CFR-11

This document describes how biologit MLM-AI core features help customers implement processes compliant with CFR Part 11 requirements.

Biologit MLM-AI was designed from the ground up with the requirements of pharmacovigilance in mind, including FDA's CFR Part 11 guidance on electronic records for computerized systems.

Key Features

The key features of MLM-AI supporting CFR-11 compliance are:

Auditing

  • Full audit trail of user actions.

    • The audit trail has indefinite retention and cannot be tampered with.

  • Reporting capabilities to inspect the audit trail.

    • Limited to privileged users.

  • Data export capability to facilitate customers’ records management policies.

Permissions

Workflow

User authentication

  • Authentication based on unique user ID + password combination.

  • Configurable password complexity policy.

CFR Part 11 and Biologit MLM-AI

The tables below map relevant sections of the CFR Part 11 specification to the biologit MLM-AI capabilities addressing each requirement.

Closed Systems Controls (11.10)

Section

Requirement

biologit MLM-AI Compliance

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

  • biologit MLM-AI includes a full audit trail of user actions within the system.

  • The audit trail can be accessed via the system’s reporting capabilities.

  • The above functionality can be leveraged as part of a customer’s validation plan.

The ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

  • biologit MLM-AI can report all activity recorded on the audit trail from its reporting functionality.

  • Reports can be issued in human-readable and machine-readable formats.

Protection of records to enable their accurate and ready retrieval throughout the records retention period.

Limiting system access to authorized individuals.

  • biologit MLM-AI implements a security model based on users and user groups (teams) allowing customers to limit access to users according to their function.

  • Users are uniquely identified by their ID and password combination.

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

  • biologit MLM-AI includes a full audit trail of user actions within the system.

  • The audit trail can be accessed via the system’s reporting capabilities.

  • The audit trail cannot be tampered with from within biologit MLM-AI.

  • The audit trail is retained indefinitely and is available for export to meet customers’ specific records retention policies.

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

  • biologit MLM-AI includes configurable workflow settings to enforce the completion of screening activities in accordance with a pre-determined sequence of steps.

  • User access can be configured such that steps are executed only by authorized individuals.

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

  • User access can be configured such that specific actions are executed only by authorized individuals.

  • Users are uniquely identified by their ID and password combination.

Compliant Electronic Document Management Systems must use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

N/A

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

  • N/A - Implementing a training plan and maintaining training records are responsibilities specific to organizations using biologit MLM-AI.

  • To assist with this task biologit MLM-AI supplies:

    • Extensive online product documentation and tutorials.

    • The ability for users to access an isolated “sandbox” environment for training purposes.

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

  • N/A - Preparing policies and ensuring their adherence are responsibilities specific to organizations using biologit MLM-AI.

Use of appropriate controls over systems documentation including:

  1. Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

  2. Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

  • N/A - Documentation controls are processes specific to organizations.

  • biologit provides extensive, freely available versioned online product documentation. The same content can be made available in printed format.

Controls for Open Systems (11.30)

Section

Requirement

biologit MLM-AI Compliance

11.30

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt.

Such procedures and controls shall include those identified in Sec. 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

  • biologit MLM-AI is a cloud-hosted platform accessible via web browsers, and thus is considered an open system.

  • In addition to the 11.10 compliance features discussed above:

    • All customer data at rest and in transit is encrypted in biologit’s cloud platform.

    • biologit MLM-AI is only accessible via encrypted connections (HTTPS).

Electronic Signatures (11.50/11.70/11.100/11.200/11.300)

Section

Requirement

biologit MLM-AI Compliance

Compliant Electronic Document Management Systems ensure that signed electronic documents contain information associated with the signing, clearly indicating all of the following:

  1. The printed name of the signer.

  2. The date and time when the signature was executed.

  3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

  • A unique user ID and password are mapped to individuals configured in the tool.

  • All activity in biologit MLM-AI is timestamped and recorded in the system audit trail.

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

  • biologit MLM-AI provides extensive reporting of the system audit trail, including user names, timestamps and activity records.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

  • The biologit MLM-AI audit trail records all activity carried out in the system. Each audit record is associated with its signer and is immutable: records cannot be tampered with from the application.

Each electronic signature shall be unique to one individual, and shall not be reused by, or reassigned to, anyone else.

  • Users are authenticated in biologit MLM-AI by their unique user ID and password. Once logged in, records created by the user are permanently associated with their user ID.

  • It is the responsibility of organizations using biologit MLM-AI to ensure accounts are not shared or reassigned.

Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

  • Users with administrative privileges in biologit MLM-AI are responsible for ensuring users are properly identified before a unique user ID and password are created in the system for that user.

  • biologit MLM-AI supports this process by associating a user ID with a unique identifier in the organization (typically the email ID).

Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

N/A

Electronic signatures shall employ at least two distinct identification components, such as an identification code and password.

  • biologit MLM-AI uses the unique user ID and password as the two distinct identification components.

When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

  • In biologit MLM-AI, no user access is granted before users authenticate with their user ID and password (all components).

  • After login, all user activity is associated with the user ID in the audit trail.

When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

  • In biologit MLM-AI, no user access is granted before users authenticate with their user ID and password (all components).

  • Administrators can define a session inactivity period (defaults to 1 hour) corresponding to a contiguous period of controlled system access.

(Electronic signatures) shall be used only by their genuine owners

  • User IDs and passwords are uniquely associated with a user upon creation.

  • It is the responsibility of organizations using biologit MLM-AI to ensure user IDs are created for the corresponding genuine users and passwords are distributed in accordance with company policy.

(Electronic signatures) shall be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

  • This requirement should be implemented by the procedures in organizations implementing biologit MLM-AI.

  • biologit MLM-AI supports monitoring of unusual activity patterns (e.g., login attempts) via its reporting capability.

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

  • In biologit MLM-AI, users are assigned a unique user ID and password combination.

Ensuring that identification code and password issuance are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

  • biologit MLM-AI administrators can configure the system with password policies reflecting the organization's requirements.

Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

  • biologit MLM-AI does not use tokens or cards at this time.

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

  • To support this requirement, administrators can configure the system with minimum password complexity and expiration policies.

  • biologit MLM-AI supports monitoring of unusual activity patterns (e.g., login attempts).

Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

  • biologit MLM-AI does not use tokens or cards at this time.
