21 CFR Part 11
FDA requirements for electronic records and electronic signatures. View requirements mapping
Compliance
Cohera is designed from the ground up to support regulatory compliance in pharmaceutical environments. This section provides detailed documentation on how Cohera meets regulatory requirements and guidance for your validation activities.
Regulatory Framework
Section titled “Regulatory Framework”Cohera supports compliance with major pharmaceutical regulations:
EU GMP Annex 11
European requirements for computerized systems in GMP environments. View requirements mapping
GAMP 5
Risk-based approach to compliant GxP computerized systems. View category classification
Compliance by Design
Section titled “Compliance by Design”Cohera implements compliance controls as core platform features, not add-ons:
Data Integrity (ALCOA+)
Section titled “Data Integrity (ALCOA+)”| Principle | Cohera Implementation |
|---|---|
| Attributable | Every action linked to authenticated user with timestamp |
| Legible | Data displayed clearly with full history accessible |
| Contemporaneous | Actions recorded at time of occurrence |
| Original | Original records preserved; changes create new versions |
| Accurate | Validation rules enforce data accuracy |
| Complete | Full audit trail with no gaps |
| Consistent | Standardized data entry and validation |
| Enduring | Data stored securely with configurable retention |
| Available | Data accessible for review throughout retention period |
Electronic Records
Section titled “Electronic Records”- Immutable audit trails: All changes recorded with before/after values
- Version control: Complete history of all record changes
- Access controls: Role-based permissions with audit logging
- Data integrity checks: Checksums and validation on all records
Electronic Signatures
Section titled “Electronic Signatures”- Signature manifestations: Clear indication of signature meaning
- Signature binding: Cryptographic link between signature and record
- Non-repudiation: Signatures cannot be removed or altered
- Authority verification: System validates signer’s authority
Security Controls
Section titled “Security Controls”Authentication
Section titled “Authentication”- Multi-factor authentication support
- Single sign-on (SSO) integration
- Password policies configurable per organization
- Session timeout controls
Authorization
Section titled “Authorization”- Role-based access control (RBAC)
- Object-level permissions
- Field-level security for sensitive data
- Separation of duties enforcement
- Complete audit trail for all actions
- Tamper-evident logging
- Secure audit log storage
- Audit trail export for regulatory review
Validation Support
Section titled “Validation Support”Cohera provides documentation and tools to support your Computer System Validation (CSV) activities:
Available Documentation
Section titled “Available Documentation”| Document | Description |
|---|---|
| System Design Specification | Architecture and design documentation |
| Functional Specification | Detailed feature documentation |
| User Requirements Template | Template for defining your requirements |
| IQ Protocol Template | Installation Qualification protocol |
| OQ Protocol Template | Operational Qualification protocol |
| PQ Protocol Template | Performance Qualification protocol |
| Traceability Matrix | Requirements to test traceability |
| SOPs | Standard operating procedures |
Validation Environment
Section titled “Validation Environment”┌─────────────────────────────────────────────────────────┐│ VALIDATION ENVIRONMENTS │├─────────────────────────────────────────────────────────┤│ DEVELOPMENT (DEV) ││ - New features and fixes ││ - Not validated │├─────────────────────────────────────────────────────────┤│ QUALIFICATION (UAT) ││ - IQ/OQ/PQ execution ││ - Customer validation testing │├─────────────────────────────────────────────────────────┤│ PRODUCTION (PROD) ││ - Validated, GxP data ││ - Change controlled │└─────────────────────────────────────────────────────────┘Change Control
Section titled “Change Control”All changes to Cohera follow a documented change control process:
Change Categories
Section titled “Change Categories”| Category | Description | Customer Impact |
|---|---|---|
| Critical | Security patches, data integrity fixes | Immediate deployment with notification |
| Major | New features, significant changes | Advance notice, validation impact assessment |
| Minor | Bug fixes, UI improvements | Release notes, minimal validation impact |
| Configuration | Customer-specific settings | Customer-controlled |
Release Process
Section titled “Release Process”- Development: Feature developed and tested
- Internal QA: Quality assurance testing
- Staging: Pre-production validation
- Release Notes: Documentation published
- Deployment: Staged rollout
- Verification: Post-deployment checks
Supplier Qualification
Section titled “Supplier Qualification”Cohera maintains qualification as a software supplier:
- ISO 27001 certified information security management
- SOC 2 Type II audited controls
- Regular third-party security assessments
- Documented software development lifecycle (SDLC)
Audit Support
Section titled “Audit Support”Cohera supports customer and regulatory audits:
- Remote audit capability
- On-site audit scheduling (Enterprise customers)
- Audit questionnaire completion
- Evidence package preparation
Data Sovereignty
Section titled “Data Sovereignty”Cohera supports data residency requirements:
| Region | Data Center Location |
|---|---|
| US | AWS us-east-1 (N. Virginia) |
| EU | AWS eu-west-1 (Ireland) |
| APAC | AWS ap-northeast-1 (Tokyo) |
Data does not leave the selected region without explicit customer configuration.
Getting Started with Compliance
Section titled “Getting Started with Compliance”21 CFR Part 11
Start with FDA electronic records requirements. Read the guide
EU GMP Annex 11
Start with European computerized systems requirements. Read the guide