PDXpert software complies with U.S. Federal Drug
Administration regulation 21 CFR Part 11 - Electronic Records; Electronic
Signatures (20 March 1997).

| FDA requirement | PDXpert PLM software |
| --- | --- |
| §11.10 ...ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. | All access to electronic records within PDXpert requires a named-user log-in account. Each account requires a log-in password, with separate (optional) passwords for change form sign-off. Industry-standard encryption validates the user-selected signature as genuine. |
| §11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. | Each document, part and change form record has both a computer screen form and an equivalent printed report. Each equivalent printed report can be exported as an electronic file. |
| §11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. | Database records and associated electronic library files are protected from (a) inappropriate access using system log-in credentials; (b) pre-approval modification or deletion via security access roles; and (c) post-approval modification or deletion via system-level constraints. PDXpert renames all files within the library to ensure uniqueness and to hide their original source and purpose. |
| §11.10(d) Limiting system access to authorized individuals. | System access is limited to those individuals who have been assigned a log-in account. Administrators can create or revoke access to PDXpert for any individual. |
| §11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. ... | The creation of new document, part and change form records indicates the creator (trustee) and the date/time of creation. Each new item revision (modification) of a previously-approved item indicates the new revision's trustee. Previously-approved electronic records cannot be deleted. |
| §11.10(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. | PDXpert workflow includes sending sequenced notifications to change reviewers. |
| §11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | The administrator-assigned user account determines PDXpert access. The administrator also determines which users have record creation permissions, viewing rights to unreleased or canceled items, and reviewer authority. The PDXpert rich client avoids security vulnerabilities common to web browsers. |
| §11.10(k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. | Access to PDXpert records is controlled by the user account and password. Role-based user permissions can be defined for viewing unreleased, released and canceled document, part and change form records, as well as creating new records. Document and part revision management, with approvals based on formal change review and approval process, is an inherent capability. |
| §11.50 Signature manifestations. (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. | A reviewer response on a change form consists of the (1) administrator-assigned reviewer name, (2) system-assigned date/time of the review, and (3) reviewer-selected response (approve, disapprove, hold, etc.) to the proposed change. |
| §11.70 Signature/record linking. Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | PDXpert automatically links a reviewer response to the change form being reviewed. The response record cannot be modified, copied or transferred to another change form. |
| §11.200 Electronic signature components and controls. (a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. ... | The first item to be signed requires logging into PDXpert using two distinct identifiers: an administrator-assigned account name and a self-managed account password. Each user can also have an optional reviewer password that is used exclusively during signing. Subsequent signings while the user has been continuously signed into PDXpert require only the user's self-managed password. |