Title 21 CFR Part 11 (FDA) compliance checklist for ApexSQL Audit

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations established by the United States Food and Drug Administration (FDA) as regulation on electronic records and electronic signatures (ERES). Part 11 defines the criteria under which electronic signatures and electronic records are trustworthy, reliable and comparable to paper records

All SQL Server systems that store data which are used in process of making quality decisions or any data to be reported to the FDA must be compliant with Title 21 CFR Part 11

The 21 CFR Part 11 is arranged into three subparts. As for SQL SERVER compliance the Subpart B – Electronic records is the one of interest

The 21 CFR Part 11 Subpart B consist of four sections of which § 11.10 – Controls for closed systems is related to SQL Server compliance and supported by ApexSQL Audit

Source: U.S. Food and Drug Administration –  Title 21, Volume 1 CFR11.10

Title 21 CFR Part 11Subpart B Level of Support & Supporting Features ApexSQL Audit Provides
Section 11.10 Controls for closed systems
§ 11.10 (a) – Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records Supports ApexSQL Audit can audit all SQL Server related events, including those related to security on both the server and database level, all schema changes and all DML related changes, including real-time alerting on any specified event
§ 11.10 (b) – The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency Supports ApexSQL Audit ensures comprehensive reporting on all audited events allowing for granular customization based on end user requirements
§ 11.10 (c) – Protection of records to enable their accurate and ready retrieval throughout the records retention period Supports ApexSQL Audit can audit all backup and restore activity including alerting and reporting. By reviewing the reports on backup/restore activities audited by ApexSQL can ensure that proper procedure for data protection is established and maintained in case of need for disaster recovery or business continuity
§ 11.10 (d) Limiting system access to authorized individuals Supports with Exceptions Once SQL Server privileges have been set, ApexSQL Audit can ensure auditing and reporting on every change of security privileges or any unapproved new users creation or existing users deletion, including real-time alerting and comprehensive reporting on who saw what 
§ 11.10 (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying Supports Centralized collection, archiving, and consolidation of all data including the local date and time of the actions that alter the record. ApexSQL Audit doesn’t prevent audit data alteration but makes such attempts to tamper fully evident. Audit trails do not overwrite older data, including other audit trail records. Archiving ensures the audit trail to be stored as long as the records itself
§ 11.10 (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate Supports ApexSQL Audit can track and collect all changes including their time stamps, while precise custom reporting on specific changes allows sequence inspection to ensure that the proper sequence of events is followed
§ 11.10 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand Supports with Exceptions ApexSQL Audit can audit and report on any unapproved user account change including the real-time alerting and thus ensure verifying of the appropriate implementation of user-level security throughout the validation process

For Appendix on meaning of category assessments e.g. supports, click here