Totara FDA CFR Part 11 Compliance (Electronic signatures)

Title 21 CFR Part 11 of the Code of Federal Regulations sets forth the FDA requirements for the FDA to consider electronic records and electronic signatures trustworthy, reliable, and legal equivalents to paper records and handwritten signatures. For more information see: http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm

This is an increasingly requested requirement from customers and prospects in the pharmaceutical sector who are required to adhere to this. An organisation using Totara TXP can be FDA CFR Part 11 Compliant, but it must be stressed that compliance is dependent on both the technical controls implemented by the platform, and organisation controls such as policy and procedure that must be met by the organisation itself.

You can read more about how Totara can help with compliance management on our website.

Below we outline Totara TXP's position on CFR Part 11 compliance, for the specific sections where the platform itself is responsible for meeting the requirement.

Section

Requirement

Totara feature

Section

Requirement

Totara feature

1.10 (b)

The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying

Totara provides extensive reporting capabilities to view, filter and export data in a variety of formats. In particular each user has a Record of Learning, which provides a full transcript of learning in web-accessible and downloadable formats.

11.10 (d)

The system shall limit system access to authorized individuals.

User authentication is controlled by username and password, or optionally via a number of authentication plugins supporting authentication schemes such as LDAP.

Access to individual actions is controlled via a system of roles and assignments, including hierarchical contexts allowing for management by exception to a subsection of the hierarchy.

11.10 (e)

The system shall employ secure, computer-generated date/time stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information.

The system includes an integrated logging system which records specified system events to a database table or external log store.

The logging system records additional system metadata such as date and time, user performing the action, and their IP address.

11.10 (f)

The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised).

It is possible to restrict access to learning activities, courses or programs based upon the completion state of other items. This prevents visibility of or access to the learning until the conditions are met. Enrolment plugins can be used to limit access to course enrolment until users are eligible.

11.10 (g)

The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand.

User authentication is controlled by username and password, or optionally via a number of authentication plugins supporting authentication schemes such as LDAP.

Access to individual actions is controlled via a system of roles and assignments, including hierarchical contexts allowing for management by exception to a subsection of the hierarchy.

11.10 (h) (1)

The system shall determine, as appropriate, the validity of the source of data input or operational instruction.

Access control checks ensure that the user performing an action is authorised to do so. Form validation is used to ensure only valid data is accepted.

11.50 (a) (1), (2), (3)

The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship).

Totara records the user's unique ID and date/time of an approval event. The meaning associated with the signature is captured as an 'action' in the system log and as a 'role' in the record storing the action.

11.50 (b)

The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human readable form of the electronic record (e.g. electronic display or printout).

Totara's event log records all three signature items for every action across the site.

11.70 (a)

The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

The Totara system log is an append-only log with no functionality to edit or update records via the interface. Therefore once an event has been recorded it cannot be deleted or modified.

11.100 (a)

 The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else.

The user IDs associated with system users are generated during user creation and cannot be adjusted subsequently. Once a specific user ID is recorded it will reference that user for ever and will not be reassigned or reused.

11.200 (a) (1)

The system shall employ at least two distinct identification components such as an identification code and a password.

Totara's default authentication method uses username and password for login.

11.200 (a) (1) (i)

The system require the use of all electronic signature components for the first signing during a single continuous period of controlled system access

In Totara, the first signing refers to the user logging in to the system. At this stage the user must enter their username and password to be authenticated as a valid system user. Subsequently all actions performed are linked with the identify they logged in as.

11.200 (a) (1) (i)

The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component.

Current behaviour is to give continuous access to the system until the user logs out or their session times out. If a specific action requires the re-entry of a password it would be possible to implement that.

11.200 (a) (1) (i)

The system shall ensure users are timed out during periods of specified inactivity

Totara has a configurable session time-out setting. If the user doesn't undertake any activity for that length of time the user is automatically logged off the system. In addition we provide a log of active sessions with the ability to remotely terminate sessions that are no longer required.

11.200 (a) (1) (ii)

The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access.

If the user is not logged in (a single continuous period of controlled system access) then their privileges are extremely limited. In order to sign in again they will need both their username and password before they are able to perform any signature action.

11.200 (a) (3)

The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner to require collaboration of two or more individuals.

A user should not share their username and password with other system users. The organisation should have procedures in place to enforce this.

11.300 (a)

The system shall require that each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password.

Username is unique for every account.

11.300 (b)

The system shall require that passwords be periodically revised.

Totara supports setting a password expiry period with an optional notification to the user a specified time before the password is set to expire.

11.300 (d)

The system shall employ transaction safeguards preventing the unauthorized use of password and/or identification codes.

Totara includes configurable protection against brute-force password attacks, which will lock accounts following too many failed login attempts during a specified time period.

11.300 (d)

The system shall detect and report unauthorized use of password and/or identification codes to specified units.

Totara logs and reports on failed login attempts, optionally sending an email to administrators. Date and time, IP address and username of failed logs are all recorded in the system logs and reported to administrators. The number of failed attempts that triggers action is configurable.