Epicor: Enabling 21 CFR Part 11 Compliance – Part 3 in a 3-part series from an Epicor White Paper

  • 22 July 2014
  • cre8
Categories: Epicor

Tags: , , ,




21 CFR Part 11 requires organizations to ensure that individuals are accountable for their electronic actions by creating and preserving electronic evidence. Among its requirements, 21 CFR Part 11 calls for organizations to note the time of information entry or of any modification, ensure that information is not altered in a manner that obscures the original information, maintain complete information, and make any records requested available in a timely fashion viewable in either electronic or human readable format.

Auditing Changes

21 CFR Part 11 requires the use of secure, computer-generated time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. When information is altered electronically, the changes must not obscure the original information much as is done with laboratory notebooks, where corrections are signed and where incorrect information is never deleted, merely amended. Epicor supports this requirement using Change Log functionality. Epicor’s automated change logs capture changes as they happen, helping companies better manage the accuracy of data. Change logs monitor:

  • The before and after values of all changes to records
  • Who made those changes? Epicor does this by providing unique

User IDs for individuals and using a login process that requires user IDs/passwords before allowing users to make any changes including additions and deletions.

  • When any changes were made via date and time stamps.

Epicor retains all required records including electronic signatures within the active database for the required retention period.

Maintaining System Documentation

Manufacturers must create revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. Epicor manages systems documentation using the following capabilities:

  • Epicor Advanced Quality Management (AQM) maintains process documentation in a secure environment, providing document management across the draft, revision, currency, and obsolescence process. All new documents and all change requests require approval. AQM maintains a complete archive and change history record. It tracks revision levels, revision dates and unlimited text for all changes made to a document. Depending on the implementation of the system, this information can be entered manually or can be automatically posted from a Document Change request. AQM controls the ability to access the most current version. Printed copies are identified as “Controlled Copies” and the system is the master record.
  • Epicor Product Lifecycle Management supports complete document control, including document and subdocument linking and vaulted documentation. With Linked documents, users access files through a link. This method relies on network security. With vaulting, organizations move the document into a database, which maintains the security of the documents, controlling and recording what did what to the document. Vaulting provides higher security, including check in/check out processes. In addition, Epicor Product Lifecycle Management provides audit trails of distribution routes for documentation.

Rapid Document Accessibility in an Electronic and Human Readable Form

When the FDA wants to see particular electronic records for an audit or a product recall, manufacturers need to be able to produce them in a timely fashion in both an electronic and human readable format suitable for inspection, review and copying by the agency. Epicor allows companies to maintain accurate records in the active database for rapid retrieval. Systems implementation documentation outlines appropriate steps for maintaining and retrieving archived data. In addition, Epicor records are complete and presentable in human readable format. All records are available for delivery in XML and Excel, simplifying audits.


21 CFR Part 11 requires FDA regulated manufacturers to sign records electronically to track who is responsible and allow the FDA to check that that person is authorized and trained for the process. In a dispute, companies might also need unambiguous proof that the person whose name is associated with an experiment or process is actually responsible. The FDA also seeks to provide a way to legally enforce electronic records and signatures as well as maintain trust in electronic signatures by requiring manufacturers to guarantee that anyone who uses them cannot readily repudiate the signed record as not genuine. Epicor supports these 21 CFR Part 11 electronic signature requirements as follows:

Linking Signatures to Electronic Records

Electronic signatures and handwritten signatures executed to electronic records must be linked to their respective electronic records to ensure that the signatures cannot be excised, copied or otherwise transferred to falsify an electronic record. Epicor either stores signature records directly within the table as the electronic record they are tied to or stores them in a linked table. Epicor supports a fully relational database for fast retrieval and access to linked records. Links are maintained during archiving and retrieval of electronic and signature data.

Retaining Information about Electronic Signatures

Signed electronic records must contain information associated with the signing that clearly indicates all of the following:

  • The printed name of the signer
  • The data and time when the signature was executed
  • The meaning, such as review, approval, responsibility or authorship, associated with the signature
  • The items identified in the previous three areas are subject to the same controls as for electronic records and must be included as part of any human readable form of the electronic records, such as electronic display or printout

Epicor supports this requirement through Epicor Advanced Quality Management, which fully tracks and archives secure electronic signatures, including signer, date and time stamp, as well as meaning and archived with the event. In addition, Epicor BPM offers the ability to modify any Epicor process to support these same requirements.

Electronic Signatures Must be Legally Binding

When people use electronic signatures, they must certify that those signatures are intended to be the legally binding equivalent of the signer’s handwritten signature. Although this process is a procedural function of the manufacturing organization, Epicor for Human Resources and Epicor Advanced Quality Management manage employee documentation and certification results.

Holding Individuals Accountable

FDA regulated manufacturers must establish written policies to hold individuals accountable and responsible for actions initiated under their electronic signatures. While this clause refers to procedures required of the manufacturer, Epicor Advanced Quality Management provides for comprehensive process definition and documentation to maintain all written policies and manage policy changes.

Verifying the Identity of the Individual

Verifying the identity of the individual is a procedural function of the manufacturing organization. Epicor for Human Resources and Epicor Advanced Quality offer management of employee data for fast retrieval during an audit.

Ensuring that Electronic Signatures are Unique

Electronic signatures must be unique to a particular individual and not assigned to anyone else. Epicor solutions require a unique password for each user.

Electronic Signature Controls

21 CFR Part 11 requires controls over the use of electronic signatures. While Epicor supports some of these controls, others are a procedural function of the manufacturing organization. Epicor provides unique user IDs and passwords to meet the requirement that electronic signatures require two forms of identification. However, only in house processes can ensure that electronic signatures are used only by their genuine owners or that attempts to use an electronic signature by anyone other than the genuine owner require collaboration of two or more individuals.

Controls for Identification Codes and Passwords

21 CFR Part 11 requires manufacturers to maintain a number of controls over identification codes and passwords, including the following:

  • Unique ID code and password—Epicor makes systematic checks to disallow multiple sets of user ID/password code combinations.
  • Password aging—Epicor BPM in conjunction with Change Log functionality on the User Log determine and alert users that their passwords need changing.
  • Lost or stolen identification code and password combinations—This process is a procedural function of the manufacturing organization.
  • Safeguards on the misuse of ID code and passwords—Epicor provides implementation methodologies that safeguard the misuse of ID codes and passwords. It also supports Epicor system administrator workflow protocols and security reporting.
  • Periodic testing of devices—This is a procedure of the manufacturer. However, Epicor Advanced Quality Management equipment logs can maintain testing results and suggest testing based on user defined parameters.

Training and Authorizing Individuals for Particular Tasks

Manufacturers must ensure that people perform only tasks for which they are trained and authorized. Epicor Human Resources Management modules offer comprehensive skills and capability management. Organizations determine the necessary competence for personnel performing work affecting product quality and assign these skills to Job Descriptions and Training Courses. Epicor keeps track of employee skillsets and processes in manufacturing, ensures that personnel are aware of how their activities contribute to the achievement of quality objectives, and maintains appropriate records of education, training, skills and experience. As manufacturing processes change, Epicor Advanced Quality automatically alerts employees assigned to the process of the need for new process training.


The FDA’s 21 CFR Part 11 describes the FDA’s requirements for acceptable electronic records and signatures. These include validation that the software and systems used to create and maintain electronic records can ensure the integrity of electronic results and information, maintenance of confidentiality and integrity of electronic information, holding individuals accountable for their actions with regards to electronic documents, and providing trust through non repudiateable electronic signatures. Epicor solutions offer built-in capabilities that enable medical device and pharmaceutical manufacturers to more quickly, easily, and affordably meet these requirements of 21 CFR Part 11. As a result, manufacturers can not only achieve compliance with this FDA regulation, they can also streamline and improve efficiency of their workflows that relate to documentation.

About Epicor

Epicor Software Corporation is a global leader delivering business software solutions to the manufacturing, distribution, retail, and service industries. With more than 40 years of experience, Epicor has more than 20,000 customers in over 150 countries. Epicor solutions enable companies to drive increased efficiency and improve profitability. With a history of innovation, industry expertise and passion for excellence, Epicor inspires customers to build lasting competitive advantage. Epicor provides the single point of accountability that local, regional, and global businesses demand. For more information, visit www.epicor.com.

Contact Us

For previous blog postings https://www.ctnd.com/blog/.