Priority Tools for Compliance with FDA Title 21 Code of

Federal Regulations Part 11

Introduction
FDA Title 21 CFR Part 11, which deals with electronic records and electronic
signatures, requires an audit of the ERP system used by the audited company. The
certification process audits the company itself, and how it employs the software; it
does not certify the software directly.

This document serves to outline the various tools available in Priority to enable
compliance with components of CFR Part 11 that must be addressed by the ERP
platform.

11.10 - Controls for closed systems.

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ
procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the
confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record
as not genuine. Such procedures and controls shall include the following:

Requirement Comments
(a) Validation of systems to Priority has built in tools for validating data entered by users, that the
ensure accuracy, reliability, customer can employ to assure only valid data is entered into the
consistent intended system.
performance, and the ability to
discern invalid or altered records. Priority Software's QA process has thoroughly verified that creation and
modification of data is accurately captured in the system.

Priority has multiple checks and self-tests that ensure that partial
records are not committed to the database, and that data integrity is
maintained. All data are protected to prevent unauthorized access and
alteration.

(b) The ability to generate Priority stores data in a relational database in electronic form, and can
accurate and complete copies of easily be viewed through the Priority interface.
records in both human readable
and electronic form suitable for Priority offers a number of ways to view and export record data,:
inspection, review, and copying
by the agency. Persons should  In addition to displaying data in the graphical user interface,
contact the agency if there are electronic records include programs for creating customizable
any questions regarding the printouts and reports.
ability of the agency to perform  There are several report generators that allow users to create
such review and copying of the reports based on data in relevant electronic records.
electronic records.  Data can also be exported from a record into other formats.

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 1/7

 Only authorized users can use the data export features.

(c) Protection of records to All records created in Priority are stored securely in a database.
enable their accurate and ready Priority supports automated backup of all records in the system.
retrieval throughout the records Restoring data from backup is simple, by use of a dedicated program
retention period. that restores both data and configuration settings.

(d) Limiting system access to Users can only access the system using their unique username and
authorized individuals. password. Passwords are stored and secured in the database in
encrypted form, further securing the system.

(e) Use of secure, computer- Records include a change log that tracks modifications (add, delete,
generated, time-stamped audit modify) and a log of statuses that provides an audit trail of the users
trails to independently record the who changed the status of the document (e.g. approved a transaction).
date and time of operator entries Each log contains a computer generated timestamp with the user that
and actions that create, modify, made the change.
or delete electronic records.
Record changes shall not All logs are built into the system and cannot be tampered with. These
obscure previously recorded logs are available for review at all times. The logs can be backed up in
information. Such audit trail the same way other data is backed up.
documentation shall be retained
for a period at least as long as
that required for the subject
electronic records and shall be
available for agency review and
copying.
(f) Use of operational system All documents in Priority are manageable through a graphical business
checks to enforce permitted process management (BPM) interface. The customer can define the
sequencing of steps and events, flow of the process and the users that may advance the process,
as appropriate. including conditions that must be fulfilled before progressing to the next
stage. Furthermore, for all records, the customer can define additional
warning and error messages that will appear when certain conditions
are met. The customer is responsible for maintaining the process and
ensuring that it meets all requirements.
(g) Use of authority checks to Priority requires users to login with a unique username and password.
ensure that only authorized The customer may choose to configure password complexity and
individuals can use the system, duration to ensure passwords are changed on a regular basis.
electronically sign a record, Accounts can be disabled by the administrator.
access the operation or
computer system input or output Priority's privilege management enables highly granular control over
device, alter a record, or perform what actions a user can perform. Each user can be assigned
the operation at hand. permissions on an individual basis, or they can be assigned a user
group based on skill set, that determines their permissions.

Permissions can be assigned separately for each feature in the system,

down to read/write permissions for individual fields, protecting data from
unauthorized access or modification. Users can only update/modify/
delete records based on these permissions.

(h) Use of device (e.g., terminal) Priority is a web-based software solution that can be distributed via the
checks to determine, as customer’s corporate Intranet. After it is installed, external access by
appropriate, the validity of the devices must be controlled through firewall and VPN administration.
source of data input or Access to Priority may be opened up to third parties that are part of an
operational instruction. extended secure network controlled by the customer.

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 2/7

 (i) Determination that persons Priority’s privilege management tool enforces that only users with
who develop, maintain, or use specific roles may perform certain actions. Also, business rules can be
electronic record/electronic set up to further restrict actions to specific users.
signature systems have the
education, training, and In the HR module, it is possible to maintain employee’s training and
experience to perform their certification.
assigned tasks.
Generally, it is the customer's responsibility to ensure that their
employees are qualified to perform their tasks.

(j) The establishment of, and This is a procedural requirement relevant to customers and is not
adherence to, written policies related to functionality in Priority.
that hold individuals accountable
and responsible for actions
initiated under their electronic
signatures, in order to deter
record and signature falsification.
(k) Use of appropriate controls Priority Software provides official documentation for operation and
over systems documentation maintenance of Priority, which the customer can then distribute among
including: the appropriate employees.
(1) Adequate controls over the
distribution of, access to, and Priority Software's official documentation is version controlled, and
use of documentation for system changes are recorded.
operation and maintenance.
(2) Revision and change control It is the customer's responsibility to ensure that official documentation is
procedures to maintain an audit distributed to their personnel and is accessible to authorized
trail that documents time- individuals. They are also responsible to maintain and distribute private
sequenced development and documentation for their own internal processes.
modification of systems
documentation.

11.30 – Controls for open systems.

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ
procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the
confidentiality of electronic records from the point of their creation to the point of their receipt. Such
procedures and controls shall include those identified in 1’1.10, as appropriate, and additional measures
such as document encryption and use of appropriate digital signature standards to ensure, as necessary
under the circumstances, record authenticity, integrity, and confidentiality.

Priority is a closed system. Access to Priority is permitted to authorized users only.

11.50 - Signature manifestations.

Requirement Comments
(a) Signed electronic records Each modification by a user will automatically generate a signature
shall contain information consisting of the username (which links to the full name of the user),
associated with the signing that and the date and time in which it was carried out.
clearly indicates all of the
following: These items are a part of the record and can be included in the printout
(1) The printed name of the or display of the record.
signer;
(2) The date and time when the
signature was executed; and
(3) The meaning (such as
review, approval, responsibility,

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 3/7

 or authorship) associated with
the signature.

(b) The items identified in

paragraphs (a)(1), (a)(2), and
(a)(3) of this section shall be
subject to the same controls as
for electronic records and shall
be included as part of any
human readable form of the
electronic record (such as
electronic display or printout).

11.70 - Signature/record linking.

Requirement Comments
Electronic signatures and
handwritten signatures executed The electronic signature is comprised of username and password. Each
to electronic records shall be record that is modified contains documentation of the username.
linked to their respective
electronic records to ensure that This data is computer generated and read only, therefore cannot be
the signatures cannot be changed or copied in any manner.
excised, copied, or otherwise
transferred to falsify an electronic User passwords are maintained in Priority in an encrypted format to
record by ordinary means. protect from unauthorized use.

11.100 – General Requirements.

Requirement Comments
(a) Each electronic signature Users can only access the system using their unique username and
shall be unique to one individual password. Priority enforces the uniqueness of each username in the
and shall not be reused by, or system. Even when a username is deactivated, a user account with the
reassigned to, anyone else. same username cannot be created.
(b) Before an organization This is a procedural requirement relevant to customers and is not
establishes, assigns, certifies, or related to functionality in Priority.
otherwise sanctions an
individual's electronic signature,
or any element of such electronic
signature, the organization shall
verify the identity of the
individual.
(c) Persons using electronic This is a procedural requirement relevant to customers and is not
signatures shall, prior to or at the related to functionality in Priority.
time of such use, certify to the
agency that the electronic
signatures in their system, used
on or after August 20, 1997, are
intended to be the legally binding
equivalent of traditional
handwritten signatures.
(1) The certification shall be
submitted in paper form and
signed with a traditional

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 4/7

 handwritten signature, to the
Office of Regional Operations
(HFC-100), 5600 Fishers Lane,
Rockville, MD 20857.
(2) Persons using electronic
signatures shall, upon agency
request, provide additional
certification or testimony that a
specific electronic signature is
the legally binding equivalent of
the signer's handwritten
signature.

11.200 - Electronic signature components and controls.

Requirement Comments
(a) Electronic signatures that are Users can only access the system using their unique username and
not based upon biometrics shall: password.
(1) Employ at least two distinct
identification components such
as an identification code and
password.
(i) When an individual executes a A unique username and password are both required for the first log in
series of signings during a to the system.
single, continuous period of
controlled system access, the In addition, the system can be configured to automatically log users out
first signing shall be executed of the system if they have been idle for a certain period of time
using all electronic signature (timeout). Users will be required to re-enter their credentials to log back
components; subsequent in (username and password).
signings shall be executed using
at least one electronic signature Every system function executed after the first sign in is recorded with
component that is only the individual’s username.
executable by, and designed to
be used only by, the individual. A 3rd party module is available to enforce additional password
protection prior to entering data for certain fields, after the initial login.

(ii) When an individual executes Users are required to enter both a username and password each time a
one or more signings not new session is initiated.
performed during a single,
continuous period of controlled
system access, each signing
shall be executed using all of the
electronic signature components.
(2) Be used only by their genuine This is a procedural requirement relevant to customers and is not
owners; and related to functionality in Priority.
(3) Be administered and Only the genuine owner of a username and password can use the
executed to ensure that electronic signature associated with that user.
attempted use of an individual's
electronic signature by anyone The customer can set in place procedures that ensure that if a system
other than its genuine owner administrator is going to perform actions that might infringe on the
requires collaboration of two or authenticity of the signature (by resetting an electronic signature or
more individuals. logging in as another user), such actions must be with the oversight of
another individual.

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 5/7

 (b) Electronic signatures based Priority does not support electronic signatures based on biometrics,
upon biometrics shall be and as such the requirement pertaining to them is not applicable.
designed to ensure that they
cannot be used by anyone other
than their genuine owners.

11.300 - Controls for identification codes/passwords.

Persons who use electronic signatures based upon use of identification codes in combination with
passwords shall employ controls to ensure their security and integrity. Such controls shall include:

Requirement Comments
(a) Maintaining the uniqueness Priority enforces the uniqueness of each username in the system. Even
of each combined identification when a username is deactivated, a user account with the same
code and password, such that no username cannot be created.
two individuals have the same
combination of identification
code and password.
(b) Ensuring that identification The system manager can set a password policy for the system,
code and password issuances requiring users to change their password after a certain period of time
are periodically checked, has elapsed. The manager can also specify complexity and length
recalled, or revised (e.g., to requirements for new passwords.
cover such events as password
aging).
(c) Following loss management If the administrator suspects a certain user account has been
procedures to electronically compromised, said account can easily be deactivated, automatically
deauthorize lost, stolen, missing, revoking all permissions in the system.
or otherwise potentially
compromised tokens, cards, and
other devices that bear or
generate identification code or
password information, and to
issue temporary or permanent
replacements using suitable,
rigorous controls.
(d) Use of transaction Priority can be configured to lock out a certain username from logging
safeguards to prevent into the system if too many failed attempts to log in with that account
unauthorized use of passwords are made.
and/or identification codes, and
to detect and report in an Several tools are available for the system administrator to review
immediate and urgent manner actions performed by users within the system. If the administrator
any attempts at their suspects a certain user account has been compromised, said account
unauthorized use to the system can easily be deactivated, automatically revoking all permissions in the
security unit, and, as system.
appropriate, to organizational
management.
(e) Initial and periodic testing of This is a procedural requirement relevant to customers and is not
devices, such as tokens or related to functionality in Priority.
cards, that bear or generate
identification code or password
information to ensure that they
function properly and have not
been altered in an unauthorized
manner.

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 6/7

Summary
For over 30 years, Priority has supported manufacturing and industry, including in
regulated industries. Priority offers a core set of features that allow compliance
with the guidelines of FDA Title 21 CFR Part 11, including security, process and
privilege management, electronic signatures, logging and auditing.

Priority Software Ltd. ■ 12 Amal St, Rosh HaAyin 4809245, Israel 📞 +972.3.925.1000 +972.3.925.1001 www.priority-software.com

Cat.No. LB LB160255 Ver. 02 7/7