If you are within an FDA-regulated environment and using Confluence and QC Approvals, then you might need to set up Confluence in accordance with the FDA CFR 21 Part 11 regulation.
For this article’s purpose, we assume that Confluence is installed as a “closed system”. “Closed system” is a regulatory term that refers to how you control who can access the system. This is common in corporate settings and is assumed here as a key point.
For our purposes, CFR 21 Part 11 covers two main areas:
-
Electronic Records: This relates to the data stored in the system, such as your Confluence pages. It sets rules to ensure electronic data can replace paper documents (Subpart B).
-
Electronic Signatures: This covers how people can sign documents electronically, like Confluence pages, so these signatures can serve as a legal substitute for paper (‘wet’) signatures (Subpart C).
This article focuses on how QC Approvals helps you achieve compliance if you’re within an FDA-regulated environment.
QC Analytics does not claim compliance or certification of any of our tools, as no vendor can provide a fully compliant system. While technical features are important, full compliance also requires proper procedural and administrative controls.
How to Set Up a DMS in Confluence
To set up a compliant Document Management System (DMS) in Confluence Cloud, you will need to have the following:
-
A license for Confluence Cloud: Confluence will serve as your main platform to create, update, and manage your documents.
-
A license for QC Approvals for Confluence Cloud: QC Approvals will serve as your way to confirm that the latest changes on your documents have been reviewed and approved.
-
Third-party User Management/Directory Solution: A directory service or single sign-on integrated with Confluence may be used to manage user accounts. While not strictly required by regulations, organizations in regulated industries often need stronger security and authentication features than Confluence’s built-in directory provides. For example, under CFR 21 Part 11, it is common to require periodic password renewal, which must be handled outside of Confluence.
-
Secure infrastructure: Ensure a secure platform where only authorized users can access and modify data.
FDA CFR 21 Part 11 Compliance Checklist
Subpart B - Electronic Records
|
Reference |
Requirement |
QC Approvals |
Confluence |
Processes |
|---|---|---|---|---|
|
|
Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. |
- |
- |
Establish a validation process. Consult an expert if needed. |
|
The ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. |
QC Approvals provides tables and macros that contain all historic information about the approval process. Tables can also be exported in CSV or Excel, and a Version Approvals Certificate is available in the form of a PDF file. |
Confluence pages can be exported to PDF and Word. |
Define which method of exporting data you prefer. |
|
|
Protection of records to enable their accurate and ready retrieval throughout the records retention period. |
- |
- |
Establish a backup policy and keep the backups for the duration you defined in the policy. |
|
|
Limiting system access to authorized individuals. |
- |
Confluence’s built-in access control can be used to grant access to specified users or groups. |
Define user access based on roles and responsibilities. Regularly review the access control. |
|
|
Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. |
QC Approvals includes a “Dashboard” table that contains information about each approval request, including the status, the timestamp, and the signature type. |
Confluence’s Page History page provides an overview of all changes that occurred in a page. |
Configure Confluence to support the requirement:
|
|
|
Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. |
- |
- |
- |
|
|
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. |
Only assigned users can perform approval tasks, such as rejecting or signing a page version with QC Approvals |
see 11.10 (d) |
see 11.10 (d) |
|
|
Compliant Electronic Document Management Systems must use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. |
Not applicable |
Not applicable |
Not applicable. The source of data is not a device. |
|
|
Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. |
- |
- |
Establish training programs for your team on how to use Confluence and QC Approvals. Maintain training records for each team member. |
|
|
The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. |
- |
- |
Create clear rules and training to ensure that login information is not shared with others and that signatures are not performed by another person. |
|
|
Use of appropriate controls over systems documentation including:
|
System documentation may be managed within Confluence, using the QC Approvals app’s features. |
Use Confluence’s built-in access permissions to manage who can view and edit the system documentation. |
Use Confluence for your system documentation. If needed, export the information with Confluence’s tools or any third-party apps that meet your needs. |
|
|
Compliant Electronic Document Management Systems ensure that signed electronic documents contain information associated with the signing, clearly indicating all of the following:
|
QC Approvals provides several tables that include the following information:
These tables also include the Role of the user. The available tables are:
|
- |
- |
|
|
The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). |
The “Version Control” macro can be added to Confluence pages and exported using Confluence’s functionality. All other QC Approvals tables include an “Export” button and can be exported in CSV or Excel. |
- |
Keep a record of all the exported files to use in audits, etc. |
|
|
|
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. |
The linkage between user approvals and Confluence pages is part of the internal database tables and cannot be falsified. |
- |
- |
Subpart C - Electronic Signatures
|
Reference |
Requirement |
QC Approvals |
Confluence |
Processes |
|---|---|---|---|---|
|
Each electronic signature shall be unique to one individual, and shall not be reused by, or reassigned to, anyone else. |
- |
- |
Establish HR processes to ensure IDs are not reused. |
|
|
Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. |
- |
- |
Establish HR policies to ensure people are indeed who they say, and perform background checks before granting access. |
|
|
Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. |
- |
- |
This requires you to submit to the FDA a document in regards to how you will use the electronic signatures. |
|
|
11.200 (a)(1) Electronic signatures shall employ at least two distinct identification components, such as an identification code and password. 11.200 (a)(1)(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. 11.200 (a)(1)(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. |
To sign a page with QC Approvals, one must first log in to Confluence. Users log in to Confluence using the email related to their account and their own password. QC Approvals requires that credentials are provided for each signature. These credentials are:
|
- |
Configure the approvals workflow by specifying the roles, meanings and signature types in the QC Approvals Site Admin. |
|
|
(Electronic signatures) shall be used only by their genuine owners |
- |
- |
Establish policies and procedures to ensure that login information is not shared with others and signatures are not performed by ohter people. Implement security measures to protect and identify breaches. |
|
|
(Electronic signatures) shall be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. |
When signing with one-time password, QC Approvals requires the user to validate their identity by using a code generated by the authenticator app they used to enable OTP on their personal settings. |
Confluence has certain protections for password information. More details about this can be found here. |
Establish policies and procedures and employee training to ensure that login information is not shared with others, and set criteria for password protection and unauthorized access. |
|
|
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. |
- |
In Confluence, usernames are unique identifiers for each user in the system. |
User directories and sign-in systems must ensure every user has a unique account. |
|
|
Ensuring that identification code and password issuance are periodically checked, recalled, or revised (e.g., to cover such events as password aging). |
- |
You can set Confluence users as “inactive” to block them from accessing the system, but without losing their data. |
Establish policies to ensure that your user list and access rights are up to date. For example:
|
|
|
Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. |
You can reset your OTP authentication in the QC Approvals Personal Settings by re-registering your device. |
You can reset your password in Confluence by clicking the “reset your password” link when trying to log in. |
Establish a process to manage loss, theft, or misuse of devices and report any instances to the IT department. |
|
|
Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. |
- |
- |
Use Confluence Cloud within a secure local network environment, establish and enforce an organizational security policy, and rely on Confluence’s built-in HTTPS support to ensure secure communication. |
|
|
Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. |
- |
- |
Ensure that only apps from trusted developers are used to generate one-time passwords, and set up mobile device management. |
Need Help?
If you need help setting up Confluence and QC Approvals, feel free to contact us.