
Guide Specification

EcoStruxure™ Building Operation


Insert for 21 CFR Part 11

Boston ONE Campus


800 Federal Street
Andover, MA 01810
Phone: (978) 794 0806
www.schneider-electric.com

© 2020 Schneider Electric. All rights reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies.
Guide Specification insert for 21 CFR Part 11
Subpart B – Electronic Records 11.10 Controls for Closed Systems
1. Validation of systems to ensure accuracy, reliability, consistent intended performance, and the
ability to discern invalid or altered records.
a. Detection of Altered Records - If records can be altered by tools outside the Computer
System, it shall detect and trace all the actions performed on records. All records must
be included in the audit trail. It shall not be possible to alter any record in the audit trail.
b. Detection of Invalid Records - The Computer System shall detect invalid records.
c. The Computer System must generate accurate and complete records including
metadata.
2. The ability to generate accurate and complete copies of records in both human readable and
electronic form suitable for inspection, review, and copying by the agency. Persons should
contact the agency if there are any questions regarding the ability of the agency to perform such
review and copying of the electronic records.
a. The Computer System must either support the viewing of e-records or the generation of
valid paper copies. The Computer System shall provide viewing & printing capabilities
for all relevant e-records. Audit and historical data shall be viewable from within the
operating system of the Environmental Monitoring System/Building Management
System with no need for additional viewers.
b. The Computer System shall allow for the export of e-records to portable file formats,
either manually or automatically. On demand or via schedule, audit and historical data
shall be formatted into pdf reports that are protected by digital certificates. It shall be
possible to verify the digitally signed reports using standard technologies such as Adobe
Acrobat Reader.
c. The system shall enable review of, and be able to produce reports on, historical data for
any given time period throughout the full retention period.
d. The system shall be able to produce Mean Kinetic Value/Temperature reports for any
given time period throughout the full retention period.
3. Protection of records to enable their accurate and ready retrieval throughout the records
retention period.
a. If the retention strategy does not include keeping the e-records in the originating
system, the Computer System shall have implemented a mechanism to archive
e-records in a standard file format.
b. If automated archiving is put into practice, transaction safeguards shall prevent the
e-records in the source system from deletion until there is confirmation that they have
been successfully archived.
4. Limiting system access to authorized individuals.
a. Ensure that the Computer System has a security mechanism that uses at least two
distinct identification components (e.g. User ID/ password, PKI mechanisms) or
biometrics. All users of the system shall only gain access via a unique user name and
encrypted password.
b. The Computer System must allow for the use of individual accounts; shared accounts for
access levels other than read-only are not acceptable.
c. If technically possible, passwords must be stored in the Computer System in encrypted
form. In cases where encryption of passwords is not possible, the file(s) containing
passwords and user IDs must be secured by technical means and their access strictly
controlled (no read option for any user, SOP/strict instruction for administrators about
password file handling, password file not accessible for users).
d. When password entry fields are shown on the screen, password entries must be
obscured (e.g. "*********").
e. The Computer System shall allow for quality passwords (configurable number of
alphanumeric and special characters) and enforce their use. Password policy shall be
established to allow for password aging, quantity of characters, types of characters,
required cases and frequency of reuse.
f. The Computer System shall include a log off mechanism after a pre-defined period of
user inactivity, or a mechanism where user ID entry is required after inactivity period.
g. Password shall be known only by the user. The Computer System shall force users to
change their password after the first login. Changes to passwords or to other properties
of users (except for one’s own password) shall require the approval and signature of
two people with both user names and comments recorded permanently in the audit
trail.
5. Use of secure, computer-generated, time-stamped audit trails to independently record the date
and time of operator entries and actions that create, modify, or delete electronic records.
Record changes shall not obscure previously recorded information. Such audit trail
documentation shall be retained for a period at least as long as that required for the subject
electronic records and shall be available for agency review and copying.
a. The Computer System must provide secure, computer-generated, time-stamped audit trails
for e-records any time operator entries or actions create, modify or delete electronic
records.
b. Computer-generated audit trails shall contain information about:
- the person/equipment performing the activity (WHO)
- the date and time of its execution (WHEN)
- what was changed/done (WHAT)
c. The audit trail changes recorded shall not obscure or destroy the original recorded
information.
d. Audit trails cannot be turned off.
e. Audit trails must be available for review and copying during the entire retention
period.
f. Audit trails must be part of any backup.
g. Computer generated audit trails shall at least record the hour and minute and must be
as precise as required by the business process (e.g. to verify correct sequencing of
events).
h. The server time shall be used for the generation of time stamps.
i. Time & date settings shall be subject to rigorous control to ensure the accuracy of time
stamps. The Computer System shall provide the ability to restrict access to time settings.
Users shall not be able to change time & date settings.
j. The time clock can be synchronized to a central system.
k. A Computer System spanning multiple time zones shall be able to display & print the time
zone used with the time stamp.
l. Audit trails can be reviewed.
6. Use of authority checks to ensure that only authorized individuals can use the system,
electronically sign a record, access the operation or computer system input or output device,
alter a record, or perform the operation at hand.
a. The Computer System shall apply authority checks to ensure that only authorized
individuals can:
- make use of system functions & features
- electronically sign a record
- create, modify, inactivate/ logically delete, delete records
- access input and/or output devices
- perform operations at hand
b. Authority checks shall be implemented by role-based access.
c. Records which are automatically captured by the Computer System (e.g. process data)
must not be modified. The Computer System shall provide mechanisms that prevent
users, except System Administrators, from having access other than “read” to such
records. If the Computer System lacks such controls, computer-generated audit trails
must be implemented.
d. When it is critical to the proper conduct of the process that specific hardware items /
devices / equipment (e.g. shop floor terminals, barcode readers) create, submit or
modify records, there shall be reporting & alarm features (prompts, flags, or other help
features) in place to ensure consistency of records and to alert the user of records being
out of acceptable range.

Subpart B – Electronic Records 11.50 Signature Manifestations


1. Signed electronic records shall contain information associated with the signing that clearly
indicates all of the following:
• The printed name of the signer
• The date and time when the signature was executed
• The meaning (such as review, approval, responsibility, or authorship) associated with the
signature
a. The Computer System must record
- the unique identifier of the person executing the signature
- the date & time of the signature
- the meaning of a signature (e.g. approval, review, responsibility,
authorship) for/ to each signature event. Ideally, e-signatures shall be
applied directly to records. Alternatively, separate e-signature records are
allowable if they are unambiguously linked with the record to which they
apply.
b. Ensure that all users are uniquely identifiable in the Computer System. Where the
User ID is not the user’s full name, ensure it is traceable to the user’s full name. This
does not impact the requirement that signed records used for GxP purposes must
display the full name (at least name & surname) of the signer.
c. The Computer System shall allow for pre-programming of signature meanings (e.g.
via configurable picklists) if this makes good business sense, e.g. in case of
predictable and/or recurrent signature meanings (e.g. approval/rejection of
documents). Where pre-programming of meanings for signatures appears not to be
useful, implement free-text comments associated with the signature.
• Only specifically designated users will be given the right to sign records.
• Users’ rights to sign records can be controlled by schedule.
• User’s rights to sign records can be controlled by location, i.e., IP address.
• The Computer System shall be capable of working either with single signature approval, or
dual signature approval. When two signatures are required, the audit trail must include a
separate time entry for each signature and a separate area for each signer to record that
signer’s individual comments/justification. Each is a separate event in the event log, and
the action requested shall not take place until both signatures have been completed in their
entirety.
• The system shall provide means for differentiated user level permissions based on location
and/or time-of-day.
2. The items identified in this section shall be subject to the same controls as for electronic records
and shall be included as part of any human readable form of the electronic record (such as
electronic display or printout).
a. Whenever a signed record is required to be used for GxP purposes, ensure that the full
name (at least forename & surname) of the signer, date and time of the application of
the signature and meaning of the signature are displayed and printed.
b. Electronic signatures and handwritten signatures executed to electronic records shall be
linked to their respective electronic records to ensure that the signatures cannot be
excised, copied, or otherwise transferred to falsify an electronic record by ordinary
means.

Subpart B – Electronic Records 11.70 Signature/Record Linking


1. Electronic signatures and handwritten signatures executed to electronic records shall be linked
to their respective electronic records to ensure that the signatures cannot be excised, copied, or
otherwise transferred to falsify an electronic record by ordinary means.
a. The system must be designed such that e-signature information including links are saved
as read-only data and cannot be excised, copied or transferred to falsify e-records. It is
recommended to purchase Computer Systems, which have implemented or have plans
to implement technical link mechanisms such as hash functions.
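
One way such a technical link could work, as an added illustration that is not part of the guide specification or of any Schneider Electric product: the signature entry stores a SHA-256 digest of the record it was applied to and is itself sealed with a keyed hash, so a signature copied onto another record, or a record edited after signing, fails verification. The function names, field names, server key and sample records are assumptions constructed for the example, and the keyed hash (HMAC) is a choice made here; the specification only says "hash functions".

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: server-held secret, not readable by users


def _canonical(obj):
    # Stable byte encoding so identical content always produces the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, signer_id, full_name, meaning, signed_at):
    """Build a signature entry bound to this exact record content."""
    manifest = {
        "record_id": record["id"],
        "record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "signer_id": signer_id,      # unique identifier of the signer
        "full_name": full_name,      # printed name shown on the record
        "meaning": meaning,          # e.g. approval, review
        "signed_at": signed_at,      # server time of the signature
    }
    seal = hmac.new(SERVER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "seal": seal}


def verify_link(record, signature):
    """Return 'ok', or the reason the signature does not belong to the record."""
    manifest = signature["manifest"]
    expected = hmac.new(SERVER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature["seal"]):
        return "signature entry modified"
    if manifest["record_id"] != record["id"]:
        return "signature belongs to another record"
    if manifest["record_sha256"] != hashlib.sha256(_canonical(record)).hexdigest():
        return "record altered after signing"
    return "ok"


# Constructed sample records, not taken from any real system.
rec_a = {"id": "REC-001", "point": "Freezer-7 temp", "value": -20.4}
rec_b = {"id": "REC-002", "point": "Freezer-7 temp", "value": -3.1}
sig_a = sign_record(rec_a, "jdoe", "Jane Doe", "approval", "2020-05-04T10:15:00Z")
```
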

Subpart C – Electronic Signature 11.100 General Requirements


1. Each electronic signature shall be unique to one individual and shall not be reused by, or
reassigned to, anyone else.
a. The Computer System must not accept duplicate user accounts. The System shall
maintain the uniqueness of each combined identification code and password, such that
electronic signature shall be unique to one individual and shall not be reused or
reassigned to anyone else.
b. The Computer System must not allow the removal of any retired accounts. If an account
becomes inactive due to a person’s change in employment status, that account must
continue to be associated with all previous activities.

Subpart C – Electronic Signature 11.200 Electronic Signature Components and Controls


1. Electronic signatures that are not based upon biometrics shall:
o Employ at least two distinct identification components such as an identification
code and password.
▪ When an individual executes a series of signings during a single, continuous
period of controlled system access, the first signing shall be executed using
all electronic signature components; subsequent signings shall be executed
using at least one electronic signature component that is only executable
by, and designed to be used only by, the individual.
▪ When an individual executes one or more signings not performed during a
single, continuous period of controlled system access, each signing shall be
executed using all of the electronic signature components.
o Be used only by their genuine owners
o Be administered and executed to ensure that attempted use of an individual's
electronic signature by anyone other than its genuine owner requires collaboration
of two or more individuals.
a. Computer Systems must be designed to require two components for the execution of
the first e-signature within a session (e.g. User ID & password).
b. The Computer System shall be designed to require the private component for the
execution of subsequent signings within a session.
c. To facilitate work, it is allowed that the Computer System pre-populates automatically
the user identification information (also for the first signature).

Subpart C – Electronic Signature 11.300 Controls for Identification Codes/Passwords


1. Ensuring that identification code and password issuances are periodically checked, recalled, or
revised (e.g., to cover such events as password aging).
a. The Computer System shall support password-aging processes (prompts for password
renewal after xx calendar days).
b. The Computer System shall allow for configuration of the password aging parameter.
c. The setting of the password aging parameter shall be limited to duly authorized
personnel only.
d. The System shall ensure that an identification code and password are periodically
checked, recalled or revised.
e. Check that the system can lock a user account after a specified number of failed access
attempts.
2. Use of transaction safeguards to prevent unauthorized use of passwords and/or identification
codes, and to detect and report in an immediate and urgent manner any attempts at their
unauthorized use to the system security unit, and, as appropriate, to organizational
management.
a. The Computer System shall be able to log unauthorized access attempts.
b. The Computer System shall be able to detect potential unauthorized access attempts
and notify the system administrator in an immediate and urgent manner.
