: System access is limited to authorized individuals both at the application level and at the database access level. Authorization is typically delegated to a standard authorization technology (for example, Active Directory, LDAP, OKTA, OpenID Connect, or similar provider).

Requirement: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Explanation: Secure, computer-generated, time-stamped audit trails are automatically applied to all data authored in Semarchy xDM.

Requirement: (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
Explanation: Customer-defined workflows are created in Semarchy xDM, and these enforce the allowed sequencing of tasks.

Requirement: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Explanation: User roles are defined and managed in Semarchy xDM to provide authority checks to ensure that only authorized individuals can use the system. The Semarchy customer has control over the precise operations allowed for each role.

Requirement: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Explanation: Validity of source data is checked with server-side validation rules managed by the Semarchy customer. Being a browser-based application, Semarchy xDM has no need to perform additional device-based checks of the data.

xDM is tested and quality-assured against the following internet browsers:

Internet Explorer 11 and later
Google Chrome 58 and later
Firefox 40 and later
Safari 10 and later (macOS)
Microsoft Edge 38 and later

Supported browsers are published and updated regularly in online documentation at https://www.semarchy.com/doc/semarchy-xdm/semng.html

Note that we test regularly on new browser releases.

Requirement: (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Explanation: The determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks is the responsibility of the Semarchy customer rather than the Semarchy software.

Standard Developer and Data Steward training is available via the Semarchy Customer Success Team. “Train the Trainer” services are available (for a fee) and can be conducted online or in-person, based on request and prior arrangement with the Customer Success Team.

Requirement: (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Explanation: Semarchy xDM provides the means to document and manage policies. Holding individuals accountable and responsible for actions is the domain of the Semarchy customer.

Requirement: (k) Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Explanation: Semarchy xDM generates comprehensive documentation for the integration points of the system as well as the details of the data model and implemented workflows. Access to the documentation and complementary user manual documentation is owned by the Semarchy customer. Generated documentation as well as an XML version of the deployed model may be preserved in a source control system for complete metadata audit trail.

Controls for open systems

Not applicable to Semarchy xDM.

Signature manifestations

The Semarchy xDM customer controls all details of the implemented data model. Therefore the customer can guarantee that name, date, meaning, and any additional required information may be mandatory information for any record as appropriate.

Signature/record linking

Not directly applicable to Semarchy xDM.

Semarchy xDM ensures the linkage between authorized users and data which these users have reviewed and approved. This allows the customer to easily find all supporting data related to submitted documents. The link between a signature and a submitted document is maintained outside of Semarchy xDM.

Electronic Signatures

General requirements

Semarchy xDM does not generate documents submitted directly to the FDA. Therefore it does not manage signatures directly. It is important, however, that Semarchy xDM maintain the integrity of the association between an individual and his/her electronic signature which is managed externally and the data being approved within Semarchy xDM.

Requirement Explanation
Requirement: (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
Explanation: The Semarchy xDM customer is responsible for ensuring each electronic signature is unique to one individual and linked to an authorization server. Semarchy xDM ensures that the electronic signature cannot be reused by other individuals by delegating authorization duties to this authentication server and preventing unauthorized access to the system.

Requirement: (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
Explanation: The Semarchy xDM customer is responsible for verifying the identity of the individuals who use the system.

Requirement: (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
Explanation: Certifying to the FDA that the electronic signatures in their system are intended to be legally binding is the responsibility of the Semarchy xDM customer.

Appendix

Database support

Semarchy xDM makes use of a relational database to hold both data and metadata. Semarchy customers may choose to use either Oracle or PostgreSQL.

Oracle DB Capabilities for CFR-11

Oracle provides many applications which are compatible with CFR-11. This Oracle Security presentation includes additional technical details about how Oracle technologies including the RDBMS can support CFR-11 solutions.

PostgreSQL database Capabilities for CFR-11

Many CFR-11 compliant solutions use PostgreSQL as a data source. Tracking business-level changes to data is the responsibility of the Semarchy xDM software, and this is supported by PostgreSQL’s ability to track all technical-level changes to data.

Disclaimer:

The information contained in this document is for general information purposes only. The information is provided by Semarchy and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information contained on this document for any purpose. Any reliance you place on such information is therefore strictly at your own risk.