Transcription
FDA 21 CFR Part 11Electronic records and signatures –solutions for the Life Sciences Industry
The Rule 21 CFR Part 11“Handwritten signature means thescripted name or legal mark of anindividual handwritten by that individualand executed or adopted with thepresent intention to authenticate awriting in a permanent form.”FDA 21 CFR Part 11Detailed procedural and technical requirements are given forboth electronic signatures and electronic records. Some ofthese include:– – Ability to discern invalid records– – Ability to generate electronic copies of records– – Automatic generation of audit trail– – Access controls– – Secure link of signatures to records– – Use of unique secure signaturesFor Life Sciences Industries, electronic signatures were givenlegal equivalence with traditional “wet ink” signatures onpaper in 1997.Electronic record keeping and electronic signature use are notmandatory, but if used must comply with the requirements ofthe rule.The Food and Drug Administration (FDA) rule for electronicrecords and signatures became effective and enforceable onAugust 20, 1997. The rule has two main areas of enforcement: electronic records and electronic signatures.The scope of 21 CFR Part 11 includes operational areas of apharmaceutical, biotechnology or medical device companysuch as:– – Manufacturing (for example, production records)– – Maintenance (for example, asset management orcalibration records)– – Laboratory (for example, sampling results or productdevelopment)The rule applies to all areas of Title 21 of the Code of Federal Regulation (CFR) for all manufactured drugs and medicalproducts distributed in the United States of America.Although this document deals exclusively with 21 CFR Part 11for the U.S., many other jurisdictions also have directives inplace that enable the use of electronic records and signatures.2 21 CFR Part 11
You’ve been using electronic recordsfor years“Electronic record means anycombination of text, graphics, data,audio, pictorial, or other informationrepresentation in digital form that iscreated, modified, maintained, archived,retrieved, or distributed by a computersystem.” FDA 21 CFR Part 11By the 1990’s technical ABB solutions existed for generatingfully electronic batch records using distributed control systems. Batch management was either handled by a separatesoftware package or fully integrated with the DCS.This arrangement enabled a production plant to be operatedin accordance with the S88 standard or previous nationalstandards, generating working recipes, monitoring inventories, controlling plant equipment and collecting all salient dataunder a secure access control arrangement.The only item missing in the equation to make fully electronicbatch records a possibility was the actual regulation.21 CFR Part 211.188 states “.records [must be] checked foraccuracy, dated and signed.” Other clauses of Part 211 suchas §186 refer explicitly to “full signature handwritten.” Thesewere seen as regulatory blocks on the pharmaceutical road tothe digital world.Moving to fully electronic data handling promised huge costsavings from improved efficiency and reduced physical handlingand storage compared to traditional paper records, as well asincreased security, traceability and transferability of data.It is not just in the manufacturing (GMP) area that electronicdata handling offers noteworthy benefits. The amount of datagenerated in analytical laboratories operation under GLP issignificant, and since this data requires review and approvalsignatures, 21 CFR Part 11 promises major improvements inworkflows and data handling.The DCS had a configurable report package for generatingcustomized batch records and management reports. At thesame time, our batch software was becoming available fordigital signing of records.21 CFR Part 11 3
Our commitmentElectronic signature means a computer data compilationof any symbol or series of symbols executed, adopted,or authorized by an individual to be the legally bindingequivalent of the individual’s handwritten signature.Electronic records and signaturesOur technology combines the efficiency of electronic recordkeeping with the security of authenticated electronic signatures.Our customers ask for support moving into a paperless worldin order to satisfy regulatory requirements as well as businessrequirements such as ease of use and reduced costs. “Knowthe market, follow its demands, open up future opportunitiesfor our customers.” This is ABB’s philosophy to create valuefor our customers.Electronic records in an automation system are easier to keepthan manual records. Records generated and maintained bythe automation system include:– – Recipe handling– – System configuration– – Device calibration– – Operator input– – Audit trail– – Alarm and event history– – Trends and batch records21 CFR Part 11 has become an integrated part of our automation technology and system design. The rule is not a“problem” anymore. We help our customers to achieve andmaintain 21 CFR Part 11 compliance while minimizing lifecycle costs.Regulatory complianceThe 800xA automation system is a technology platform thatcan be installed and configured to support to the 21 CFRPart 11 regulation.Our automation system complies with the rule’s requirementswith features like system security, secure data managementand reporting, and supports electronic records andsignatures, and a time-stamped audit trail, for automatedelectronic recording.4 21 CFR Part 11The automation system can ask the user to electronically signrecords; for example, when new calibration data is releasedfor download into an instrument, a new batch recipe is approved for production or an operator input occurs. The electronic signature act is performed by user or supervisor typingin their User ID and Password.
SecurityClosed system means an environment in which systemaccess is controlled by persons who are responsible forthe content of electronic records that are on the system.Authorization and access controlWe utilize and extend the Microsoft Windows Security systemto meet the demands of automation applications for LifeSciences Industries. Access can be controlled down to theobject (e.g., motor) and even function (e.g., start the motor).Critical operator actions can be designated for a user authentication action prior to permitting the action to take effect inthe process.Data integritySystem, engineering and manufacturing data are protectedthroughout their life cycle from unauthorized access, modification or deletion in order to ensure accuracy, consistency,and completeness. For example:–– User access is controlled by a three-dimensional model:Person x Object x Function. User account passwords age.–– All accesses and changes to system and data are loggedand tracked in the audit trail.–– All essential components are designed with redundancy.When redundancy is implemented in the solution, if onecomponent fails, the redundant partner immediately takesover with no interruption of your operations, or loss of data.Asset monitors use real-time plant and system information asinputs for such tasks as detecting maintenance conditionsbefore failure occurs or to diagnosing a problem.NetworkThe system supports client/server architectures. The useof the Microsoft Domain and Networking ensures uniqueuser ID’s and maximizes security in the automation system.The “aspect server” is one of the core system services thathandles object and asset management, file set distributionand cross references as well as security. Redundancy is alsoavailable for the aspect server.The automation system network is based on TCP/IP overEthernet. The routing protocol (RNRP) supports redundantnetwork configurations based on standard network components. Detection of a network failure and switch over to theredundant network takes less than one second, with no lossor duplication of data.Network security considerations depend on whether the system is closed or open. An isolated automation system is anexample of a closed system; a system that connects to a corporate intranet or internet is an example of an open system.Proper Information Technology practices should be followedwhen implementing the network and network security.21 CFR Part 11 5
21 CFR Part 11 checklistOur automation technology addresses your 21 CFR Part11 requirements. This initial checklist for closed systemintroduces our system support.The assessment compares the actual regulation test withtypical compliant implementation examples using the ABBautomation system.Section21 CFR Part 11 Regulation Text800xA Implementation and ApplicationB-11.10Persons who use closed systems to create, modify, maintain,The end-user and manufacturer is responsible for developingor transmit electronic records shall employ procedures andprocedures to support automation applications in regulatedcontrols designed to ensure the authenticity, integrity, and,environments. Our validation experts support a full spectrumwhen appropriate, the confidentiality of electronic records, andof compliancy efforts, including end-user validation, SOP de-to ensure that the signer cannot readily repudiate the signedvelopment and risk-based approaches to dealing with 21 CFRrecord as not genuine. Such procedures and controls shallPart 11 issues.include the following:(a)Validation of systems to ensure accuracy, reliability, consistentOur customers need to validate their installation. We help byintended performance, and the ability to discern invalid orproviding project execution and product development meth-altered records.odologies that integrate validation activities throughout thesystem development life cycle.ABB’s automation system supports access control. It registerschanges to electronic records as audit trail events. It can beconfigured to check the validity of input data.(b)The ability to generate accurate and complete copies of re-Configuration as well as production data, like recorded history,cords in both human readable and electronic form suitable foraudit trails or batch records, can be exported or archived.inspection, review, and copying by the agency. Persons shouldThe information is available on-line to the authorized operatorcontact the agency if there are any questions regarding thein either standard or customized displays, or can be printed orability of the agency to perform such review and copying of theexported.electronic records.(c)Protection of records to enable their accurate and ready re-Our experts help our customers fulfill business and regulatorytrieval throughout the records retention period.drivers associated with record retention by defining appropriate procedures for access, archival and retrieval of records.Our automation system also supports long-term archiving.6 21 CFR Part 11
It is easy to use electronic recordingSection21 CFR Part 11 Regulation Text800xA Implementation and Application(d)Limiting system access to authorized individuals.Standard procedures to limit physical access are the responsibility of the customer.System access is managed through the use of a unique UserID and password combination for each user. Additionally, thesystem supports a number of schemes to prevent the compromising of a user’s password including minimum passwordlength, password aging and preventing the re-use of recentpasswords.(e)Use of secure, computer-generated, time-stamped audit trailsThe audit trail is an integrated system function.to independently record the date and time of operator entries(f)and actions that create, modify, or delete electronic records.Time-stamped audit trail events detail object or file nameRecord changes shall not obscure previously recordedchanges, operator ID, description of change and node. If theinformation. Such audit trail documentation shall be retainedchange is subject to authorization or electronic signature, thenfor a period at least as long as that required for the subjectthe audit trail will also show the reason and any comment.electronic records and shall be available for agency review andAudit trail events can be viewed, printed and archived. Changecopying.of date and time is access controlled.Use of operational system checks to enforce permitted se-Our automation system supports interlocks and sequentialquencing of steps and events, as appropriate.function charts. Our integrated Batch Manager is built toISA 88 and IEC 61512 standards.(g)Use of authority checks to ensure that only authorized individ-The system restricts access according to the user and useruals can use the system, electronically sign a record, accessrole configuration. The rules relate to the use of system func-the operation or computer system input or output device, altertions, workstations, operator actions, tags or event single taga record, or perform the operation at hand.signals. When the rules are changed, the system automaticallygenerates an audit trail event.(h)(i)Use of device (e.g., terminal) checks to determine, as ap-The functional scope of system servers or clients is definedpropriate, the validity of the source of data input or operationalduring system configuration. In addition, user roles and accessinstruction.can be limited to single or specified nodes.Determination that persons who develop, maintain, or useThe customer is responsible for ensuring that personnel work-electronic record/electronic signature systems have the educa-ing with the automation system are qualified. Under ABB’stion, training, and experience to perform their assigned tasks.quality system, ABB trains and documents the training of ABBproduct and system development staff and implementationpersonnel.21 CFR Part 11 7
The FDA allows electronic signaturesSection21 CFR Part 11 Regulation Text800xA Implementation and Application(j)The establishment of, and adherence to, written policies thatThe system owner is responsible for defining the policy for thehold individuals accountable and responsible for actions initi-manufacturing or production
for download into an instrument, a new batch recipe is ap-proved for production or an operator input occurs. The elec-tronic signature act is performed by user or supervisor typing in their User ID and Password. Our commitment. 21 CFR Part 11 5 Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are .
