15 Steps to implement 21 CFR 11 for JDE EnterpriseOne

Transparency and fairness must prevail for electronic records and signatures to be considered valid which is where CFR Part 11 of the Code of Federal Regulations finds its relevance. While it gives companies the guidelines to do this successfully and succinctly, Oracle EnterpriseOne gives companies the platform and controls to implement it in just 15 steps.

Early civilization carved valued information on stone tablets. Today, we use aluminum tablets. And, while the world is moving towards being digitized, corporations are already there. The days of ink signings and transports of paper documents via the postal service's boxy Grumman LLV are almost behind us. Let's face it, the majority of the corporate world is electronic, which creates the necessity for federal regulations to ensure transparency and authenticity. The fast-paced evolution and digital dependence of humanity is the reason why a Federal law like 21 CFR11 gets passed.

Created in 1997, 21 CFR 11 refers to the section which defines the stipulations on the use of records and electronic signatures. This law pertains to pharmaceutical companies, medical device manufacturers, biotech companies and those that operate under the umbrella of the FDA. And, it is Part 11 of this regulation that focuses on electronic records and signatures which is the area of interest for this post.

Since the world is becoming a global village and business people no longer have to trot the globe for business meetings and transactions, it goes without saying that the nature of documentation has to shift from the traditional hard copies of memos and business reports to digital sources. Business deals and contracts can only be considered tenable when all parties involved have their signatures on documents making the issue of digital signature to become equally topical to this agency. Transparency and fairness must prevail for these electronic records and signatures to be considered valid. This  is where part 11 of the Code of Federal Regulations finds its relevance.

Implementing CFR 11

As simple as this might look on paper, the rule has not been easy to implement. This is evident in the different updates and revisions that it has undergone from its launch in 1997 till the publication of the final guidelines in 2007. One of the grievances from in-house auditors was the fact that it was “very expensive and for some applications almost impractical”. Other problems also generated on the scope of the rule since even the 2003 guidelines were still too broad and vague on the segment. The revisions and additional clauses that were added in the meantime made the final publication more relevant and helpful. Critics of the rule still claim that the FDA could adopt an easier format that would be more efficient in terms of time and cost.

The implementation of rule 21 suggests that the government is accommodating the digital revolution by ensuring that records and signatures are filed correctly to guarantee authenticity, validity and reliability. The digital nature of our times makes it more cost effective to adopt electronic mediums of record keeping as well as signatures, but it is very important for a protocol to be put in place to avoid confusion and ambiguity. While CFR Part 11 gives companies the guidelines to do this successfully and succinctly, Oracle EnterpriseOne gives companies the platform and controls for implementing it. No plan is perfect but the modifications that the rule has seen since 1997 goes to show the agency desire to provide the best and most efficient method of electronic record keeping.  


There are three major sections:

  1. Features of your System. These are essentially the features that any company is mandated to make available for the successful implementation of the computer system that will control electronic records. This system must undergo a test inspection for functionality, security and data integrity, storage capacity, electronic signatures and documentation for software and systems and more.
  2. Standard Operating Procedures. This is an operating system that has to be put in place to indicate how actions and procedures will be managed. Within CFR Part 11, there are nine IT Standard Operating Procedures from which each company within the FDA can make a pick to standardize their setup.
  3. Systems Validation. This is another system check to confirm that the electronic system is fit to be used. There must also be a protocol in place to alert when the system is malfunctioning and the ways in which hitches could be ironed out. After meeting these stipulations, a company can now be considered valid to operate within CFR Part 11.


Oracle's EnterpriseOne
With that said, ERP systems have had to build this functionality into their software products to stay competivite. Oracle's
JD Edwards Enterprise One: Governance, Risk, and Compliance” solution document lists the modalities of building an effective control system. This includes:
  1. Systems-Based Internal Controls
  2. Automated Processes
  3. Consistent Documentation
  4. Ongoing Control & Monitoring

After comparing the Oracle solution for Governance, Risk and Compliance (GRC) with the inconsistent and ineffective 1997 version of the FDA model, the critics affirm that this protocol was not well thought out in the first place. Every electronic system gives room for improvement and the FDA can take credit for always working to make their guidelines proficient and relevant to the times.

How to get effective Government, Risk and Compliance in E1
Oracle has provided businesses with tools to manage their auditing and electronic signatures. It takes us (Allari) 15 steps to get a company CFR 11 compliant if they are on the latest release. 
Required Steps to Configure Table Auditing (Overview)
  1. Configure the database for JDE Table Auditing
  2. Create a Non-Julian System Data Source for the Clients/Servers
  3. Generate Specific Audit Related Tables
  4. Setup the OCM mappings required for the clients
  5. Setup the OCM mappings required for the servers
  6. Populate the F986112 Table with the trigger templates
  7. Enable Auditing for the Path Code
  8. Configure the needed tables for auditing
  9. Check-in the specifications for the needed tables for auditing
  10. Transfer the “A” tables from the default project to another project
  11. Promote the Project with The “A” table to status 26 or higher
  12. Copy the needed table(s) audit configurations to the J Environment
  13. Enable Auditing on the needed tables for auditing
  14. Test needed tables for auditing on the Web Client
  15. Build and Deploy an Update client/server package with the “A” tables from needed tables being audited

While the implementation is relatively easy, the behind the scenes is very complex and database intensive. There are some items that require planning. For example, turning on GRC will dramatically increase your database usage. Oracle recommends using the following formula to size your database post GRC activation. 

"Database size increase per audited table = audit table record size x2 (before and after image) x number of transactions."

Whoa, that will be a massive increase. It's time to call the SAN vendor. Is this justifiable? Yeah, it sure is, because E1's auditing functionality is largely based on table triggers passing before and after data, time and date of the transaction and the name of the user who made the change.

A few general rules must be understood:

  1. For every record being audited, a record is added to the auditing table.
  2. For every record changed, 2 records are added. One is to capture the data before and one for after the record was changed.

In addition, E1 will allow you to require an electronic signature approval when a user tries to alter the data in an application. The functionality can also be setup to require a signature before allowing a report to be submitted to the job queue. 

There are 3 applications which help to control this functionality.

  • P9500001 - Configuration Application
  • P9500002 - Reasons Codes Application
  • P9500005 - View Audit/Signature Information Application

And, there are 3 reports which produce a printable report of the audit and signature information.

  • R9500004 - Print Signature and Audit Information
  • R9500005 - Print Audit Information
  • R9500006 - Print Signature information

As each year passes, Cai Lun's invention of paper quickly moves towards obsolescence. Although I love writing on paper and reading printed books, I am grateful for the software companies who have added GRC functionality to their products. I say this because shortly after CFR stipulations were passed, as a young system administrator back in the late 90s when EnterpriseOne was known as Everest then OneWorld, our pharmaceutical customers required us to print a separate document, hand write the individual system change, endorse it and fax it to their CFR department. We had to do this for every single change, with the paperwork often taking more time to complete than the execution of the task.

Everyone wonders why prescription drugs and many of the items falling under the purview of the FDA cost so much. Even in today's digital environment, it's unbelievable to see the overhead these companies need to carry to bring their products to market. But I think anyone would agree that the cost of tracking CFR requirements on paper definitely justifies the cost of implementing Oracle's GRC functionality.

If you have any questions regarding the implementation of CFR functionality, please don't hesitate to contact us.