21 CFR Part 11 FAQ (Frequently Asked Questions)

Transcription

1 21 CFR Part 11 FAQ (Frequently Asked Questions) and Roles and Responsibilities for Assessment of METTLER TOLEDO STAR e Software Version 16.00, including: - 21 CFR 11 Compliance software option for Compliance with the Requirements of 21 CFR Part 11 Regulations (Electronic Records and Electronic Signatures Final Rule) 21CFR11FAQSTARE.doc 1 of

2 1. 21 CFR 11: nical, Administrative and Procedural Controls The purpose of this document is to outline the roles and responsibilities for 21 CFR 11 assessment and compliance and inform customers how METTLER TOLEDO is responding to the challenges presented by the regulation. Published in March 1997 and effective on August 20, 1997, the Electronic Records; Electronic Signature final rule (21 CFR Part 11) has had a greater impact on computerized systems than any other regulation. The basic requirement forces computerized systems to ensure the integrity, reliability and trustworthiness of electronic records. In addition, electronic signatures must be trustworthy and equivalent to handwritten signatures executed on paper records. The regulation requires organizations to have in place three levels of control: Administrative controls: e.g. policies for Part 11 and the use of electronic signatures Procedural controls: SOPs for using the system nical controls: functions built into software that ensure the reliability and integrity of electronic records and signatures This means that it is not possible for any supplier to offer a turnkey 21 CFR Part 11 compliant system. There is software that can be designed to be compliant with 21 CFR 11 technical controls, but it is the user who is responsible for providing policies and procedures to ensure the systems are fully compliant with the regulations and the predicate rule applicable. This is shown in Figure 1 below and illustrates the importance of an integrated approach to 21 CFR 11 compliance and why there is no 21 CFR 11 compliant software. nical controls ( responsibility) Software designed to be compliant Procedural controls (User responsibility) 21 CFR 11 Requirements defined in the regulations Administrative controls (User responsibility) Procedures for System (company internal guidelines) Figure 1: A compliant system requires 3 elements: one from the supplier and two from the user 21CFR11FAQSTARE.doc 2 of

3 The reference number (Ref. No.) index on page 5 21 is based on the following table: 21 CFR Part 11 (Electronic Records; Electronic Signatures) Sec. Subpart A General Provisions 11.1 Scope Implementation Definitions. Subpart B Electronic Records Controls for closed systems Controls for open systems Signature manifestation Signature/record linking. Subpart C Electronic Signatures General requirements Electronic signature components and controls Controls for identification codes/passwords. 21CFR11FAQSTARE.doc 3 of

4 1.1 Closed Versus Open System Definition of a closed system (Subpart A Definitions: 11.3 (4)): Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system Definition of an open system (Subpart A Definitions: 11.3 (9)): Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system (for example Internet) STAR e software The STAR e software is designed as a closed system. There is therefore no discussion or mention of open system controls (Subpart B Electronic Records: 11.30). 21CFR11FAQSTARE.doc 4 of

5 Controls Required for Electronic Records Abbreviations for 21 CFR 11 Control Type: = Procedural & Administrative ( responsibility); = nical ( responsibility) Controls for closed systems System Validation [11.10(a)] Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern altered and invalid records (a) / 1 Is the system validated to the Company standards? The end user is responsible for validation according to company policies and procedures. The system is specified in the DQ and the tested in the PQ. METTLER TOLEDO provides IQ and OQ at installation and can assist you with PQ. The STAR e software is delivered with a certificate of system validation. The software is designed and tested according to the METTLER TOLEDO internal ISO9001 quality management standards (a) / 2 Did software validation include tests and checks that demonstrate compliance with all applicable parts of 21 CFR 11 (e.g. audit trail, backup/restore, archive, security controls, device/terminal checks, e- signatures)? (The tests are based on these technical controls having been designed, programmed and tested into the system by the supplier) 11.10(a) / 3 Are altered records recognized by the system and how are these changes documented? The changes made to records are recognized by the system. The change record is logged in the audit trail and referenced in section 11.10(e) 21CFR11FAQSTARE.doc 5 of

6 11.10(a) / 4 Is the system able to recognize invalid records? The end user is responsible for checking that information is correctly applied. Standard operating procedures (SOPs) can be setup to ensure that this is the case. It is also a requirement under GMP regulations that a second, independent person checks laboratory records and the information they contain. The STAR e Software is designed with the following features: a) It does not allow you to create invalid records. Manual entry values are checked for validity. So as a result the data base contains only valid records. b) The data base does not allow a user to manually modify a record. A user only gets access to the records through the application. c) Invalid records cannot be read by the STAR e software. 21CFR11FAQSTARE.doc 6 of

7 11.10(b) / (b) / 4 Record Inspection [11.10(b)] The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency. Can the system generate accurate and complete copies of records in both human readable and electronic form (ASCII, PDF) for inspection, off-line review, and copying by the FDA? Can the software generate copies of users with their individual user rights (e.g., file access, electronic signature) Yes, in ASCII and PDF formats. METTLER TOLEDO recommends an SOP for the handing over of electronic records to the agency for inspection. Yes, paper copies are possible and electronic copies (in PDF format) are possible. 21CFR11FAQSTARE.doc 7 of

8 11.10(c) / (c) / (c) / 7 Records Protection [11.10(c)] Protection of records to enable their accurate and ready retrieval throughout the records retention period. Are all electronic records saved to a secure location, preferably on the site network? Do SOPs cover who is responsible for backup, restore and recovery. How is this done? Do SOPs cover who is responsible for long term archiving and retrieval. How is this done? 11.10(c) / 8 Are all electronic records included in system backups? The backup is made with a tool from the STAR e database management system. It includes all electronic records (c) / (c) / (c) / (c) / (c) / (c) / 14 Can data generated in earlier software versions be retrieved from archive and viewed in its entirety? If records can be copied outside the software, is user access to the copy read-only? If no, does the software prohibit the overwriting of the original record by the copy? Are critical records stored in one location only? If not, do validated automatic functions exist to maintain data integrity? Is simultaneous write access to the same electronic record by multiple users prohibited? Can data be recreated after a computer system failure? Are the records protected from hazards such as fire, heat and water by environmental controls (e.g. ventilation)? The restore function allows you to import backups from earlier software versions. Backup and restore actions are documented in the system audit trail.,, Records cannot be copied outside of the STAR e software. Copies can be generated by export/import or by save as, but they are stored in a new file with a different date/time stamp. The original file is not overwritten. All data are stored in the STAR e database in one location. The customer can only access the database through the STAR e software. The database prevents two or more users simultaneously saving the same electronic record. The data can be recreated from the backup. Data created after the last backup is usually lost (e.g. hard disk failure). 21CFR11FAQSTARE.doc 8 of

9 11.10(c) / 15 Have retention periods for the electronic records retained in the system been specified? (Minimum requirements for GMP record retention is batch expiry plus one year, however product liability requirements are 11 years in Europe and 20 years in United States. The user should refer to their company policy) 21CFR11FAQSTARE.doc 9 of

10 11.10(d) / (d) / (d) / (d) / (d) / (d) / (d) / (d) / (d) / 24 Security [11.10(d)]: Limiting system access to authorized individuals. Are devices for storage of electronic records (e.g., PC, file/database servers and backup and archive durable media) located in a controlled area or physically secured? Does the system limit system access to authorized individuals? Does a list of current and previous users of the system exist? Does the system prevent deletion of users from the system in order to ensure the uniqueness of user IDs? The User ID should be deactivated but retained. Does the system have a password-protected inactivity lock? Is user access to the operating system restricted to the system administrator or an equivalent authorized user? If the computer system can be accessed remotely, are additional security measures such as call back or SecurID included? Do remote access sessions automatically log off when a disconnect is detected? Are safeguards in place to detect attempts at unauthorized use, and to lock the account after several consecutive unsuccessful attempts to enter a password? Is there an approved procedure that describes the administration of system security? Yes, the system has two safety levels. Only users with a Windows and a STAR e account can access the STAR e software. In the CFR Compliance mode, it is not possible to delete users. Old user accounts can only be disabled. The STAR e system has its own session lock system that is password-protected. Remote access with STAR e Version is possible. The security measures provided are based on the security settings of the operating system (Windows Terminal Services). After a disconnect, a login is required to establish a connection between the terminal and the server (Windows Terminal Services). The number of login attempts can be defined by the STAR e system administrator. After the defined number of failed login attempts the user account is locked. 21CFR11FAQSTARE.doc 10 of

11 11.10(e) / 25 Audit Trail [11.10(e)] Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Are there computer-generated (automatic) audit trails of all user actions? 11.10(e) / 26 Are audit trail entries date-stamped DD-MM-YYYY? Yes Yes, in the system audit trail or in the analysis audit trail (e) / 27 Are audit trails time-stamped HH-MM-SS in local time? Yes 11.10(e) / (e) / (e) / 30 Are there controls to ensure that the system clock date and time stamps are accurate and secure from tampering (e.g. changing the system clock)? Do all audit trails include operator identity, using full name or the customer-defined user ID of an individual? Is there an audit trail for system activity, including all user login and failed access attempts? Yes, the operator identity (user ID) is given by the unique user name. Yes, in the system audit trail (e) / 31 Is an audit trail generated during creation of all data? Yes 11.10(e) / 32 Is an audit trail generated during modification of all data? Yes 11.10(e) / (e) / 34 Is an audit trail generated during deletion or inactivation of all data? If a signed record is changed, does the system retain and display the old and new value? Yes Yes 21CFR11FAQSTARE.doc 11 of

12 11.10(e) / 35 Does each audit trail entry describe the action performed? Yes 11.10(e) / (e) / (e) / 38 Does the audit trail contain sufficient information to allow a reviewer to trace all changes to a signed record from its current state back to the original values? Is the audit trail directly linked to the record, but located separately? Is the audit trail backed up? Are audit trail records being maintained for at least as long as the retention of the underlying records? Yes Yes. The audit trail entry however is stored separately and is not part of the electronic record itself. Yes. The audit trail is also stored in the database and therefore part of the backup (e) / (e) / (e) / (e) / (f) / 43 Is a read-only display or report available for viewing the audit history? Are audit trails available for review and copying by the agency? Are all users, (including the system administrator) unable to modify audit trail details? Are changes to user access control levels (i.e. user roles) and permissions (i.e. user rights) audit trailed? Operational Checks [11.10(f)] Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. If the sequence of system steps or events is important in a process, is this enforced by the system? (as appropriate)? Yes. The display or the printout of the audit trail can be configured using suitable filter criteria (e.g. action, date from, date to, user). Yes Yes. Nobody can modify the audit trail. Yes Yes. Sample analysis is performed in the appropriate sequence. For example, it is not possible to sign a record before it has been processed. 21CFR11FAQSTARE.doc 12 of

13 11.10(g) / 44 Authority Checks [11.10(g)] Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Does the software require entry of a separate user ID and password, in addition to that required by the operating system? Yes, see 11.10(d) / (g) / 45 Does each user have an individual unique account? Yes 11.10(g) / (g) / (g) / (h) / (h) / 50 Does the system have different user-defined access control levels? If the system has different user levels, are there SOP(s) in place to describe how a user s access shall be defined? Are modifications/deletions to data always performed through the software control? (e.g. data is not changed through SQL or other data access tools). Device and Terminal Checks [11.10(h)] Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction Are device checks to determine validity of the source of input or operation designed and implemented in the system (as appropriate)? [e.g. a software indicating that data input is derived from a particular device, such as a balance, should identify the device or only allow data entry from that device, and not from a terminal]. Are terminal checks to determine validity of the source of input implemented? Yes, via user roles and user rights. Yes. You can only access the database via the STAR e software. The STAR e software allows only certain predefined transactions to be performed. Yes. The system performs checks to ensure the validity of manual or automatic data input. For example with manual input the system checks whether the temperature entered exceeds the maximum usable temperature defined for the crucible. The data transferred from measuring modules to the STAR e system are automatically checked. Invalid data either leads to an error message, i.e. no data is stored, or all data is stored but the faulty data points are marked as invalid. The STAR e software does not support terminal input. 21CFR11FAQSTARE.doc 13 of

14 11.10(i) / 51 Personnel Qualifications [11.10(i)] Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks Has it been documented that the following persons have the education, training, and experience to perform their assigned tasks: Developers of the computerized system? Note: Following the preamble, this requirement only goes as far as internal developers. (Comment 87). In order to answer Yes to this question, the vendor must maintain training records, and be aware of the 21 CFR 11 implications. Documentation should be reviewed during audits. The software development team was trained in January 3-4, 2001 by Dr. Bob McDowall. Sales and service engineers receive special CFR training (see training certificate) and are fully qualified to perform their tasks (i) / 52 External maintainers of the computerized system? Only METTLER TOLEDO personnel are qualified to maintain the STAR e system, e.g. repair, upgrading, equipment qualification (i) / 53 Internal maintainers of computerized system? 11.10(i) / 54 Users of the computerized system? Accountability and Responsibility for Actions [11.10(j)] The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification 11.10(j) / 55 Have policies and/or procedures holding individuals accountable and responsible for actions initiated under their electronic signatures been established and followed? 21CFR11FAQSTARE.doc 14 of

15 Systems Documentation Controls [11.10(k)] Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents timesequenced development and modification of systems documentation. Note: This covers vendor supplied manuals/documentation as well as logs for the system (backup, errors etc.) 11.10(k) / 56 Are there adequate controls over the distribution of documentation for system operation and maintenance? (Only controlled copies of SOPs should be issued by the Quality Department.) 11.10(k) / 57 Are there adequate controls over access to documentation for system operation and maintenance? (System log books should be kept on the laboratory bench, next to the system.) 11.10(k) / 58 Are there adequate controls over the use of documentation for system operation and maintenance? 11.10(k) / 59 Are revision and change control procedures in place to maintain an audit trail that documents the timesequenced development and modification of the systems documentation? (Only applies to documentation that can be changed by individuals within ). Software and operating instructions are version-controlled. Version control is an important part of the IQ/OQ documentation provided by METTLER TOLEDO. Every change made to the system must be documented in the IQ/OQ documentation, e.g. a software update. 21CFR11FAQSTARE.doc 15 of

16 11.50(a) / (a) / Signature manifestations. Signing Requirements [11.50(a)] (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. Do electronically signed electronic records contain information associated with the signing that clearly indicates: The full printed name of the signer? [11.50 (a)(1)] The date and time when the signature was executed? [11.50(a)(2)] N.B. Handwritten signatures on paper records require date only (a) / 3 The meaning of the signature? [11.50(a)(3)] Yes Yes Yes. The system administrator can define up to 10 meanings of signatures. The user must select one of these meanings when signing a document. 21CFR11FAQSTARE.doc 16 of

17 11.50(b) / (b) / 5 Controls for Electronic Signatures [11.50(b)] (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). Are all items in the signature manifestation subject to the same controls as for electronic records? [11.50(b)]. Are all items in the signature manifestation included as part of any human readable form of the electronic record (such as electronic display and/or printout or report)? [11.50 (b)] Yes Yes. The signature manifestation consists of: - printed name of the signer, - date and time of the signing, - meaning of signing and - remarks (optional text) This information is displayed or printed. 21CFR11FAQSTARE.doc 17 of

18 11.70 Signature/record linking. Linking Signatures to Electronic Records [11.70] Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means / 1 Are all electronic signatures on electronic records linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means? [11.70] / 2 Are handwritten signatures on printouts of electronic records linked to their respective electronic records? Note: Minimum requirement is initials of signer, print date/time unique sample identifier, and, if appropriate, file name and location / file size / 3 Does the system identify whether a record has been modified after signing and requires a new signature? / 4 When changes are made to previously approved electronic records, are electronic or handwritten signatures applied to updated records, and linked to the original signed record? Yes Yes Yes. Please note that the linkage of handwritten signatures to printouts of the electronic records is in the responsibility of the user. 21CFR11FAQSTARE.doc 18 of

19 General requirements. Uniqueness of Signature [11.100(a)] (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else (a) / 1 Are electronic signatures unique to an individual? [ (a)] (a) / 2 Does the system prohibit use of shared/group accounts as components of electronic signatures? Verification of Identities [11.100(b)] (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual (b) / 3 Electronic signatures cannot be reused by, or reassigned to, anyone else [ (b)] Yes. The STAR e software supports unique electronic signatures. Please note, the customer must ensure that no two or more users share the same user account. Yes. The STAR e software supports unique user accounts. Please note, the customer must ensure that no two or more users share the same user account. Yes. The user account (and therefore also the electronic signature) is unique for the lifetime of the database. User accounts can only be disabled but not deleted. 21CFR11FAQSTARE.doc 19 of

20 Certification to the FDA [11.100(c)] (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC 100), 5600 Fishers Lane, Rockville, MD (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer s handwritten signature (c) / 4 Is the identity of an individual verified before an electronic signature is allocated? [ (c)] (c) / 5 Has the customer organization sent a letter to the FDA, stating their intent to use electronic signatures? (Before using electronic signatures) 21CFR11FAQSTARE.doc 20 of

21 2. Controls Required for Electronic Signatures Abbreviations for 21 CFR 11 Control Type: = Procedural & Administrative ( responsibility); = nical ( responsibility) Electronic signature components and controls. Components and Sessions [11.200(a)] (a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (1) Be used only by their genuine owners; and (2) Be administered and executed to ensure that attempted use of an individual s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals (a) / 1 Is the signature made up of at least two components, such as an identification code and password or an ID card and a password? [ (a)(1)] Yes, user name and password. 21CFR11FAQSTARE.doc 21 of

22 (a) / 2 When several signings are made during a continuous session, is the secret part of the signature executed at each signing? Both components must be executed at the first signing of a session. [ (a)(1)(i)] (a) / 3 If signings are not done in a continuous session, are both components of the electronic signature executed with each signing? [ (a)(1)(ii)] The STAR e software does not allow procedures in which more than one file is signed in a continuous signing session. Electronic records must be individually signed. Yes. Each signing action is linked to one single electronic record and always requires authentification with user name and password (a) / 4 Are signatures designed to ensure that they can only be used by their genuine owners? [ (a)(2)] (a) / 5 Would an attempt to falsify an electronic signature require the collaboration of at least two individuals? [ (a)(3)] Biometric Electronic Signatures [11.200(b)] (b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners (b) / 6 Have biometric electronic signatures been validated including attempted use by other users? Yes The STAR e system does not support biometric devices. 21CFR11FAQSTARE.doc 22 of

23 Controls for identification codes/passwords. Uniqueness of Electronic Signature [11.300(a)] (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password (a) / 1 Does the system keep all password details confidential, so that they are not available to any system user, including the administrator? (a) / 2 Are controls in place to maintain the uniqueness of each combined identification code and password, such that no two individuals can have the same combination of identification code and password? [ (b)] Yes Yes, the identification code (ID) is already unique. 21CFR11FAQSTARE.doc 23 of

24 Checking of IDs and Passwords [11.300(b)] (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging) (b) / 3 Are procedures in place to ensure that the validity of identification codes is periodically checked? [ (b)] (b) / 4 Do passwords periodically expire and need to be revised? [11.300(b)] (b) / 5 Are passwords obscured when entered? Yes Loss of Passwords and Tokens [11.300(c)] (c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls (c) / 6 Is there a procedure for recalling identification codes and passwords if a person leaves or is transferred? [11.300(c)] (c) / 7 Is there a procedure for electronically deactivating an identification code or password if it is potentially compromised or lost? [11.300(c)] (c) / 8 Is there a procedure for temporary or permanent replacements using suitable rigorous controls? [11.300(c)] The password expires after a certain time period predefined by the system administrator. Yes. The STAR e system allows the administrator to disable user accounts. Yes. The STAR e system allows the administrator to reset the passwords of any user. 21CFR11FAQSTARE.doc 24 of

25 Unauthorised Use [11.300(d)] (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management (d) / 9 Is there a technical feature to detect attempts at unauthorized use and for informing security? [11.300(d)] (d) / 10 Is there a procedure for immediate and urgent reporting to security/management any attempt at unauthorized use of identification codes and passwords? [11.300(d)] (Note: a SOP should describe the regular inspection of the audit trail for unauthorized login attempts.) Checking Devices [11.300(e)] (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Yes. Login attempts are monitored in two ways by the STAR e system. 1. After a predefined number of attempts a user account is automatically locked. 2. In addition, every login attempt creates an audit trail entry. Unsuccessful login attempts are documented in the audit tail but not automatically reported to the administrator (e) / 11 Are tokens or devices regularly checked or replaced? The STAR e software does not support the use of tokens and devices to generate identification codes or password information. 21CFR11FAQSTARE.doc 25 of