Comalatech Compliance Solution
A 21 CFR Part 11 Compliance Solution is made up of the following components:
Third-party User Management/Directory Solution: A directory service integrated with Confluence to support user account, password, locking and failure notification requirements.
Comala Workflows: A Comalatech add-on for Atlassian Confluence which allows the customer to create workflows around documents, define role-based approvals, and enforce electronically-signed approval while providing an audit log.
Comala Publishing: A Comalatech add-on for Atlassian Confluence which allows customers to separate working spaces from approved spaces. This component is optional: some customers find it easier to work with two sets of spaces, one for drafts and another for approved content, or it can be used in cases where there are stricter auditing requirements. Comala Publishing works in conjunction with Comala Workflows.
In addition to these components, the Customer needs to define a Workflow using Comala Workflows scripts to define the required steps, approvals, roles and permissions over the managed documentation.
As indicated earlier, a major component of compliance is the customer's own Policies and Procedures. As these differ from organization to organization, such policies and procedures are beyond the scope of this document, so we can only indicate what needs to be addressed.
Subpart B - Electronic Records
Compliant Electronic Document Management Systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Many online and third-party resources are available to help plan and conduct the validation of Electronic Document Management Systems.
Compliant Electronic Document Management Systems must have the ability to generate accurate and complete copies of records in both human readable and electronic form, suitable for inspection, review, and copying.
Confluence provides ways to export documents in PDF and Word format.
Comala Workflows ensures only approved versions are exported, and can be configured to include the page status and audit trail on exported documents.
Compliant Electronic Document Management Systems must protect documents, to enable their accurate and ready retrieval throughout the document retention period.
Confluence stores documents in a transferable format, and provides a mechanism for exporting documents, should the system be retired.
All audit trail information is stored in Confluence's database, and is therefore part of the archived and backed-up data.
The Customer must implement an effective backup policy.
Compliant Electronic Document Management Systems must limit system access to authorized individuals.
Confluence allows for the definition of users and groups, and content access control can be based on those groups.
Comala tools apply all Confluence access restrictions and authorization.
In order to enforce the more restrictive policies indicated in Subpart C, the Customer may need to rely on an external User Management/Directory Solution, such as Atlassian Crowd or Active Directory.
Compliant Electronic Document Management Systems must use secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic documents. Document changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic documents, and shall be available for review and copying.
Confluence records secure, time-stamped audit trails by keeping the history of user changes to each page, and creating a new version of the page each time it is modified.
Comala Workflows consolidates document creation and modifications with the approval and signing audit trails.
A time-stamped log of workflow operation actions is also maintained, and associated with each document.
Audit trails are associated with the content within Confluence Spaces, therefore, the Customer must keep the archived content for as long as it is required.
Customers must restrict the hard deletion of documents to operators (administrators) only, and should handle the decommissioning of documents as part of the document workflow.
Compliant Electronic Document Management systems must use operational system checks to enforce the permitted sequencing of steps and events, as appropriate.
Comala Workflows ensures all approval steps are conducted in the predefined order.
The Customer is responsible for creating their specific workflow, defining the required steps and role-based approvals.
Compliant Electronic Document Management Systems must use authority checks to ensure that only authorized individuals can use the system, electronically sign a document, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Confluence's security overview is described here: https://confluence.atlassian.com/x/fg0C
Comala Workflows verifies the user has the necessary authority to perform key functions, and supports role-based and electronically signed approvals.
The Customer must ensure that the defined workflow states the appropriate roles and permissions.
Compliant Electronic Document Management Systems must use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Implementers of compliant Electronic Document Management Systems must ensure that persons who develop, maintain, or use these systems have the education, training, and experience to perform their assigned tasks.
Customers must implement appropriate training programs, and maintain ongoing training records.
Implementers of compliant Electronic Document Management Systems must establish and adhere to written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Customers must establish strong accountability and responsibility policies, to ensure that employees understand the importance of maintaining the integrity of electronic records and signatures.
Compliant Electronic Document Management Systems must implement adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
Comala Workflows maintains control of the approved version of each document, and can control which version of the document is available to each user, based on their role.
Alternatively, Comala Publishing provides a solution to separate approved from draft content in distinct, separate spaces.
The Customer must control system documentation to ensure it is up to date.
Compliant Electronic Document Management Systems must implement revision and change control procedures to maintain an audit trail that documents time-sequenced development, and modification of systems documentation.
Comala Workflows maintains a time-stamped log of all administrative actions.
Compliant Electronic Document Management Systems ensure that signed electronic documents contain information associated with the signing, clearly indicating all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Comala Workflows can include the user name, the timestamp, and the approval description in the signature block for each document.
The Customer must ensure their specified workflow includes this information in the header and footer content.
Compliant Electronic Document Management Systems ensure that the signer's name, the timestamp and the meaning of the signature are subject to the same controls as for electronic records, and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
Comala Workflows can show the document's status when viewed electronically, and can display the full signature block when printed.
The Customer must ensure their workflow includes a header and footer containing the approval information.
Compliant Electronic Document Management Systems ensure that electronic signatures, and handwritten signatures executed to electronic records, shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Comala Workflows stores all approval details and electronic signatures within the content's metadata, and can embed the signature block in the body of the printed document. This ensures that the signature block cannot be excised, copied, or otherwise transferred to falsify another electronic document.
The Customer must ensure their workflow includes a header and footer containing the approval information.
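As an added illustration of the two requirements above (not Comala's or Confluence's implementation), the following constructed Python example builds a signature record carrying the signer's printed name, timestamp and meaning, binds it to one page version by content digest and MAC, and shows that a block copied to another document or an edited field fails verification; the key, page IDs, names and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real system keeps this in a secrets store, never in source.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def content_digest(page_body: str) -> str:
    """Digest of the approved page text; the signature is bound to exactly this version."""
    return hashlib.sha256(page_body.encode("utf-8")).hexdigest()

def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so signer and verifier MAC the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_record(page_id: str, version: int, page_body: str,
                signer_name: str, meaning: str, signed_at: str) -> dict:
    """Signature manifest with printed name, date/time and meaning, plus a tamper-evident MAC.
    signed_at is an ISO-8601 UTC timestamp taken from the server clock (constructed here)."""
    manifest = {
        "page_id": page_id,
        "version": version,
        "content_sha256": content_digest(page_body),
        "printed_name": signer_name,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    manifest["mac"] = hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest

def verify_record(manifest: dict, page_id: str, version: int, page_body: str) -> bool:
    """True only if the manifest is intact and belongs to this exact page, version and text."""
    claimed = dict(manifest)
    mac = claimed.pop("mac", None)
    if mac is None:
        return False
    expected = hmac.new(SIGNING_KEY, _canonical(claimed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # any edited field (name, time, meaning, digest) invalidates the signature
    return (claimed["page_id"] == page_id and claimed["version"] == version
            and claimed["content_sha256"] == content_digest(page_body))

def signature_block(manifest: dict) -> str:
    """Human-readable footer text carrying the signer, time and meaning."""
    return (f"Signed by {manifest['printed_name']} on {manifest['signed_at']} "
            f"({manifest['meaning']}) for page {manifest['page_id']} v{manifest['version']}")

if __name__ == "__main__":
    sop = "SOP-042 v3: Cleaning procedure for line 2 ..."  # constructed sample content
    rec = sign_record("SOP-042", 3, sop, "Jane Doe", "approval", "2016-05-01T10:00:00Z")
    print(signature_block(rec))
    print(verify_record(rec, "SOP-042", 3, sop))            # intact: True
    print(verify_record(rec, "SOP-043", 1, "other page"))   # block moved to another record: False
```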
Subpart C - Electronic Signatures
Comala Workflows provides a mechanism to require credentials (e.g. user name and password) when approving content. For additional account and password requirements, it is recommended to use a User Management/Directory Solution.
Each electronic signature shall be unique to one individual, and shall not be reused by, or reassigned to, anyone else.
Confluence ensures duplicate user IDs cannot be created, and user IDs cannot be reused.
The Customer must have policies in place to ensure unique IDs are not reused or reassigned. This can be achieved through a User Management/Directory Solution.
Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
Confluence ensures only authenticated users have access to system content.
The Customer must ensure that user IDs/Electronic Signatures are assigned to the correct users.
If the Customer uses Single Sign-on, the Customer must be satisfied with the identity validation performed by the originating system.
Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
The Customer must submit paper-based, hand-signed certification to the "Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857".
Electronic signatures shall employ at least two distinct identification components, such as an identification code and password.
Confluence ensures only authenticated users have access to system content, and provides validation of user-provided credentials.
Comala Workflows allows for electronically signed approvals, wherein users are required to provide their user ID and password at the moment of approval.
These credentials are validated through Confluence's authentication interface.
The Customer must define an appropriate workflow, specifying where approvals are required.
Compliant Electronic Document Management Systems ensure that, when an individual executes a series of signings during a single, continuous period of controlled system access, the first signing is executed using all electronic signature components; subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, that individual.
Confluence ensures only authenticated users have access to content, provides validation of user-provided credentials, and provides control over the duration of continuous sessions.
Comala Workflows requires that credentials are provided for every single approval signing.
The Customer can control the duration of the user session, see: https://confluence.atlassian.com/x/hYCQBw
Compliant Electronic Document Management Systems ensure that, when an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
Confluence has a limited, customer-defined session duration. After the session has expired, the user must log in again, providing his/her full credentials.
Comala Workflows only allows approval rights to authenticated users, and additionally requires that credentials be provided for every single approval.
The Customer can control the duration of the user session, see: https://confluence.atlassian.com/x/hYCQBw
Electronic signatures shall be used only by their genuine owners.
Comala Workflows ensures that the credentials provided during signing match those of the authenticated user.
Actual validation of credentials is internally delegated to the User Management/Directory Solution.
Electronic signatures shall be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Confluence relies on a User Management/Directory Solution to lock an account after a specified number of failed attempts.
The Customer must have policies in place to manage failed sign-in attempts, and to require two or more individuals for account reactivation.
The Customer should rely on a User Management/Directory Solution for account lockout policies.
Compliant Electronic Document Management Systems maintain the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
Confluence controls user Id creation, such that no two users will ever be assigned the same identification code and password combination.
The Customer should define proper account creation policies, and could rely on a User Management/Directory Solution to enforce these policies.
Compliant Electronic Document Management Systems ensure that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
The Customer should properly define their password policy, and could rely on a User Management/Directory Solution for this purpose.
Compliant Electronic Document Management Systems follow loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised password information, and issue temporary or permanent replacements using suitable, rigorous controls.
Atlassian Confluence provides the ability to reset passwords.
The Customer should properly define their password policy; a User Management/Directory Solution is recommended.
The Customer should also implement administrative procedures to reset passwords when necessary.
Compliant Electronic Document Management Systems use transaction safeguards to prevent unauthorized use of user IDs and passwords, and detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and as appropriate, to organizational management.
Comala Workflows electronic signature validation relies on Confluence's authentication interface and, when connected to a directory service supporting account locking policies, will lock the account if necessary.
The Customer should rely on a User Management/Directory Solution for account lockout policies and notification rules.
(c) 2016 Comala Technology Solutions, Inc.