Title 21 CFR Part 11 of the Code of Federal Regulations and how it relates to Azure/Office 365 based eQMS with SharePoint digital signatures
Title 21 CFR Part 11 is the part of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). This article discusses how SharePoint digital signatures comply. Part 11, as it is commonly called, defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records (Title 21 CFR Part 11 Section 11.1 (a)). The intent of this article is to show how Microsoft is able to provide a built-in capability for 21 CFR Part 11 SharePoint electronic signatures compliance using its Cloud Stack, including Office 365 and Microsoft Azure, through standardised configuration. The FDA provides the following definition in 21 CFR Part 11 for electronic signatures:
“Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.”
QikSolve delivers an enterprise compliance platform to meet modern agile business process needs, built on Microsoft SharePoint Online and Office 365 and configured to meet the requirements of the industry regulations. QikSolve’s premier product, Ibiqs™, allows your organisation to focus on generating revenue instead of time-consuming administration tasks by streamlining your work processes and reducing your risk by enforcing that business processes are followed correctly. Working in industries such as life science, FMCG, dairy, cosmetics and food production, QikSolve’s experienced consultants are able to develop solutions to meet even the most stringent regulations for their clients.
Ibiqs™ is treated as an open system for 21 CFR Part 11 electronic and digital signature compliance. Users of the Ibiqs™ electronic quality management system (eQMS) are required to provide their username and password in order to authenticate themselves and ensure data integrity is maintained on submission. QikSolve has developed a solution that leverages the capabilities of Office 365 and Microsoft Azure to provide that functionality for Ibiqs™ with fully compliant SharePoint digital signatures.
Architecture and technical considerations
QikSolve has developed an Azure cloud service that authenticates user credentials against the Azure Active Directory every time a SharePoint electronic signature is required. The Azure cloud service is hosted by QikSolve in its own Azure tenant, and can authenticate any valid Office 365 user against the Azure Active Directory. This enables Ibiqs™ to validate any user within the Office 365 ecosystem. It is, however, important to ensure policies are in place that comply with good IT governance practice, and as such, only users within the current validated tenant are considered by the system.
The Azure cloud service developed by QikSolve makes use of the SharePoint Online client-side library’s credential class to validate any username/password combination. If the username/password combination is valid, the service returns a result indicating that and the process is able to proceed; otherwise it returns the reason for the validation failure in a clear, configurable message.
Any unsuccessful attempt to validate also gets logged using Azure Storage, to ensure there is a traceable chain of events. In the event of multiple unsuccessful login attempts, a stop is put on the current process and the user is requested to discuss the issue with the IT administrator.
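The validate, log and stop behaviour described above can be sketched as follows. This is an added example, not QikSolve's code: the class name, the threshold of three (the article only says "multiple"), the messages and the in-memory array standing in for the Azure Storage log are all assumptions.

```javascript
// Added example: names, threshold and messages are constructed.
const MAX_FAILURES = 3; // assumed; the article only says "multiple"

class SignatureGate {
  constructor(validate, maxFailures = MAX_FAILURES) {
    this.validate = validate;   // (user, password) -> boolean; stands in for the directory check
    this.maxFailures = maxFailures;
    this.failures = new Map();  // user -> consecutive failed attempts
    this.failedLog = [];        // stands in for the failed-attempt store
  }

  sign(username, password, processId, now = new Date()) {
    const user = String(username).trim().toLowerCase();
    const prior = this.failures.get(user) || 0;
    // Once stopped, stay stopped: a later correct password must not resume the process.
    if (prior >= this.maxFailures) {
      this.log(user, processId, now, "blocked");
      return { valid: false, stopped: true, message: "Signing stopped. Contact your IT administrator." };
    }
    if (this.validate(user, password)) {
      this.failures.delete(user);
      return { valid: true, stopped: false, message: "Credentials validated." };
    }
    this.failures.set(user, prior + 1);
    this.log(user, processId, now, "bad-credentials");
    const stopped = prior + 1 >= this.maxFailures;
    return {
      valid: false,
      stopped,
      message: stopped ? "Signing stopped. Contact your IT administrator."
                       : "Username or password is incorrect.",
    };
  }

  // Record who, which process, when and why; never the submitted password.
  log(user, processId, now, reason) {
    this.failedLog.push({ user, processId, at: now.toISOString(), reason });
  }

  // Administrator action that lifts the stop.
  reset(username) {
    this.failures.delete(String(username).trim().toLowerCase());
  }
}
```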
The Azure cloud service is developed by QikSolve as a RESTful WCF service which accepts JSON input and returns JSON output. When a user needs to be authenticated, the user is prompted with the following dialog:
After the user hits the submit button, the click event calls the Azure cloud service to validate the user credentials. On Office 365, the call to the Azure cloud service is made using jQuery Ajax.
21 CFR Part 11 additional steps to compliance
21 CFR Part 11 requires critical processes to have an electronic signature linked to the record, together with the appropriate security and auditing controls, in order to ensure systems are correctly used and maintained. Using QikSolve’s 21 CFR Part 11 SharePoint electronic signature solution for Office 365, every signature attempt gets logged in the system, either against the record and an audit trail or in a separate database for failed attempts. For the audit trail, every entry records:
- the process that generated it
- the unique ID of the process
- the stage the process was at when it required the electronic signature
- the person who executed the electronic signature
- time stamp.
The SharePoint digital or electronic signature is also registered against each record and is not transferable to other records.
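One way to make a signature non-transferable is to compute a keyed tag over the audit-trail fields listed above together with a hash of the record itself, so the tag fails to verify if it is copied to another record. This is an added example, not QikSolve's implementation (which the article does not describe); the field names, the HMAC construction, the demo key and the sample record are assumptions.

```javascript
const crypto = require("crypto");

// Constructed demo key; a real service would keep its key in a managed secret store (assumption).
const DEMO_KEY = Buffer.from("constructed-demo-key-not-a-secret");

// Constructed sample audit entry and record body.
const SAMPLE_ENTRY = {
  process: "Deviation",
  processId: "DEV-0001",
  stage: "QA approval",
  signer: "alice@contoso.example",
  timestamp: "2024-01-15T09:30:00.000Z",
};
const SAMPLE_RECORD = "Deviation DEV-0001: temperature excursion in cold room 2";

// Fixed-order serialisation of the audit fields plus a hash of the record content.
function canonical(entry, recordBody) {
  const recordHash = crypto.createHash("sha256").update(recordBody).digest("hex");
  return JSON.stringify([
    entry.process, entry.processId, entry.stage,
    entry.signer, entry.timestamp, recordHash,
  ]);
}

// Returns the audit entry with a tag bound to this record and these fields.
function signRecord(entry, recordBody, key = DEMO_KEY) {
  const tag = crypto.createHmac("sha256", key)
    .update(canonical(entry, recordBody)).digest("hex");
  return { ...entry, tag };
}

// True only if the tag matches both the audit fields and the record content.
function verifyRecord(signed, recordBody, key = DEMO_KEY) {
  const expected = crypto.createHmac("sha256", key)
    .update(canonical(signed, recordBody)).digest();
  const given = Buffer.from(String(signed.tag), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```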
At the service level, QikSolve encrypts all data between your Office 365 tenant and QikSolve’s Azure tenant using Transport Layer Security (TLS), the successor to SSL. This protects your data from anyone sniffing the transit pipes. QikSolve has also implemented domain-based security controlling who can access its custom Azure cloud service for user authentication. Because the service is hosted publicly using an SSL certificate, it accepts incoming requests only from authorised domains. The authorised domains are controlled on the server side of the hosted cloud service.
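A server-side check of the kind described above, assuming the authorised domains are matched against the browser's Origin header; the article does not say how QikSolve does this. This is an added example with constructed tenant hostnames and hypothetical function names. It matches exact origins so that lookalike hostnames are refused.

```javascript
// Constructed allowlist; the tenant hostnames are placeholders.
const AUTHORISED_ORIGINS = new Set([
  "https://contoso.sharepoint.com",
  "https://fabrikam.sharepoint.com",
]);

// Returns the normalised origin if it is authorised, otherwise null.
function checkOrigin(originHeader, allowed = AUTHORISED_ORIGINS) {
  if (typeof originHeader !== "string" || originHeader === "null") return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // not a parseable origin
  }
  // An Origin value is scheme://host[:port] only; refuse anything carrying more.
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  // url.origin lower-cases the host and drops the default port, so the
  // comparison is an exact match and never a prefix or suffix test.
  return allowed.has(url.origin) ? url.origin : null;
}

// Builds the response status and CORS headers for a request's Origin header.
function corsDecision(originHeader) {
  const origin = checkOrigin(originHeader);
  if (origin === null) return { status: 403, headers: {} };
  return {
    status: 200,
    // Echo the single matched origin, never "*", and tell caches it varies.
    headers: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
  };
}
```

Browsers set the Origin header themselves, but a non-browser client can send any value, so this check limits which sites can call the service from a browser and does not replace the credential validation.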