Epicor: Enabling 21 CFR Part 11 Compliance – Part 2 in a 3-part series from an Epicor White Paper

  • 26 June 2014
  • cre8
Categories: Epicor



How Epicor Addresses 21 CFR Part 11

Epicor provides a wide range of functionality that enables manufacturers to address the validation, security, accountability, and nonrepudiation requirements of 21 CFR Part 11. Unlike many companies that support regulatory compliance through the use of add-on functionality, Epicor builds this functionality directly into its product. As a result, manufacturers will find that implementation is faster, easier and more comprehensive, particularly for small and mid-sized companies.

Epicor is based on an Internet Component Environment (Epicor ICE) framework that supports the Epicor business processes and provides a framework for regulatory compliance that simplifies the effort and cost of compliance. Epicor ICE was built from the ground up using service-oriented standards. Epicor ICE features a web service architecture, which breaks complex business processes into many smaller processes and abstracts them into self-contained business services.

A byproduct of Epicor ICE is the delivery of all business services as XML Web services. Each Web service operates as a reusable, self-describing software component, enabling enterprises to orchestrate solutions with other Web services or business operations. This solution assembly approach via Epicor ICE means Epicor business solutions support straightforward, low-cost interaction with existing company IT hardware and software, as well as outside collaboration with suppliers, partners and customers, all delivered within the strictest security.

Each business service can be bypassed or accessed in any order and from anywhere, paused for human intervention, modified, or re-directed to the cloud, and new Web service processes may be created and inserted into the process workflow. This allows businesses to anticipate changing demands and quickly correct operational workflows.

Epicor ICE provides the framework for Epicor’s n-tier enterprise applications, and as such, separates business logic from the underlying technology framework. This layered approach enables users to dynamically model business rules to extend and customize the solution without modifying source code. The framework can be systematically upgraded to incorporate new technology enhancements without disrupting the applications built upon it—thereby reducing the cost of adopting new technologies and upgrading customizations.


When software is used as part of a production or quality system, 21 CFR Part 11 requires manufacturers to validate the software for its intended use according to an established protocol. The purpose of software validation is to ensure a high degree of confidence in the integrity of the electronic results and information.

21 CFR Part 11 requires that companies validate any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution and complaint handling or to automate any other aspect of the quality system. Systems typically affected are quality management systems, ERP, MES, and PLM/CAD. Computer systems used to create, modify and maintain electronic records and to manage electronic signatures are also subject to validation requirements covered by 21 CFR Part 11.

One common misconception is that a software vendor can “validate” its software. However, vendors can only say that they’ve built all of the Technical Controls for 21 CFR Part 11 compliance into the product. Epicor develops its products using state-of-the-art design, programming and validation techniques. All final version products are validated by several techniques, including, but not limited to:

  • Developer peer review
  • Test case execution against defined test data
  • Acceptance/rework
  • Alpha and beta testing feedback

The remainder of this whitepaper describes how Epicor builds the technical controls into its product.

Software must be validated for its intended use; one customer may be using the software in a way that is inappropriate in a regulated environment, while another may be using the same software in a way that fits its intended use. Although a software vendor can support its customers’ compliance, for example by providing evidence of software quality, ultimately it is the responsibility of the system user to ensure that the system itself and its implementation and use are appropriate.

One of the challenges for businesses under validation requirements is in keeping current with technology. Updates to software require risk analysis and re-validation of software. Epicor introduces technology solutions to simplify not only initial validation but ongoing validation requirements. In particular, the Automation Tool for Epicor (ATE) allows companies to build electronic validation scripts using their own business data and run these unattended with future updates.

Epicor supports FDA regulated manufacturers in their efforts to validate Epicor software for its intended use by providing a team of expert consultants with deep knowledge of FDA regulated environments, quality and compliance. These expert consultants offer turnkey validation services that provide a fully documented validation without impact to the organization’s resources. Guided team validation trains the customers’ teams in validation while they work. Guided team engagements reduce risk and time to perform a validation and leave behind a trained and experienced internal team.


21 CFR Part 11 requires security controls to prevent unauthorized access to documents. In addition, manufacturers must ensure that the person accessing documents is identified and can attest to the validity of the process. Epicor offers built-in role-based access control and workflow capabilities to support these demands.

Authorizing Access

FDA regulated manufacturers must ensure that only authorized personnel can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform an operation. Companies can go part of the way towards achieving this goal by employing standard security precautions—for example, by assigning each user an individual user name and password, requiring users to change passwords regularly, and so on. However, manufacturers can achieve full compliance only if they protect their electronic records at all levels. Because complex applications operate on a relational database within an operating system, 21 CFR Part 11 requires manufacturers to protect records at the application, database and the operating system level.

Epicor tightly controls access at all of these levels. At the operating system level, Epicor ICE allows manufacturers to set password policies. It also provides the option for MS Windows Authentication to ensure that users are who they say they are and Windows Single Sign-on to allow users to sign in once and have secure access to all levels of the systems as well as to multiple applications and services. To provide data-level security, Epicor provides user/password based access to control which data users are allowed to access at the dataset level (e.g. all sales order information), the data table level (e.g. sales order header information), or the field level. At the application level, Epicor provides menu security that limits whether the user can access a particular application or customer entry. Method security controls the types of processing users are able to perform by user or group; for example, it can allow a user to update an existing part but not add a new part.

Finally, Epicor offers security reporting that allows manufacturers to more closely manage user security, including who has access to what features, and provides a baseline for proof-of-security during an audit.

Identifying Users and Validating Processes

21 CFR Part 11 requires organizations to identify and authorize a person wishing to create, modify or review data and to standardize and automate business processes surrounding document modifications to ensure process validity. Epicor offers automated workflow management capabilities that validate and enforce even the most complex processes. These capabilities include:

Task Management—systematically automates and executes routine processes. Organizations can define workflow processes with key transactions that must be followed for completion. Tasks may be a single step process or a series of interlinked processes involving many different parties. Task sets can contain multi-level tasks, milestones, mandatory tasks and alternative routes. Optionally, they may require password clearance for sign-off on key tasks, providing traceability and adherence to procedures. Task sets ensure that transactions can only be updated if the task set is at the right status.

Business Process Management—Epicor BPM allows organizations to build pre-process conditions that require approvals or other conditions to be met before processing continues. When coupled with Epicor Service Connect, Epicor BPM gives Epicor customers seamless integration with any service driven application. Thus, organizations can also automate post process routines such as an Epicor Service Connect workflow that provides integration to an outside system, send an e-mail, invoke a .NET method, execute code or create a record such as a workflow task.

Service Connect—Epicor Service Connect provides orchestration that allows organizations to automate business processes. Service Connect is a powerful business integration platform, functioning as a central integration point for secure workflow orchestrations within Epicor applications as well as providing external connectivity to Epicor and non-Epicor applications. Service Connect logs workflow processing for both transactional integrity and compliance. Processes are available for review and tracking while in progress or after the process completes. If processes error or stop for any reason, transactions are rolled back and queued for subsequent correction and resubmission. Notification services can be incorporated into the workflow to alert either the submitting application or an administrator.

Epicor provides security for users initiating a workflow process at the user and group level through the use of two distinct components, user id and password, for log in. When organizations deploy embedded BPM, security options include menu item, process and database down to the field level. BPM and process level security drive electronic signature access at the transactional level and requirements for password authentication can be developed for any Epicor process.

About Epicor

Epicor Software Corporation is a global leader delivering business software solutions to the manufacturing, distribution, retail, and service industries. With more than 40 years of experience, Epicor has more than 20,000 customers in over 150 countries. Epicor solutions enable companies to drive increased efficiency and improve profitability. With a history of innovation, industry expertise and passion for excellence, Epicor inspires customers to build lasting competitive advantage. Epicor provides the single point of accountability that local, regional, and global businesses demand. For more information, visit www.epicor.com.

For previous blog postings, visit https://www.ctnd.com/blog/.