Title 21 CFR Part 11 (FDA Regulated) Compliance

 

FDA food and drug administration

 

Integrify works with a variety of FDA-regulated companies and organizations and we've worked hard to ensure our product meets the FDA's requirements for electronic records and electronic signatures. The table below shows both the Title 21 CFR Part 11 requirements and Integrify's compliance with them.

Section CFR Requirement Integrify Compliance
11.10 (b) The system shall generate accurate and complete copies of records in human-readable and electronic form suitable for inspection, review, and copying Integrify's system provides reporting that can be displayed on the screen as well as downloadable as a PDF or CSV file.
11.10 (d) The system shall limit system access to authorized individuals. A username and password are required to access Integrify. Roles and access permissions are used to limit user access to data and features. We also offer encrypted passwords; enforced strong password selection, and; automated password expiration.
11.10 (e) The system shall employ secure, computer-generated date/time-stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information. Integrify captures all activity related to a process including time/date, username, tasks performed, and related documents. You can view this information onscreen or export this data to CSV if needed.
11.10 (f) The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised). Processes built-in Integrify follow the exact sequence set by the process creator and can not deviate from the path set. Steps/tasks must be completed by the proper individual in the proper order.
11.10 (g) The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand. Secure logins control access to the system and permissions control access to all functions of any process. Only individuals with appropriate access and permission can complete a task or access information. These controls are managed by the system administrator.
11.10 (h) (1) The system shall determine, as appropriate, the validity of the source of data input or operational instruction. Integrify will only communicate over HTTPS, which prevents a third party from modifying data being transmitted.
11.50 (a) (1), (2), (3) The system shall ensure all signed electronic records contain the printed name of the signer, the date/time the signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship). Integrify's e-signature includes the action performed/task completed, the name of the user, and the date/time stamp.
11.50 (b) The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human-readable form of the electronic record (e.g. electronic display or printout). Integrify's e-signature includes the action performed/task completed, the name of the user, and the date/time stamp and is available as part of the process record.
11.70 (a) The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Electronic signatures are linked to process records and actions performed. These records can not be altered or tampered with, even by those with administrative access.
11.100 (a) The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else. The uniqueness of username and password is enforced by the system. Inactive accounts and their records are never removed from the system.
11.200 (a) (1) The system shall employ at least two distinct identification components such as an identification code and a password. Integrify uses username and password protection.
11.200 (a) (1) (i) The system requires the use of all electronic signature components for the first signing during a single continuous period of controlled system access. All users are required to enter their credentials prior to taking any action in the system including signing/approving as part of an initiated process.
11.200 (a) (1) (i) The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component. A user in the system must stay signed in with their credentials or re-sign in if they've been logged out for any reason. Log out timing settings are controlled by the system administrator.
11.200 (a) (1) (i) The system shall ensure users are timed out during periods of specified inactivity. A user in the system must stay signed in with their credentials or re-sign in if they've been logged out for any reason. Log out settings are controlled by the system administrator.
11.200 (a) (1) (ii) The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access. A user in the system must stay signed in with their credentials or re-sign in if they've been logged out for any reason. Log out settings are controlled by the system administrator.
11.200 (a) (3) The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner to require the collaboration of two or more individuals. Sharing of sign-in credentials is not permitted and is enforced by system administrators.
11.300 (a) The system shall require that each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password. The system will not allow duplicate usernames.
11.300 (b) The system shall require that passwords be periodically revised. Integrify offers system administrators to set an expiration of password-based on Title 21 CFR requirements.
11.300 (d) The system shall employ transaction safeguards preventing the unauthorized use of a password and/or identification codes. Unauthorized use of credentials is logged with the attempted username, timestamp and IP Address. Accounts can be suspended based on suspicious activity.
11.300 (d) The system shall detect and report unauthorized use of a password and/or identification codes to specified units. Unauthorized use of credentials is logged with the attempted username, timestamp and IP Address.