ComplianceQuest Support of Compliance to FDA 21 CFR Part 11Requirements WHITE PAPER. ComplianceQuest In-Depth Analysis and Review

Transcription

1 ComplianceQuest Support of Compliance to FDA 21 CFR Part 11 WHITE PAPER ComplianceQuest In-Depth Analysis and Review

2 ComplianceQuest Support of Compliance to FDA is the FDA guideline that defines the criteria under which electronic records and electronic signatures are considered to be dependable, reliable and equivalent to that of the paper records. Part 11, as it is commonly known, was introduced in 1997 and applies to the FDA-governed industries that choose to store their primary, authoritative records electronically. It stipulates the guidelines and rules for storage, copying, access & permissions, audit logs & tracking. It also identifies version control of the electronic records and the application of electronic signatures to them. Part 11 applies to all records that are defined in the underlying Acts and Regulations which govern activities in the life science industries. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries to implement controls, including: audits, system validations, audit trails, electronic signatures, & documentation for software and systems involved in processing electronic data that are either required to be maintained by the FDA predicate rules or used to demonstrate compliance to a predicate rule. ComplianceQuest (CQ) supports FDA compliance requirements for life science organizations in health-care, pharmaceutical, life-science, biotechnology, medical-manufacturing, medical-device, and other FDAregulated industries. Title requires companies to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems that are involved in processing many forms of data, as part of their business practices and product development. Title enacted the FDA's requirement that they be able to recognize electronic records and electronic signatures as dependable, reliable, and legal equivalents to paper records and handwritten signatures. This also allows companies to go to a paperless system of record keeping.

3 Electronic Signature CQ automatically secures and binds the authenticated user's electronic signature. CQ ensures that the user has signed onto the system and exposed their signature through the forced authentication process, as required by 21 CFR Part 11. Authentication is required each time a transaction is processed. It is equivalent to that of a paper form that would have been signed by an individual. Audit Trail CQ securely and automatically posts any and all field changes to a separate database. The Audit Trail includes the field's old value, new value, name of the user who made the change, and date and time. CQ not only stores the audit trail information, but also allows for the information to be queried and helps present the information to support a regulatory audit easily. Comparison of System Requirement with ComplianceQuest Features 11.10b The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying 11.10d The system shall limit access to authorized individuals e The system shall employ secure, computergenerated date/time stamped audit trails to independently record CQ has a broad range of standard reports and ability to generate custom reports, in both printed and downloadable electronic formats. CQ access is controlled by user id and password. Access to different functions and scope of data accessed is controlled by Function Permissions to role with Function Data Scope tables. These permissions and data scoping rules and may be customized. CQ database audit-trail tables (Insert, Update, and Delete triggers) exist for all the transaction records.

4 operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information f The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised) g that only authorized individuals can use the system. Electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand h The system shall determine, as appropriate, the validity of the source of data input or operational instruction , (2), (3) all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, CQ system provides for the full enforcement of the pre-defined and validated rules that ensures that the required steps and event sequencing are performed as specified. CQ access is controlled by a user ID and password. Access to different functions and scope of data accessed is controlled by Function Permissions to Role and Function Data Scope tables. These permissions and data scoping rules may be customized. CQ access is controlled by user ID and password. Users may be required to reinput their password when approving a SCAR or confirming a change. CQ stores the user ID of the signer along with the date/time that the signature was executed. The definition of the signature is also stored in the database.

5 11.50 (b) (a) (a) (a) 1 (i) a authorship). the three signature elements (described in the previous requirement) of a signed electronic record, part of a readable form of the electronic record (e.g. electronic display or printout). electronic signatures are linked to their respective electronic records. These electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by any ordinary means. that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else. The system shall employee at least two distinct identification components such as an identification code and a password. The system requires the use of all electronic signature components for the first signing during The three signature items are included in all audit trail reports in the CQ solution. The addition of user ID s and date stamps to various records is done automatically by the CQ, rather than through any user interface. CQ User ID s in the system apply to one and only one person. However, it is a procedure to not change the name and property information associated with a user id, other than to correct errors or update information (e.g. address, phone, etc.), as required. If the user ID itself is changed, the changes are propagated to all records in the system with that user ID. The CQ system uses a user ID and a password for access. In the CQ system, the first signing is when the administrator or other user logs into the system. This requires a user ID and password.

6 (i) b (i) c (ii) (a) (2) (a) (3) a single continuous period of controlled system access The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component. users are timed out during periods of specified inactivity the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access. non-biometric electronic signatures that can only be used by their genuine owner. all attempted uses of an individual's electronic signature by anyone other than its genuine As confirmation of data inputs or approvals, the CQ will prompt for the at least the password to comply with this requirement. The CQ has a configurable time-out period. If there is no activity for that length of time, the user is logged off and must perform a complete login to re-access the system. In CQ, a single continuous period means the time between login and logout. The logout would either be explicit or based on a timeout as described above. In both cases, a full login is then required, with both a user ID and password. The CQ requires the use of user ID and password for identification. The implementation of this requirement is more procedural, in that user ID s and passwords should be protected and not shared. The password may be configured to be of a certain length and format, and to be changed every nn days. At this time the system does not offer biometric electronic signatures but they can be added on a custom basis. User ID s and passwords should not be shared, and procedures should be in place to ensure this.

7 (a) (b) owner who will require collaboration of two or more individuals. each combination of identification code and password which is unique, such that no two individuals have the same combination of identification code and password. that passwords be periodically revised. For CQ, the user ID is primary key in the database, and as such, it is impossible to apply it to different users. The CQ can require that passwords be changed every nn days. An audit trail is also kept of password changes. Disclaimer: As per the regulation, the responsibility for FDA compliance falls squarely on companies themselves. They must have appropriate policies, procedures, and technical controls in place, to be compliant, so merely purchasing a software system with compliant functionality does not itself satisfy compliance regulations. While CQ solution has attempted to consider all parts of the Part 11 rule contained in this web page, the system described has not been approved or mandated by FDA or any other governmental agency. ComplianceQuest makes no claims that following the advice herein described will disqualify companies or individuals from FDA sanction. Compliance to FDA regulations in its entirety lies with the using company. About ComplianceQuest: ComplianceQuest, an innovative 100% cloud based Enterprise Quality Management System solution company, provides an enterprise grade solution platform that streamlines quality, compliance, content and collaboration management initiatives and strategies across your enterprise and globally based supply chain networks. ComplianceQuest helps accelerate manufacturers and distributors to accomplishing their most challenging quality, compliance and supplier management goals. ComplianceQuest,