Part 11 Compliance SOP

Similar documents
Compliance Matrix for 21 CFR Part 11: Electronic Records

21 CFR Part 11 LIMS Requirements Electronic signatures and records

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

21 CFR PART 11 COMPLIANCE

White Paper Assessment of Veriteq viewlinc Environmental Monitoring System Compliance to 21 CFR Part 11Requirements

FDA 21 CFR Part 11 Compliance by Metrohm Raman

WHITE PAPER AGILOFT COMPLIANCE WITH CFR 21 PART 11

Assessment of Vaisala Veriteq viewlinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements

REGULATION ASPECTS 21 CFR PART11. 57, av. Général de Croutte TOULOUSE (FRANCE) (0) Fax +33 (0)

21 CFR Part 11 FAQ (Frequently Asked Questions)

Exhibitor Software and 21 CFR Part 11

Sparta Systems TrackWise Digital Solution

Sparta Systems TrackWise Solution

Sparta Systems Stratas Solution

21 CFR Part 11 Module Design

COMPLIANCE. associates VALIDATOR WHITE PAPER. Addressing 21 cfr Part 11

The Impact of 21 CFR Part 11 on Product Development

Electronic Data Processing 21 CFR Part 11

SDA COMPLIANCE SOFTWARE For Agilent ICP-MS MassHunter Software

Adobe Sign and 21 CFR Part 11

Agilent Response to 21CFR Part11 requirements for the Agilent ChemStation Plus

ChromQuest 5.0. Tools to Aid in 21 CFR Part 11 Compliance. Introduction. General Overview. General Considerations

Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

NucleoCounter NC-200, NucleoView NC-200 Software and Code of Federal Regulation 21 Part 11; Electronic Records, Electronic Signatures (21 CFR Part 11)

Compliance of Shimadzu Total Organic Carbon (TOC) Analyzer with FDA 21 CFR Part 11 Regulations on Electronic Records and Electronic Signatures

System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: tiamo (Software Version 2.

INFORMATION. Guidance on the use of the SM1000 and SM2000 Videographic Recorders for Electronic Record Keeping in FDA Approved Processes

OpenLAB ELN Supporting 21 CFR Part 11 Compliance

Integration of Agilent UV-Visible ChemStation with OpenLAB ECM

System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: StabNet (Software Version 1.

ComplianceQuest Support of Compliance to FDA 21 CFR Part 11Requirements WHITE PAPER. ComplianceQuest In-Depth Analysis and Review

TECHNICAL BULLETIN [ 1 / 13 ]

EZChrom Elite Chromatography Data System. Regulatory Compliance with FDA Rule of Electronic Records and Electronic Signatures (21 CFR Part 11)

Using "TiNet 2.5 Compliant SR1" software to comply with 21 CFR Part 11

21 CFR 11 Assistant Software. 21 CFR Part 11 Compliance Booklet

System Assessment Report Relating to Electronic Records and Electronic Signatures; Final Rule, 21 CFR Part 11

Metrohm White paper. FDA 21 CFR Part 11 Requirements for NIR Spectroscopy. Dr. N. Rühl

Using Chromeleon 7 Chromatography Data System to Comply with 21 CFR Part 11

Introduction. So what is 21 CFR Part 11? Who Should Comply with 21CFR Part 11?

Agilent Technologies Dissolution Workstation Software Electronic Records and Data Storage Background

System Assessment Report Relating to Electronic Records and Electronic Signatures; Final Rule, 21 CFR Part 11. System: tiamo 2.3

Electronic Records and Signatures with the Sievers M9 TOC Analyzer and DataPro2 Software

Using Chromeleon Chromatography Management Software to Comply with 21 CFR Part 11

Real World Examples for Part 11 Technical Controls

Technical Information

Validation Checklist Appendix A WiZARD2 Secure and 21 CFR 11 Requirements

Automation Change Management for Regulated Industries

Introduction 2. History. Adapted to zenon version 6.20 (MH) January 13 th, 2006

SECURITY & PRIVACY DOCUMENTATION

Leveraging ALCOA+ Principles to Establish a Data Lifecycle Approach for the Validation and Remediation of Data Integrity. Bradford Allen Genentech

ABB Limited. Table of Content. Executive Summary

Using "IC Net 2.2 " software to comply with 21 CFR Part 11

NIST Risk Assessment for Part 11 Compliance: Evaluation of a GXP Case Study

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Using the Titrando system to comply with 21 CFR Part 11

21 CFR PART 11 FREQUENTLY ASKED QUESTIONS (FAQS)

Guidelines for applying FactoryTalk View SE in a 21 CFR Part 11 environment

Spectroscopy Configuration Manager (SCM) Software. 21 CFR Part 11 Compliance Booklet

Information Security Policy

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Standard Development Timeline

Standard CIP Cyber Security Systems Security Management

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

CIP Cyber Security Configuration Management and Vulnerability Assessments

Using the Titrando system to comply with 21 CFR Part 11

EU Annex 11 Compliance Regulatory Conformity of eve

testo Comfort Software CFR 4 Instruction manual

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

FairWarning Mapping to PCI DSS 3.0, Requirement 10

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

NIST Compliance Controls

Rev.1 Solution Brief

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Standard CIP Cyber Security Critical Cyber Asset Identification

MySign Electronic Signature

Standard CIP Cyber Security Critical Cyber Asset Identification

Employee Security Awareness Training Program

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

The Common Controls Framework BY ADOBE

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Access to University Data Policy

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Data Integrity and Worldwide Regulatory Guidance

Data Storage, Recovery and Backup Checklists for Public Health Laboratories

Achieving 21 CFR Part11 Compliance using Exaquantum/Batch Authored by Stelex

Afilias DNSSEC Practice Statement (DPS) Version

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

ACCEPTANCE OF ELECTRONIC MAINTENANCE RECORDS

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

LOGGING AND AUDIT TRAILS

Ashford Board of Education Ashford, Connecticut POLICY REGARDING RETENTION OF ELECTRONIC RECORDS AND INFORMATION

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

CIP Cyber Security Personnel & Training

Standard CIP 007 3a Cyber Security Systems Security Management

Transcription:

1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0

1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document Approval Name Role Date Signature David Brown Author Document Control Version Author Date Description 1.0 David Brown 16-Aug-2006 First draft.

1.0 Commercial in Confidence 16-Aug-2006 3 of 14 Table of Contents 1 Introduction... 4 1.1 Purpose... 4 1.2 Scope... 4 1.3 Definitions... 4 1.4 Responsibility... 5 1.5 References... 6 2 Procedure... 7 2.1 Overview... 7 2.2 Electronic Signature/Electronic Records... 7 2.3 Application Specific Requirements... 7 2.4 Functional Requirement Specification... 8 2.5 21 CFR Part 11 Interpretation... 9 2.6 Practices related to the Use of Electronic Signatures... 14

1.0 Commercial in Confidence 16-Aug-2006 4 of 14 1 Introduction 1.1 Purpose 1.2 Scope To define the requirements for the design of validated computer systems as they relate to the use of electronic signatures, electronic records, and appropriate operation. Department/Section: IT and Validation Groups This SOP applies to all validated computer systems implemented after 20 th August 1997. However, all systems implemented prior to that date should meet the predicate rules of 21 CFR [FDA: Guidance for Industry: Part 11, Electronic Records; Electronic Signatures Scope and Application]. 1.3 Definitions Access Security - Security involves the overall protection of hardware, software, and electronic records from unauthorized or accidental modification, destruction, or disclosure. Biometrics - A method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable. Closed System - An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. Digital Signature - An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signatory and the integrity of the data can be verified. Data security The ability to prohibit access to a data record by unauthorized means. Data security involves access control within and external to the application. Electronic Records - Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. Electronic Signature - A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an

1.0 Commercial in Confidence 16-Aug-2006 5 of 14 individual to be the legally binding equivalent of the individual's handwritten signature. Handwritten Signature - The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper may also be applied to other devices that capture the name or mark. Open System - An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. System Specifications (also referred to as Specifications) - Document(s) which describe what a system processes or how it provides control. Specifications can include single or multiple sets of documents, such as internal/external design documents, program specifications, functional requirement documents, drawings, electrical drawings, flowcharts, timing diagrams, user guides, technical documents and vendor provided documentation. Client the business system owner is typically the line manager responsible for the business process where the computer system will be used. Validation Group the group responsible for ensuring that computer systems are implemented and maintained in a validated state. IT Group the group responsible for development, operation, and maintenance of computer systems. 1.4 Responsibility Those who commission, develop, configure, maintain, and/or install a validated system are responsible for ensuring that the system complies with this SOP. Validation and client groups are responsible for ensuring that practices related to the use of electronically approved records are incorporated in appropriate client SOP s.

Title Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 6 of 14 1.5 References Document ID Title 21 CFR Part 11 Part 11 of Title 21 of the Code of Federal Regulations. Electronic Records. Electronic Signatures. N/A FDA: Guidance for Industry: Part 11, Electronic Records; Electronic Signatures Scope and Application. Template_11_0001 Part 11 Assessment Template.

1.0 Commercial in Confidence 16-Aug-2006 7 of 14 2 Procedure 2.1 Overview The specific requirements of 21 CFR Part 11 and FDA: Guidance for Industry: Part 11, Electronic Records; Electronic Signatures Scope and Application must be considered during the design of a computer system. These requirements must include system configuration, system component integration, access security, and data integrity. The configuration of a computer system is typically decided in the design phase of the system development life cycle. There are often existing constraints that would affect the decision (i.e. existing networks, personnel, and geographical distribution of users and equipment). In any system, security is a major design consideration and should be established early in the design phase. While the possibility of deliberate abuse cannot be ignored, the majority of security breaches are associated with accidental abuse, arising from a lack of user proficiency or poor system design. Training, system access procedures, and sound design are therefore all fundamental requirements of a secure computer system. Due to regulatory requirements for electronic records security, security requirements for computer systems must be adequate to prevent accidental and/or intentional abuse. The following requirements reflect the understanding that security design cannot be absolute or complete, but instead, will reduce risks or exposures. The template [template_11_0001 Part 11 Assessment Template] is provided to assist in conducting an assessment of how the computer system will address the requirements of Part 11. 2.2 Electronic Signature/Electronic Records Electronic signatures generated while using computer systems that comply with this SOP, are considered to be the legally binding equivalent of the person s handwritten signature. 2.3 Application Specific Requirements The security requirements described in this section are based on regulations presented by FDA in Title 21 of the Code of Federal Regulations, Part 11, titled Electronic Signature and Electronic Records. This regulation defines requirements for systems that

1.0 Commercial in Confidence 16-Aug-2006 8 of 14 provide functionality for operations as defined in the cgxps. All validated systems employing electronic signatures and/or electronic records, either developed or purchased must comply with the security requirements provided in this SOP. 2.4 Functional Requirement Specification The following section describes requirements that all newly developed or purchased applications requiring validation must comply with, where the application stores electronic records and electronic signatures. These requirements must be included in the Functional Requirement Specification for the application. For applications where electronic records are recorded but an electronic signature is not required, the Functional Requirement Specification does not need to include the requirements in section 3 of the following table Application Security Design Requirements. Any justification for the system deviation from these requirements is to be recorded in the Validation Plan and must be approved by the validation group.

Title Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 9 of 14 2.5 21 CFR Part 11 Interpretation The following table provides an interpretation of 21 CFR Part 11. The functionality of new systems should be measured against this interpretation. 1. Operating Systems and Application Software Access Control (see Note 1) 21 CFR Part 11 1.1 All users must be positively identified by having a unique user-id and a 11.10 (d) personal, secret password before being able to gain access to any computer system as verified against the security table at logon. 1.2 The length of passwords must always be checked automatically at the 11.10 (d) time users choose them, and passwords are recommended to have no fewer than six (6) characters. 1.3 All users must be able to change their passwords at any time. 11.10 (d) 1.4 All users must periodically change their passwords. (It is recommended to change passwords at least once every ninety (90) days). 1.5 Any password that is written to a file or the security database should be encrypted. Suitable encryption standards are RSA (Rivest-Shamir- Adleman), and NIST s Digital Signature Standard, (DSS). [The DSS became Federal Information Processing Standard (FIPS) 186 on December 1, 1994.] Where systems components are linked across application boundaries using automatic log-on sequences, passwords for user-ids with update capability should be read from a secure, encrypted system file, solely accessible to the system manager instead of using "hard-coded" passwords. 1.6 User passwords should not be viewable by anyone including security administrators. 1.7 Users entering new passwords should be required to enter unique passwords. At least one of the following should be used: a) restrict uniqueness of passwords during last six (6) months; b) restrict the re-use of the last 24 passwords. 11.300 (b) 11.10 (d) 11.10 (d) 11.300 (b)

Title Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 10 of 14 1.8 Methods to restrict access of authorized persons should be employed after five (5) consecutive unsuccessful attempts to enter a password. At least one of the following should be used: a) the involved user-id must be suspended. The Security Administrator is required to reset the password in order for the user to be able to access the system again. b) the system must lock out the user for a period of at least five (5) hours. c) continuous monitoring and alerting functions are employed to detect access failures. 11.10 (d) 1.9 The system must be able to display or report current access rights of a user showing the user-id and all of their access capabilities to resources [e.g., file accesses, grants, permissions, etc.]. 1.10 The system must maintain a log of all security violations in logging into the computer system that include: a) the user-id who created the violation b) date & time of violation c) resource name (if appropriate) A display or report output must be available for viewing the Security Violations History/Log. 1.11 For applications requiring multiple levels of access, provide security controls to restrict access to components of the application by user or user group. If user group controls are utilized, provide functionality to assign users to one or more user groups. Controls should include components of the application which can be accessed such as screens and reports and the type of access allowed such as read, update, or delete. Applications requiring greater level of control should be designed to provide access to the appropriate data or field/data level security capability. 2. Data Integrity 2.1 The capability should be available to backup electronic records on at least a daily basis everywhere electronic records are stored. 2.2 Electronic data distributed on multiple machines should be able to be backed up and restored in a synchronized manner so that recovery of one or more files/servers does not compromise the integrity of the electronic data on the 'system'. The 'system' includes databases on the file servers/clients on all hardware platforms. 11.300 (b) 11.300 (d) 11.300 (d) 11.10 (c) 11.10 (c)

Title Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 11 of 14 2.3 Secure, computer-generated, time-stamped audit trails should be used to independently record operator entries and actions that create, modify, or delete electronic records. Record changes should not obscure previously recorded information. In other words, an audit trail must contain sufficient information to allow a reviewer to trace all changes to a record, from its current state back to the original values of the record. Additionally, information within the audit history should contain: a) the user-id; b) the date and time stamp when the record was created, modified, or deleted; c) the new value; d) the old value; e) the transaction type (e.g., inserts, delete, modify) associated with the transaction. This audit trail data must be retained for a period at least as long as that required for the related electronic records. A display or report output must be available for viewing the audit history. This audit trail should be applied electronically a paper audit trail is not sufficient. 2.4 For database applications, transactions since the last backup should be able to be logged in order that synchronized forward data recovery and error processing can be performed. 2.5 File servers and host computers should be operated using Uninterrupted Power Service (UPS), other battery backup measures, or EPROM. 2.6 System privileges must be established that ensure users are only able to modify electronic records in a controlled manner. Update access to the electronic records can ONLY be allowed through validated secured application screens [i.e. no direct user (normal operator) access to electronic records through database tools such as SQL*PLUS]. 2.7 Application objects and application source code must be controlled using either: an automated configuration/version control system that provides change history for objects under control, or by a manual system that maintains previous versions throughout the established retention periods. 2.8 PCs that store electronic records, application configuration data, or software programs should be secured to prevent users from being able to manipulate, override, or otherwise invalidate the electronic records, application code, or operating environment of the system. Where securing of the client workstations is not possible due to environmental and/or technical limitations, automated auditing of the workstations-software components may be employed to satisfy this requirement. This auditing process must be in addition to any security functionality, which can be reasonably implemented and practically maintained at the operating system. 11.10 (e) 11.10 (c) 11.10 (c) 11.10 (g) 11.10(e) 11.10(c)

Title Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 12 of 14 2.9 Critical records such as lot status or analytical lab data should not be stored in multiple locations unless automatic functions exist to maintain data integrity. The duplicate data should be refreshed at a frequency to satisfy the data currency requirement of the system. 2.10 Concurrent update (write) access by multiple users or processes to a single electronic record must not be allowed. 2.11 Updates to electronic records, which do not occur completely and successfully, should be negated such that all fields associated with the record are restored to their original state (e.g. rollback). 2.12 Operational system checks must be employed to enforce permitted sequencing of steps and events, as appropriate. 2.13 Device checks should be employed to determine, as appropriate, the validity of the source of data input or operational instruction. For example, an application indicating that data input is derived from a particular device (e.g. balance) should identify the device or allow data entry only from that device and not from a terminal. 2.14 Open systems should include additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. 3. Electronic Signatures 3.1 Electronic signatures, though not required, should be employed where application functions perform tasks identified in FDA regulations using the words signature, hand-written signature, notarized, signed, or approved. If electronic signatures are not employed in an application, the requirements in 3.2 through 3.6 below do not have to be met. 3.2 Electronic signatures and handwritten signatures executed to electronic records must be logically linked to their respective electronic records to ensure that the signatures cannot be excised, copied or otherwise transferred so as to falsify an electronic record by ordinary means. 3.3 Signed electronic records should contain information associated with the signing that clearly indicates all of the following: The full name of the signer (first name, middle initial, last name); The user-id of the signer; The date and time when the signature was executed; and The meaning (such as review, approval, responsibility, or authorship) associated with the signature. The above items shall be included as part of any human readable form of the electronic record (such as electronic display or printout). Where the electronic record extends to multiple pages of displays or printouts, the above signing information must clearly be linked to the entire record to which it applies. 11.10(c) 11.10(c) 11.10(c) 11.10(f) 11.10(h) 11.30 11.200(a) 11.70 11.50

Title Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 13 of 14 3.4 Electronic signatures that are not based upon biometrics must employ at least two distinct identification components such as an identification code and password. When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing must be executed using all electronic signature components; subsequent signings must be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing must be executed using all of the electronic signature components. 3.5 Electronic signatures based upon biometrics must be designed to ensure that they cannot be used by anyone other than their genuine owners. 3.6 Electronic signature functions should be able to detect and log attempts at unauthorized use of electronic signatures. 3.7 When an electronic record is approved via a hand-written signature on paper, the paper on which the signature is executed must contain adequate field and date/time information such that the electronic record(s) to which the signature does, and does not, apply can be determined with absolute certainty. The electronic audit trails, in combination with the information on the signed paper, must allow a reviewer to determine the value of each record field at the time the paper was generated. 4. Physical Security 4.1 Application file/database servers that store application electronic records or programs should be located in controlled areas such as computer rooms with adequate physical access security, ventilation, and protection from hazards such as fire, heat, and water. 4.2 Access to the system via dial-up communications must only be provided with a "call back" or SecurID type security system. 4.3 The user session should automatically log-off when a disconnect is detected for dial-up communications. 5. System Administration 5.1 Application should have the ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. 11.200(a1) 11.200(b) 11.300(b) 11.300(b) 11.10(c) 11.10(g) 11.10(g) 11.10(b) Notes: 1. Where the logon is performed at the network or operating system level and a separate logon is required for the application, the items 1.1-1.10 apply must be fulfilled at each logon. 2. In the above Design Requirements, the words must and should are used intentionally. The word must implies mandatory compliance. The

1.0 Commercial in Confidence 16-Aug-2006 14 of 14 word should is usually applied where optional methods are proposed, available, or possible to meet a particular requirement. The method is regarded as optional, while the need for compliance remains mandatory. Any alternate method used must be justified and appropriately documented. 2.6 Practices related to the Use of Electronic Signatures In certain situations, it is necessary to print out electronic signature records for users who may not have access to the electronic records. This printed signature record should be labelled Copy Verified By: along with the signature and date by the person who verified the printed record was produced by the electronic system. Printed records from an electronic system must not be used in an official manner without including the above statement.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback