COMPLIANCE. associates VALIDATOR WHITE PAPER. Addressing 21 cfr Part 11

Similar documents
Exhibitor Software and 21 CFR Part 11

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

21 CFR PART 11 COMPLIANCE

TECHNICAL BULLETIN [ 1 / 13 ]

Compliance Matrix for 21 CFR Part 11: Electronic Records

WHITE PAPER AGILOFT COMPLIANCE WITH CFR 21 PART 11

21 CFR Part 11 Module Design

ChromQuest 5.0. Tools to Aid in 21 CFR Part 11 Compliance. Introduction. General Overview. General Considerations

REGULATION ASPECTS 21 CFR PART11. 57, av. Général de Croutte TOULOUSE (FRANCE) (0) Fax +33 (0)

NucleoCounter NC-200, NucleoView NC-200 Software and Code of Federal Regulation 21 Part 11; Electronic Records, Electronic Signatures (21 CFR Part 11)

OpenLAB ELN Supporting 21 CFR Part 11 Compliance

Adobe Sign and 21 CFR Part 11

The Impact of 21 CFR Part 11 on Product Development

Integration of Agilent UV-Visible ChemStation with OpenLAB ECM

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

SDA COMPLIANCE SOFTWARE For Agilent ICP-MS MassHunter Software

Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11

21 CFR Part 11 FAQ (Frequently Asked Questions)

Compliance of Shimadzu Total Organic Carbon (TOC) Analyzer with FDA 21 CFR Part 11 Regulations on Electronic Records and Electronic Signatures

FDA 21 CFR Part 11 Compliance by Metrohm Raman

EZChrom Elite Chromatography Data System. Regulatory Compliance with FDA Rule of Electronic Records and Electronic Signatures (21 CFR Part 11)

Using "TiNet 2.5 Compliant SR1" software to comply with 21 CFR Part 11

Sparta Systems Stratas Solution

Introduction 2. History. Adapted to zenon version 6.20 (MH) January 13 th, 2006

Sparta Systems TrackWise Digital Solution

Sparta Systems TrackWise Solution

Metrohm White paper. FDA 21 CFR Part 11 Requirements for NIR Spectroscopy. Dr. N. Rühl

INFORMATION. Guidance on the use of the SM1000 and SM2000 Videographic Recorders for Electronic Record Keeping in FDA Approved Processes

ComplianceQuest Support of Compliance to FDA 21 CFR Part 11Requirements WHITE PAPER. ComplianceQuest In-Depth Analysis and Review

21 CFR Part 11 LIMS Requirements Electronic signatures and records

White Paper Assessment of Veriteq viewlinc Environmental Monitoring System Compliance to 21 CFR Part 11Requirements

System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: tiamo (Software Version 2.

Electronic Data Processing 21 CFR Part 11

Validation Checklist Appendix A WiZARD2 Secure and 21 CFR 11 Requirements

Assessment of Vaisala Veriteq viewlinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements

Using "IC Net 2.2 " software to comply with 21 CFR Part 11

Technical Information

System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: StabNet (Software Version 1.

Using Chromeleon 7 Chromatography Data System to Comply with 21 CFR Part 11

Using Chromeleon Chromatography Management Software to Comply with 21 CFR Part 11

Using the Titrando system to comply with 21 CFR Part 11

System Assessment Report Relating to Electronic Records and Electronic Signatures; Final Rule, 21 CFR Part 11

Guidelines for applying FactoryTalk View SE in a 21 CFR Part 11 environment

Part 11 Compliance SOP

System Assessment Report Relating to Electronic Records and Electronic Signatures; Final Rule, 21 CFR Part 11. System: tiamo 2.3

Using the Titrando system to comply with 21 CFR Part 11

21 CFR 11 Assistant Software. 21 CFR Part 11 Compliance Booklet

Cell Therapy Data Management

Agilent Response to 21CFR Part11 requirements for the Agilent ChemStation Plus

Guidance for a 21 CFR Part 11 implementation on Microsoft Office SharePoint Server 2007

Electronic Records and Signatures with the Sievers M9 TOC Analyzer and DataPro2 Software

OM-MICROLITE-8 AND OM- MICROLITE-16 DATA LOGGERS AND OM-MICROLAB

Spectroscopy Configuration Manager (SCM) Software. 21 CFR Part 11 Compliance Booklet

Meeting regulatory compliance guidelines with Agilent ICP-MS MassHunter and OpenLAB Server

Agilent Technologies Dissolution Workstation Software Electronic Records and Data Storage Background

Achieving 21 CFR Part11 Compliance using Exaquantum/Batch Authored by Stelex

Automation Change Management for Regulated Industries

How to get your Movicon 11 project FDA 21 CFR Part 11 ready. Document: RAC-4105 Released: Updated: Rel. Movicon: 11.

Introduction. So what is 21 CFR Part 11? Who Should Comply with 21CFR Part 11?

System Assessment Report Relating to Electronic Records and Electronic Signatures; Final Rule, 21 CFR Part 11. System: tiamo 2.0

21 CFR PART 11 FREQUENTLY ASKED QUESTIONS (FAQS)

21 CFR Part 11 Fundamentals

Real World Examples for Part 11 Technical Controls

Summary. Implementing CFR21 Part 11 with Movicon 11 Page 2

testo Comfort Software CFR 4 Instruction manual

Achieving 21 CFR Part 11 Compliance using CENTUM VP

Complying with FDA's 21 CFR Part 11 Regulation

Statement of 21 CFR Part 11 Validation Results

User Manual. Version 1 1/10/ of 26

MySign Electronic Signature

MicroLab FTIR Software 21 CFR Part 11 Compliance

SECURITY & PRIVACY DOCUMENTATION

Electronic Data Capture (EDC) Systems and Part 11 Compliance

Achieving 21 CFR Part 11 Compliance using CENTUM VP

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

e-authentication guidelines for esign- Online Electronic Signature Service

eprost System Policies & Procedures

ABB Limited. Table of Content. Executive Summary

Electronic Signature Policy

Premium HMI and FDA 21 Part 11 regulations TN0009. Version Description Date 1 First emission 10/04/2012

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Learning Management System - Privacy Policy

A Quick Guide to EPCS. What You Need to Know to Implement Electronic Prescriptions for Controlled Substances

Information Security Policy

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

ACCEPTANCE OF ELECTRONIC MAINTENANCE RECORDS

Virginia Commonwealth University School of Medicine Information Security Standard

EU Annex 11 Compliance Regulatory Conformity of eve

Implementing Electronic Signature Solutions 11/10/2015

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

Rev.1 Solution Brief

Access to University Data Policy

Support for the HIPAA Security Rule

Wescom Solutions, Inc. Practitioner Engagement Android Version CFR EPCS Certification Report

Transcription:

VALIDATOR WHITE PAPER Addressing 21 cfr Part 11

Compliance Associates 1 1 INTRODUCTION 21 CFR Part 11 has been become a very large concern in the pharmaceutical industry as of late due to pressure from regulatory bodies enforcing compliance for GxP systems. Due to this, more and more organizations are realizing the criticality of employing or ramping up existing system to meet these requirements. This document s intent is to clearly define how the Validator system developed by Compliance Associates demonstrates full compliance with 21 CFR Part 11 requirements. 2 SCOPE Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations. Part 11 also applies to electronic records submitted to the Agency under the Federal Food, Drug, and Cosmetic Act (the Act) and the Public Health Service Act (the PHS Act), even if such records are not specifically identified in Agency regulations ( 11.1). 3 ELECTRONIC RECORDS Validator is a true content management system that allows documents, templates, sections, and other data to be created, manipulated and repurposed within the system with ease to quickly produce deliverables. Any deliverable produced by the system can in turn be generated as a report as well. These deliverables can be viewed in screen within data components, generated and saved as PDF copies, and printed from the PDF copies as well. 4 AUTHORIZATION, ACCESS and ENCRYPTION Validator employs three forms of identification that are required in order for users to login and access projects; User ID, Password, and Certification ID. Certification ID s are generated as a result of reading through training material content pertaining to validation, and taking an online test available through the system. A passing grade will generate the certificate ID which can then be used to login. User passwords are encrypted in the database using irreversible hash encryption algorithms, which ensures that passwords can never be discovered when created, even on the back end. The web.config file that holds configuration settings for the application also have all key database connection strings and security parameter encrypted for security The scope of Validator implementation currently is local installation at a client facility and thus is considered a closed system. As a result of this, responsibility for the network security and external access through VPN for secure connection falls to the client. Compliance Associates does not currently provide a hosted solution for Validator and thus the requirements pertaining to security of Validator as an open system will not be covered in this document. 5 ELECTRONIC SIGNATURES Validator employs e-signatures at several key locations in the system and most importantly during the review and approval of deliverables in the workflow module. E-signatures in Validator use a combination of User ID and password, both of which are required upon each signature regardless of continuous or separate signing sessions. Once a user signs electronically, a record is created in the database along with the User ID, time and date of signature and meaning of signature. When signing as approval for documents, the record information is also embedded within the PDF, and the database record will also contain information about the report being approved, the version etc. This report signature record is then encrypted within the database to secure the link between the record and the PDF, and prevent any tampering even on the back end by administrators. Furthermore, PDF s generated in Validator are stored in binary format and cannot be edited from within the database. PDF s stored in the system repository can be viewed by users and administrators, but any modifications made to the PDF are not able to be saved back to the database. This prevents unauthorized modification of PDF documents by system users and administrators. The combination of locked down PDF and encrypted records from signatures preserves the two core components of the e-signature in Validator producing secure and compliant methodology of signing documents. 6 SSL ENCRYPTION Validator employs SSL encryption to ensure that any page that allows login or signature within the system has been securely encrypted to use the https protocol on URL s to disallow any tampering, hacking or hi-jacking of data over networks or opens systems. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 2 7 SPECIFIC INERPRETATION TO RULING Controls for Closed Systems.10 Controls for Closed Systems Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: Validator allows application administrators to define roles/ permissions for each view within the system. Authenticity, integrity and confidentiality of electronic records within CA Validator are maintained through permission levels that restrict access where applicable. Documents are controlled and recorded in a secure audit trail. Authentication involves userid, password and certification id..10(a) Validation Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Compliance Associates currently does not offer the Validator system as a hosted solution. Installations are done at client sites, thus the responsibility of validating the system lies with the client. However Compliance Associates has a complete validation package that is made available to clients upon installation such that this compliance requirement can be met fully..10(b) Readability The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. Validator allows the viewing, generating and printing of reports for any deliverable produced by the system. Please refer to Section 3 of this document. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 3.10(c) Archival Record Protection Protection of records to enable their accurate and ready retrieval throughout the records retention period. Validator includes comprehensive security measures to protect all electronic records within the system. All reports generated, even for closed projects is secured, organized and readily available from the Validator repository when needed. Validator also has an archiving feature to relocate and store legacy reports/ projects to a shared drive location..10(d) System Limiting system access to authorized individuals. Validator provides multiple levels of security, restriction of access to projects, administrative functions, and every individual page in the system by role. Refer to Section 4 of this document for more details..10(e) Audit Trails / Document Retention Use of secure, computergenerated timestamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records shall be available for agency review and copying. Validator contains two levels of audit trail, one for the application and one for report approval. Both audit trails capture user performing the action, and date and time of the action. The application audit trail preserves prior entries and report audit trials capture meaning of signature. Audit trails within Validator are secure and are not alterable by users or administrators. Administrator module actions are also captured within a separate audit trail..10(f) Sequencing Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Validator allows multiple points at which dependencies can be set. Foremost document sequence can be pre-set to force sequencing of events and deliverable creation based on the organization s needs. Test procedure dependencies are also possible. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 4.10(g) Authority Checks Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Please refer to Sections 3, 4 and 5 of this document..10(h) Location Checks Use of device (e.g. terminal checks) to determine, as appropriate, the validity of the source of data input or operational instruction. Validator currently has no external systems or interfaces that data flows in from or out to..10(i) Education/ Training Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. Validator provides a computer based training module. Upon completion of computer-based training, the user can choose to take a test. If the score is a passing grade then the user is provided with a unique certificate id. This unique certificate id grants the user access to the system. This method of restrict access to trained individuals ensures that the regulations that dictate the delivery and management of training is adhered to..10(j) Written Policies The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. The compliance responsibility of this requirement lies with the client implementing the Validator system..10(k1) Document Controls/ Audit Trials Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. The compliance responsibility of this requirement lies with the client implementing the Validator system..10(k2) Document Controls/ Audit Trials Revision and change control procedures to maintain an audit trail that documents timesequenced development and modification of systems documentation. Compliance Associates provides detailed release notes documentation on major and minor product releases. Compliance Associates also employs a robust change control procedure internally that links to support calls made that allows clients to understand the impact of change requests and future releases. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 5 Controls for Open Systems Open System Controls Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and when appropriate, the confidentiality of electronic records from the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. Validator provides encryption for userid / password combinations and the use of electronic signatures. Please refer to Section 5 of this document for more details. Manifestations.50(a) Name Display/ Purpose Signed electronic records shall contain information associated with the signing that clearly indicates all the following: The printed name of the signer; The date and time when the signature was executed; and The meaning (such as review, approval, responsibility, or authorship) associated with the signature. Electronic singatures in Validator include name, date/time of signing and meaning of signature within the electronic record generated upon signing, and also on the PDF generated..50(b) Name Display The items identified in paragraphs (a) (1), (a) (2), and (a) (3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic records (such as electronic display or printout). Each electronic record is stamped with name, time and date stamp. /Record Linking.70 Binding Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Electronic signatures in Validator generate records in the database that are encrypted and create PDFs with the embedded data that are stored in binary within the repository. Please refer to Section 5 of this document for more details. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 6 General Requirements for Electronic s.100(a) Electronic Assignment Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. Electronic signatures in Validator are done using User ID and password combinations used to login to the system which are unique, secure and encrypted..100(b) Electronic Assignment Before an organization establishes, assigns, certifies, or otherwise sanctions an individual s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. The compliance responsibility of this requirement lies with the client implementing the Validator system..100(c) Certification to FDA Office of Regional Operations Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer s handwritten signature. The compliance responsibility of this requirement lies with the client implementing the Validator system. Manifestations.200(a1) Electronic signatures that are not based upon biometrics shall: Employ at least two distinct identification components such as an identification code and password. Validator employs three components to sign electronically (user id, password, and certificate id). Please refer to Section 3 of this document for more details. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 7.200(a1i) When an individual executes a series of signings during a single continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. All electronic signing performed within Validator requires at minimum, a User ID and password combination regardless of whether the session is continuous or not..200(a1ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all the electronic signature components. All electronic signing performed within Validator requires at, minimum a User ID and password combination regardless of whether the session is continuous or not..200(a2) Be used only by their genuine owners; and The compliance responsibility of this requirement lies with the client implementing the Validator system..200(a3) Be administered and executed to ensure that attempted use of an individual s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. Validator does not support the use of delegate signatures or deputization. Each user must sign for and approve only items they are responsible for and must use their own credentials to do so. Controls for Biometric s.200(b) Biometric and /or behavioralbased signatures Electronic signatures based upon biometrics shall be signed to ensure that they cannot be used by anyone other than their genuine owners. Validator does not support biometric signatures. www.compliance.ca www.linkedin.com/company/compliance-

Compliance Associates 8 Controls for Identification codes/passwords.300(a) Identification/ Password Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls should include maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. Electronic signatures in Validator are done using User ID and password combinations used to login to the system which are unique, secure and encrypted..300(b) Identification Maintenance Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). Validator has a configurable password aging feature built in and also contains password history control..300(c) Identification Maintenance Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised token, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. The compliance responsibility of this requirement lies with the client implementing the Validator system..300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. Validator locks out users after a set amount of failed login attempts and sends email notification to all users defined as administrators informing them of the unauthorized access attempts..300(e) Identification Maintenance Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. Validator does not support the use of tokens or ID cards as a means of authentication or any other function within the system. www.compliance.ca www.linkedin.com/company/compliance-

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback