Enterprise Server Compliance Pack

EcoStruxure™ Building Operation – Compliance Matrix to 21 CFR Part 11

21CFR11 Reference | Subpart | Requirement Text | Requirement Description | Comment

§ 11.10 (a) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Requirement Description: Detection of Altered Records. If records can be altered by tools outside the System, the System shall detect and trace all of the actions performed on records.
Comment: All records have audit trail for all changes.

Requirement Description: Detection of Invalid Records. The System shall detect invalid records.
Comment: Invalid data not accepted in fields. All records have audit trail for all changes.

§ 11.10 (b) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

Requirement Description: The system must generate accurate and complete records including metadata.
Comment: Event logs displayed on the screen are with all necessary units and metadata.

Requirement Description: The Computer System must either support the viewing of e-records or the generation of valid paper copies. The Computer System should provide viewing & printing capabilities for all relevant e-records. (In certain cases, controlled database queries or accurately performed screen dumps may satisfy this requirement.)
Comment: All e-records can be viewed either from EBO or from external tools into the PostgreSQL. Paper copies can be generated.

Requirement Description: The Computer System should allow for the export of e-records to portable file formats, preferably automatically.
Comment: All reports can be generated in pdf format with signed digital certificate to ensure data integrity.

§ 11.10 (c) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Requirement Description: If the retention strategy does not include keeping the e-records in the originating system, the Computer System should have implemented a mechanism to archive e-records in a standard file format.
Comment: Clients can perform own archive strategy based on scalable database.

Confidential Property of Schneider Electric | Page 1



§ 11.10 (c) | Subpart B – ER 11.10 Controls for Closed Systems

Requirement Description: If automated archiving is put into practice, transaction safeguards should prevent the e-records in the source system from deletion until confirmation that they have been successfully archived.
Comment: Deletion can occur after archiving not part of it.

§ 11.10 (d) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Limiting system access to authorized individuals.

Requirement Description: Ensure that the Computer System has a security mechanism that uses at least two distinct identification components (e.g. User ID/ password, PKI mechanisms) or biometrics.
Comment: User ID and password required for system access.

Requirement Description: The Computer System must allow for the use of individual accounts, shared accounts for access levels other than read are not acceptable.
Comment: User ID and password required for system access.

Requirement Description: If technically possible passwords must be stored in the Computer System in encrypted form. In case where encryption of passwords is not possible, the file(s) containing passwords and user-IDs must be secured by technical means and their access strictly controlled (no read option for any user, SOP/strict instruction for administrators about password file handling, password file not accessible for users).
Comment: System Administrator cannot view passwords.

Requirement Description: When password entry fields are shown on the screen, password entries must be obscured (e.g. "*********").
Comment: Password entries are obscured.

Requirement Description: The system should allow for quality passwords (configurable number of alphanumeric characters, special characters) and enforce their use.
Comment: Passwords are configurable.


§ 11.10 (d) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Limiting system access to authorized individuals.

Requirement Description: The System shall include a log off mechanism after a pre-defined period of user inactivity, or a mechanism where user ID entry is required after inactivity period.
Comment: System has configurable lock out mechanism.

Requirement Description: Password shall be known only by the user. System shall force user to change his password after the first login
Comment: User forced to change password on 1st login.

§ 11.10 (e) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Requirement Description: Computer System must provide secure, computer-generated time stamped audit trails for e-records any time operator entries or actions create, modify or delete electronic records
Comment: The system has full audit trails.

Requirement Description: Computer generated audit trails should contain information about:
- person/ equipment performing the activity (WHO)
- date and time of its execution (WHEN)
- (WHAT) was changed/ done
Comment: The system has full audit trails.

Requirement Description: The audit trail changes recorded shall not obscure or destroy the original recorded information.
Comment: The system has full audit trails.

Requirement Description: Audit trails cannot be turned off.
Comment: Audit trails are automatic.

Requirement Description: Audit trails must be available for review and be copied during the entire retention period
Comment: The audit trail is available for review and copying


§ 11.10 (e) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Requirement Description: Audit trails must be part of any back up
Comment: The audit trails are backed up.

Requirement Description: Computer generated audit trails should at least record the hour and minute and must be as precise as required by the business process (e.g. to verify correct sequencing of events).
Comment: Audit trails recorded to at least the minute

Requirement Description: The server time should be used for the generation of time stamps.
Comment: Server time is used for the audit trail.

Requirement Description: Time & date settings should be subject to rigorous control to ensure the accuracy of time stamps, the Computer System should provide the ability to restrict access to time settings. Users should not be able to change time & date settings.
Comment: Time settings controlled by System Administrator.

Requirement Description: Time clock can be synchronized to central system.
Comment: Time clock can be synchronized to a central time system.

Requirement Description: Computer System spanning multiple time zones should be able to display & print the time zone used with the time stamp.
Comment: Ability to print in time zone

Requirement Description: Audit trails can be reviewed.
Comment: All audit trails can be reviewed.

Requirement Description: If possible, Computer System has search tools, data filter and/ or report functions for the audit trail to support its review.
Comment: The system has effective filter functionality


§ 11.10 (f) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Requirement Description: If the adherence to certain sequences is critical to the proper conduct of the process, the Computer System should support operational system checks to enforce the execution of operations according to the predefined order.
Comment: N/A

§ 11.10 (g) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Requirement Description: The Computer System should apply authority checks to ensure that only authorized individuals can:
- make use of system functions & features
- electronically sign a record
- create, modify, inactivate/ logically delete, delete records
- access input and/or output devices
- perform operations at hand
Authority checks should be implemented by role based access.
Comment: System has security for all functions.

Requirement Description: Records which are automatically captured by a Computer System (e.g. process data) must not be modified. The Computer System should provide mechanisms that prevent users, except System Administrators, from having access other than “read” to such records. If the Computer System lacks such controls, computer-generated audit trails must be implemented.
Comment: All data generated cannot be modified.

Requirement Description: When it is critical to the proper conduct of the process that specific HW items / devices / equipment (e.g. shop floor terminals, barcode readers) create, submit or modify records, there should be reporting & alarm features (prompts, flags, or other help features) in place to ensure consistency of records and to alert the user of records being out of acceptable range.
Comment: All devices are configured to gather and send data. If not working properly that would appear to the System Administrator.


§ 11.10 (h) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Comment: Customer’s Responsibility

§ 11.10 (i) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training and experience to perform their assigned tasks.
Comment: Customer’s Responsibility

§ 11.10 (j) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Comment: Customer’s Responsibility

§ 11.10 (k) | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Use of appropriate controls over systems documentation including:
1. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Comment: Customer’s Responsibility

§ 11.30 | Subpart B – ER 11.10 Controls for Closed Systems
Requirement Text: Persons who use open systems to create, modify, maintain or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in § 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Requirement Description: The system has the ability to employ procedures and controls designed to ensure authenticity, integrity and confidentiality, when an open system is used to create, modify, maintain or transmit electronic records. Such controls could include encryption and use of digital signature standards to ensure record.
Comment: The system has the ability for encryption.
§ 11.50 (a) | Subpart B – ER 11.50 Signature Manifestations
Requirement Text: Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
- The printed name of the signer
- The date and time when the signature was executed
- The meaning (such as review, approval, responsibility, or authorship) associated with the signature

Requirement Description: The Computer System must record
- the unique identifier of the person executing the signature
- the date & time of the signature
- the meaning of a signature (e.g. approval, review, responsibility, authorship)
for/ to each signature event. Ideally, e-signatures should be applied directly to records. Alternatively, separate e-signature records are allowable if they are unambiguously linked with the record to which they apply.
Comment: When a single signature is performed the system complies with the signature manifestations compliance requirements. When a double signature is performed there are separate time stamps for each signature. There are also separate comments / reasons for each signature.

Requirement Description: Ensure that all users are uniquely identifiable in the Computer System. Where the User ID is not the user’s full name, ensure it is traceable to the user’s full name. This does not impact the requirement that signed records used for GxP purposes must display the full name (at least name & surname) of the signer.
Comment: Full name shown.

Requirement Description: The Computer System should allow for pre-programming of signature meanings (e.g. via configurable picklists), if this makes a good business sense, e.g. in case of predictable and/ or recurrent signature meanings (e.g. approval / rejection of documents). Where pre-programming of meanings for signatures appears to be not useful, implement free text comments associated with the signature
Comment: There are also separate comments / reasons for each signature.


§ 11.50 (b) | Subpart B – ER 11.50 Signature Manifestations
Requirement Text: The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

Requirement Description: Whenever a signed record is required to be used for GxP purposes, ensure that the full name (at least name & surname) of the signer, date and time of the application of the signature and meaning of the signature are displayed and printed.
Comment: Full name printed.

Requirement Description: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means
Comment: Electronic signature can’t be copied.

§ 11.70 | Subpart B – ER 11.70 Signature/record linking
Requirement Text: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Requirement Description: The system must be designed such that e-signature information including links are saved as read-only data and cannot be excised, copied or transferred to falsify e-records. It is recommended to purchase Computer System, which have implemented or have plans to implement technical link mechanisms such as hash functions
Comment: Electronic Signature can’t be copied to another record

§ 11.100 (a) | Subpart C – ES 11.100 General requirements
Requirement Text: Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

Requirement Description: The Computer System must not accept duplicate user accounts. The System shall maintain the uniqueness of each combined identification code and password, such that electronic signature shall be unique to one individual and shall not be reused or reassigned to anyone else
Comment: It is impossible to delete or change an existing user name and it is impossible for account names to get duplicated.

§ 11.100 (b) | Subpart C – ES 11.100 General requirements
Requirement Text: Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
Comment: Customer’s Responsibility

§ 11.100 (c) | Subpart C – ES 11.100 General requirements
Requirement Text: Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
1. The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857
2. Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
Comment: Customer’s Responsibility

§ 11.200 (a) | Subpart C – ES 11.200 Electronic signature components and controls
Requirement Text: Electronic signatures that are not based upon biometrics shall:
1. Employ at least two distinct identification components such as an identification code and password.
a. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
b. When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Requirement Description: Computer System must be designed to require two components for the execution of the first e-signature within a session (e.g. User ID & password).
Comment: The system is designed for two distinct identification components.

§ 11.200 (a) | Subpart C – ES 11.200 Electronic signature components and controls
Requirement Text: 2. Be used only by their genuine owners

Requirement Description: The Computer System should be designed to require the private component for the execution of subsequent signings within a session.
Comment: Second component, the password is always required for electronic signature.

§ 11.200 (a) | Subpart C – ES 11.200 Electronic signature components and controls
Requirement Text: 3. Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

Requirement Description: To facilitate work, it is allowed that the Computer System pre-populates automatically the user identification information (also for the first signature).
Comment: The system works this way.

§ 11.200 (b) | Subpart C – ES 11.200 Electronic signature components and controls
Requirement Text: Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

Requirement Description: Computer System using electronic signatures based on biometrics must provide mechanisms that prevent from bypassing the biometric controls

§ 11.300 (b) | Subpart C – ES 11.300 Controls for identification codes/passwords
Requirement Text: Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

Requirement Description: The Computer System should support password-aging processes (prompts for password renewal after xx calendar days).
Comment: System supports password ageing

Requirement Description: The Computer System should allow for configuration of the password aging parameter.
Comment: On the system is the ability to configure password ageing.

Requirement Description: The setting of the password aging parameter should be limited to duly authorized personnel only.
Comment: Password ageing parameters secured to Administrator.

Requirement Description: The System shall ensure that an identification code and password are periodically checked, recalled or revised.
Comment: The system forces passwords to be changed.

Requirement Description: Check that the system is able to lock a user account after a specified number of failed access attempts.
Comment: Can configure how many failed attempts prior to locking of the system.

§ 11.300 (c) | Subpart C – ES Controls for identification codes/passwords
Requirement Text: Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
Comment: Customer’s Responsibility

§ 11.300 (d) | Subpart C – ES Controls for identification codes/passwords
Requirement Text: Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

Requirement Description: The Computer System should be able to log unauthorized access attempts.
Comment: All unauthorized attempts are logged.

Requirement Description: The Computer System should be able to detect potential unauthorized access attempts and notify immediate and urgent manner the system administrator.
Comment: Unauthorized attempts are detected and the system notifies the System Administrator via the alarm functionality.

§ 11.300 (e) | Subpart C – ES Controls for identification codes/passwords
Requirement Text: Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Comment: Customer’s Responsibility

Data Integrity
Requirement Description: Data are captured contemporaneous with its generation. No “SAVE” decisions are permitted.
Comment: All data is captured contemporaneously.
