===== 21 CFR part 11 compliance =====

PMA.core was developed with the [[https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application|FDA 21 CFR part 11 guidelines]] in mind.

Our software adheres to the following principles:

  * Data will be formatted to allow transfer to another system for long-term storage in a common portable format either during the life of the system or after the system is retired
  * The system will contain detection mechanisms for invalid field entries, values out of range, and blank fields if entry is required
  * It will be possible to provide regulatory agencies with both human-readable and [[submitted_data|electronic copies of the records, including metadata]]. It will be possible to transfer data in a human readable format onto transportable media such as PDF, XML, SGML. The system must allow that the copying process produces copies that preserve the content and meaning of the records
  * If it is important to system functionally that steps be performed in a specified order, the system will contain a mechanism to ensure that actions are performed in the correct sequence (in case of sequenced steps)
  * The system will contain an automatically generated [[audit_trailing|audit trail]] function for all process significant and GxP critical events and allow [[audit_trailing|audit trails]] on tables and individual records
  * The [[audit_trailing|audit trail]] data will be read-only
  * It will be impossible to disable the [[audit_trailing|audit trail]] function
  * The system will prevent the accidental or intentional modifications or deletion of [[audit_trailing|audit trail]] files
  * It will be possible to generate a report to view which data in the record has been modified
  * A mechanism will be in place to detect and report any attempts of unauthorized use immediately to the customer
  * The audit trail will record: user name, data and time (h/min/sec) of the event using local data and time of the host system, indication of the type of event: record creation/modification/deletion or approval, in case of modification/deletion: old value and new value, reason of change (if applicable)
  * A specific link must be in place to trace the audit trail data to the associated electronic record(s) itself
  * The system will not allow changes in date and time by the user 
  * The system date and time will be periodically checked and corrected. The system will support time synchronization
  * The [[audit_trailing|electronic audit trails]] will be readily available for review
  * The system will be [[user_management|protected against unauthorized use]]
  * Security will consist of at least two elements (e.g. login ID and password) in case of non-biometric security
  * The system must enforce and automatic log-out after a defined period of no activity
  * The system will allow the specification of different levels of access (e.g. user, administrator) 
  * The system will detect security violations and produce an alarm or warning message
  * Controls will be in place to ensure that no two (2) individuals can have the same combination of identification code and password
  * If a password is not issued privately (i.e. the password issuer knows the password), the user will immediately reset their password


[[https://www.wikipedia.org|Wikipedia]] has [[https://en.wikipedia.org/wiki/Title_21_CFR_Part_11|more background on this topic]].